1. Incident Report [Security Regulation, art.9]

Users of the Universitat de València’s information systems who are aware of an incident are responsible for reporting by creating a ticket in the management tool https://solicitudes.uv.es.

An incident shall be any event that, in the user’s judgement, may put the information system at risk. Incidents include, but are not limited to, account lockout, loss of information, loss of password, suspicious behaviour and viruses.

The knowledge and non-notification of an incident by information system user is considered to be a breach of security by said person.

  1. Password policy

The passwords of the user accounts provided by the Universitat de València are personal and non-transferable, and are for the exclusive use of their owner. [Use of ICT resources, art.10.1]

Each user is responsible for confidentiality of their password. In the event that it becomes known accidentally or fraudulently by unauthorised persons, the user must change it, either through the account management service, or by immediately communicating it to the user support for computer incidents of the Universitat de València. [Use of ICT resources, art.10.2]

Users must change the password of their accounts with the frequency established by the security policy of the Universitat de València. Passwords must be created in accordance with the security standards, which are published in the corresponding guides, in order to prevent them from becoming easily known. [Use of ICT resources, art.11]

Personal user IDs and passwords must be protected and not disclosed to anyone. Passwords must not be stored in readable files, macros, computers without access control or in any form or place where they can be accessed by unauthorised third parties. [Security Regulations, art.4.9]

User and password details must never be given to third parties, even if they are staff of the Universitat. [Security Regulations, art.4.10]

  1. Workplaces control

Access to computers and equipment linked to the workplace must be carried out with the assigned username and password. [Security Regulations, art.4.5]

In the event of absence from the workplace during office hours, the computer must be locked, which in any case shall occur automatically after 15 minutes of inactivity. [Security Regulations, art.4.6]

The design of the workplace shall ensure that the screen is not easily accessible or readable by unauthorised third parties. [Security Regulations, art.4.7]

  1. Clear desks and printers’ policy

Documents with protected information must not be left unattended in the workplace or on the printer, fax or similar devices. [Security Regulations. art.5.1]

The printing or photocopying of documents should be limited to those that are strictly necessary and preferably double-sided. Rejected documents, including erroneous photocopies, cannot be reused when they contain personal data or confidential or restricted information, and must be destroyed immediately. [Security Regulations. art.5.2]

When leaving the workplace (breaks, lunchtime or end of working day), the user shall leave their desk completely free of documentation, using the drawers, filing cabinets, cupboards, etc. for this purpose.

Before leaving common rooms or allowing any outsider to enter, the blackboards in meeting rooms or offices shall be properly cleaned, making sure that no sensitive information or information that could be reused is left. [Security Regulations, art.5.5]

  1. Safekeeping of keys and closing of doors and cupboards

The user of the information systems of the Universitat de València must keep the keys to access offices, drawers, cupboards and any other element containing non-automated files with personal data in proper custody. These must be locked when the user is temporarily absent from this location, in order to prevent unauthorised access.

  1. Public information service

The user of the information systems, when dealing directly with the public, shall not have any information about another customer/user within their reach.

  1. Information storage

The use of removable information supports (USB storage devices, flash drives, etc.) with confidential or restricted data of the Universitat de València is expressly forbidden without the authorisation of the person in charge of the Management Unit. The use of corporate disk spaces is recommended as a suitable procedure for these purposes. Any information stored on removable information supports must be used exclusively for work purposes, and the information must be eliminated or stored in the places designated for this purpose. [Security Regulations, art.6.1]

With regard to non-automated files, storage shall be carried out in places that allow locking or mechanisms that prevent them from being opened, especially at the end of the working day.

  1. Creation of files and temporary files

Users of the Universitat de València's information systems are not authorised to create new files outside the existing ones. When, in the performance of their functions, they need to create a new file containing personal data, they must inform the security officer beforehand in order to authorise the creation and establish the rules applicable to its implementation.

The storage of copies of personal data from files in temporary archives must be avoided.

Temporary files are those in which personal data are stored, generated for the fulfilment of a specific need, as long as their existence does not exceed one month.

In the event that it is necessary to make these temporary copies, the data security officer must be informed beforehand in order to authorise their creation and establish the rules applicable to their implementation.

Temporary files must be deleted once they are no longer necessary for the purposes for which they were created, and while they are still in force, they must be stored in the folder provided for this purpose by the system administrators. If, after one month has elapsed, the user detects the need to continue using the information stored in the file, they must notify the security officer.

  1. Destruction of devices or storage medium containing protected information

The destruction of any type of automated support (CD, DVD, hard disk, USB memory, etc.) or manual (paper, video tapes, etc.) shall be carried out in such a way that the data they contain cannot be recovered and if necessary through the established procedures. [Security Regulations, art.5.6]

  1. Remote access to systems

Remote access (from outside the Universitat's network) to the information systems must be carried out via a secure connection. The user will apply to the equipment used the security rules contained in this section (see Security Regulations) for equipment located in Universitat de València sites. [Security Regulations,art.4.13]

When a secure connection (HTTPS or similar) cannot be guaranteed for access to the information systems, communication must be carried out through the VPN connection of the Universitat of València (vpn.uv.es).

  1. Duty of confidentiality

The information contained in the Universitat de València's Information Systems is its exclusive property; therefore, users must abstain from communicating, divulging, distributing or making this information known or accessible to third parties (external or unauthorised internal), except with the express authorisation of the Information Security Management and Coordination Committee. [Security Regulations, art.10.1]

All users (of the Universitat de València or third party organisations) who, by virtue of their professional activity, may have access to personal data, are obliged to keep this data secret and to apply the security measures foreseen in the security document. This duty will be maintained indefinitely, even beyond the employment or professional relationship with the Universitat de València.[Security Regulations, art.10.2]

Access and search of personal data will be strictly necessary for the performance of such functions.

  1. Responsability

All the users of the information systems under the scope of the National Security Framework at the Universitat de València are obliged to comply with the Information Security Regulations in the use of electronic media of the Universitat de València. Non-compliance will lead to responsibility that will be conducted in accordance with the procedure established for each case. [Security Regulations, art.15]

Failure to comply with the indications listed in this document by users of the information system of the Universitat de València may lead to the corresponding disciplinary measures. [Statutes of the Universitat de València, art.203,204], [Act 10/2010, of 9th July, on the organisation and management of the Valencian Public Service,art 138,139,140,141,142,143 i 144], [Law of the Basic Statute of the Public Employee, art.93,94,95 i 96].