Research Data Management

Security

Data security describes how sensitive or confidential data is protected from access by unauthorized users, and from theft or destruction.


Best practice for safeguarding data

Key points outlining best practice for safeguarding electronic data:

  • research data must be protected from anyone who is not allowed to view, copy, update or delete the information
  • principal investigators are responsible for ensuring the data is held safely and in a secure and appropriate manner
  • all research data must be classified using the University's information classification scheme. Any confidential data may require additional security controls
  • any data that is accessed remotely may require extra security measures. The same is also true for storing data on cloud-based solutions such as Dropbox or Sky Drive
  • the data needs to be protected when in use on a machine, in motion - for example being sent via email - and at rest (such as when it is held on a USB device or server)
  • researchers must make use of the centrally managed information security services, rather than implementing locally managed services
  • physical security should be employed to protect equipment, such as locking doors, or locking removable devices in a secure place
  • IT Support are happy to offer advice and guidance for research projects

Security services

Information Services provide the following to assist with information security:

Network security services

  • enterprise-class perimeter firewalls
  • enterprise-class internal firewalls
  • enterprise-class anomaly detection network monitoring solution
  • off-campus managed email filtering service
  • enterprise-class secure web proxy
  • encrypted wireless network service
  • virtual private network (VPN)
  • network access control solution (student network only)
  • network access monitoring solution (main campus network only)
  • network bandwidth management service (student network only)

Operational security

  • centrally managed anti-virus client
  • centrally managed patching service for Windows computers
  • central logging service
  • centrally managed digital certificate service

Access control

  • university username and password authentication required for critical network services

Physical security

  • school server hosting
  • data centre access controls

Summary of security guidance

  • research data must be permanently stored on an IT Services-provided file server located within the University; School-based servers or machines must not be used for permanent storage.
  • USB sticks, portable hard drives and cloud-based services must only be used as temporary storage solutions when data is being transferred from one permanent location to another.
  • research data classified as confidential must be encrypted when being temporarily stored or transferred via USB stick, portable hard drive, laptop, or other mobile device.
  • older insecure electronic transfer methods, such as FTP or email attachments (even if password protected), must NOT be used when transferring confidential data. Newer transfer methods that use encryption, e.g. Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH) or secure file transfer protocol (SFTP), must be used instead.
  • access controls (at a minimum a unique username and strong password for each person accessing the data) must be used for all computers or devices used to access data classified as confidential or higher. This includes setting passwords or PINs on laptops, tablet computers, smart phones and other mobile devices.
  • research servers, desktop PCs and laptops running the Microsoft Windows operating system must be added to the University Active Directory (AD).
  • research servers, desktop PCs, laptops and other mobile devices must be configured to receive regular operating system and application patches where available. For Windows platforms, the centrally provided Windows Server Update Service (WSUS) must be used.
  • internet or cloud-based services must NOT be used for storage or transmission of data classified as confidential or highly confidential unless it is separately encrypted before transfer to the service. This encryption must be in addition to any claimed level of encryption provided by the service itself.
  • exceptions to the guidance provided above for the storage and protection of research data may be granted at the discretion of the PVC for Research, the Chief Information Officer or designee, provided that a risk assessment has been made and suitable alternative or equivalent information security arrangements are put in place. For data classified as highly confidential, if alternative or equivalent arrangements cannot be made, acceptance of the additional risk must be agreed with University management.


Security advice

  • general information security advice and guidance on basic services like anti-virus use or the email filtering service is available from the IT website, IT helpline or your local IT support team.

Research @ The University of Nottingham

King's Meadow Campus
Lenton Lane
Nottingham, NG7 2NR
