1 Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU (P0001) New Version Number V1.0 Reason for development Scope Executive Summary Lack of existing University wide policy This Policy applies to: All Staff and students issued with a University purchased / leased mobile device The policy specifies the University and individual user responsibilities for securing, managing and using University owned and leased mobile devices. This includes laptops, pda s, mobile and smart phones. Users issued with such mobile devices must explicitly comply with and sign the User Agreement at Appendix 1. Appendix 2 details a new single line of reporting for lost or stolen devices replacing the previous multiple and sometimes inconsistent reporting approach in the past. Author /developer Managing the issue, use and return of these devices is an essential part of the University non-pay savings. Senior Information Owner Security Officer Assessment Information Governance - completed Equality Impact Assessment - completed Academic Regulation not applicable Legal not applicable Consultation Not applicable Head of Governance Services Unit and Director IT Services. Approval May Authorised by Executive Committee Date: 13/06/2011 (Board) Effective from 20/06/2011 Review due 2 years by June Document location Document Dissemination / Communication Plan IT Services webpages for transfer to new University policy pages (Autumn 2011) US online briefing to all staff ITS Finance manager to brief all College and PAS Finance staff ITS briefing to all ITS and University Technicians Issue of User Agreement to all mobile device users for signature and return. Completion of user agreement will be a precondition to receipt of a mobile device for phased replacement or new Page 1 of 8
2 Document Control purchases All printed versions of this document are classified as uncontrolled. A controlled version is available from the University Policy page on the University of Salford website. 2.0 Purpose This policy provides a minimum specification for the security, management and use of University owned and leased mobile devices. 3.0 Scope The policy applies to all staff, students and associates within the University of Salford. The policy relates to University owned or leased mobile devices including (but not limited to); Laptops Mobile phones, PDAs and smart phones Portable audio visual equipment including data projectors, cameras etc Meeting and teaching room IT equipment Collections of mobile devices used for loan or pool schemes. This policy does not cover the purchasing process, taxable benefits issues, or health and safety aspects of mobile devices. It does not cover data storage media or the use of privately owned mobile devices to connect to University ICT facilities (see Related Policies). 4.0 Definitions Confidential data in this policy is defined as information relating to living individuals or commercially sensitive information, which, if compromised, may: cause damage or distress to individuals by compromising their right to confidentiality and privacy (Data Protection Act 1998); damage reputation of University in the sector; cause University to not meet its legal obligations; or compromise network security. Mobile worker in this policy is defined as a staff member for whom issue of a University laptop and / or mobile phone is justified and relevant to his / her work. Laptop issue is justified for staff members who are: Required to work away from their primary workspace / office desk, either across campus (where existing IT facilities are not available) or offsite and require computing facilities to undertake their role. Expected to work out of core hours e.g. from home evenings and weekend, as defined in their job description and have a need for access to files and work applications. Mobile phone / smart phone issue is justified for staff members who are: Page 2 of 8
3 Required to be contacted out of core hours Required to maintain frequent and immediate business communications access when away from the office i.e. calls, , calendar. Collections of mobile devices in this policy are defined as technician s stores, pool laptops, audio visual equipment or laptop loans schemes. 5.0 Governance and Management This policy is issued jointly by the Head of Governance Services Unit and the Director of IT Services (ITS) who, as Chief Information Officer of the University has the responsibility for (and the authority to delegate responsibility for); Issuing policies and procedures for the University ICT facilities and services Managing and protecting the ICT facilities and services Investigating breaches of this policy and applying sanctions directly or referring for disciplinary action where relevant. IT Services manages the University mobile phone contract, however the allocation and management of mobile phone usage is the responsibility of the relevant College PVC Dean or Professional Administrative Service (PAS) Director. ITS Purchasing will issue guidance on performance Indicators in this area. 6.0 Policy statements Secure storage and asset database 6.1 The nature of the University estate is to be open and accessible to staff and students. Unrestricted access poses risks to our data and assets therefore all protection measures should be appropriate to the risk to the asset and the consequences of a compromise. All mobile devices should be secured, when unattended, with a minimum of 2 barriers i.e. building controls and locked office or locked drawers/cabinet. 6.2 Collections of mobile devices (see Definitions) require more stringent physical security measures than a single item issued to a user. Physical security risk assessment should be requested from the Security Team, Estates & Property Services. 6.3 IT equipment must not be left unattended at any point in the delivery or installation process. The process will include signed receipt of delivery to the user (Appendix 1). 6.4 All University laptops will be uniquely identified and registered in the University s IT asset database. All new laptops will be asset tagged, security marked (where possible) and recorded in the University asset database as part of the installation process prior to delivery to user. 6.5 Accurate records will be held for any collections of mobile devices used for pool or loan schemes. Guidance on loan scheme documentation is available from the Senior Information Security Officer, Governance Services Unit. 6.6 Staff members are responsible for the security of the mobile device issued to them (including pool / loan scheme managers) and must not leave it unattended or insecure (Appendix 1). This includes making arrangements for secure storage with the support of his/her line manager. Page 3 of 8
4 6.7 University data should be stored within the University network drives or information systems. Mobile devices or external 3 rd party facilities must not be used as permanent storage for electronic information belonging to the University (See Related Policies). 6.8 Laptops for users dealing with confidential data (see Definitions) should be subject to additional care and protection to prevent unlawful loss or compromise of the data. Mobile Phones The following requirements relate to mobile phones and are in addition to those listed in the ICT Acceptable Use Policy. 6.9 Mobile devices are configured to standard builds and tariff bands before delivery to the user. Any changes required to these settings e.g. changing roaming rates must first be put in writing to the ITS Service Desk for assessment and authorisation by ITS Purchasing Issued mobile phones are for University business use. Usage should be reasonable and justified in relation to work. Personal usage is permitted however, this should be reasonable, not excessive and arrangements should be made locally to repay costs of personal use It is the responsibility of the relevant College Accountant / PAS Head of Finance to check itemised bills, ensuring that call volumes and costs are appropriate and not excessive (for work purposes as well as any personal use) within his / her College or Division. Where a user cannot justify call usage and costs on a repeated basis, it is the discretion of the PVC Dean / PAS Director to initiate disciplinary action in line with the Staff Disciplinary Policy. University property 6.12 University purchased and leased mobile devices are University property (regardless of the source of funding). They are not a user s personal property nor are they available for individual resale or remuneration All University purchased and issued laptops must be returned to IT Services upon termination of employment, research contract or work agreement. If devices are not returned, after a reminder process, the matter will be passed to the Police for their consideration to take further action or for recovery via civil litigation ITS will securely erase data on mobile devices and reformat the device before reissue to another University user. The device will also be securely erased when disposed of at the end of its lifecycle. Reporting loss or theft of device 6.15 In the event of loss or theft of a mobile device the user should follow the process in Appendix 2 and immediately report thefts to the Police, then inform the ITS Service Desk.. In relation to theft or loss of a mobile phone the user should also notify the Mobile provider directly. 7.0 Policy Enforcement and Sanctions Failure to comply with this policy will be investigated thoroughly in accordance with appropriate legislation and the University Disciplinary Policies. Sanctions for violations of the policy may include; Cost of replacing lost/stolen equipment charged to relevant School / PAS Page 4 of 8
5 Removal of rights as a mobile worker Referral of mobile device non-return for police attention or pursuance of civil litigation Initiation of Disciplinary Policy 8.0 Related Documentation IT Procurement Policy ICT Acceptable Use Policy Network Connection & Security Policy Data Storage Security Policy (in draft) Controls addressed in this policy from ISO/IEC27001:2005 Information Security Management Systems - Requirements Inventory of assets Security of equipment off premises Ownership of assets Secure disposal Return of assets Removal of property Physical security perimeter Management of removable media Physical entry controls Disposal of media Delivery and loading areas Unattended user equipment 9.0 Appendices Appendix 1: Mobile Devices User Agreement Appendix 2: Reporting procedure for lost / stolen mobile devices Page 5 of 8
6 Appendix 1 Mobile Devices Security Policy User Agreement You are responsible for the security and use of the mobile device issued to you and you are expected to take the reasonable steps as listed below to protect the device and its data from theft, damage, misuse or confidentiality breaches. This responsibility applies at all times irrespective of whether at work or off-site. All mobile device users must sign to confirm acknowledgement of and compliance with these conditions. Loan schemes and pool devices will also comply with the principles of this Agreement and those staff responsible for such schemes will sign the agreement for their pool / loan scheme devices and make users aware of their responsibilities. 1. Secure the device on University premises when unattended using a minimum of 2 barriers e.g. building controls and locked office or locked drawers/cabinet or a laptop security cable. Contact your line manager if such options are not available. 2. Do not leave a mobile device (your own or a pool device) unattended in insecure areas such as University meeting rooms or other public access areas. When off campus and the device is not in use, ensure that it is stored securely out of sight. Do not leave the device in your car boot for any period of time, especially overnight. Any devices left on display or unattended will be vulnerable to theft and / or data compromise. 3. Be aware of the potential for opportunistic or targeted theft of mobile devices in busy public places including airports, public transport or hotel lobbies. Keep it with you at all times especially at airport scanners and during travel. Be aware of shoulder surfing when working on confidential material. Do not leave your removable media in an unattended computer. 4. Do not take the mobile device overseas without: a) business trip authorisation of the Head of School / PAS Director and; b) tariff check from ITS Purchasing (via ITS Service Desk) to ensure the correct tariff band has been applied. 5. Do not tamper with or make changes to the standard settings and builds without written authorisation from ITS (via ITS Service Desk) 6. Ensure PIN / Password protection is enabled on the device as a minimum. 7. Connect the laptop to the network regularly to update the operating system and University anti-virus protection the laptop is only as secure as the last time it was updated. Staff and visitors must take care to virus check any removable media to reduce the risk of introducing viruses or malware to the network. 8. University data should be stored within the University network drives or information systems. Mobile devices or external 3 rd party facilities must not be used as permanent storage for electronic information belonging to the University. 9. Users dealing with confidential data (see Definitions) should take additional care to protect it from unlawful loss or compromise. 10. Do not allow family members or friends to use your University issued mobile device. 11. Do not download and install shareware/freeware/games on the mobile device. Approved software should only be installed after advice from ITS Service Desk or by an authorised University IT technician. 12. Do not use hand held mobile devices whilst driving (in line with UK and European legislation) 13. Do not incur excessive and unnecessary call costs to the University by repeatedly: 1. selecting incorrect tariff bands 2. failing to configure most cost effective connection method for data/ active synchronisation Page 6 of 8
7 Appendix 1 3. failing to make adequate and ITS authorised arrangements (in advance) for overseas travel regarding network coverage and costs 4. failing to repay personal use costs where required 14. Do not use the device for offensive, inappropriate or excessive personal use including (but not limited to); premium rate chat lines, gaming, pornography or streaming movies (see ICT Acceptable Use Policy for full details). 15. Where mobile devices are issued as part of your role you are required to carry the device at all reasonably appropriate times and ensure the device is charged and available for use. The device should be appropriately handled, kept in good working order using an appropriate carry case (considering crime prevention advice). In the event of any technical problems with your laptop contact the ITS Service Desk. Contact the phone provider directly. 16. Delete data from a pool / loan scheme device before returning it. 17. Pool/ loan scheme managers should carry out a regular check of mobile devices against their inventory and should notify any changes in role pool / loan scheme manager to the ITS Service Desk. 18. Return the mobile device to IT Services at the end of your work or research contract. It is University purchased property not personal property. If device(s) is / are not returned, the matter will be passed to the police for their consideration or for recovery via civil litigation. The device will be re-formatted before re-distribution to another University user. 19. Notify the ITS Service Desk of any change of role, office location, School or PAS. 20. In the event of loss or theft of a mobile device you should follow the process in Appendix 2 and immediately report thefts to the Greater Manchester Police on (obtaining the Crime Reference number), then inform the ITS Service Desk on If your University issued mobile phone is lost or stolen, please also notify the Mobile provider directly in addition to the above reports. Instructions: Sign and return this form by internal post to; IT Purchasing Team, IT Services, 4 th Floor Humphrey Booth Building as soon as possible. Keep a personal copy for your reference. Statement of Compliance: I understand and agree to comply with the Mobile Devices Security Policy and User Agreement for any mobile device issued to me. Name: Username: Signature: Date: Page 7 of 8
8 Appendix 2 Stolen Devices Reporting Process Reporting procedure for lost / stolen mobile devices UoS mobile device is lost or stolen Stolen User reports stolen device to Police (obtain Crime Ref) lost User reports lost / stolen device to ITS Service Desk SD create case incl. Crime Ref No. Change user s passwords. SD assign task to Compliance for investigation SD assign case to ITS Purchasing ITS purchasing update asset register User sends incident proforma to ITS purchasing SD Case info required for lost/stolen mobile device: Crime Ref No. Date stolen / last seen Location stolen from e.g. Building & room What happened Force a user password change ITS Purchasing case info to; Estates Security Finance Division School/PAS Finance Mger ITSERT ITS purchasing progress purchase End Page 8 of 8
Information Security Policy The purpose of this Policy is to describe the procedures and processes in place to ensure the secure and safe use of the federation s network and its resources and to protect
Information and ICT Security Policy Care Excellence Partnership Updated May 2011 Due for review July 2012 Senior Information Risk Owner (SIRO) P. Tilson I:drive/Policies/Information and ICT Security Status
Jefferson County School District Information Technology Policies and Procedures 575 S. Water Street Monticello, FL 32344 (850) 342-0100 www.jeffersonschooldistrict.org June 2014 Table of Contents 1.0 Overview...
Data Security Policy Member of Staff Responsible ICT Team Author: Sunil Pindoria Dated 03/02/2015 Date of next review 03/02/2016 Page 1 CONTENTS INTRODUCTION... 3 MONITORING... 4 BREACHES... 5 DATA SECURITY...
Version 2.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you
Information Technology Policies and Procedures Wakulla County School District March 2014 Table of contents TABLE OF CONTENTS... 1 1.0 OVERVIEW... 2 2.0 PURPOSE... 2 3.0 SCOPE... 2 4.0 ACCEPTABLE USE POLICY...
Poplar Street Primary School ICT Security and Acceptable Use Policy E-Safety policy 2013/14 Working Together Aiming High! 1 Contents 1. Introduction... 3 2. Policy Objectives... 3 3. Application... 3 4.
Delgado Community College Information Technology Security Policy Approved: *November 5, 2010 ) Delgado Community College IT Security Policy Page 2 *November 5, 2010 Table of Contents Title Page 1.0 Introduction
St Vincent s Catholic Primary School e-safety Policy Policy e-safety Policy Date January 2015 Date of review January 2016 Signed Chair of Governors Signed Headteacher Effective Practice in e-safety E-safety
April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt
Berwick Academy Policy on E Safety Overview The purpose of this document is to describe the rules and guidance associated with E Safety and the procedures to be followed in the event of an E Safety incident
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
Internet Acceptance Use and Data Security Policy Last Updated: 08/10/2012 Date of Next Review: 08/10/2015 Approved by GB: 10/10/2012 Responsible Committee: Student Welfare and Development Internet Acceptable
School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy Page 1 of 10 Contents 1 Preamble...3 2 Purpose...3 3 Scope...3 4 Roles and responsibilities...3
School Information Security Policy Created By: Newport Education Service Date Created: 22 December 2009 Version: V1.0 Contents Background... 3 IT Infrastructure... 3 IT Access... 3 Acceptable use policy...
The Archbishop s Seminary Information Security Policy 1 Contents PURPOSE... 4 SCOPE... 4 POLICY STATEMENTS... 5 INFORMATION SECURITY POLICY... 5 THE SCHOOL S RIGHT TO ACCESS ITS PROPERTY... 5 THE SCHOOL
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Mediacom Online Internet Access Service Customer and User Agreement The following are terms and conditions for use of Internet access and related services offered to residential, business and other subscribers
1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines
E Safety Policy This e safety policy was approved by the Governing Body on: The implementation of this e safety policy will be monitored by: Monitoring will take place at regular intervals: Reporting to
Version: 1.1 Ratified by: NHS Bury CCG IM&T Steering Group Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Greater Manchester CSU - IT Department NHS Bury
Pay Monthly Terms Terms and conditions for the supply of Orange Network Services 1. Definitions The following words and expressions shall have the following meanings: Accessories: Account: Products approved
Page 1 of 5 Purpose This regulation implements Board policy JS by setting forth specific procedures, requirements and restrictions and conditions governing student use of District Information Technology
CUSTOMERS BANK ONLINE & MOBILE BANKING ACCESS AGREEMENT 1) Scope of Agreement 2) Definitions 3) Terms and Conditions of Online Banking A. Requirements B. Online Banking Services - General C. Electronic
Technology Department 1350 Main Street Cambria, CA 93428 Technology Acceptable Use and Security Policy The Technology Acceptable Use and Security Policy ( policy ) applies to all CUSD employees and any