BRING YOUR OWN DEVICE POLICY (BYOD)
- Kevin Parks
- 8 years ago
APPROVED BY: South Gloucestershire Clinical Commissioning Group Quality and Governance Committee
DATE: August 2015
Date of Issue: August 2015
Version No: 7
Review due: August 2017
Author: Thomas Manning, Head of Information and Performance Management
Document status: Current

| Version | Date | Comments |
|---|---|---|
| Draft | October 2013 | Draft Policy for operational use during test project |
| Version 1 | January 2014 | First presentation of full policy to Quality & Governance Committee |
| Version 2 | August 2014 | Following feedback from January's Quality & Governance Committee and Internal Audit on risk assessments and mitigations |
| Version 3 | September 2014 | Following recommendations from The Internal Audit Report: Bring Your Own Device (BYOD) undertaken by Audit South West |
| Version 4 | September 2014 | Following advice from Alex Bunn, Data Protection Practitioner, Information Governance Team, South West CSU |
| Version 5 | September 2014 | Following advice taken from the Information Commissioner's Office publication, Data Protection Act 1998, Bring Your Own Device (BYOD) guides/online/byod |
| Version 6 | October 2014 | Following completion of an Equalities Impact Assessment |
| Version 7 | July 2015 | Amendments following Policy Review Group |
CONTENTS

Section - Summary of Section
1 Background
2 Eligibility
3 Devices and Support
4 Acceptable Use
5 Reimbursement
6 Security
7 Data Protection
8 Risk/Liabilities/Disclaimer
9 Equal Opportunities/Equalities Impact Assessment
10 Review Date
11 Links to other policies

Appendices
Appendix 1 Employee User Agreement
Appendix 2 Security Features Applied to Devices
Appendix 3 Setting Up Your Device with MobileIron
Appendix 4 Device Identification
Appendix 5 Consideration and Assessment of Risks
Appendix 6 User experience of the pilot
Appendix 7 MDM Software database queries
For the purposes of clarity this document refers to personal data and identifiable data. Personal data is defined as data and information held on devices pertinent to the owner and their non-work usage of the device. Identifiable data is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

1. BACKGROUND

1.1. The Clinical Commissioning Group (CCG) recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use. This policy aims to specifically cover the use of non-CCG, personal smartphones and tablets and their integration with the CCG Exchange Server to access work-related calendars, contacts and emails. This Bring Your Own Device (BYOD) initiative aims to combine simplicity for individuals and effective, risk assessed security control for the CCG's identifiable data and technology infrastructure. CCG employees must agree to the terms and conditions in this policy in order to be able to use their device to access and process work-related communications.

2. ELIGIBILITY

2.1 All CCG employees, including Clinical Leads, are eligible for authorisation, provided they are risk assessed, undertake security awareness training and are able to satisfy the terms of access and sign the accompanying user agreement.

Employees with on-call responsibilities will take priority, should there be simultaneous and multiple applications for access, when determining the timescales for set-up.

Contractors are not eligible for authorisation. Contractors are not provided with CCG email addresses and as such are unable to satisfy the terms of access.

Temporary employees will be managed on a case-by-case basis. By default, temporary employees issued with a CCG email address will be treated as permanent employees.
Temporary staff who are not covered by an employment contract are required to sign a confidentiality agreement prior to being given access to information processing facilities as per the CCG's Use of Personal Information Policy.

The Employee User Agreement is at Appendix 1.
3. DEVICES AND SUPPORT

3.1. For a personal smartphone and/or tablet device to be considered within this policy it must be able to encrypt at rest. This is primarily an operating system/software function and requirement.

3.2 The basic requirements are as follows (as at September 2014):
- Apple devices running iOS 6 or later, and specifically:
  o iPhone 4 onwards
  o iPad 2 onwards, including the iPad Air and all versions of the iPad Mini
- Blackberry Phones
- Android devices - Due to concerns with security issues around 3rd party applications, devices running all versions of the Android operating system are not permitted
- Windows devices - Adequate security on Windows phones is currently unproven and they are therefore not permitted.

3.3 Devices that do not support encryption at rest are not permitted to access the CCG IT infrastructure.

3.4 Devices must be presented to the Head of Information and Performance at the time of submission of the user agreement to validate the information requirements of the agreement.

3.5 Personally owned laptops are not permitted to connect with the CCG Exchange Server and as such are specifically excluded from this policy.

4 ACCEPTABLE USE

4.1 The CCG defines acceptable business use as activities that directly or indirectly support the business of NHS South Gloucestershire CCG. The CCG has an Acceptable Use of Information & Communication Technologies Policy as an element in the overarching CCG Information Governance Management System. The CCG reminds staff annually, and new employees via an Acceptable Use of Information and IT Facilities message.

4.2 The CCG recognises that employee use of personal devices for work purposes occurs inside and outside of traditional office hours, i.e. at evenings and weekends. This policy does not therefore define working hours; however, employees are encouraged to ensure they are familiar with the CCG Work Life Balance And Flexible Working Policy.
4.3 The CCG defines acceptable personal use on company time as reasonable and limited personal communication or recreation.
4.4 Staff should ensure that any personal data use does not put work-related identifiable information at risk, for example by sharing the device with identifiable information on it with others, such as family and friends, or by downloading apps which could access such information.

4.5 Corporate identifiable data can only be created, processed, stored and communicated on personal devices running the CCG's chosen Mobile Device Management (MDM) client software. Devices not running MDM can connect to the CCG guest network providing an internet connection, but will not be granted access to the corporate infrastructure.

4.6 The CCG Information Governance Management System outlines considerations of acceptable use. Employees must not:
- Share personal usernames and/or passwords or leave devices logged in and unattended at any time.
- Save or transmit proprietary information belonging to another company that is outside of that company's intended usage, terms and conditions.
- Engage in external business activities.
- Cause offence to any individual (including members of staff or the public) or risk damaging the organisation's reputation by either creating, accessing, storing or sending/posting any images, files, messages or data that could be said to be abusive, sexist, racist, defamatory, obscene or otherwise offensive or inappropriate, or breach confidentiality/privacy of any individual or commercial organisation. This includes personal use of social media outside of work.
- Use social media to communicate on behalf of the organisation unless this is a normal or delegated and accepted part of their role.
- Use organisation facilities for advertising/fund raising not directly connected with the organisation, other than the use of any social notice board facilities.
- Use data that identifies individuals unless absolutely necessary.
4.7 Employee use of CCG IT infrastructure and access via personally owned devices is as follows:
- Calendars - Access permitted
- Email - Access permitted
- Contacts - Access permitted
- Documents - Access currently not permitted

4.8 Each element permitted above is individually configurable within personal devices. For example, whilst a device may be able to access the services listed above, the user may wish to access only one or some of the permissions available to them.

4.9 Employees are not permitted to allow anyone else to access identifiable and organisationally sensitive information stored on their device. This will be managed as follows:
- Calendars: Staff will be expected to mark sensitive meetings as private in their calendar.
- Email: Staff will be expected to ensure others do not access email on their device (see emails within the CCG Acceptable Use of Information & Communication Technologies Policy).
- Contacts: Staff will be expected to ensure that others do not access their work related contacts.
- Documents: when permitted, access to documents will be via a further level of security.

The CCG has a zero-tolerance policy for texting or emailing while driving (whatever the device make and model) and only hands-free talking while driving is permitted.

5 REIMBURSEMENT

5.1 The CCG will not reimburse employees for some or all of the cost of personal devices. Neither will the CCG pay employees an allowance to purchase a device for work purposes.

5.2 Staff should discuss with their line-manager any issues with cost implications as a result of using their device for business purposes (for example, where it is evident that specific business calls made have led to an employee call plan being exceeded).

5.3 South Gloucestershire CCG will not cover any damage to personal devices. It is recommended that device owners insure their device as part of their home contents insurance and, if necessary, advise their insurer that the device will be used for work purposes at home and at work locations.

6 SECURITY

6.1 Employees wishing to use their personal devices as per this policy will be required to download to their device an approved Third Party App (currently MobileIron). This application enables the organisation's IT provider to manage the CCG infrastructure and enable certain security features on the device.

6.2 The security features enabled aim to ensure that:
- The CCG meets its legal requirements for Information Governance and associated risk assessment.
- The Employee meets the expected standards of security as an employee.
- The Employee is able to use their device in a personal capacity with as little disruption as is possible.
6.3 The user agreement requires employees to log the device model and serial number and log the phone number where applicable.

6.4 In order to prevent unauthorized access, devices must be passcode protected using the features of the device. The device must also lock itself with a password or PIN if idle for five minutes.

6.5 Jailbroken Apple devices are strictly forbidden from accessing the CCG infrastructure.

6.6 The employee's device must be enabled with the Find my iPhone App for Apple devices (and similar software for other operating systems where appropriate) in order that personal data may be remotely wiped by the user. Identifiable data may also be remotely wiped by the CCG's IT Provider using the Third Party Security Software if:
- the device is lost
- the employee terminates his or her employment
- IT detects a data or policy breach, a virus or similar threat to the security of the company's identifiable data and technology infrastructure.

Security features and settings within the third party software can be found at Appendix 2.

7 DATA PROTECTION

7.1 Personal data provided by device owners in the sign-up to this policy will only be used by the CCG for the purposes of device registration and management.

7.2 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

7.3 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

7.4 The CCG's current IT provider is South, Central and West Commissioning Support Unit and the current preferred MDM software tool is MobileIron.

8 RISKS/LIABILITIES/DISCLAIMERS

8.1 The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.
8.2 Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email at ITServiceDesk@swcsu.nhs.uk or by phone. Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.
8.3 The employee is expected to use his or her device(s) in adherence to the CCG's acceptable use policy as indicated in Section 4 above.

8.4 The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

8.5 The CCG cannot be held accountable for any risks to an owner's personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

8.6 The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.

9 EQUAL OPPORTUNITIES/EQUALITIES IMPACT ASSESSMENT

9.1 An Equality Impact Assessment has been completed for this policy and procedure and it does not marginalise or discriminate against minority groups.

10 REVIEW DATE

10.1 This policy and procedure will be reviewed every 2 years, or earlier at the request of either staff or management side, or in light of any changes to legislation or National Guidance.

11 LINKS TO OTHER POLICIES

11.1 This policy should be read in conjunction with the following CCG Policies:
- The CCG Information Governance Management System, specifically:
  o Use of Personal Information Policy
  o Acceptable Use of Information & Communication Technologies Policy
- Work Life Balance and Flexible Working Policy
- Policy and Procedure For Incident Reporting
- HR policies, developed in conjunction with the North Bristol Trust and other documentation. These include Equality and Diversity in the workplace, Employee Contract of Employment, IT Policy
APPENDIX 1

BRING YOUR OWN DEVICE (BYOD) - EMPLOYEE USER AGREEMENT

By completing and signing this user agreement ............ (print name) agrees to adhere to the policy as is in place at the time of signing ............ (date)

Make and Model of personal device:

Phone
Manufacturer: Apple
Model: iPhone ............
Serial Number: ............
Phone Number: (+44) ............
Software Version: ............

Tablet
Manufacturer: Apple
Model: iPad ............
Serial Number: ............
Software Version: ............

I confirm that this device is passcode protected
I confirm that this device has not been Jailbroken
I confirm that this device is set to lock itself with a password or PIN if idle for five minutes
I confirm that the operating system on this device is up to date and will be maintained

User Signature ............ Date ............
Privacy Notice

The personal data provided above will only be used for the purposes of device registration and management.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

South Gloucestershire CCG's current IT provider is South, Central and West Commissioning Support Unit and the preferred MDM software tool is MobileIron.

User Acknowledgement

The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.

Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email or by phone. Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.

The employee is expected to use his or her device(s) in adherence to the CCG's acceptable use policy as indicated in Section 4 above.

The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

The CCG cannot be held accountable for any risks to an owner's personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.
For CCG Use only:

All details provided above are correct at the time of signing ............ (date)

Signed for the CCG ............ Position: SIRO

The original of this agreement will be held by the CCG Chief Financial Officer who is the statutory Senior Information Risk Officer (SIRO).

A copy of this agreement will be held by the employee, the CCG SIRO and the CCG IT Support Provider.
APPENDIX 2

SECURITY SETTINGS OF THE MOBILE DEVICE MANAGEMENT SOFTWARE AS APPLIED TO DEVICES

The table below lists the security parameters as installed by the Third Party Security Software (currently MobileIron). Individual device security options may also be applicable under the corporate policy which go further than the table below.

| Security Element | Parameter in MobileIron | What this means? |
|---|---|---|
| Password | Mandatory | Device must have a passcode/password screen lock |
| Password Type | Simple | Alphanumeric as a minimum |
| Maximum Inactivity Timeout | 5 minutes | Device to be set to sleep 5 minutes after last touchscreen keystroke |
| Minimum Password Length | 4 | Four digit passcodes allowable, no maximum |
| Minimum Number of Complex Characters | 0 | Does not require non-alphanumeric characters |
| Maximum Passcode Age | 40 days | User will be prompted after 40 days to change screen lock code |
| Maximum Number of Failed Attempts | 10 | Device will be locked out and require IT unlock after 10 unsuccessful attempts |
| Password History | 5 | No repeat passcode/password for 200 days (5x40 days) |
| Secure Apps Only | Enabled | Checks and disables Jailbroken devices |
| Smartphone Encryption | Enabled | Checks for encryption at rest |
| Take Action if iOS is less than 5.0 | Enabled | Disables devices with old operating systems (pre-2012) |
| Take Action if iOS Data Protection is not enabled | Enabled | Prompts user to apply encryption |
| Take Action if iOS is compromised | Enabled | Prompts user to wipe device |
| Take Action if MobileIron is deactivated | | Prompts user to reactivate and notifies CCG IT Support |

It is possible to remove corporate data from a personally owned device using MobileIron. MobileIron sends a profile to the device with a certificate. Corporate documents/data and apps, and email address, i.e. ccg.nhs/uk, are managed by MobileIron and associated with certificates. When the certificates are removed remotely by MobileIron, the apps/data/documents and data associated with the email address are removed and the data is no longer accessible.
Private accounts are not affected. MobileIron can retire devices, wiping only the corporate data from the device and leaving personal data/apps untouched. MobileIron only controls the data which it has placed on the device and this is managed by certificates.
APPENDIX 3

SETTING UP YOUR DEVICE WITH MOBILEIRON

Setup MobileIron on iOS (iPhone/iPad)

If you haven't already installed the MobileIron App:
- Go to the App Store on your device and install MobileIron Mobile@Work.
- Once downloaded, open the App and enter the following information at the relevant prompts.
  o User Name: firstname.lastname (as per staff login to desktop computer)
  o Server: ahavsp.somerset.nhs.uk
  o Password: your domain (Windows) login password.
- Follow on screen prompts:
  o Important: When prompted, allow MobileIron to use Location Services.
  o Ok to download configuration.
  o Install AIMTC profile.
  o Install Now
  o At prompt, enter your device passcode (if you have already set one up).
  o Done
  o Install when you see a certificate warning.
  o Done
- Return to home screen.
  o You may have to wait up to 5 minutes whilst the policies and settings (including mail) download to your device.
APPENDIX 4

SUPPORTED DEVICE IDENTIFICATION

[Device images: 4/4S, 5, 5c, 5S, 6, 6Plus]
APPENDIX 5

CONSIDERATION AND ASSESSMENT OF RISKS

The CCG recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use. However, in trying to strike a balance between the use of personal devices for the functions which they were bought for, in conjunction with corporate accesses to calendars, emails and documents, the CCG needs to risk assess and mitigate for the potential and real security issues that this policy might highlight.

Bring Your Own Device (BYOD) policies are a recent development in IT infrastructure enablers for employees and there are few if any NHS policies available for comparison. It should therefore be noted that this policy, its risk assessment and the mitigation actions and decisions are not final and will undoubtedly be subject to both ad hoc and routine review and amendment.

The Data Protection Act 1998 (the DPA) is based around eight principles of good information handling. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it. The seventh principle says: appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.

This means the CCG must have appropriate security in place to prevent the identifiable data held from being accidentally or deliberately compromised. This is relevant if identifiable data is being processed on devices which the CCG may not have direct control over. It is important to remember therefore that the CCG, as data controller, must remain in control of the identifiable data for which it is responsible, regardless of the ownership of the device used to carry out the processing.
The Information Commissioner's Office advises that organisations consider and assess the following risks:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

Each of the above considerations is evaluated in the Risk Assessment section below.
RISK ASSESSMENT

What type of data is held?

There are two elements of data that can be determined after consideration, and the Information Commissioner's Office also advises that BYOD must not introduce vulnerabilities into existing secure environments. For the purposes of this assessment, personal data is defined as data and information held on devices pertinent to the owner and their non-work usage of the device, and identifiable data is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

Personal Data - Users are requested to submit a small number of personal data items upon registration. This data is used for the following purposes:
- Name - to identify the user
- Device manufacturer and model - to identify the device and ensure compatibility
- Device software version - to ensure compatibility
- Device serial number - to enable linkage to mobile device management software and allow data flows

Each of the above data items is essential for the registration of individual devices. Employees are under no obligation to register for BYOD access and a privacy notice is included with the registration form. There is no added vulnerability to organisational infrastructures in the provision or handling of this data.

Identifiable Data - Employees electing to register for BYOD access are only able to synchronize their emails, calendar and contacts from the organisational Microsoft Exchange Server to the native mail, calendar and contacts apps on their device. Access is only available through the installation of approved Mobile Device Management (MDM) software. Without this MDM security feature each of these elements is already available to mobile device users via the Microsoft Outlook Web Access webpage that requires simple username/password entry to a web page. The MDM software therefore enhances security beyond website access and mitigates any vulnerabilities contained therein.
Where is data stored?

Personal Data - Users' personal data is stored as per the users' own configurations as chosen on the device. This could be on the device or in a private/community/public cloud.

Identifiable Data - The MDM software limits the storing of identifiable data to the organisation's IT network, iCloud and the device, for one month's worth of emails in the user's inbox, drafts, sent items and deleted items only. No networked personal file storage is permitted. As the data controller, the CCG has therefore taken appropriate and reasonable measures to ensure data security in the event of device failure, loss or theft.

How is data transferred?

Corporate identifiable data involves the transfer of email, calendar and contact data between the device and the CCG exchange server infrastructure. Whilst this element of the corporate infrastructure may be the target of malicious attack (hacking), any activity in this area would be most likely network based and unlikely to concentrate on one or several mobile devices as the point of entry.

The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner's Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

Another method of possible data transfer is through the use, and potentially misuse, loss or theft of removable media, such as memory cards. In specifying that only Apple devices are enabled, this risk is completely mitigated as there is no removable storage capability built into iPhones or iPads.

What potential is there for data leakage?

The primary potential for data leakage lies with human error and the possibility of emailing and forwarding emails to inaccurate addresses. However, the potential is not considered to be higher than similar human error whilst communicating via email from non-mobile devices (i.e. CCG desktop PC).
Users are reminded of the available guidance in the CCG's Acceptable Use of Information & Communication Technologies Policy and this is reinforced in the BYOD staff training.

iCloud is another potential area for data leakage. Back-up to iCloud is currently enabled, and could if deemed necessary be disabled. However, at this time, users of the BYOD policy are not recipients of patient-level identifiable data, a prerequisite of sign-up.
Where are the Personal/Work Boundaries?

There is no human monitoring of personal usage. The MDM software monitors and manages access to approved applications, but the in-app activities of individual users are not monitored as the organisation deems this to be an invasion of personal privacy. That said, staff are reminded of their corporate responsibilities as per the policies named on page 2 of this document.

How capable is the device security?

Apple devices employ encryption at rest as default. This means that data stored on the device is encrypted against malicious attack, even if retrieved illegally. MDM software further encrypts data during transmission, and identifiable data belonging to the CCG can be remotely erased by the CCG's IT Provider upon notification of failure, loss or theft.

The MDM software is further configured to force users to use a keypad security access code upon waking their device, and apply a mandatory, maximum time-out duration of 5 minutes.

Further, staff are required to:
- Enable the Find my iPhone app on their device to locate their device should it be lost or stolen,
- Ensure operating systems are up to date, and
- Confirm that the device has not been jailbroken, that is, that the device has not been locally hacked to allow unrestricted access to technical configurations within the device.

Limiting the choice of connectable devices is a step that the Information Commissioner's Office considers to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

How are settings managed when employees leave or are dismissed?

The CCG has an HR process that ensures the closure of individual accounts when an employee leaves the organisation, for whatever reason. An element of the leavers checklist is to determine whether the individual is registered with the MDM software.
Where this is established, the IT Provider remotely removes all accesses and data through the MDM software functionality. The individual is then responsible for the removal of the MDM application from their device. Access to identifiable data cannot occur in instances where the user fails to remove the application from the device.

What happens in the event of loss, theft or failure of the device?

Users are required to report loss, theft or failure of devices promptly, and within 24 hours, via email or by telephone to the CCG's IT Service Provider. Identifiable data, as described in this documentation, can then be remotely wiped using the MDM software.
Users are also able to choose whether to wipe personal data using the Find My iPhone app, its download being a prerequisite of sign-up.

How is the device supported?

The CCG only supports the user's device in terms of the access provided through the MDM software. Users have a responsibility to notify the data controller in instances where devices are returned to manufacturers under warranty or sold, in order that the identifiable data may be remotely wiped. The MDM software also has location finding functionality which is able to determine if the device is in a usual location. Users are also supported via staff training and a quick reference usage guide.

Summary of Assessment

The Information Commissioner's Office also advises that BYOD must not introduce vulnerabilities into existing secure environments.

The MDM software separates personal data from identifiable data and enhances security beyond widely accessible website access to Outlook, thereby mitigating the vulnerabilities of email via web access.

Data storage is enabled to allow personal back-ups to continue and limits identifiable data storage to one month's emails in selected Outlook folders.

The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner's Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

The potential for data loss via email is not considered to be any higher than when using non-mobile devices such as desktop computers.

Device security is paramount for both personal data and identifiable data. The configurations of MDM software and the inherent security of Apple devices ensure integrity as far as is considered appropriate and reasonable.

The CCG has an HR process that ensures the closure of individual accounts when an employee leaves the organisation, for whatever reason.
Users are required to report the loss, theft or failure of devices in order that identifiable data may be remotely wiped. Users are also able to wipe personal data using Find my iPhone.

User support from the CCG is provided by the MDM software and managed by the CCG IT provider.
Users are also supported via staff training and a quick reference usage guide.

Scoring Risks & Risk Assessment Matrix

Risks are scored using the matrix below. The level of consequence is decided, which gives a value between 1 (insignificant) and 5 (fatal); the probability of the risk happening is then decided, which gives a value between 1 (remote) and 5 (certain). Multiplying the two values together gives the risk score, e.g. consequence (major) x probability (possible) would be 3 x 3 = risk score of 9. The risk scores are given on the matrix below. Risk scores at 15 and above are included in this register.

[Risk Assessment Matrix. Vertical axis, Probability of Event (P): 5x Certain, 4x Probable, 3x Possible, 2x Improbable, 1x Remote. Horizontal axis, Consequence/Severity of Event (C): 1x Insignificant, 2x Minor, 3x Major, 4x Severe, 5x Fatal. Score and action pairs shown in the matrix: 8 Act Soon, 9 Act Soon, 10 Act Soon, 12 Act Soon, 15 Act Now, 16 Act Now, 20 Act Now, 25 Stop.]
Risk Assessment Ratings

| Risk Ref. | Description of Risk | Initial Risk Rating PxC | Mitigating Actions | Mitigated Risk Score | Mitigated RAG Rating |
|---|---|---|---|---|---|
| 1 | Storage of identifiable data outside of approved locations | 3x3=9 | Implementation of MDM software to individual devices | 2x3=6 | |
| 2 | Transfer of identifiable data from CCG network | 4x3=12 | MDM software configured to disable network folder access | 1x3=3 | |
| 3 | Potential for identifiable data leakage | 3x4=12 | Staff training/CCG Policies re: usage to avoid incidents of human error however no greater perceived potential than users working from non-mobile devices | 2x4=8 | |
| 4 | Device security | 4x4=16 | Implementation of MDM software to individual devices. Requirement to enable the Find My iPhone app to devices should it be lost or stolen. Requirement to ensure operating systems are up to date, and confirmation that devices are not jailbroken. Limiting the choice of connectable devices as per the Information Commissioner's Office consideration that this step is one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security. | 2x3=6 | |
| 5 | CCG staff member leaves the organisation taking identifiable data with them | 3x3=9 | HR processes close down accounts and remove the MDM software | 1x3=3 | |
| 6 | Loss, Theft or Failure of Device | 3x4=12 | User requirement to report loss, theft or failure. MDM software configured to erase identifiable data upon notification. | 3x2=6 | |
APPENDIX 6 User Experience of the Pilot

From mid-August 2013 the CCG has piloted the implementation of MobileIron on personal devices for ten (9) users and eleven (11) devices. Two users piloted both phone and tablet devices. The pilot was limited to users with Apple devices as, together with SWCSU as the IT Provider, these were considered to be the most identifiable and robust devices to test. The spread of devices was as follows:

| Device Type/Model | Number of Users |
|---|---|
| iPhone 3S | One |
| iPhone 4 | One |
| iPhone 4S | Four |
| iPhone 5 | One |
| iPhone 5S | One |
| iPad 2 | One |
| iPad 4 | One |
| iPad Mini | One |

Over the twelve months of the pilot there have been no reported incidents of security software interference with users and no reported incidents of data loss, device loss or potential security breaches.

During the course of the pilot the proprietary operating system software was internationally updated twice. Whilst this worked without incident for iPad users, iPhone users reported twice daily text alerts (at various times of the day) of a reported passcode non-compliance. Whilst this has not affected device usage it has proved to be an annoyance and is likely to be resolved only when the final stable release of iOS 7 is available AND MobileIron has implemented its update to match. (This occurred in January 2014)
Risk Assessment

The table below compares national guidance concerning nhs.net access with guidance from the Information Governance Team at the Commissioning Support Unit and the settings in MobileIron and the CCG.

| Parameter | National Guidance 1 (nhs.net) | ISO27000 Security Standard | MobileIron Setting | Current CCG Device Setting | Recommended CCG Device Setting |
|---|---|---|---|---|---|
| Password | Required | Required | Required | Required | Required |
| Password Type | Complex | Complex - unless risk assessed | Simple | Simple | Simple |
| Maximum Inactivity Timeout | 20 minutes | 10 minutes | 30 minutes | 5 minutes | 5 minutes |
| Minimum Password Length | 8 characters (for nhs.net access) | 6 characters | 4 characters | 4 characters | 4 characters |
| Minimum Number of Complex Characters | At least one from 3 of 4 categories: Uppercase, Lowercase, Numeric, Non-Numeric | Alpha-Numeric | Disabled | Disabled but allowable at user discretion | Disabled but allowable at user discretion |
| Maximum Number of Failed Attempts | | | | | |
| Maximum Passcode Age | days | 90 days | 40 days | 40 days | 90 days |
| Password History | 4 | | | | 4 based on age above |
| Synchronisation | month | Not limited | Not limited | Not limited | 1 month |
| Encryption at Rest | n/a | Enabled | Enabled | Enabled | Enabled |

Key: CCG Parameter meets or exceeds risk-based standard / CCG Parameter does not meet risk-based standard

One of the main priorities in the implementation of this policy has been to ensure, wherever possible, that the user is able to use the device in the manner to which they are accustomed without any apparent interference from the installation of MobileIron profiles. As such, the password type, minimum password length and complexity level of passcodes have been made mandatory but left at the discretion of the user.
In using this basic principle the proposed mitigations to any perceived or real lack of security are to:

- Considerably reduce the inactivity timeout from 20 minutes to 5 minutes
- Increase the frequency of enforced passcode changes from 90 days to 40 days (from 4 to 9 times a year)
- Ensure only devices able to provide encryption at rest are permitted access.

Recommendations

The recommendations for further adjustments to increase security are to:

- Reduce the maximum number of failed attempts from 10 attempts to 5 attempts, with a view to reducing further to 3 attempts after a six-month review of implementation
- Amend the passcode history and maximum age parameters to meet national guidance. National guidance suggests a 90 day passcode age with no repeat for four passcodes. This equals 360 days between passcodes. Current MobileIron implementation is 200 days (40 day passcode with 5 histories).
- Set devices to only synchronise email for one month.

Note: No network or personal folders are made available through access to email.

1 Password Policy for Non-Spine Connected Applications, Good Practice Guideline, Connecting for Health, 2010 accessed via on 30/10/
APPENDIX 7 MDM Software Database Queries
Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)
More informationMobile Devices Security Policy
Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU
More informationOWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.
OWA vs. MDM Introduction SmartPhones and tablet devices are becoming a common fixture in the corporate environment. As feature phones are replaced with new devices such as iphone s, ipad s, and Android
More information