Phishing Attacks

The request was successful.

Dear University of Salford,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Emily Quick

FOI, University of Salford

This is an automated email, sent in response to an email to
[1][University of Salford request email].

If your email is a request under the Freedom of Information Act 2000,
please consider this email an acknowledgement of your request.

Your request will be considered and you will receive the information
requested within the statutory timescale of 20 working days as defined by
the Act, subject to the information not being exempt or containing a
reference to a third party.

For your information, the Act defines a number of exemptions which may
prevent release of the information you have requested. There will be an
assessment and if any of the exemption categories apply then the
information will not be released. You will be informed if this is the
case, including your rights of appeal.

If the information you request contains reference to a third party then
they may be consulted prior to a decision being taken on whether or not to
release the information to you. You will be informed if this is the case.

There may a fee payable for this information. This will be considered and
you will be informed if a fee is payable. In this event the fee must be
paid before the information is processed and released. The 20 working day
time limit for responses is suspended until receipt of the payment.

If you have any queries or concerns then please contact me at the address
below, alternatively further information is also available from the
Information Commissioner at: Information Commissioner's Office, Wycliffe
House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 01625 545 700
or online: www.informationcommissioner.gov.uk .

Yours sincerely,
Matthew Stephenson

Matthew Stephenson
Head of Information Governance  |  Governance Services
3 Acton Square, University of Salford, Salford  M5 4WT
t: +44 (0) 161 295 6856

[2][email address]|  [3]www.salford.ac.uk
[4]www.infogov.salford.ac.uk/

References

Visible links
1. mailto:[University of Salford request email]
2. mailto:[email address]
3. http://www.salford.ac.uk/
4. http://www.infogov.salford.ac.uk/

FOI, University of Salford

1 Attachment

Dear Ms Quick,

Thank you for your recent request made under the Freedom of Information Act 2000.

Your request has been considered.  Please find the University’s response attached.

Yours sincerely

Matthew Stephenson FIRMS
Head of Information Governance
Legal & Governance Directorate
620 Maxwell Building, University of Salford, Salford  M5 4WT
t: +44 (0) 161 295 6856
[email address]|  www.salford.ac.uk
www.infogov.salford.ac.uk/

show quoted sections