The Acceptable Use Policy (AUP) is one of a series of actions to increase our cyber security protection. It is a significant step in protecting staff, students and the institution from cyber crime. It reminds all users that they can help prevent security-related incidents like ransomware attacks, theft of data and disruption to our work. It also reminds us all of ways of working that can help to protect ourselves from crimes like identity theft, scams, and the loss of information.
Why do we need this policy?
We aim to reduce the following risks for our staff, students and institution:
-
Distress and increased vulnerability to fraud if personal data held by the University is leaked, lost or stolen
-
Lost productivity and disruption to work and study resulting from any service downtime
-
Increasing difficulty for academic staff applying for research funding as funders steadily increase cyber security requirements
-
Regulatory intervention and significant legal and financial penalties resulting from any data leakage
-
Reputational damage to staff, students and the institution resulting from successful attacks.
The Policy helps the University to meet the requirements of its regulators, auditors, and insurers, and helps staff and students to comply with relevant laws in their use of information services, such as the Data Protection Act and the Computer Misuse Act.
Essential and immediate actions
-
Choose a strong password
-
Enable multi-factor authentication
-
Complete cyber security awareness training
-
Don’t share or re-use your password
Regular actions
-
Install antivirus updates promptly
-
Manage confidential and personal data appropriately
-
Use encrypted devices to store confidential data
-
Lock your screen when you leave your computer
-
Don’t use a non-University email account to send confidential data
Important awareness
-
Don’t trust unexpected communications or open links or downloads that are unexpected
-
Secure or delete confidential data before repair, disposal, return or re-use
-
Report incidents or suspected incidents as a matter of urgency
-
Report a compromised password, malware infection or security weakness to your IT support
-
Report any breach of personal data via your local mechanism or to the Information Compliance Office
Timeline for implementation
This policy was implemented on 1 April 2024.
In the first year after the implementation date of this policy – that is, to 1 April 2025 – users will be expected but not required to comply. Compliance will be required from 1 April 2025.
Paragraph 19 of the policy relating to encryption of devices and portable storage devices will remain an expectation until 1 April 2026 when it will become a requirement. This is to allow for effective communication of the policy and related guidance as well as staggered provision of UIS support for users needing assistance to comply. Users should begin working towards compliance as soon as possible.
Breaches of compliance
In most cases, the approach to breaches will be to provide supportive guidance and educational material. However, users should be aware that consequences of a breach could include temporary or permanent removal of access to University information services.
Refusal to engage with the policy and associated processes may, in the most serious cases, result in the initiation of disciplinary procedures: for staff, the staff disciplinary procedure; for students, the student disciplinary procedure; and for any other user, review of relationship with the University with primary institutional contact and/or Head of Institution and (if appropriate) HR representative.
In the case of proven gross misconduct, consequences could include dismissal. Suspected illegal activity may be reported to the police or other law enforcement agency.
Further information
How the Acceptable Use Policy was developed