Information Security Management

Policy on Safeguarding Data –

Storage, Backup and Encryption
Version 2.0
11 August 2014

© University of Leeds 2014

The intellectual property contained within this publication is the property of the University of Leeds.
This publication (including its text and illustrations) is protected by copyright. Any unauthorised
projection, editing, copying, reselling, rental or distribution of the whole or part of this publication in
whatever form (including electronic and magnetic forms) is prohibited. [Any breach of this prohibition
may render you liable to both civil proceedings and criminal penalties].
Policy on Safeguarding Data – Storage, Backup and Encryption

Owner: Kevin Darley,

University IT Security Co-ordinator,
IT, University of Leeds

Source Location:

Document Reference:

Other Documents
Referenced:

Related Documents:
Information Protection Policy
Mobile & Remote Working Policy
Access Control & Account Management Policy
Password Usage & Management Policy

Acknowledgements:

Document Control
This document is subject to change control and any amendments will be recorded below.

Change History
Version Date Circulation Changes
1.0 30/09/08 http://campus.leeds.ac.uk/isms First formal issue
2.0 11/08/14 http://it.leeds.ac.uk/info/113/policies_and_information_security Update to reflect
introduction of
Information
Protection Policy
and new IT
website

Version Awareness
The audience of this document should be aware that a physical copy may not be the latest available
version. The latest version, which supersedes all previous versions, is available at
http://it.leeds.ac.uk/info/113 . Those to whom this Policy applies are responsible for familiarising
themselves periodically with the latest version and for complying with Policy requirements at all times.

Information Security Management 2.0 (11/08/14) Page 2 of 7

Policy on Safeguarding Data – Storage, Backup and Encryption

Contents
Document Control ......................................................................................................................................................2
Change History ...........................................................................................................................................................2
Version Awareness .....................................................................................................................................................2
1. Introduction .........................................................................................................................................................4
1.1. Objective ......................................................................................................................................................4
1.2. Scope ..........................................................................................................................................................4
2. Policy ...................................................................................................................................................................4
2.1. Considerations.............................................................................................................................................4
2.2. More Information .........................................................................................................................................5
3. Annex ...................................................................................................................................................................6

Information Security Management 2.0 (11/08/14) Page 3 of 7

Policy on Safeguarding Data – Storage, Backup and Encryption

1. Introduction
This policy which forms part of the University’s Information Security Management System (ISMS)
framework has been supported by Research Board and is a key part of the University’s response
to the internal audit on Research Data Backup.
The University’s Information Security Policies can be found at
http://it.leeds.ac.uk/info/113/policies_and_information_security

1.1. Objective
The University and its employees, students and partners need to ensure that we:
 take responsible ownership or stewardship of all data;
 follow legal, regulatory and compliance needs;
 ensure the confidentiality of data (classified data is not disclosed to unauthorised
recipients);
 ensure the integrity of data (data is accurate, complete and up-to-date);
 ensure the availability of data (data is accessible whenever it is required).
It is essential that a balance is maintained between security and operation so that no un-
necessary burden is placed on staff, processes or resources.

1.2. Scope
This policy covers all data, including:-
 research data,
 learning and teaching data,
 administration and management information data.

2. Policy
Neither individuals nor computers should jeopardise the University’s reputation, resources or
investment through poor or inappropriate data management. Everyone has to take personal
ownership of ensuring good data management and adherence to this policy. Data should:
 have an identified owner or steward, normally defined in terms of roles, responsible for
ensuring maintenance, accuracy and destruction when no longer required;
 be assessed according to its classification in accordance with the University’s Information
Protection Policy;
 be assessed for its criticality – its importance to the running of the project or organisation;
 be stored and backed-up according to these assessments;
 be capable of being restored to a sufficiently recent state in a timescale that does not
compromise the effectiveness, reputation or future operations of the data users.

2.1. Considerations
 Data has a lifecycle and the application of this policy will change over this lifecycle:-
o Creation, processing, transmitting, sharing, archiving and destruction.

Information Security Management 2.0 (11/08/14) Page 4 of 7

Policy on Safeguarding Data – Storage, Backup and Encryption

 Risks associated with confidentiality (and criticality) can be assessed using some simple
risk assessment questions that will also suggest whether encryption of the data is needed
(see http://it.leeds.ac.uk/info/116/policies/249/information_protection_policy ).
 The use of unencrypted laptops or removable media, especially memory sticks, cause
significant risks of data loss or compromise. They should be used with care and with the
expectation that the machine or storage device may be lost or stolen and hence the
implications that this would have must always be considered.
 When working on data owned by someone else or another organisation, stewards must
ensure familiarity and compliance with the owners’ needs.
 When collaborating with others outside our University, owners or stewards must ensure that
collaborators are aware of and follow this policy.
 Email or other electronic transmission is generally not secure and therefore should not be
used for classified content or attachments unless additional controls are applied.
 Physical transmission of data (internal or external post or courier) should always be
considered insecure and so no classified data should be sent un-encrypted.
 Access to information sources should be permitted according to operational need.
However, consideration should be given to the likelihood that restrictions and security
requirements are likely to change over time or through circumstance.
 A balance has to be maintained between access privilege and responsibility: the greater
access individuals have to classified and/or critical data, the more responsible they become
to apply and maintain appropriate security controls.
 The use of encryption and passwords to restrict access needs to be used with care to
ensure that access to data is not lost due to forgetting, loss or compromise of passwords.
 Where data is archived for long-term retention, arrangements need to be made to ensure it
remains accessible using either future technologies and software or that the systems and
software on which it resided and operated are also preserved in an operational state.
 When data no longer becomes needed or regulatory requirements mean that it has to be
disposed, this should be done in a timely, secure and environmentally friendly fashion.

2.2. More Information

This policy statement is designed to provide general guidance for the safeguarding and security
of University data. Specific security and procedural requirements in support of this statement are
in respective University Information Protection Policy and other supporting policies which can be
found at http://it.leeds.ac.uk/info/116/policies.
 Appropriate controls to restrict access to data are to be deployed in accordance with the
University’s Access Control & Account Management Policy and Password Usage &
Management Policy.
 The security of data outside the University cannot be guaranteed unless additional
controls are implemented. Work undertaken outside campus should be in accordance
with the University’s Information Protection Policy, the Mobile and Remote Working Policy
and this Policy.
 Personal data provided to or exchanged with external agencies must be in compliance
with the University’s Code of Practice on Data Protection and the data must be protected
during transit.

Information Security Management 2.0 (11/08/14) Page 5 of 7

Policy on Safeguarding Data – Storage, Backup and Encryption

3. Annex
Assessing Requirements for Encryption: Does your data need to be encrypted?
It is impractical to specify precisely what data will warrant the additional protection of encryption,
but in general terms it will be classified data that is removed from on-campus University
systems/network, either on a laptop computer or on removable media, to and from premises
outside the University.
Classified data is defined as information that is categorised as either ‘confidential’ or ‘highly
confidential’:
 Highly confidential applies to information disclosure of which to unauthorised recipients
would be likely to result in serious damage to the interests of individuals or of the University.
 Confidential applies to information disclosure of which to unauthorised recipients could
have a negative impact on individuals or the University.
All other information is unclassified by default. No particular controls apply to the disclosure of
unclassified information.
The ‘data owner’ will generally be the person best placed to assess whether his/her data requires
to be encrypted. Data that is created, processed or stored on University systems, and accessed
over the University network would not normally require to be encrypted.
Questions to ask are:-
 Are the data known to be University or research sponsor classified?
 Are the data subject to a non-disclosure agreement or government security standards that
require encryption?
 Would the University suffer reputational damage if the data were disclosed or found un-
protected?
 Are the data removed from secure campus storage, for instance via a laptop, memory
stick or email?
If the answers to any of these are “Yes”, then encryption is likely to be needed.
Those who believe they have a need to encrypt data should seek advice through the IT Help
Desk.
Assessing Access Requirements: Does access to your data need to be restricted?
If you need additional assurance that team or project data is complete and accurate you will need
to place it in a shared area of the network (‘N’ Drive) but restrict write and delete access to it to
the most trusted and competent members of the team. Each user accessing shared data should
use their own user credentials to do so as opposed to using shared accounts.
Other permissions and privileges can be also be applied to control access to and manage of data
files.
Email accounts should not be used for shared or project data. When an individual leaves the
University, colleagues must ensure any project data is retrieved from the personal account of the
individual before it is automatically deleted.
Contact your Faculty IT Manager or the IT Help Desk for more details.

Information Security Management 2.0 (11/08/14) Page 6 of 7

Policy on Safeguarding Data – Storage, Backup and Encryption

Assessing Data Storage and Backup Requirements: What storage and backup
arrangements need to be in place for your data?
To help determine the availability required of data, the following categories could be considered:-
Highly Critical Data needed for key functions which is probably available only from a
limited source and impossible to recreate quickly. Its loss or errors in it
would have serious implications.
Critical Data needed for day-to-day working. It is not widely available and it
would take considerable time and effort to recreate it. Its loss or errors
in it would cause significant disruption.
Non-critical Data not important to operation.
The required arrangements really depend on the criticality of the data, but the general rule of
thumb is that:-
 Data should not be stored in only one location (e.g. on the hard disk of a PC).
 It should ideally be stored on a network resource (e.g. server) that is effectively backed up
either by IT or the parent Faculty.
 Backup arrangements should ensure that critical data is backed up daily, and that less
critical data is backed up to the extent that loss of original source would be nothing more
that a minor inconvenience.
 The backups must be kept securely and remotely from the computer being backed up and
without contravening Data Protection legislation.
 Any data that warrants encryption should be held encrypted on backup media where
backups are preformed under local arrangements.
 Off-site storage should be considered for all critical back-up data, such as that associated
with research.
 Storage solutions must be designed to have minimal single points of failure (hardware,
software, process and people).
 People responsible for data backup and restoration should be suitably trained and
supported as well as having the time to ensure this Policy is followed.
 Any backup and restore scheme must be fully and securely documented.
 The system must be tested and proven to work.

Information Security Management 2.0 (11/08/14) Page 7 of 7