IT Code of Connection
This code applies to all systems and devices connecting to University networks, or accessing University of Sheffield services or data.
Version and ownership

Version | Date | Author(s) | Comments
---|---|---|---
1.0 | 13/11/2019 | Tom Griffin | Creation
2.0 | 23/05/2023 | Matthew Doxey | Major review
2.1 | 12/06/2024 | David Afflick and Matthew Doxey | Review
2.1 | 24/06/2024 | Tom Griffin | Approved
3.0 | 17/09/2025 | Matthew Doxey | Restructure and additional content
3.0 | 19/09/2025 | Tom Griffin (CISO) | Approved

Classification: Internal
If you have any questions, or require advice on configuring and securing your system, contact IT help and support.
If you are unable to comply with any of the controls listed in the code of connection, you should contact Information Security to discuss and agree a solution.
Code of Connection
Control | Statement | Endpoints | Mobiles | Servers | Applications and Cloud Systems
---|---|---|---|---|---
Governance | You must comply with the University’s IT Code of Practice and any other policies and procedures that are relevant to you. | Y | Y | Y | Y
Asset Management | IT asset management records must be kept up to date for any hardware or software used. | Y | Y | Y | Y
Asset Management | Network registration details must be kept up to date (including ownership of an asset). If you fail to keep records up to date then systems may be disconnected from the network. | Y | Y | Y |
Access Control | Only necessary accounts must be enabled. Any unused, guest or system accounts must be disabled or have default credentials changed. | Y | Y | Y | Y
Access Control | Privileged accounts must be separated from user accounts, and you should never log in or unlock devices with privileged accounts. | Y | Y | Y |
Access Control | Multi Factor Authentication (MFA) must be applied to all accounts. | | | |
Access Control | All accounts must be protected with strong passwords (as outlined in the section below). | Y | Y | Y | Y
Authentication | Passwords must have the following characteristics: | Y | Y | Y |
Authentication | Mobiles must be locked with one of the following: | | Y | |
Encryption | All systems must implement the encryption requirements detailed in the cryptography policy and standard (Student hub access required), including encrypting data both at rest (eg Bitlocker, Filevault) and in transit (eg TLS). | Y | Y | Y | Y
Encryption | Systems communicating sensitive information must only do so over secure protocols such as SSH/HTTPS. Unused/insecure network services must be disabled. | Y | Y | Y | Y
Brute Force Protection | The number of failed logins within a given timeframe must be limited to prevent brute force attacks. Baseline requirements: No more than 5 failed login attempts in 1 minute or the account is locked/logins limited for 10 minutes. | Y | Y | Y |
Firewall | All systems must have a firewall installed, enabled and configured appropriately. | Y | Y | |
Vulnerability Management | Software and operating system patches that remediate Critical and High (CVSS 7 or above) vulnerabilities must be applied within 14 days of release. Unpatched systems that present a security threat will be suspended from the University network. | Y | Y | Y | Y
Vulnerability Management | Software that is no longer supported by the manufacturer must not be used. | Y | Y | Y | Y
Software | The use of all software must be approved by IT Services. Use cases are submitted via the InfoRisk system. | Y | Y | Y | Y
Antivirus Software | Antivirus software, or equivalent security tooling, must be installed, enabled, updated and configured appropriately. | Y | Y | Y |
Unused Software & Features | Unused software, services and features must be disabled. | Y | Y | Y | Y
Unused Software & Features | Auto-Run or Auto-Play features must be disabled. | Y | Y | Y |
Security Testing | You must not carry out any unauthorised security tests (eg vulnerability testing of other people's systems). IT Services tests the security of systems connected to the University network. You can request a security test of your system or application by contacting Information Security (info-security@sheffield.ac.uk). | Y | Y | Y | Y
Network Management & Security | You must not extend the University network without authorisation (for example by using a wireless access point). | Y | Y | Y |
Network Management & Security | You should connect to the University VPN when working on sensitive data, projects & systems when working off campus. | Y | Y | Y |
Network Management & Security | The use of any VPN services not approved by IT Services is not permitted. | Y | Y | Y |
Security Incidents | You must report all security incidents to IT Services in accordance with the University’s information security incident policy. | Y | Y | Y | Y
System Security | Systems must be secured/hardened in accordance with vendor supplied and/or industry good practice guides. | Y | Y | Y | Y
System Security | Mobiles used to access University services must not be ‘Jailbroken’ or allow apps root access to the operating system. | | Y | |
Physical Media | Physical media, such as USB sticks and external hard drives, should only be used when absolutely necessary. All such media must have been checked for malware by a member of IT staff before use. | Y | Y | Y |
Secure Development | Ensure that the system has been developed in accordance with recognised good security practice, such as OWASP Top 10. | Y | Y | |
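The Brute Force Protection baseline in the table (no more than 5 failed logins in 1 minute, otherwise the account is locked for 10 minutes) is simple to state but is often implemented as a plain counter that never expires, which either locks users out for stale failures or never locks at all. The following Python sliding-window limiter is an added illustration of the baseline and is not the University's or IT Services' own tooling; the class names, the `replay` helper and the sample event list are constructed for this example. It keeps a per-account window of recent failure timestamps, locks on the fifth failure inside the window so that a sixth cannot occur within the minute, and refuses a correct password while the lock is in force.

```python
from collections import deque
from dataclasses import dataclass, field

# Baseline from the Code of Connection: at most 5 failed logins per 1-minute
# window, otherwise the account is locked for 10 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 600


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of failures still inside the window
    locked_until: float = 0.0                       # epoch seconds; 0 means not locked


class LoginLimiter:
    """Sliding-window lockout tracker (example code, hypothetical names).
    Time is passed in explicitly so behaviour is deterministic and testable."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._accounts: dict[str, AccountState] = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        return self._state(user).locked_until > now

    def record_failure(self, user, now):
        """Register a failed login at time `now`. Returns True when the account
        is (or has just become) locked, False when the attempt is merely counted."""
        st = self._state(user)
        if st.locked_until > now:
            return True
        # Expire failures that have aged out of the one-minute window.
        while st.failures and now - st.failures[0] >= self.window:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.max_failures:
            # Lock on the 5th failure so a 6th cannot happen inside the window.
            st.locked_until = now + self.lockout
            st.failures.clear()
            return True
        return False

    def record_success(self, user, now):
        """Returns True if the login may proceed. A success on an unlocked
        account resets the failure window; a locked account is refused even
        with the correct password, which is the point of a lockout."""
        st = self._state(user)
        if st.locked_until > now:
            return False
        st.failures.clear()
        return True


def replay(events, limiter=None):
    """Apply a sequence of (timestamp, user, success) auth events and return
    one decision per event: 'allowed', 'counted' or 'locked'."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for ts, user, ok in events:
        if ok:
            decisions.append("allowed" if limiter.record_success(user, ts) else "locked")
        else:
            decisions.append("locked" if limiter.record_failure(user, ts) else "counted")
    return decisions


# Constructed sample events (not real log data): "alice" fails five times in
# ten seconds, then presents the right password during and after the lock;
# "bob" fails five times too, but never five times inside a single minute.
SAMPLE_EVENTS = [
    (1000, "alice", False), (1002, "alice", False), (1004, "alice", False),
    (1006, "alice", False), (1008, "alice", False),
    (1020, "alice", True),   # correct password, but inside the 10-minute lock
    (1700, "alice", True),   # lock expired at 1008 + 600 = 1608
    (1000, "bob", False), (1030, "bob", False), (1059, "bob", False),
    (1061, "bob", False), (1090, "bob", False),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

Two design points matter for a real deployment: the window is per account rather than per source address, because distributed attempts against one account are the case the control is written for, and the limiter refuses even a correct password during the lock, since a lockout that still lets the right guess through is no lockout at all. The same structure applies to an application login form, a server's SSH policy or an identity provider's lockout setting; only the thresholds are taken from the baseline above.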
Supporting policies and guidance
- IT Code of Practice
- Information Security policies (student or staff login required)
- Bring Your Own Device (BYOD) policy (student or staff login required)
- Authentication policy (staff login required)
- Firewall policy (student or staff login required)
- Vulnerability Management policy (staff login required)
- Cryptography policy (student or staff login required)
- Information Security Incident policy