Operational Guidelines
Only use your logon when using the SDN during normal operations. You must not use another person’s logon.
The SDN data typically has a low intrinsic value but the data is classed as confidential as it could be used in ways we cannot predict.
Data may be passed to an entity for diagnostic purposes only, and only if it is encrypted first. The entity must also sign a confidentiality agreement regardless of other contracts. The agreement is included within this document for easy reference and printing. When you have a completed form, please send it to the BMS system manager or, if it is Security department sponsored, to the Security Systems administrator.
Find out where the local OPC servers are and the access arrangements as you may have to use them in the event of a network failure.
During a network failure it is permitted to log on to the local OPC server for your area with a local account, although the interface will look different. Know how to log on and access the data in the event of such an occurrence.
Connections to the academic network should not be made from SDN machines. This bypasses many of the security features.
Finally, if you notice anything unusual, notify your line manager - don’t assume that someone else is dealing with it.
1. What are the entities covered by this agreement?
Entities are not members of the University or one of its subsidiaries. They may be under contract to the University as part of a project, consultation or support contract. They could include the following:
- Hardware and/or software maintenance and back room or 1st line support staff.
- Outsourced support or maintenance services.
They can be located on-site for a period of time as defined within their contract, or based off site and rarely visiting the University.
The Contractor undertakes:
- To treat as confidential all information which may be derived from or be obtained in the course of the contract or which may come into the possession of the contractor or an employee, servant or agent or sub-contractor of the contractor as a result or in connection with the contract; and
- To provide all necessary precautions to ensure that all such information is treated as confidential by the contractor, his employees, servants, agents or sub-contractors; and
- To ensure that he, his employees, servants, agents and sub-contractors are aware of the provisions of the confidentiality agreement and that any information obtained from the University of Bristol shall not be disclosed or used in any detrimental manner; and
- To indemnify the University of Bristol against any loss arising under this confidentiality agreement caused by any action, authorised or unauthorised, taken by himself, his employees, servants, agents or sub-contractors.
All employees, servants, agents and/or sub-contractors of the Contractor will be required to agree to and sign a confidentiality statement when they come to any of the University of Bristol sites where they may see or have access to confidential SDN Data.
2. Code of Practice regarding the Secure Data Network Data
1. The following Code of Practice applies where access is obtained to Secure Data Network data, for the purpose of preventative maintenance, fault diagnosis, hardware or software testing, repair, upgrade, replacement or any other related activity to devices connected to the Secure Data Network.
2. The access referred to in paragraph 1 above may include:-
- Access to data/information on University or NHS premises
- Access to data/information from a remote site
- Examination, testing and repair of media (e.g. fixed disc assemblies)
- Examination of software dumps
- Processing using University or NHS organisations data/information
3. The Supplier must certify that his organisation complies with the confidentiality agreement and is legally entitled to undertake the work proposed.
4. The Supplier must undertake not to transfer SDN data/information out of the European Economic Area unless such a transfer has been approved by the University of Bristol.
5. The work shall be done only by authorised employees, servants, or agents of the contractor (except as provided in paragraph 12 below) who are aware of the requirements of the Data Protection Act 1998 and of their personal responsibilities under the Act to maintain the security of the University of Bristol information.
6. While the data/information is in the custody of the contractor it shall be kept by appropriately secure means.
7. Any data/information sent from one place to another by or for the contractor shall be sent by secure means and encrypted. These places should be within the supplier’s own organisation or an approved sub-contractor.
8. Data/Information from the SDN of the University of Bristol must only be transferred electronically if previously agreed by the University. This will also apply to any direct-dial access to a computer or other system supported by the supplier or their agent.
9. The data/information must not be copied for any other purpose than that agreed by the supplier and the University.
10. Where information is recorded in any intelligible form, it shall either be returned to the University of Bristol on completion of the work or disposed of by secure means and a certificate of secure disposal shall be issued to the University.
11. Where the contractor sub-contracts any work for the purposes in paragraph 1 above, the contractor shall require the sub-contractor to observe the standards set out in 3-11 above.
12. The University of Bristol shall, wherever practical, arrange for the equipment or software to be maintained, repaired or tested using dummy data that does not include the disclosure of any information. Final witness testing, however, is expected to be carried out on live data.
13. The University of Bristol reserves the right to audit the supplier’s contractual responsibilities or to have those audits carried out by a third party.
14. The University of Bristol will expect an escalation process for resolving problems relating to any breaches of security and/or confidentiality of information by the supplier’s employees and/or any agents and/or sub-contractors.
15. Any security breaches made by the supplier’s employees, agents or sub-contractors will immediately be reported to the University of Bristol’s Information Security Manager.
Certification form:
Name of Entity:______
Address of Entity:______
Telephone number:______
E-mail details:______
On behalf of the above organisation I certify as follows:
- The organisation is legally entitled to undertake the work agreed in the contract agreed with the University which requires the handling of SDN Data/Information.
- The organisation will abide by the requirements set out above for handling any of the University of Bristol information disclosed to my organisation during the performance of such contracts.
Name of Individual:______
Position in organisation:______
Agreement outlining personal responsibility concerning security and confidentiality of SDN information
During the course of your interactions with the University of Bristol, you may acquire or have access to confidential information which must not be disclosed to any other person unless in pursuit of your duties as detailed in the contract between the University of Bristol and your employer. This condition applies during your interactions with the University of Bristol and after that ceases.
Confidential information includes all information relating to the business of the University of Bristol and its students and employees.
The SDN data has been classified as confidential by the University of Bristol. If you are found to have used any information you have seen, heard, given or sent whilst interacting with the University of Bristol, you and your employer may face legal action.
I understand that I am bound by a duty of confidentiality and agree to adhere to the conditions within the Contract between the University of Bristol and my personal responsibilities to comply with the requirements of this confidentiality agreement.
Confidentiality agreement for Entities handling SDN Data
Dated Sept 2014 Version 8.0