School of Physics and Astronomy – computing

Security

The school does not have demanding security requirements, and the network is by design kept relatively open. We do restrict access to the network from off-campus. If you wish to run any externally-facing services, please discuss this with local IT staff beforehand.

Authentication

Passwords are important, and we have some advice about passwords. We intend this password advice to be quite generic, and not just specific to University systems. The short version is

More details on the password advice page.

Multi-factor authentication

From 2021, IT Services has required that anyone accessing University services hosted by Microsoft (Office 365, AVD, etc.) do so using multi-factor authentication. We have some additional notes on physical MFA tokens.

Data protection, and the GDPR

The Data Protection Act imposes certain obligations on us all, because we process ‘personal data’ in the sense of that Act. These obligations are not particularly onerous, but they are summarised in our data protection advice, which is additional to, or complementary to, the University's information security advice.

The short version:

One of the recommendations of those notes is that laptops which may hold personal data (which in practical effect includes every laptop which has University email on it) should be configured with full-disk encryption (FDE). Suitable software is available for macOS, Windows, and Linux (instructions).

We can escrow keys (in case you accidentally lock yourself out), but won't insist.

Though they are separate concepts, there is an overlap in concerns between Data Protection legislation and the Freedom of Information Act.

Backups

You take backups of your devices at home? Excellent plan!

You should be aware, though, that if that backup includes ‘personal data’ – for example if it includes work email which mentions students – then that data is covered by the GDPR, and if that backup is lost, for example in a theft, then that is a GDPR-relevant breach of university data, which should in principle be reported.

If your backups are encrypted (you really are well organised) then there's probably only a minor problem here. This is one reason why the University encourages people to do as much work as possible on shared storage such as SharePoint or OneDrive (where backups are Someone Else's Problem). As long as these are synced to an FDE-protected machine, there's little problem. If you can conveniently exclude your @glasgow.ac.uk email from your backups, or OneDrive, you should consider doing so.

If you're working with ‘sensitive personal data’, it would probably be good to think carefully about how you're doing so, and talk to P&A IT if appropriate.

Mobile devices

Any mobile device which has university email on it must be protected by a PIN (or password, or fingerprint, or face-scan, or something similar).

Most mobile devices will be encrypted by default (that is, the advice above applies to desktops and laptops).

Data breaches

If a laptop, smartphone, or personal backup, containing personal data, is lost or stolen, that is a potential data breach. It should be reported to local IT staff and/or to the University Data Protection Office.

If the device was full-disk encrypted, then that is probably the end of the matter, as far as data protection is concerned. If it wasn't full-disk encrypted, then it's still important that you tell us: there's probably a certain amount of paperwork in this case, but it's important that we log the issue promptly.

Cloud sync providers

Don't use personal Dropbox services for anything which might include ‘personal data’.

The problem with Dropbox, Google cloud, and similar services, from the point of view of the GDPR, is that they cannot guarantee that the data is stored within the EU (or UK – Brexit doesn't significantly change this issue). There are some cloud providers which are able to make such guarantees, or equivalent ones; talk to local IT staff for advice.

That advice will probably be to use OneDrive, which is integrated with Office 365, and which can sync to your (FDE-enabled) computer or smartphone. It's available for Windows (obviously) and macOS, and slightly indirectly for Linux.

Wherever these bytes are actually stored, they are stored in a way which the University has determined is compatible with its GDPR obligations.