Computers and Information Security Policy
Introduction
It is important that you protect yourself, your data and the University computer systems from attack via malware, phishing etc. For general advice and training please visit the University's InfoSec pages at https://www.infosec.ox.ac.uk/.
Further information and policies we have about these topics follow.
Operating System Version and Updates
All OxCIN computers MUST run an OS that is under current vendor support and any available updates should be installed as soon as practical (ideally within 24 hours of notification of availability). The current list of supported OSes is:
- macOS: 13.7.6, 14.7.6, 15.x
- Windows: 11 (10 goes out of support in October 2025)
- Linux: CentOS/Red Hat Enterprise 8.10, 9.6 and 10.0, Rocky Linux 8.10, 9.6 and 10.0, Ubuntu LTS 22.04, Debian 11, Debian 12
Where it is essential that you use an unsupported OS, e.g. Windows XP, 7 or 10 (MRI sequence development), these devices MUST NOT be connected to the OxCIN Centre network, e.g. for VMs you should run a host-only network setup.
If your computer runs an unsupported OS then please contact computing-help@win.ox.ac.uk for advice and help on upgrading to a supported OS.
Anti-Virus and Device Monitoring
OxCIN operates a cloud-managed Sophos anti-virus service for all Centre-owned computers. All newly purchased or newly set up machines will automatically be enrolled into this service, but some legacy devices may not be set up for it. Please read on for details on how to confirm that your Sophos install is working.
macOS devices should display a Shield + S logo in the menu bar whenever Sophos is installed and running correctly. Click on this icon to get a status message - a large green circle with white tick shows all is well. Click Open Sophos Endpoint... then click on 'About' - check that Endpoint Advanced and Sophos Intercept X are installed and that the Last update time stamp is within 24 hours of now.
Windows users should check in the Windows system tray and Sophos application for update status: https://community.sophos.com/kb/en-us/12429.
If you find your computer is not updating Sophos or you are unsure whether your device is enrolled with our central management system then please contact computing-help@oxcin.ox.ac.uk.
In addition 'posture' checking is carried out on all Centre managed computers, collecting metrics about system utilisation, software packages and security standing. This information may be used to limit access to certain services, e.g. VPN connections, to computers with acceptable OS/software versions.
Device Encryption
It is Centre policy that ALL laptops (and where practical, desktops) are at-rest encrypted using the OS provided facility (FileVault on macOS, BitLocker on Windows or LUKS on Linux).
All backup drives (e.g. Time Machine or Windows backup disks) MUST be encrypted with a strong passphrase. Please ensure you keep a copy of your backup disk passphrase in a secure location SEPARATE from the disk (ideally in a form that is available if the computer is not bootable or not available). OxCIN IT will be happy to keep a record in our encrypted key store - please do NOT email these passphrases!
All USB-pen/hard drives that contain sensitive information MUST be encrypted (either via hardware or FileVault/BitLocker).
All smart phones and tablets that are used for University business MUST be encrypted and protected with a 6-digit (or better) passcode which must automatically engage after a short period of idle time.
The use of biometrics, e.g. Face/Touch ID or similar is acceptable.
macOS and Windows devices can have their encryption managed by Sophos or an MDM solution (Orchard for macOS devices, Intune for Windows). You MUST ensure your device is enrolled into this service if it is available: it enables us to confirm that your device was encrypted should it be lost, and it also enables IT staff to unlock your device should you forget your password. If you are unsure if your device is encrypted then contact computing-help@oxcin.ox.ac.uk to have your device enrolled.
Passwords/Phrases
Do NOT record passwords/passphrases in a form that could allow them to be used by a malicious party:
- NEVER store them with the device they protect (i.e. not on a post-it note attached to the computer)
- NEVER store them in plain text files
- AVOID writing them down. If you must, keep the note in a secure location (e.g. locked box/drawer) and NEVER write them down with the appropriate username and service address
- DO use a password manager, e.g. macOS Passwords. More advanced password managers are available, e.g. 1Password, KeePass, Bitwarden, Codebook. These protect all your various passwords behind a single (strong!) password so you only have to remember one password. You can then ensure you have unique passphrases for each service you use, limiting exposure should one account be compromised. Use biometrics to unlock your password manager, where possible. Password manager passwords MUST abide by University of Oxford passphrase rules.
- ALWAYS enable Multi-Factor Authentication (MFA) if a service supports it. Ideally use an application to provide this (i.e. one-time passwords in 1Password records, Google Authenticator or similar).
- Consider using Passkeys where offered.
- NEVER use SMS MFA where other options are available.
- Consider using a hardware MFA token, e.g. YubiKey or Passkey (mobile phone + biometrics or Apple Passwords/1Password/Microsoft Authenticator etc).