IT Code of Connection
This code applies to all systems and devices connecting to University networks, or accessing University of Sheffield services or data.
Version and ownership

Version | Date | Author(s) | Comments |
---|---|---|---|
1.0 | 13/11/2019 | Tom Griffin | Creation |
2.0 | 23/05/2023 | Matthew Doxey | Major review |
2.1 | 12/06/2024 | David Afflick and Matthew Doxey | Review |
2.1 | 24/06/2024 | Tom Griffin | Approved |

Classification - Internal
If you have any questions, or require advice on configuring and securing your system, contact IT help and support.
If you are unable to comply with any of the controls listed in the code of connection, you should contact Information Security to discuss and agree a solution.
Control | Statement | Applies to Endpoint | Applies to Servers | Applies to Applications |
---|---|---|---|---|
Governance | You must comply with the University’s IT Code of Practice and any other policies and procedures that are relevant to you. | Yes | Yes | Yes |
Asset management | IT asset management records must be kept up to date for any hardware or software used. Network registration details must be kept up to date (including ownership of an asset) - if you fail to keep records up to date then systems may be disconnected from the network. | Yes | Yes | Yes |
Accounts | Only necessary accounts must be enabled; unused accounts and any guest accounts must be disabled. Privileged accounts must not be used for non-administrative activities or to unlock devices. Where systems or hardware have accounts with default usernames and passwords, these must be changed. All accounts must be protected with strong passwords as outlined in the password requirements below. | Yes | Yes | Yes |
Password requirements | Non-centrally authenticated devices and systems (for example, where the username and password are separate from the primary University credentials): Mobile devices: | Yes | Yes | Yes |
Encryption | All systems must implement the encryption requirements detailed in the cryptography policy and standard (student or staff login required), including encrypting data both at rest (such as BitLocker, FileVault) and in transit (such as TLS). | Yes | Yes | Yes |
Brute Force Protection | Any configuration options available on devices and systems to limit the number of failed logins within a given timeframe should be enabled, to prevent brute force attacks. Baseline requirements: | Yes | Yes | Yes |
Firewall | All systems must have a firewall installed, enabled and configured appropriately. | Yes | Yes | No |
Software patching | Security patches must be applied promptly as outlined in the vulnerability management policy (staff login required). Unpatched systems that present a security threat will be suspended from the University network. Unsupported software must not be used. | Yes | Yes | Yes |
Software licences | All software must be licensed and used in accordance with the publisher’s recommendations. | Yes | Yes | Yes |
Antivirus software | Antivirus software, or equivalent security tooling, must be installed, enabled, updated and configured appropriately. | Yes | Yes | No |
Unused software and features | Unused software, services and features must be disabled. Auto-Run or Auto-Play features should be disabled. | Yes | Yes | No |
Security testing | You must not carry out any unauthorised security tests (such as vulnerability testing of other people's systems). IT Services tests the security of systems connected to the University network. You can request a security test of your system or application by contacting Information Security. | Yes | Yes | Yes |
Network management | You must not extend the University network (for example by using a wireless access point) without authorisation. | Yes | No | No |
Security incidents | You must report all security incidents to IT Services in accordance with the University’s information security incident policy. | Yes | Yes | Yes |
System security | Systems must be secured/hardened in accordance with vendor supplied and/or industry good practice guides. Systems communicating sensitive information must only do so over secure protocols such as SSH/HTTPS. Unused/insecure network services must be disabled. | No | Yes | Yes |
Secure development | If providing a service or application (such as a web application) then you must ensure that the system has been developed in accordance with recognised good security practice, such as OWASP Top 10. | No | No | Yes |
Supporting policies and guidance
- IT Code of Practice
- Information Security policies (student or staff login required)
- Authentication policy (staff login required)
- Firewall policy (student or staff login required)
- Vulnerability Management policy (staff login required)
- Cryptography policy (student or staff login required)
- Information Security Incident policy