Physical Security Guidance

Our Staff handbook states (Section 4.10 – Security):

Security is a serious concern and we make all reasonable efforts to provide a safe, secure environment for staff, students and visitors. However, we must all work together to improve security.

You should familiarise yourself with the security arrangements in your office and…you should make sure that:

• confidential files and removable storage devices e.g. flash drives are locked away when unattended;
• all cabinets and drawers are locked when unattended and keys deposited safely or taken home;
• equipment is security tagged and recorded in a local inventory;
• you report any potential security risk to the Security Manager at your campus;
• digital or electronic door lock codes are only shared with relevantstaff members;
• you keep computer passwords secret;
• you must not leave your workstation logged in while unattended. At a minimum, you must use a screen locking mechanism (i.e. use CTRL, ALT, DLT).

Additional requirements to help secure the data within our buildings are:

• All visitors that you allow into a secure area must be supervised at all times until they leave those areas.
• Digital or electronic door lock codes and security alarm disabling codes are changed regularly and as part of the leavers process where a member of staff leaves ARU or moves to an ARU role which no longer requires them to have the access.
• ARU Security may perform regular checks of staff compliance with this policy and staff are required to cooperate with these and with any investigation into breaches of security.

Our Staff handbook states (4.12 – Staff cards):

Your staff identity card will be given to you on your first day at work. You are required to wear your staff identity card at all times whilst on our premises.

Further requirements over correct use of the ID card are:

• You must not allow anyone to follow you through an active security door (tailgating) without clearly displaying their ARU ID Card.
• You must carry your ARU ID Card or Visitor pass and display it at all times when in ARU buildings, or to prove to a member of the public or staff of another organisation that you are representing ARU on official business.
• You must not share your ARU ID Card with anyone, or share door codes or keys with unauthorised people.
• If you find a lost ARU ID Card, you must hand it in to your local campus security office.
• If you lose your pass or it is stolen, you must report it to Security.
• All leavers must hand their ID card to their line-manager as part of the leavers’ process.
• Any ID Card which provides access to ARU buildings, or visibly identifies a person as being employed by ARU (or by an employer in partnership or under contract to ARU), or visibly identifies that a person has been approved by ARU to carry out a service, must be formally provided and recorded according to ARU approved processes. No area of ARU can create or distribute its own identity cards.
• If you are a line manager or are approving requests for cards on behalf of partners or supplier staff, you must ensure that any access rights you approve are appropriate to the employee/ supplier’s role.
• ARU Security manage a system which records who is in possession of ARU ID Cards and the transactions made by each card. Card transaction data for investigations will only be used where approved by the Secretary & Clerk’s Office.

Our Staff handbook states (6.8 – Communications: Personal Computing Devices / Bring Your Own Device)

“Bring Your Own Device” (BYOD) is a term which refers to when you use your personal computing device(s), typically smartphones and tablets, in connection with your duties and/or in the workplace. You’re allowed to connect your personal devices to our network. Any and all data associated with the University, including email messages, that is held or processed on the device is the property and responsibility of Anglia Ruskin University and extra care is needed on the part of anyone doing so to manage the security risks”.

As a minimum:

• You must use a strong password to secure your device and ensure that the device is locked when not in use at all times.
• All devices must be set to lock or erase if an incorrect password is inputted too many times.
• If your device is used or accessed by members of your family or others, you should make sure that all Anglia Ruskin data is protected so that it is only accessible by you.
• You must also take steps to make sure that unauthorised persons cannot see the screen whether being used on or away from our premises.
• You must report immediately to [IT Services and the Information Compliance Team] if any device is lost or stolen as this could be a data breach which the University is required to report to the Information Commissioner.

It will be your responsibility to ensure that your device is maintained and supported. It is ARU’s expectation that this will include the latest versions of the operating system, anti-malware and personal firewalls that are installed on the device. All relevant patches and critical information security updates will be installed by you within one week of release from the software supplier.

We reserve the right to require additional security protection software to be loaded onto your personal devices in the future. Please contact IT Services for help and advice about configuring your device. Disciplinary action may be taken against staff in breach of this guidance.

In addition:

• When you are physically transporting ARU personal data outside of ARU premises, on any medium, you must take steps to keep it secure. Consider code or padlocked carry cases.
• You must not leave ARU personal data unattended in a vehicle whilst you are travelling and always keep it out of sight.
• You must take appropriate steps to secure ARU data when you work on it at home; storing it out of view of passers-by, visitors and co-residents, preferably within lockable storage units.
• When you take ARU personal data with you to non-ARU premises such as those of partners, peer institutions, conference/ meeting venues you must take appropriate steps to secure it taking advantage of appropriate equipment or facilities made available for that purpose.
• Where you take hard-copy files or storage devices containing personal data away from ARU premises there should be a local record maintained to help others who require access to the data and your manager to know who has custody of it.
• When using wi-fi connections at non-ARU premises you must make sure that it is secure before you access ARU personal data over it. Wi-fi providers will provide statements of compliance at the point of sign-up to give this reassurance. Eduroam services at all locations are trusted.

When we send personal data to an internal or external recipient, GDPR challenges us to ensure this is done with ‘appropriate’ security measures. This means that we need to understand the sensitivity of the data in order to decide the appropriate method of sending.

Sending within ARU

An email containing personal data sent from one ARU email address to another ARU email address does not leave ARU’s IT secure systems, therefore there is no need to protect it in the same way as sending externally.

There is no need to password protect email attachments containing personal data when sending internally.

See our Email Policy for more details.

Where the data is ‘Special Category’ or relates to over 100 individuals it must be saved in an attachment and the attachment should be password-protected.

The password should be complex:

• Contains 8 characters or more
• Contains a combination of upper case, lower case letters and numbers

The password should be shared with the recipient preferably by a separate communication method (e.g. phone or text). By email is permissible if no other contact means is available.

A password can be re-used when there is frequent data sharing going on with the same recipient(s), however it should be changed at least every 12 months.

Sending within ARU

Where information is being sent through the internal mail post system and it contains personal data or is sensitive in other ways (e.g. commercially or legally) then it should be sealed in an envelope (or other container), marked ‘confidential’ with care taken to address it correctly.

For more information about the internal post service, please see here

See current range of Royal Mail services

Where information is being sent using external providers and it contains personal data then a routine first or second class service is acceptable.

Where the data is special category or has other non-personal data sensitivity then a service is required which confirms delivery. It is important to note that with Royal Mail ‘Tracked’ services it is possible for items to be delivered to a recipient’s neighbour if they are not available. Although there would be a record that a neighbour took delivery there are still risks with this and specific cases may mean that this service should be avoided and a ‘Confirmed’ delivery option should be selected instead. Typically Royal Mail will not leave ‘Tracked’ mail with a neighbour if sent to a business address. The preferred method of delivery should be clearly marked on the item before handing to the custody of ARU Postal Services.

Wherever possible the envelope or packaging should contain a return address which allows an incorrect recipient or postal service to identify where the item needs to be returned to without needing to open it. This should give sufficient data to get the item back to ARU but care should be taken not to reveal to much information about the nature of the intended recipient’s relationship with us in case this in itself gives an incorrect recipient some personal data about the Data Subject.

All devices storing ARU personal data should be secured before sending through a postal service. It should not be possible for someone to easily gain access to the data on a lost or stolen device. A device here means a USB memory stick, external hard-drive, phone, laptop, PC hard-drive, CD or DVD disc, memory card etc.

All devices should therefore be encrypted ensuring credentials (PIN code, pattern, password or biometric data) are provided before the stored data can be accessed. The following guidance assumes that encryption is in place before sending. Whilst encryption does not guarantee that someone with enhanced skills and access to the right resources cannot still gain access to the stored data, these steps will ensure that ARU has taken reasonable and appropriate steps to guard against unauthorised access.

Items should be packaged (or where they are larger items – labelled) stating the contents are confidential and where they should be returned to if they are lost. Details of the credentials required to access the device or the data on it should never be provided in the same delivery as the item. This information should be emailed or provided over the phone. Where special category data is stored or data of another type of high sensitivity then the following guidance applies:

The ARU Post Service should be informed through the description field of the Post Collection Request online form that the signature of the recipient is required to evidence safe delivery.

The ARU Post Service should be informed through the description field of the Post Collection Request online form that the item must be delivered with the ability to be tracked to its destination and evidence of a signature of the recipient obtained.

Where the recipient is another public sector organisation, in particular a central government department or agency or a law enforcement service, then Protective Marking guidance should be considered.

Please follow the ‘Safe Haven Fax Procedure’ guidance

When sending data to another Public sector recipient, we must also consider the Government’s Protective Marking guidance. The Government’s Security Classifications provides the UK public sector with a common means of describing the sensitivity of data to help make sure that it’s transferred between organisations with appropriate security and marked in a way which helps a receiving organisation to handle it appropriately.

There are 3 classifications: OFFICIAL, SECRET and TOP SECRET.

ARU will only handle data at OFFICIAL level unless explicitly required to do so by a government department.

OFFICIAL data is described as: “The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile”.

There is no requirement to label or physically mark data with the word ‘OFFICIAL’, however where there is a clear need to protect the ‘need to know’, data should be marked ‘OFFICIAL-SENSITIVE’. For example, in the context of personal data this may because the data is ‘special category’ and shows that we’ve taken extra steps to make sure the recipient understands that the data needs to be shared with only those entitled to see it.

Where data is OFFICIAL SENSITIVE it must be marked by:

• Writing in capital letters at the start of an email title
• Writing in capital letters on a post item

The scheme allows for us to add a ‘descriptor’ to help others to understand the specific nature of the information to help with handling measures where this may be useful.