Accessing UK Data Service

[jemrobinson]

The UK Data Service have some requirements about access to "Special Licence" data which we would like to meet. These are listed here and summarised below:

• [ ] I have checked that the data owners of the Special Licence data that I use on my project have agreed to Special Licence data being temporarily accessed from home.
• [ ] I will only access Special Licence data, where data owners have agreed (https://www.ukdataservice.ac.uk/covid-19/special-licence-data-covid-19-update), via my institutional PC, where my data is stored, under the terms and conditions of the Special Licence User Declaration. Under no circumstances will I store data locally onto my home device, whilst I am working at home.
• [ ] I understand that use of Special Licence data from home from data owners not listed at https://www.ukdataservice.ac.uk/covid-19/special-licence-data-covid-19-update will constitute a breach of the existing licence previously agreed. I understand that any breaches may incur the penalties listed under this existing agreement.
• [ ] I am signed up to an institutionally approved VPN.
• [ ] I will only connect to my institutional workstation using my institutionally-approved VPN.
• [ ] I confirm that the current Operating Systems of both my organisational/institutional machine and local home PC/laptop have all recommended security updates applied. Please keep proof of these using a screen capture of the computer updates.
• [ ] I confirm that the current Operating Systems of both my organisational/institutional machine and local home PC/laptop have anti-virus software installed and updated. Please keep proof of these using a screen capture of the anti-virus computer status.
• [ ] While I am remotely connected to my institutional workstation and working on Special Licence data, I will not access anything else on the internet and will close down all other windows and applications.
• [ ] I can confirm that I have completed an information security awareness training course (e.g. an online institutional course/module such as Information Security Essentials through Moodle or Blackboard), within the past 12 months. These are usually required to be taken and passed once a year by your institution. Please keep a record.
• [ ] I will ensure that my home screen is not being overlooked by other people in my household.
• [ ] I will comply with other key data security requirements set out in the Microdata Handling and Security Guide to Good Practice (https://ukdataservice.ac.uk/media/604725/cd171-microdatahandling.pdf).
• [ ] I understand that this is a temporary service offered by the UK Data Service and agree I will stop accessing special licence data via VPN immediately upon cessation of this service by the UK Data Service.

[thobson88]

I confirm that the current Operating Systems of both my organisational/institutional machine and local home PC/laptop have all recommended security updates applied. I confirm that the current Operating Systems of both my organisational/institutional machine and local home PC/laptop have anti-virus software installed and updated.

@sysdan Could I ask a couple of specific questions about the Chromebooks used for remote log in via the Tier 3 VPN (as per #542):

• do they get OS updates?
• do they have anti-virus installed and, if so, does it get updates?

[sysdan]

@thobson88

do they get OS updates?

Yes, the do and it is enforced centrally. The also do daily checks for new updates

do they have anti-virus installed and, if so, does it get updates?

No anti-virus is installed.

[thobson88]

No anti-virus is installed.

@sysdan Thanks. As this appears to be the only sticking point for accessing the UKDS data, I'd like to find out about the feasibility of installing anti-virus on a Turing Chromebook.

For instance, this Bitdefender Android app is available from the google Play store, which means it could (I think) be installed on a Chromebook.

On a technical level, could this installation be done remotely by one of the IT team? (and with automatic updates?)

[getcarter21]

To be clear when you use the Turing Global Protect VPN it also has a AV module and Threat Protection running on the Palo Alto Firewall https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention.html https://www.paloaltonetworks.com/products/secure-the-network/wildfire

Auto Updates are active on the Palo Firewall

[thobson88]

Thanks @getcarter21. To clarify, we're aware that the model for Chromebook access via the VPN is secure and makes installing anti-virus on the machine redundant, but the terms of the UKDS service require that we check a box with the following text:

I confirm that the current Operating Systems of both my organisational/institutional machine and local home PC/laptop have anti-virus software installed and updated. Please keep proof of these using a screen capture of the anti-virus computer status.

We're just looking for a way to be able to justifiably tick this box. Are you saying we can do that? (ideally including an anti-virus screenshot)

[getcarter21]

Hi @thobson88 we may be able to get the Sophos client/app on a Chromebook. We need to test and let you know.

[thobson88]

@getcarter21 that sounds like a great solution (if it works!).

I know that @fedenanni already has a Chromebook and would be happy to help if you need a guinea pig for the test.

[getcarter21]

@thobson88 Yeah have pushed out Sophos Intercept X for Mobile to all Turing Chromebooks. We are now looking to see if we can manage the Sophos app via our Sophos Cloud Management portal

[thobson88]

@fedenanni are you able to see Sophos on your Chromebook, and get a screenshot?

[fedenanni]

@thobson88 @getcarter21 hi both! here attached a couple of snapshots.

This appeared when I turned on the Chromebook

I can see the app installed

Inside the app (I had to click "agree" to the policy thing) I see this

And more details if I click

I hope this is useful!

[thobson88]

Thanks @fedenanni. Your first screenshot should do nicely. Worth keeping a look out for updates and getting screenshots of those too.

[fedenanni]

@thobson88 no prob - if it's something official I can get a proper screenshot and not a photo with my phone :D

[fedenanni]

@thobson88 lol - I can't take screenshots as the functionality is disabled, I hope those photos are enough. I also have this

[thobson88]

We now have measures in place to satisfy all of the UKDS requirements which are set out in a policy document on the Living with Machines wiki in reference to a specific dataset (census microdata).

The UKDS form (quoted in the OP) has been submitted by Fede so this issue is considered closed insofar as its original purpose has been achieved.

[martintoreilly]

@thobson88 @fedenanni If you have a pro forma or compliance statement, it would be useful to add to the Safe Haven repo also. Collating evidence / approvals for external requirements is useful in terms of both supporting future researchers working on ONS data and in terms of showing how our tiered information governance approach maps to the requirements of other organisations.

[thobson88]

If you have a pro forma or compliance statement, it would be useful to add to the Safe Haven repo also.

@martintoreilly I can add a modified version of the LwM statement. Not sure where it belongs though. Perhaps in a new directory docs/policy?