skip to primary navigationskip to content

Privacy Policy for the Managed Endpoint Protection Service

1. Managed Endpoint Protection Service: Description and Features

This policy applies to all traffic carried between any network in the University of Cambridge (including the wider Collegiate University) and the internet, irrespective of whether it originates from, or is being delivered to, an institutional or personal device (provided that device is using the managed service).

The University Information Services (UIS) offers a Managed Endpoint Protection Service that provides access to an instance of ePolicy Orchestrator (ePO). This can be used to deploy and manage McAfee Security Software. ePO can be delivered either as an 'off the shelf' service, or can be configured to the specific needs of a Department/Institution, and is part of the University's cybersecurity infrastructure.

UIS manages the default settings of ePO, ensuring that policy implementation remains consistent; when a Department/Institution takes on this responsibility, it is delegated to the appropriate local IT officers, who retain responsibility for ensuring security is protected at all times. 

The security software, by blocking malware, logs details of that malware and associated processes and traffic. Some of this information may include personal data within the meaning of the Data Protection Act (1998) and the EU General Data Protection Regulation.

1.1 What is logged?

Details of malware, associated processes, and traffic will include IP addresses, DNS name, mac address, application port numbers, time stamps, data volumes, names of documents, files, attachments, web addresses, and CRSid(s) of the relevant user(s)

1.2 Who has access to the logs?

Designated Department/Institution IT staff members have access to ePO's reports for their own Department/Institution only. These data are inspected regularly by the designated Department/Institution IT staff for the purposes of analysing usage and detecting patterns and security threats. If the data suggest a potential threat, they may be reported to the designated UIS staff for further investigation.

The Endpoint Protection Service Manager and other designated UIS operational staff members have access to ePO's reports for all Departments/Institutions that use the service.

The Endpoint Protection Service Manager inspects these data regularly, on a random 'spot-check' basis, for the purposes of analysing usage, detecting patterns and security threats. If the data suggest a threat or potential threat, the Service Manager and/or other designated UIS staff members will investigate further, liaising with the designated Department/Institution IT staff as necessary.

The data may also be used for responding to and resolving security threats, and for reporting purposes to UIS management, the Information Services Committee and Senior Officers of the University, as well as external agencies if compelled to do so by law.

1.3 How long are logs kept?

The data is held for a maximum of 24 months from the date of the activity (e.g. current calendar year to date plus all of the previous calendar year). This retention period has been set to enable detection trends to be analysed in a way that is useful for the business. Only data from the previous January will be held for 24 months; Data from the previous December will be held for only 13 months.

The only personal data held is the ID of the user logged on at time of detection; often this is a generic ID, rather than the CRSid of an individual user.

This retention period will be reviewed annually.

In some circumstances, certain data that form part of a security threat, or suspected security threat, may be stored for a longer/indefinite period, and analysed as part of responding to and resolving security threats. These can include supplementary information depending upon the threat, such as URLs.

 

November 2017