OOPS! – Working from Home

There is a cracking article in a recent edition of “The Economist”, which is available online and in which Yahoo’s new Chief Executive, Marissa Mayer, appears to be driving Yahoo employees to come in to the office unless they have a very good reason to work from home. The memo from the Human Resources Manager is addressed to “Yahoos”. If you are cringing already, read the article!

This is contrary to the direction that most enlightened organisations are travelling in – the ability to work from home or anywhere else off Campus for that matter is increasingly one aspect of a more flexible approach to working life. Of course, there are occasions where face to face contact and participation cannot be easily replaced, but equally there are many activities which can be easily carried out anywhere.  An important aspect of our IT Strategy is to ensure that access to our core IT services can be provided easily to any location, on any device, whilst maintaining security of information and access. A key part of that is the MyApps service, which I have mentioned before and which gives  you access to your University IT resources from anywhere – at work, at home, on the move, on a Pc, on an iPad – even on your phone if you can cope with the small screen size.

The great thing about MyApps is that information and data never leaves the University servers. This is important if you are working from home and relieves you of many responsibilities. Did you know that if you use your personal e-mail account for work then these e-mails are covered by the Freedom of Information Act? Likewise, if you store University documents on your home computer, or take paper documents home, you could be personally liable for any breaches under the data protection act? There are a few things to think about if you are working from home – have a look at the page on the Staff Portal if you want a very comprehensive guide:

We’ve also published an interactive guide to data security for mobile devices under the banner of “OOPS” – “Out Of Protected Spaces” and if you are a member of staff you will already have received that guide in hard copy as well as interactively. We’ve had really good feedback from that – with many people making positive suggestions and asking very relevant questions about particular situations and also requests for additional copies. We did have one person who returned the printed cards with an anonymous note saying “waste of money”. That’s a real disappointment and completely out of step with all the other feedback we have received. Given the amount of press coverage of authorities being fined 6 figure sums of money for data protection breaches, and given the fact that this whole issue is important enough to grab the attention of the University’s Audit Committee, I hope that person has a change of heart on further reflection.

Here is the “OOPS” guide:

OOPS

Advertisements

What kind of paper should we use in our printers?

Last summer, I wrote a post about our planned print strategy. This is now well underway – most staff areas now have multifunction devices (i.e. MFD’s, i.e. combined photocopiers/printers/scanners) which are networked and which they can now access using the “PrintAtRGU” print queue. Students at the moment use a separate fleet of printers, but largely the same system. Over the summer the University will move to a single fleet of printers for both staff and students – anyone will be able to print to any printer anywhere on the campus. We are just now at the point of looking at how this print fleet will be supported across the organisation.

One issue that has come up is our choice of paper. Throughout 2012 and into 2013 the Waste Management Group has worked with Departments to trial the use of 100% recycled paper.  As well as being 100% recycled, the paper is not bleached, nor does it contain optical brightening. This means that its natural colour is off-white (similar to paperback books) which makes a visual statement that the University is making a commitment to the environment.

This paper is being promoted throughout the public sector for its environmental credentials and other users include the NHS and some Scottish Government departments. Feedback during the trial was both positive and negative but in overall terms concluded that the grade of paper trialled was suitable for internal use but might not be suitable for official documents, some external correspondence, or colour prints where high quality colour definition is important. Documents printed on this paper are reported to be easier to read for those with, for example, Dyslexia.

Some of the feedback also raised interesting questions. One person observed that “Tipp-ex” correcting fluid showed up starkly on the off white paper. Others found that when photocopying the paper, because it is off-white the photocopier tries to copy the darker background copy of the paper as well as the text – using more toner. I have no idea why we are still using “Tipp-ex” or photocopying documents that can more easily be reprinted from the electronic original (or better, not printed at all!) but that’s for another day.

This recycled paper is already widely used across the University and as we are now moving to one shared printer fleet across all staff and students, it will be important to minimise the different types of paper in use across the organisation. At present, some staff areas use the recycled paper but student printers still use regular white paper. It will be confusing in future if staff or students have to think which printer or printer tray to use in order to get which type of paper. There will always be a need to keep stocks of regular white and headed paper, but it will be less confusing if other than that the paper choice can be standardised as much as possible across the University. That discussion is about to start and any comments or suggestions would be very welcome!

 

 

No Phishing!

Security is always an issue with IT – ever more so these days with the explosion of connectivity, mobile devices and so on. Organisations often test their IT security by arranging with a specialist company to carry out an external “penetration test”. Effectively, that’s asking a friend to see if they can get past the organisation’s security controls by exploiting any weaknesses. If they can, then they let the organisation know and it can then plug the weaknesses.

In the past, these specialist companies have focussed on the technological defences. Increasingly, however, they are looking at the softer weak points – i.e. people. One company I spoke with carries out tests on datacentre security – they might be asked to see if they can gain physical access to an organisation’s datacentre. For obvious reasons I won’t tell you how they might try to do this, but it’s designed to test how good the access and security protocols in practice. On one occasion they did indeed manage to get into the datacentre – except it was the wrong one!

The other growing area is what they call a “social engineering” penetration test. To put it unkindly, this is to test how gullible the employees in an organisation are. You have probably all at some point seen an e-mail in your inbox offering you the chance to inherit somebody’s fortune if you can only help by supplying your bank account details. Or an e-mail from your bank telling you that there is a problem with your account and asking you to give them your password or PIN number so that they can check.

These e-mails are getting more and more sophisticated, and they steal branding and corporate images to make them look completely genuine at first glance. I have seen e-mails claiming to be from the RGU IT Help desk asking users to hand over their password so that their account can be reactivated, and these e-mails can look very convincing. Sometimes they ask for information, and sometimes they just try to coax you to click on a link for further information. That link, of course, will install some nasty software on your computer and from then on they can do anything – maybe steal confidential information (including any passwords you type in) or hijack your computer to get it to send out thousands of other e-mails to other people.

Have a look at the Wikipedia entry for more background.

I learned of one organisation recently where somebody thought one of these e-mails were genuine, clicked on the link, and before long their organisation had suffered a major security breach. These e-mails are therefore a real threat to security in any organisation, and not just a minor nuisance.

So remember:
– No legitimate organisation (internal or external) will EVER ask you to e-mail to them any confidential information, whether that’s a password, PIN number, date of birth or whatever.
– If you receive an e-mail that you were not expecting, and if it has a link to another web site, don’t click. Be very careful of unusual e-mails from people you know – especially if it’s little more than a link to some web site and a subject line saying “check this out”. It probably means their e-mail has been hacked and is being used to send out SPAM.

So, what’s a “social engineering” penetration test? That’s when we agree with an external company that they can send into the organisation lots of “phishing” style e-mails and then see how many people get tricked into responding. That’s not to catch people out, but to help educate and test the level of awareness across the organisation. I might just look at that . . .

Cyber Security

The whole subject of cyber security is growing in prominence across the UK – indeed across the world. It is recognised as a significant challenge to organisations and national economies, and with the key role that Universities play in research and education they are as vulnerable as any other sector. Universities own areas of intellectual property of immense value and theft of that intellectual property would be an issue not just for the Universities concerned, but for the wider economy as well.

The UK Government’s National Security Strategy lists “hostile attacks upon UK Cyber Space” as amongst the top 4 priority risk areas next to terrorism, war and major accidents/natural hazards.

In November 2011, the Cabinet Office published a “UK Cyber Security Strategy

This strategy sets out how the UK Government will tackle the threats, but also in a way that ensures that “. .  cyberspace remains an open space – open to innovation and the free flow of ideas, information and expression.”

That’s important for Universities. We are very open communities, with large student populations, members of the public, and staff involved in a wide range of activities. Our IT infrastructure needs to be open enough to permit all of that, but secure enough to protect important information resources, personal and confidential information.

Like many organisations, we will be keeping our security measures under constant review, particularly in the light of growing cyber security threats. We want to make it easy for staff and students to access our systems but there will always be the need for some security and it is important that all of our users respect this and follow guidelines and instructions where they are provided. You may feel that you are not involved in anything that is secret or confidential. If you are connected to our network, however, you are just as likely to be a target and if you don’t follow security guidelines your equipment could provide an easy entry point for an attacker.

Paper – from Mountain to Molehill

With the advent of the computer age, many people have heralded the anticipated demise of paper. A quick look on Google, however, reveals that according to the Mail Online paper consumption globally has increased by almost half since 1980!

However, achieving a reduction in paper storage still remains an aspiration for us, and particularly at RGU with a move to a new modern Campus building the thought of moving all that paper, never mind where to put it, presents a great opportunity to get rid of it. Over the past few years, our Records Manager, Keith Fraser, has developed a records management strategy for the University and has been working with Schools and Departments to help them with their approach to records management.

A key priority has been to work with the Schools who are moving into the new Campus building, to make sure they are reducing as much as possible their paper filing. One of the early achievements in the records management strategy was the creation of the Master Retention Schedule, or MaRS as it has become affectionately known.  Based on advice from a whole range of sources, this set of documents tells you what you can destroy, and when. It also tells you what you need to keep and for how long.

Using MaRS, Schools are making great progress in eliminating unnecessary paper stores. Our School of Pharmacy and Life Sciences, for example, disposed of 200 bags of paper in the last 12 months.

One thing that became clear, however, was that student files represent about 70% of all paper storage in the Schools. These include:

  • UCAS Forms
  • Medical Certificates
  • Transcripts for each year
  • Email and letter correspondence
  • Private and Confidential Correspondence
  • Withdrawal / Suspension Confirmations from Student Administration
  • Industrial Placement Forms
  • Completed Exam papers in circumstances where special exam was sat. etc
  • Absence forms
  • Record of personal interviews
  • Withdrawal / suspension forms (signed by staff)
  • Fitness to practice information  etc

These paper files can be disposed off once students have left, but that still leaves a lot of paper for students who are here for 4 years. So, we have decided to add an electronic document management module to our student records system.

The new module has been purchased and installed, and what we are doing at the moment is scanning all the paper records into the student record system. Our internal graphics and printing department, “The Gatehouse”, are doing the scanning – and it’s not a simple process. The original paper records have to be bar coded with the student ID number, and then the scanning can correctly match them up to the student entry in the system. For the first 3 Schools (School of Computing, School of Engineering, School of Pharmacy and Life Sciences), that’s about 1,700 student files but the Gatehouse is making great progress. Once these are done, we’ll look at the remaining Schools – that’s about another 5,500 student files.

Once this is done, properly authorised staff can look at the student record for any student and see digital copies of all the paper records for that student. The actual paper originals can then be securely disposed off and we will have eliminated a very substantial storage of paper from across the Campus.