Computers and Information Security Policy
It is important that you protect yourself, your data and the University computer systems from attack via malware, phishing etc. For general advice and training please visit the University's InfoSec pages at https://www.infosec.ox.ac.uk/.
Further information and policies we have about these topics follow.
Operating System Version and Updates
All WIN Centre computers MUST run a supported OS and any available updates should be installed as soon as practical (ideally within 24 hours of notification of availability). The current list of supported OSes is:
- macOS: 10.14.x, 10.15.x, 11.x
- Windows: 10
- Linux: Centos/Redhat Enterprise 7.9, Centos/RedHat Enterprise 8.4, Rocky Linux 8, Ubuntu LTS 20.04, Debian 10, Debian 11
Where it is essential that you use an unsupported OS, e.g. Windows XP or 7 (MRI sequence development) then these devices MUST NOT be connected to the WIN Centre network, e.g. for VMs you should run a host-only network setup.
If your computer runs an unsupported OS then please contact email@example.com for advice and help on upgrading to a supported OS.
The WIN Centre operates a cloud managed Sophos anti-virus service for all Centre owned computers. All newly purchased/setup machines will automatically be enrolled into this service but some legacy devices may not be setup for this service, please read on for details on how to confirm that your Sophos install is working.
macOS devices should display a Shield + S logo in the menu bar whenever Sophos is installed and running correctly. Click on this icon to get a status message - a large green circle with white tick shows all is well. Click Open Sophos Endpoint... then click on 'About' - check that Endpoint Advanced and Sophos Intercept X are installed and that the Last update time stamp is within 24 hours of now.
Windows users should check in the Windows system tray and Sophos application for update status: https://community.sophos.com/kb/en-us/12429.
If you find your computer is not updating Sophos or you are unsure whether your device is enrolled with our central management system then please contact firstname.lastname@example.org.
It is Centre policy that ALL laptops are at-rest encrypted using the OS provided facility (FileVault on macOS, BitLocker on Windows or LUKS on Linux). At this time we do not support the encryption of macOS desktops. If you have a Windows or Linux desktop and store sensitive information on it then please contact email@example.com for advice on encryption (in the case of Linux this WILL require a wipe and reinstall).
All backup drives (e.g. Time Machine or Windows backup disks) MUST be encrypted with a strong passphrase. Please ensure your keep a copy of your backup disk passphrase in a secure location SEPARATE from the disk (ideally in a form that is available if the computer is not-bootable/available). WIN IT will be happy to keep a record in our encrypted key store - please do NOT email these passphrases!
All USB-pen/hard drives that contain sensitive information MUST be encrypted (either via hardware or FileVault/BitLocker).
All smart phones and tablets that are used for University business MUST be encrypted and protected with a 6-digit (or better) passcode which must automatically engage after a short period of idle time.
The use of biometrics, e.g. Face/Touch ID or similar is acceptable.
macOS and Windows devices can have their encryption managed by Sophos - you MUST ensure your device is enrolled into this service as not only does it enable us to confirm that your device was encrypted should it be lost but also enables IT staff to unlock your device should you forget your password. On macOS devices you can check whether you are enrolled by running the application Sophos Device Encryption - if this is not present or reports that it has not been setup please contact firstname.lastname@example.org to have your device enrolled.
Do NOT record passwords/passphrases in a form that could allow them to be used by a malicious party:
- NEVER store them with the device they protect (e.g. not on a post-it note attached to the computer)
- NEVER store them in plain text files
- AVOID writing them down, if you must, keep this in a secure location (e.g. locked box/drawer) and NEVER write them down with the apprpopriate username and service address
- DO use a password manager, e.g. macOS Keychain. More advanced password managers are available, e.g. 1Password, keepass, Codebook. These protect all your various passwords behind a single (strong!) password so you only have to remember one password. You can then ensure you have unique passphrases for each service you use, limiting exposure should one account be compromised.
- ENABLE 2 Factor Authentication if a service supports it. Ideally use an application to provide this (i.e. one-time passwords in 1Password records, Google Authenticator or similar) - SMS 2FA isn't 100% secure but better than nothing.