IT policies

Information Security policies, procedures and guidelines

These resources are particularly useful for those working with confidential and/or personal data

The policies and guidelines found on this page will help you stay secure while using information technology at LSE.

They are also critical for providing assurance to funders, regulators, auditors and governments that LSE takes seriously the confidentiality, integrity and availability of data placed in its care.

Information Security Policy and Information Classification 

Information Security Policy: The guidance is particularly useful for those working with confidential and/or personal data.

Information Security Classification Standard: How to classify your data, process, store and transmit it.

Policies and Regulations 

The following policies can be found under 'Information Technology' on the Policies and Procedures webpage. 

For a description of each IT policy, please see the index below:

Access Control Policy: DTS approach to controlling access to IT resources.

Application Control Policy: LSE's approach to the use of applications on its network.

Antivirus Policy: Antivirus must be installed on LSE-owned computers. Personally-owned devices without antivirus may be blocked from our network for the safety of all other connected devices.

Asset Management Policy: Everyone's responsibilities in regards to IT assets such as workstations or laptops.

Associates Policy: When and how non-LSE members are provided with access to LSE IT resources.

Comms Room Policy: Comms Rooms are a key part of LSE’s IT infrastructure, with specific requirements about how they must be set up and maintained.

Conditions of Use of IT Facilities at LSE: The conditions everyone must sign up to in order to use LSE IT facilities.

Conditions of Use of the Residences Network: Additional conditions for those using network connections at halls of residence.

Confidential Information Transfer Policy: How to approach the any requirements to move confidential information, either to or from external parties, or within LSE.

Electronic Messaging Policy: Rules and considerations governing the use of LSE's email systems, including the sending of confidential data and the privacy of people's email accounts.

Email Address Conventions Policy: Information about the format of LSE email addresses.

Encrypted Authentication Policy: All LSE applications (whether developed by us or developed or hosted by a third party) that perform user authentication must encrypt the username and password during transmission.

Hosting Non-Standard Websites and Internet-Facing Services: What replacement DTS will provide for servers currently situated outside LSE datacentres.

IT End User Equipment Policy: What IT equipment can be ordered and from which supplier.

IT User Accounts Policy: What types of user accounts we provide, what they give access to and when they expire.

Laptop Encryption Policy: All new LSE-issued laptops should be encrypted. Monitoring and Logging Policy: How and why we monitor and log traffic and activities across our systems and networks.

Monitoring and Logging Policy: How and why we monitor and log traffic and activities across our systems and networks. 

Network Connection Policy: The responsibilities concerning who can connect things to our network distribution layer, and how we respond to any system on our network that poses the potential threat, or is actually causing damage, to other systems. 

Password Policy: What passwords should contain and when they expire. 

Patch Management Policy: Stipulations around the patching of LSE systems.

Payment Card Gateway Policy: All services that take card payments must integrate with LSE’s provided Payment Card Gateway. 

PCI DSS Compliance Policy: LSE has to meet the Payment Card Industry’s Data Security Standard. This policy lays out what levels of PCI DSS compliance we can achieve, and where the risk for non-compliance lies.

PCI DSS Information Security Policy: Information Security Policy that is specific to LSE’s PCI DSS environments.

Remote Access Policy: What systems are available for use remotely and what considerations to make when using them.

Sharepoint Team Sites Provision Policy: Outlines the conditions under which SharePoint Team Sites will be allocated, monitored and deallocated.


AV Recording Guidelines: Steps to maintain your data security throughout the audio/video recording and transcription process

Confidentiality Agreement Template for Access to Deceased Staff Account: Please note this form should not be completed unless the Data Protection Officer or Cyber Security & Risk Team have requested it specifically.

Handling Copyright Infringement Notifications: The steps Information Security will take if informed of a copyright infringement that has happened via the LSE network.

Log Duration: How long DTS will keep logs that have been generated.

Non-Standard User Account Expiries: The maximum duration non-standard LSE user accounts will exist and at what point extensions will need to be requested.

Template-Transcriber Non-Disclosure Agreement: Sample agreement for third party transcribers to sign before engaging them to transcribe the audio or video recording files for LSE.

Virus Outbreaks on Campus Public Area Workstations: What we will do if we discover there is a virus outbreak on an LSE machine in the library, or in a computer room.


Encryption Guidelines: A guide on encrypting data and devices.

Encryption Guidelines for Students: A guide on encrypting data and devices for students.

Managing Access in SharePoint/Teams/OneDrive: Step-by-step instructions with screenshots on how to manage access in OneDrive/SharePoint/Teams 

Remote Access and Mobile Working: A guide on how to protect your devices and data when working remotely.

Using 7-Zip to Encrypt and Decrypt Files: A guide on using 7-Zip to encrypt files and make them more secure.

Using USB Storage Devices: Issues to consider before putting data on USB storage devices such as data sticks or external hard drives.

InfoSec Decision Making Tool (ISDMT): A tool developed by DTS to help you assess your confidential data and advice on how to protect it appropriately.


Application to Use IT Facilities at LSE: To be signed by all users.

Checklist for Leavers: A checklist for line managers to help ensure that the right steps are taken when a member of staff leaves LSE.

Data Assurance Form: A form for academics to complete prior to initiating a research project. 

External Suppliers User Accounts: The stipulations external suppliers have to meet before they are provided with user accounts.

Firewall Rule Request Form: A form for Service Owners to complete prior to commissioning or updating a service/system that requires a firewall rule change

Request to Access Someone Else's Data (docx): A form for requesting access to someone else's H: space or email account. 

Resources for Research 

Privacy Impact Assessment Template (docx): If you are required by a research data provider to fill in a Privacy Impact Assessment, you can use this template to guide you through the process.

Data Management Plans: All research projects should fill in a Data Management Plan. You can find a guide on how to do so here.

Information Security Training Package: If your research data provider requires you to undertake information security training, please contact us:

Using Zoom for Research Interviews