EXECUTIVE DECISION NOTICE. ICT, Communications and Media. Councillor John Taylor. Deputy Executive Leader

Transcription

1 EXECUTIVE DECISION NOTICE SERVICE AREA: SUBJECT MATTER: DECISION: DECISION TAKER(S): DESIGNATION OF DECISION TAKER(S): GOVERNANCE ICT, Communications and Media PERSONAL DEVICE POLICY That the Personal Device Policy at appendix 1 of the report is adopted. Councillor John Taylor Deputy Executive Leader DATE OF DECISION: 13 March 2013 REASON FOR DECISION: The Council wants to encourage its staff to work as efficiently as possible. It provides staff with the essential technology they need to do their job. However it cannot provide all employees with every type of device which might conceivably be useful to them in their work. The Council wants to allow its employees this facility as far as possible. However, the Council is subject to legal rules and must ensure that access to its data is safeguarded. A Personal Device Policy has been designed to allow as much flexibility as possible whilst meeting the operational needs of the Council. In order to manage these risks and ensure employees understand their responsibilities a policy has been drawn up that specifies the conditions under which personal devices may be used and how they will be managed to protect the Council s systems and data. ALTERNATIVE OPTIONS Continue with current arrangements this would not allow REJECTED (if any): employees to have secure and safe access to council systems and does not allow the Council to protect data to the extent that is required. The Council is under a legal duty to take appropriate organisational and technical safeguards to ensure the security of personal data. Do not allow access to the Council s systems and data at all this does not allow employees to work in a flexible way that is beneficial to the Council. CONSULTEES: FINANCIAL IMPLICATIONS: (Authorised by Borough Treasurer) LEGAL IMPLICATIONS: (Authorised by Borough Solicitor) None There is no additional cost to the Council in setting up the infrastructure Mobile Device Management (MDM) system, as ICT Services have sufficient server capacity to meet this requirement. The charge to Service Areas of 5.50 per device per month, is the full cost to the Council from Orange to operate the MDM software licence. IT Services will need to ensure that all software licence costs incurred are recovered from Service Areas. The Data Protection Act 1998 has always required organisations to take appropriate steps to maintain data security. This has become increasingly important as technology develops and high profile incidents have led to public concerns about this issue and

2

3 EXECUTIVE DECISION REPORT SERVICE AREA: SUBJECT MATTER: GOVERNANCE ICT, Communications and Media PERSONAL DEVICE POLICY DATE OF DECISION: 13 March 2013 DECISION TAKER REPORTING OFFICER: REPORT SUMMARY: RECOMMENDATIONS: JUSTIFICATION FOR DECISION: Councillor John Taylor Deputy Executive Leader Tim Rainey Assistant Executive Director, ICT Media and Communications The Council wants to encourage its staff to work as efficiently as possible. It provides staff with the essential technology they need to do their job. However it cannot provide all employees with every type of device which might conceivably be useful to them in their work. The Council wants to allow its employees this facility as far as possible. However, the Council is subject to legal rules and must ensure that access to its data is safeguarded. A Personal Device Policy has been designed to allow as much flexibility as possible whilst meeting the operational needs of the Council. That the Personal Device Policy at appendix 1 of the report is adopted. In order to manage the risks and ensure employees understand their responsibilities a policy has been drawn up that specifies the conditions under which personal devices may be used and how they will be managed to protect the Council s systems and data. ALTERNATIVE OPTIONS Continue with current arrangements this would not allow REJECTED (if any): employees to have secure and safe access to council systems and does not allow the Council to protect data to the extent that is required. The Council is under a legal duty to take appropriate organisational and technical safeguards to ensure the security of personal data. Do not allow access to the Council s systems and data at all this does not allow employees to work in a flexible way that is beneficial to the Council. CONSULTEES: FINANCIAL IMPLICATIONS: (Authorised by Borough Treasurer) LEGAL IMPLICATIONS: (Authorised by Borough Solicitor) None. There is no additional cost to the Council in setting up the infrastructure Mobile Device Management (MDM) system, as ICT Services have sufficient server capacity to meet this requirement. The charge to Service Areas of 5.50 per device per month, is the full cost to the Council from Orange to operate the MDM software licence. IT Services will need to ensure that all software licence costs incurred are recovered from Service Areas. The Data Protection Act 1998 has always required organisations to take appropriate steps to maintain data security. This has become increasingly important as technology develops and high profile incidents have led to public concerns about this issue and

4 with the Information Commissioner being given increased powers to impose civil monetary penalty notices on organisations. The policy seeks to balance the desire of employees to use their own technology to process personal data with the needs of the organisation to maintain data security. RISK MANAGEMENT: LINKS TO COMMUNITY PLAN: ACCESS TO INFORMATION: The potential risks identified are set out in the report. Indirectly the policy contributes to all elements of the Community Plan. Background papers can be inspected by contacting the report author Julie Hayes, Head of ICT Services on Tel: or

5 1. INTRODUCTION 1.1 Mobile computing devices have quickly become a critical business tool. Due to their flexibility, intuitive behaviour and convenience, increasingly people are turning to tablet devices such as the market leading ipad for business applications. 1.2 There are many benefits to using an ipad, not least their ease of use and the wealth of apps that are readily available for the devices. But these benefits are not without risks and as the potential grows for more and more employees to bring their personal ipad and iphone devices into the workplace these risks need to be recognised and mitigated. 1.3 One way of dealing with the security risks associated with ipads and iphones is to enforce an outright ban. Another approach would be to continue only allowing a limited number of corporately approved and controlled devices as we do presently. In reality neither of these traditional approaches is likely to be successful in practice. 1.4 Mobile technology is a fast moving and fast evolving field. Many people will already have more technologically advanced devices and smartphones at home for personal use than they have in the workplace. This coupled with our current financial situation - where less will be spent on technology refreshes in future - mean that the Council needs to address the issues of staff bringing their own devices, including ipads and iphones into the workplace and wanting to use them for work related activities such as Unlike the Blackberry fleet there is currently no policy in place to ensure that we can provide a level of secure access to our corporate network for personal devices to be used on our network, accessing our information. 1.6 The Council wants to encourage its staff to work as efficiently as possible and it acknowledges that many of its employees have purchased their own electronic devices for their personal use and that some staff are willing to use their device for work purposes in order to help them do their job. 1.7 The Council wants to allow its employees this facility as far as is reasonable and safe to do. However, the Council is subject to legal rules and must ensure that access to its data is safeguarded. This policy has been designed to allow as much flexibility as possible whilst meeting the operational needs of the Council. 1.8 The main risks associated with this are the potential loss or exposure of personal data. The Council is under a legal duty to take appropriate organisational and technical safeguards to ensure the security of personal data. Breach of data security means that the Information Commissioner can fine the Council up to 500,000 and fine individual employees up to 50, In order to manage these risks and ensure employees understand their responsibilities a policy has been drawn up that specifies the conditions under which personal devices may be used and how they will be managed to protect the Council s systems and data As the Policy covers the use of personal equipment in any setting, including in the home, the policy has been entitled Personal Device Policy

6 2 KEY POINTS OF THE POLICY 2.1 Employees can use their own equipment to access the Council s systems and data from the Council s network if they do so in accordance with the policy. The use of personal equipment to access council networks is prohibited under any other circumstances. 2.2 The policy only allows access to Council systems in one of the following ways: Via a website made available for that purpose (for example Outlook Web Application - OWA); Via Netilla (if they are an authorised Netilla user and they device supports this); In a way which is managed by the Council s approved mobile device management software (currently Mobile Iron); or Via a VPN connection (Virtual Private Network) configured by ICT services. 2.3 Whenever accessing council data the individual must ensure that they comply with the provisions of the policy as well as the ICT Security Policy, Acceptable Use Guidelines, the Data Protection Act 1998 and all Information Risk Management policies. Individuals must ensure that the Council s data is not viewed by friends or family. 2.4 The Council will not provide support or training in the use of personal devices except about Mobile Device Management software 2.5 The Council remains the owner of all council data on the device. It has the legal duty to control that data. For that reason employees who participate in the agreement give the Council some control over the device. The rights the individual is giving the Council are outlined in the policy. 2.6 The cost of the software to control and manage personal devices will be borne by the service the individual works for. 2.7 The policy contains the agreement which individuals must sign to indicate that they understand their responsibility for safeguarding all council data and will comply in full with the requirements of the policy. 2.8 The policy is attached at Appendix 1. 3 COSTS 3.1 Individuals who wish to take advantage of the policy do so at their own expense. The Council will not reimburse individuals for any support costs they incur nor will it reimburse data charges or for any damage to the device caused by the installation or removal of mobile device management software. 3.2 The cost of the Mobile Device Management software licence is 5.50 per device per month, which must be funded by each individual s service. 4 RISK ASSESSMENT AND MANAGEMENT 4.1 The potential risks identified are: Risks involved in viewing the Council s data on a personal device the Council has purchased Mobile Device Management software to control personal devices and access is restricted to the secure ways outlined in the policy. Employees must sign an

7 Additional financial cost around loss or damage of the device or use of the device for Council purposes. The policy makes it clear that all costs (other than the device management software) are to be borne by the individual. 5 CONCLUSIONS 5.1 The Council wants to allow its employees to use their personal devices as far as possible. However, the Council is subject to legal rules and must ensure that access to its data is safeguarded. This policy has been designed to allow as much flexibility as possible whilst meeting the operational needs of the Council. 5.2 The main risks associated with this are the potential loss or exposure of personal data. The Council is under a legal duty to take appropriate organisational and technical safeguards to ensure the security of personal data. Breach of data security means that the Information Commissioner can fine the Council up to 500,000 and fine individual employees up to 50, In order to manage these risks and ensure employees understand their responsibilities a policy has been drawn up that specifies the conditions under which personal devices may be used and how they will be managed to protect the Council s systems and data. 6 RECOMMENDATIONS 6.1 That the Personal Device Policy at appendix 1 of the report is adopted.

8 APPENDIX 1 Tameside MBC Bring Your Own Device (BYOD) Policy Contents Document Control Introduction When can I use my personal device to access Council Data? Use of personal devices 3 4. Use of personal devices with Mobile Device Management Software Costs 7 Appendix 1 Approved and Excluded Devices 8 Appendix 2 BYOD Agreement Document Control Name Version Description Date Julie Hayes.01 Draft 2 January 2013 Risk and Audit.02 Draft 3 January 2013 Organisational Development.03 Draft 4 January 2013 Paul Turner.04 Draft 8 January 2013 IRMG.04 Draft 9 January 2013 Live 1 1st Published version 1 Introduction 1.1 The Council wants to encourage its staff to work as efficiently as possible. It provides staff with the essential technology they need to do their job. However it cannot provide all employees with every type of device which might conceivably be useful to them in their work. 1.2 The Council recognises that many of its employees have purchased their own electronic devices for their personal use and that some staff are willing to use their device for work purposes in order to help them do their job. 1.3 The Council wants to allow its employees this facility as far as possible. However, the Council is subject to legal rules and must ensure that access to its data is safeguarded. This policy has been designed to allow as much flexibility as possible whilst meeting the operational needs of the Council. 1.4 The main risks associated with this are the potential loss or exposure of personal data. The Council is under a legal duty to take appropriate organisational and technical safeguards to ensure the security of personal data. Breach of data security means that the Information Commissioner can fine the Council up to 500,000 and fine individual employees up to 50, Managers are directly responsible for disseminating and implementing this policy. 1.6 All references to Council data refer to data for which the Council is data controller this is not limited to personal data but also includes data which is not known to the public. 1.7 In the event of any conflict the ICT Security Policy will take precedence except where it relates to the connection of personal devices to the Council s network.

9 2 When can I use my personal device to access Council Data? 2.1 You can use your own equipment to access the Council s systems and data from the Council s network if you do so in accordance with this policy. 2.2 This policy only allows access to Council systems in one of the following ways: Via a website made available to you for that purpose (for example Outlook Web Application - OWA) Via Netilla (if you are an authorised Netilla user and your device supports this) In a way which is managed by the Council s approved mobile device management software (currently Mobile Iron) Via a VPN connection (Virtual Private Network) configured by ICT services 2.3 The use of your own equipment to access council networks is prohibited except in accordance with this policy. 3 Use of personal devices 3.1 If you use your device via Netilla, VPN or websites you must not download documents containing personal data or other material to your device. 3.2 You must regularly check your device to ensure that no files have been accidentally downloaded and stored on the device (e.g. by accidentally downloading an attachment to an ). Any such file found must be deleted immediately. Unless you are sure that you do not have data on your device you should protect access to your device using a pass code and, where possible, encrypting that device. 3.3 In particular you must check the device before allowing someone else to use it or before you dispose of the device to make sure that nothing has been accidentally downloaded onto the device. 3.4 Whenever accessing council data you must ensure that you comply with the provisions of this policy as well as the ICT Security Policy, Acceptable Use Guidelines, the Data Protection Act 1998 and all Information Risk Management policies, which can be found on the intranet. By using a personal device to access the Council s systems and data, an individual is accepting responsibility for the safeguarding of data viewed on that device and will be held accountable for any incidents which compromise the safety of that data. Failure to adhere to these policies may lead to disciplinary action being taken and for more serious cases, where individuals have not followed guidance and policies, legal action. In addition it should be noted that an individual fine can be imposed by the Information Commissioner s Office (ICO) in the event that the personal device is purposefully used to obtain information for an individual s own financial or personal benefit. 3.5 You must not connect your personal device to the Council s private wifi network (although you are permitted to use the free public wifi hotspots located in some Council offices). 3.6 Individuals who wish to take advantage of this policy do so at their own expense. The Council will not reimburse individuals for any support costs they incur nor will it reimburse the cost of supplying data to the device or for any damage to the device caused by the installation or removal of mobile device management software. 3.7 Individuals must notify the Council IMMEDIATELY if any of the following occur, a device that has been set up to access the Council s systems is lost, the device has been damaged/has developed a fault, if the device is handed temporarily or permanently to a third party for repair or other reason. In all cases ICT Services will remove the facilities to access the Council s systems and data 4 Use of personal devices with Mobile Device Management Software 4.1 Mobile device management software will only be available where: (a) a service (or an individual employee) is prepared to pay the annual cost of the licence for that software

10 (b) the employee has a device covered by this policy as shown in Appendix 1 (c) the individual signs a bring your own device agreement (Appendix 2); and (d) the service agrees that this facility is appropriate for the employee concerned. For example, if an individual handles personal information on behalf of other organisations, steps should be taken to check that the Council is not breaching any information sharing protocols or data exchange agreements. If an individual handles very sensitive personal data then the service must ensure that the protection offered by the software is adequate to protect the data. 4.2 Once the fee has been paid, IT Services will set up the employee in the system and send a notification to confirm this has been done. 4.3 Once they receive the notification the employee is responsible for downloading the mobile device management software and installing it on their device. They must ensure that: (a) Only the employee can view the Council s data and that friends and family cannot access it. (b) The device is protected with a passcode lock requiring a PIN to be entered before use. (c) Council data is only stored on the device if that data is controlled by the mobile device management (training will be given about this) (d) Council data is not transferred from the device to any other device or storage medium. (e) Any instructions given in relation to their device are followed. This could include: A requirement to update software or operating system A requirement to install new software A requirement to delete software Configuring their device in a particular way (f) Council data is deleted if the Employee leaves the Council or if the Council requires. 4.4 The Council will not provide support or training in the use of your device except about Mobile Device Management software. 4.5 The Council remains the owner of all council data on the device. It has the legal duty to control that data. For that reason employees who participate in this agreement give the Council some control over the device. They are giving the Council the right to: (a) Delete Council data from the device or lock the device or that data. (b) Scrutinise the employee s device. (c) Require the employee to allow the device to be physically inspected. (d) Collect systems data about the personal device on an ongoing basis, which will be stored in the Mobile Device Management (MDM) system. The data will only be used by the Council for necessary administration, business purposes and to support the investigation of misuse, fraud, criminal activity or data loss if necessary. Data will include but is not limited to Telephone number International Mobile Equipment (IMEI) number Make and Model Operating System and version Configuration Applications installed In addition the Mobile Device Management (MDM) system will collect data in relation, but not limited to Device location Council systems and data accessed by the device (e) Collect data about applications an individual has installed on their device. If the Council considers that an application may compromise the Council s systems and data it will delete council data from the device and suspend access to council data. (f) Require the employee to attend training as necessary for the Mobile Device Management (MDM) software or in relation to Data Protection/Information Management. 4.6 ICT Services may remove the facilities to access the Council s systems and data, remote wipe and/or initiate a remote lock of the device if it considers it appropriate to do so. It may not be possible to give advance warning or seek permission on an individual basis.

11 5 Costs 5.1 The cost of the infrastructure to set up the Mobile Device Management (MDM) system will be funded by ICT Services. 5.2 The MDM software annual licence fee for each individual must be funded by that individual s service. Managers must therefore balance the benefits of the individual using their personal device with the cost of the licence to manage and protect the Council s systems and data on that device. This may be attractive where the individual was previously allocated a Council owned Blackberry. Licences may be transferred to another individual. If the individual is part of another service that service will take on the on-going annual commitment but there will be no in year adjustment 5.3 The individual granted permission to use their own device to access the Council s systems and data must ensure they understand their own contract and data/call allowances as they will be liable for all costs (except those identified in 4.1) incurred when using the device, including but not limited to, data costs (including roaming costs), call charges (even when used for business calls), support from their provider, repair and insurance costs. 5.4 The Council will not reimburse individuals for business calls made. Where an individual needs to make a large number of work-related calls it is likely that a Council issued device will be more appropriate. 5.5 The Council will not accept liability for damage, theft or loss of an individual s personal device, no matter how caused. This applies even in the event of a device being damaged whilst being used to access Council data. 5.6 The Council will not accept liability for damage, theft or loss of an individual s personal data including music and applications, no matter how caused. This applies even in the event of a device being damaged whilst being used to access Council data. 5.7 The Council may under certain circumstances reimburse individuals for additional charges in a disaster recovery situation emergency (but prior approval is needed for this). Appendix 1 Approved and Excluded Devices Excluded Devices Devices that have been Jailbroken, hacked, rooted or in any way tampered with. Devices with the following operating systems o IOS 3 or earlier o Symbian 3rd Edition, base, FP1, FP2, 5th generation o WebOS o Windows Mobile 5 Personal laptops or computers except as outlined in Section 2 of this Policy. Approved Devices Please note that list is subject to change without notice should a device become a security risk to the Council s systems or data. Devices with the following operating systems o Android 2.2 and later o Blackberry and later o IOS4.x+ MDM o Windows Mobile 6 o Windows phone 7.x Personal laptops or computers as outlined in Section 2 of this Policy. Appendix 2 BYOD Agreement Name Notes Service Device Authorised by Location of assessment Date effective from In consideration of the Council agreeing to allow me to access its data on my personal device I agree that:-

12 1. I wili comply in full with the requirements of the BYOD policy (as available on the Council s intranet from time to time). 2. The Council may take any action in relation to my device and collect information about my device in accordance with the BYOD policy (as available on the Council s intranet from time to time). 3. I will comply with all instructions given to me under the BYOD policy (as available on the Council s intranet from time to time). 4. I understand my responsibility for safeguarding all council data. 5. I understand that the Council and I can end this agreement at any time but that if the agreement is ended then the Council will have permission to delete its data and software from my device and that if necessary I will need to present the device to IT Services at my own expense and help staff ensure that Council data has been deleted from the device. I note that if I do not comply with the policy or break this agreement then I may be subject to disciplinary action. Signed... Dated