IT Code of Connection

This code applies to all systems and devices connecting to University networks, or accessing University of Sheffield services or data.

Version and ownership
Version | Date | Author(s) | Comments
1.0 | 13/11/2019 | Tom Griffin | Creation
2.0 | 23/05/2023 | Matthew Doxey | Major review
2.1 | 12/06/2024 | David Afflick and Matthew Doxey | Review
2.1 | 24/06/2024 | Tom Griffin | Approved
3.0 | 17/09/2025 | Matthew Doxey | Restructure and additional content
3.0 | 19/09/2025 | Tom Griffin (CISO) | Approved

Classification - Internal


If you have any questions, or require advice on configuring and securing your system, contact IT help and support.

If you are unable to comply with any of the controls listed in the Code of Connection, contact Information Security to discuss and agree a solution.


Code of Connection

Control | Statement | Endpoints | Mobiles | Servers | Applications and Cloud Systems
Governance | You must comply with the University's IT Code of Practice and any other policies and procedures that are relevant to you. | Y | Y | Y | Y
Asset Management | IT asset management records must be kept up to date for any hardware or software used. | Y | Y | Y | Y
 | Network registration details must be kept up to date (including ownership of an asset). If you fail to keep records up to date, systems may be disconnected from the network. | Y | Y | Y | 
Access Control | Only necessary accounts must be enabled. Any unused, guest or system accounts must be disabled or have default credentials changed. | Y | Y | Y | Y
 | Privileged accounts must be separated from user accounts, and you should never log in to or unlock devices with privileged accounts. | Y |  | Y | Y
 | Multi-factor authentication (MFA) must be applied to all accounts. |  |  |  | 
 | All accounts must be protected with strong passwords (as outlined in the Authentication control below). | Y | Y | Y | Y
Authentication | Passwords must have the following characteristics: minimum of 10 characters; at least 1 alphabetic letter; at least 1 numeric digit; at least 1 special character. | Y |  | Y | Y
 | Mobiles must be locked with one of the following: a minimum 6 digit PIN code; biometrics; a pattern. |  | Y |  | 
Encryption | All systems must implement the encryption requirements detailed in the cryptography policy and standard (Student hub access required), including encrypting data both at rest (eg BitLocker, FileVault) and in transit (eg TLS). | Y | Y | Y | Y
 | Systems communicating sensitive information must only do so over secure protocols such as SSH/HTTPS. Unused/insecure network services must be disabled. | Y | Y | Y | Y
Brute Force Protection | The number of failed logins within a given timeframe must be limited to prevent brute force attacks. Baseline requirement: no more than 5 failed login attempts in 1 minute, otherwise the account is locked or logins are limited for 10 minutes. | Y |  | Y | Y
Firewall | All systems must have a firewall installed, enabled and configured appropriately. | Y |  | Y | 
Vulnerability Management | Software and operating system patches that remediate Critical and High (CVSS 7 or above) vulnerabilities must be applied within 14 days of release. Unpatched systems that present a security threat will be suspended from the University network. | Y | Y | Y | 
 | Software that is no longer supported by the manufacturer must not be used. | Y | Y | Y | Y
Software | The use of all software must be approved by IT Services. Use cases are submitted via the InfoRisk system. | Y | Y | Y | Y
Antivirus Software | Antivirus software, or equivalent security tooling, must be installed, enabled, updated and configured appropriately. | Y | Y | Y | 
Unused Software & Features | Unused software, services and features must be disabled. | Y | Y | Y | Y
 | Auto-Run or Auto-Play features must be disabled. | Y | Y | Y | 
Security Testing | You must not carry out any unauthorised security tests (eg vulnerability testing of other people's systems). IT Services tests the security of systems connected to the University network. You can request a security test of your system or application by contacting Information Security (info-security@sheffield.ac.uk). | Y | Y | Y | Y
Network Management & Security | You must not extend the University network without authorisation (for example by using a wireless access point). | Y | Y | Y | 
 | You should connect to the University VPN when working on sensitive data, projects and systems while off campus. | Y | Y | Y | 
 | The use of any VPN services not approved by IT Services is not permitted. | Y | Y | Y | 
Security Incidents | You must report all security incidents to IT Services in accordance with the University's information security incident policy. | Y | Y | Y | Y
System Security | Systems must be secured/hardened in accordance with vendor-supplied and/or industry good practice guides. | Y | Y | Y | Y
 | Mobiles used to access University services must not be 'jailbroken' or allow apps root access to the operating system. |  | Y |  | 
Physical Media | Physical media, such as USB sticks and external hard drives, should only be used when absolutely necessary. All such media must have been checked for malware by a member of IT staff before use. | Y | Y | Y | 
Secure Development | Ensure that the system has been developed in accordance with recognised good security practice, such as the OWASP Top 10. |  |  | Y | Y
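The Authentication and Brute Force Protection controls above are the two that an application owner typically has to implement in code rather than configure. The following Python is an added example written for this page; it is not part of the University's Code of Connection or any University system. It checks the password characteristics listed under Authentication and applies the brute-force baseline as a sliding-window lockout. Two assumptions are made where the code leaves room: a "special character" is taken to mean any character that is not a letter, digit or whitespace, and "no more than 5 failed login attempts in 1 minute" is read as allowing 5 failures with the 6th within the window triggering a 10 minute lock. Timestamps are passed in explicitly so the behaviour can be exercised without waiting on the clock.

```python
from collections import defaultdict, deque

# Password characteristics from the Authentication control.
MIN_LENGTH = 10


def password_meets_policy(password: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means the password complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no alphabetic letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric digit")
    # Assumption: a special character is anything that is not a letter, digit or whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        failures.append("no special character")
    return failures


class LoginThrottle:
    """Sliding-window lockout implementing the brute-force baseline.

    More than `max_failures` failed logins within `window` seconds locks the
    account for `lockout` seconds. Defaults are the page's baseline: 5 failures
    in 60 seconds, 600 second lock.
    """

    def __init__(self, max_failures: int = 5, window: int = 60, lockout: int = 600):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        """True while the account is inside its lockout period; clears an expired lock."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed login. Returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            # Do not extend the lock for attempts made while locked.
            return True
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that fell outside the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) > self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure history."""
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, credentials_valid: bool, now: float) -> str:
    """Gate a login attempt: 'locked', 'ok' or 'failed'.

    The lock is checked before credentials are evaluated, so a locked account
    gives no signal about whether the supplied password was correct.
    """
    if throttle.is_locked(account, now):
        return "locked"
    if credentials_valid:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "failed"


if __name__ == "__main__":
    print(password_meets_policy("Correct-Horse9"))   # compliant
    print(password_meets_policy("abcdefghij"))       # missing digit and special character
    t = LoginThrottle()
    results = [attempt_login(t, "alice", False, 100 + i) for i in range(7)]
    print(results)  # five 'failed', a sixth 'failed' that locks, then 'locked'
```

Per-account lockout satisfies the baseline but also lets anyone who knows a username lock that user out; in practice it is paired with per-source-IP rate limiting and an alert on repeated lockouts so that an attack is noticed rather than silently absorbed.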

Supporting policies and guidance