Phishing attacks

The request was successful.

Dear Bournemouth University,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Kelly Friend

Freedom Of Information, Bournemouth University

Thank you for your enquiry.

Freedom of Information Act 2000 requests will receive a response (or request for clarification) within 20 working days.

Requests made under the Data Protection Act 1998 will receive a response within 40 calendar days following receipt by us of sufficient proof of identity, the standard fee currently £10.00 per request and sufficient information for us to locate the information requested.

If your request is for information about programmes provided by Bournemouth University, please consult our courses database at: http://courses.bournemouth.ac.uk/Courses...

Full information about access to information at Bournemouth University, including our Publication Scheme, can be obtained at: http://www.bournemouth.ac.uk/foi
Please also refer to our prevailing Schedule of Charges for access to information.
Kind regards

Information Office
Legal Services
Bournemouth University M209,
Melbury House 1-3 Oxford Road Bournemouth
BH8 3ES
Tel: +44 (0) 1202 961315
Email: [email address]

BU is a Disability Two Ticks Employer and has signed up to the Mindful Employer charter. Information about the accessibility of University buildings can be found on the BU DisabledGo webpages.

This email is intended only for the person to whom it is addressed and may contain confidential information. If you have received this email in error, please notify the sender and delete this email, which must not be copied, distributed or disclosed to any other person. Any views or opinions presented are solely those of the author and do not necessarily represent those of Bournemouth University or its subsidiary companies. Nor can any contract be formed on behalf of the University or its subsidiary companies via email.

Freedom Of Information, Bournemouth University

Dear Ms Friend

We write further to your email of 21 November 2016.

Your request has been processed by us in accordance with the Freedom of Information Act 2000 (FOIA).

Please find below our response:

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes - BU owned devices
• No - Personal devices

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.
• No, we just use single factor authentication today

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

All of the above in that we have to assume that there are many devices with at least one of the security risks mentioned. With this assumption in mind we implement, where possible, security measures to mitigate any risks.

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 30 days of notification - for all of our Servers

• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement. - due to possible compatibility issues in such a large and diverse environment we have to ensure that each update is tested to ensure no conflicts or issues which would adversely affect anyone using the device.

(We were unable to select a single answer)

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• No - We have notifications of people receiving suspected phishing emails but no disclosure of details has been made that we are aware of

If you have any questions or are dissatisfied with this response, you should contact us at [email address]. The University’s Director of Finance & Performance or his nominated alternate will review any appeal and may amend the University’s current decision. Thereafter you may refer your request to the Information Commissioner in accordance with section 50 of the FOIA.

He can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Telephone: 0303 123 1113 or 01625 545745

Website: www.ico.org.uk

There is no charge for making an appeal.

Yours sincerely

Information Office
Legal Services
Bournemouth University
Melbury House
1-3 Oxford Road
Bournemouth
DORSET BH8 8ES

Email: [email address]
Tel: 01202 961315
