BRING YOUR OWN DEVICE POLICY (BYOD)

APPROVED BY: South Gloucestershire Clinical Commissioning Group Quality and Governance Committee
DATE: August 2015
Date of Issue: August 2015
Version No: 7
Review due: August 2017
Author: Thomas Manning, Head of Information and Performance Management

Document status: Current

Version | Date | Comments
Draft | October 2013 | Draft Policy for operational use during test project
Version 1 | January 2014 | First presentation of full policy to Quality & Governance Committee
Version 2 | August 2014 | Following feedback from January's Quality & Governance Committee and Internal Audit on risk assessments and mitigations
Version 3 | September 2014 | Following recommendations from The Internal Audit Report: Bring Your Own Device (BYOD) undertaken by Audit South West
Version 4 | September 2014 | Following advice from Alex Bunn, Data Protection Practitioner, Information Governance Team, South West CSU
Version 5 | September 2014 | Following advice taken from the Information Commissioner's Office publication, Data Protection Act 1998, Bring Your Own Device (BYOD) guides/online/byod
Version 6 | October 2014 | Following completion of an Equalities Impact Assessment
Version 7 | July 2015 | Amendments following Policy Review Group

CONTENTS

1 Background
2 Eligibility
3 Devices and Support
4 Acceptable Use
5 Reimbursement
6 Security
7 Data Protection
8 Risk/Liabilities/Disclaimer
9 Equal Opportunities/Equalities Impact Assessment
10 Review Date
11 Links to other policies

Appendices
Appendix 1 Employee User Agreement
Appendix 2 Security Features Applied to Devices
Appendix 3 Setting Up Your Device with MobileIron
Appendix 4 Device Identification
Appendix 5 Consideration and Assessment of Risks
Appendix 6 User experience of the pilot
Appendix 7 MDM Software database queries

For the purposes of clarity this document refers to personal data and identifiable data. Personal data is defined as data and information held on devices pertinent to the owner and their non-work usage of the device. Identifiable data is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

1. BACKGROUND

1.1 The Clinical Commissioning Group (CCG) recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use. This policy aims to specifically cover the use of non-CCG, personal smartphones and tablets and their integration with the CCG Exchange Server to access work-related calendars, contacts and emails.

This Bring Your Own Device (BYOD) initiative aims to combine simplicity for individuals and effective, risk assessed security control for the CCG's identifiable data and technology infrastructure. CCG employees must agree to the terms and conditions in this policy in order to be able to use their device to access and process work-related communications.

2. ELIGIBILITY

2.1 All CCG employees, including Clinical Leads, are eligible for authorisation, provided they are risk assessed, undertake security awareness training and are able to satisfy the terms of access and sign the accompanying user agreement.

Employees with on-call responsibilities will take priority, should there be simultaneous and multiple applications for access, when determining the timescales for set-up.

Contractors are not eligible for authorisation. Contractors are not provided with CCG email addresses and as such are unable to satisfy the terms of access.

Temporary employees will be managed on a case-by-case basis. By default, temporary employees issued with a CCG email address will be treated as permanent employees. Temporary staff who are not covered by an employment contract are required to sign a confidentiality agreement prior to being given access to information processing facilities as per the CCG's Use of Personal Information Policy.

The Employee User Agreement is at Appendix 1.

3. DEVICES AND SUPPORT

3.1 For a personal smartphone and/or tablet device to be considered within this policy it must be able to encrypt at rest. This is primarily an operating system/software function and requirement.

3.2 The basic requirements are as follows (as at September 2014):
- Apple devices running iOS 6 or later, and specifically:
  - iPhone 4 onwards
  - iPad 2 onwards, including the iPad Air and all versions of the iPad Mini
- Blackberry Phones
- Android devices - Due to concerns with security issues around 3rd party applications, devices running all versions of the Android operating system are not permitted
- Windows devices - Adequate security conditions on Windows phones are currently unproven and Windows devices are therefore not permitted

3.3 Devices that do not support encryption at rest are not permitted to access the CCG IT infrastructure.

3.4 Devices must be presented to the Head of Information and Performance at the time of submission of the user agreement to validate the information requirements of the agreement.

3.5 Personally owned laptops are not permitted to connect with the CCG Exchange Server and as such are specifically excluded from this policy.

4 ACCEPTABLE USE

4.1 The CCG defines acceptable business use as activities that directly or indirectly support the business of NHS South Gloucestershire CCG. The CCG has an Acceptable Use of Information & Communication Technologies Policy as an element in the overarching CCG Information Governance Management System. The CCG reminds staff annually, and new employees via an Acceptable Use of Information and IT Facilities message.

4.2 The CCG recognises that employee use of personal devices for work purposes occurs inside and outside of traditional office hours, i.e. at evenings and weekends. This policy does not therefore define working hours; however, employees are encouraged to ensure they are familiar with the CCG Work Life Balance And Flexible Working Policy.

4.3 The CCG defines acceptable personal use on company time as reasonable and limited personal communication or recreation.

4.4 Staff should ensure that any personal data use does not put work-related identifiable information at risk. Examples of such risk include sharing a device that has identifiable information on it with others, such as family and friends, or downloading apps which could access such information.

4.5 Corporate identifiable data can only be created, processed, stored and communicated on personal devices running the CCG's chosen Mobile Device Management (MDM) client software. Devices not running MDM can connect to the CCG guest network providing an internet connection, but will not be granted access to the corporate infrastructure.

4.6 The CCG Information Governance Management System outlines considerations of acceptable use. Employees must not:
- Share personal usernames and/or passwords or leave devices logged in and unattended at any time.
- Save or transmit proprietary information belonging to another company that is outside of that company's intended usage, terms and conditions.
- Engage in external business activities.
- Cause offence to any individual (including members of staff or the public) or risk damaging the organisation's reputation by either creating, accessing, storing or sending/posting any images, files, messages or data that could be said to be abusive, sexist, racist, defamatory, obscene or otherwise offensive or inappropriate or breach confidentiality/privacy of any individual or commercial organisation. This includes personal use of social media outside of work.
- Use social media to communicate on behalf of the organisation unless this is a normal or delegated and accepted part of their role.
- Use organisation facilities for advertising/fund raising not directly connected with the organisation, other than the use of any social notice board facilities.
- Use data that identifies individuals unless absolutely necessary.

4.7 Employee use of CCG IT infrastructure and access via personally owned devices is as follows:
- Calendars - Access permitted
- Email - Access permitted
- Contacts - Access permitted
- Documents - Access currently not permitted

4.8 Each element permitted above is individually configurable within personal devices. For example, whilst a device may be able to access the services listed above, the user may wish to access only one or some of the permissions available to them.

4.9 Employees are not permitted to allow anyone else to access identifiable and organisationally sensitive information stored on their device. This will be managed as follows:

- Calendars - Staff will be expected to mark sensitive meetings as private in their calendar.
- Email - Staff will be expected to ensure others do not access email on their device (see emails within the CCG Acceptable Use of Information & Communication Technologies Policy).
- Contacts - Staff will be expected to ensure that others do not access their work related contacts.
- Documents - When permitted, access to documents will be via a further level of security.

The CCG has a zero-tolerance policy for texting or emailing while driving (whatever the device make and model) and only hands-free talking while driving is permitted.

5 REIMBURSEMENT

5.1 The CCG will not reimburse employees for some or all of the cost of personal devices. Neither will the CCG pay employees an allowance to purchase a device for work purposes.

5.2 Staff should discuss with their line manager any issues with cost implications as a result of using their device for business purposes (for example, where it is evident that specific business calls made have led to an employee call plan being exceeded).

5.3 South Gloucestershire CCG will not cover any damage to personal devices. It is recommended that device owners insure their device as part of their home contents insurance and, if necessary, advise their insurer that the device will be used for work purposes at home and at work locations.

6 SECURITY

6.1 Employees wishing to use their personal devices as per this policy will be required to download to their device an approved Third Party App (currently MobileIron). This application enables the organisation's IT provider to manage the CCG infrastructure and enable certain security features on the device.

6.2 The security features enabled aim to ensure that:
- The CCG meets its legal requirements for Information Governance and associated risk assessment.
- The Employee meets the expected standards of security as an employee.
- The Employee is able to use their device in a personal capacity with as little disruption as is possible.

6.3 The user agreement requires employees to log the device model and serial number and log the phone number where applicable.

6.4 In order to prevent unauthorised access, devices must be passcode protected using the features of the device. The device must also lock itself with a password or PIN if idle for five minutes.

6.5 Jailbroken Apple devices are strictly forbidden from accessing the CCG infrastructure.

6.6 The employee's device must be enabled with the Find My iPhone app for Apple devices (and similar software for other operating systems where appropriate) in order that personal data may be remotely wiped by the user. Identifiable data may also be remotely wiped by the CCG's IT Provider using the Third Party Security Software if:
- the device is lost
- the employee terminates his or her employment
- IT detects a data or policy breach, a virus or similar threat to the security of the company's identifiable data and technology infrastructure.

Security features and settings within the third party software can be found at Appendix 2.

7 DATA PROTECTION

7.1 Personal data provided by device owners in the sign-up to this policy will only be used by the CCG for the purposes of device registration and management.

7.2 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

7.3 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

7.4 The CCG's current IT provider is South, Central and West Commissioning Support Unit and the current preferred MDM software tool is MobileIron.

8 RISKS/LIABILITIES/DISCLAIMERS

8.1 The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.

8.2 Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email at ITServiceDesk@swcsu.nhs.uk or by phone on [number not shown]. Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.

8.3 The employee is expected to use his or her device(s) in adherence to the CCG's acceptable use policy as indicated in Section 4 above.

8.4 The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

8.5 The CCG cannot be held accountable for any risks to an owner's personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

8.6 The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.

9 EQUAL OPPORTUNITIES/EQUALITIES IMPACT ASSESSMENT

9.1 An Equality Impact Assessment has been completed for this policy and procedure and it does not marginalise or discriminate against minority groups.

10 REVIEW DATE

10.1 This policy and procedure will be reviewed every 2 years, or earlier at the request of either staff or management side, or in light of any changes to legislation or National Guidance.

11 LINKS TO OTHER POLICIES

11.1 This policy should be read in conjunction with the following CCG policies:
- The CCG Information Governance Management System, specifically:
  - Use of Personal Information Policy
  - Acceptable Use of Information & Communication Technologies Policy
- Work Life Balance and Flexible Working Policy
- Policy and Procedure For Incident Reporting
- HR policies, developed in conjunction with the North Bristol Trust, and other documentation. These include Equality and Diversity in the workplace, Employee Contract of Employment, IT Policy

APPENDIX 1

BRING YOUR OWN DEVICE (BYOD) - EMPLOYEE USER AGREEMENT

By completing and signing this user agreement ........ (print name) agrees to adhere to the policy as is in place at the time of signing ........ (date)

Make and Model of personal device:

Phone
Manufacturer: Apple
Model: iPhone ........
Serial Number: ........
Phone Number: (+44) ........
Software Version: ........

Tablet
Manufacturer: Apple
Model: iPad ........
Serial Number: ........
Software Version: ........

I confirm that this device is passcode protected
I confirm that this device has not been Jailbroken
I confirm that this device is set to lock itself with a password or PIN if idle for five minutes
I confirm that the operating system on this device is up to date and will be maintained

User Signature ........ Date ........

Privacy Notice

The personal data provided above will only be used for the purposes of device registration and management.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

South Gloucestershire CCG's current IT provider is South, Central and West Commissioning Support Unit and the preferred MDM software tool is MobileIron.

User Acknowledgement

The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.

Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email at [address not shown] or by phone on [number not shown]. Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.

The employee is expected to use his or her device(s) in adherence to the CCG's acceptable use policy as indicated in Section 4 above.

The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

The CCG cannot be held accountable for any risks to an owner's personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.

For CCG Use only:
All details provided above are correct at the time of signing ........ (date)
Signed for the CCG ........
Position: SIRO

The original of this agreement will be held by the CCG Chief Financial Officer who is the statutory Senior Information Risk Officer (SIRO).
A copy of this agreement will be held by the employee, the CCG SIRO and the CCG IT Support Provider.

APPENDIX 2

SECURITY SETTINGS OF THE MOBILE DEVICE MANAGEMENT SOFTWARE AS APPLIED TO DEVICES

The table below lists the security parameters as installed by the Third Party Security Software (currently MobileIron). Individual device security options may also be applicable under the corporate policy which go further than the table below.

Security Element | Parameter in MobileIron | What this means?
Password | Mandatory | Device must have a passcode/password screen lock
Password Type | Simple | Alphanumeric as a minimum
Maximum Inactivity Timeout | 5 minutes | Device to be set to sleep 5 minutes after last touchscreen keystroke
Minimum Password Length | 4 | Four digit passcodes allowable, no maximum
Minimum Number of Complex Characters | 0 | Does not require non-alphanumeric characters
Maximum Passcode Age | 40 days | User will be prompted after 40 days to change screen lock code
Maximum Number of Failed Attempts | 10 | Device will be locked out and require IT unlock after 10 unsuccessful attempts
Password History | 5 | No repeat passcode/password for 200 days (5x40 days)
Secure Apps Only | Enabled | Checks and disables Jailbroken devices
Smartphone Encryption | Enabled | Checks for encryption at rest
Take Action if iOS is less than 5.0 | Enabled | Disables devices with old operating systems (pre-2012)
Take Action if iOS Data Protection is not enabled | Enabled | Prompts user to apply encryption
Take Action if iOS is compromised | Enabled | Prompts user to wipe device
Take Action if MobileIron is deactivated | | Prompts user to reactivate and notifies CCG IT Support

It is possible to remove corporate data from a personally owned device using MobileIron. MobileIron sends a profile to the device with a certificate. Corporate documents/data and apps, and the email address (i.e. ccg.nhs/uk), are managed by MobileIron and associated with certificates. When the certificates are removed remotely by MobileIron, the apps/data/documents and data associated with the email address are removed and the data is no longer accessible.

Private email accounts are not affected. MobileIron can retire devices, wiping only the corporate data from the device and leaving personal data/apps untouched. MobileIron only controls the data which it has placed on the device and this is managed by certificates.

APPENDIX 3

SETTING UP YOUR DEVICE WITH MOBILEIRON

Setup MobileIron on iOS (iPhone/iPad)

If you haven't already installed the MobileIron App: Go to the App Store on your device and install MobileIron Mobile@Work.

Once downloaded, open the App and enter the following information at the relevant prompts.

User Name: firstname.lastname (as per staff login to desktop computer)
Server: ahavsp.somerset.nhs.uk
Password: your domain (Windows) login password.

Follow on screen prompts:
o Important: When prompted, allow MobileIron to use Location Services.
o Ok to download configuration.
o Install AIMTC profile.
o Install Now
o At prompt, enter your device passcode (if you have already set one up).
o Done
o Install when you see a certificate warning.
o Done

Return to home screen.
o You may have to wait up to 5 minutes whilst the policies and settings (including mail) download to your device.

APPENDIX 4

SUPPORTED DEVICE IDENTIFICATION

4/4S, 5, 5c, 5S, 6, 6Plus

APPENDIX 5

CONSIDERATION AND ASSESSMENT OF RISKS

The CCG recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use.

However, in trying to strike a balance between the use of personal devices for the functions which they were bought for, in conjunction with corporate accesses to calendars, emails and documents, the CCG needs to risk assess and mitigate for the potential and real security issues that this policy might highlight.

Bring Your Own Device (BYOD) policies are a recent development in IT infrastructure enablers for employees and there are few if any NHS policies available for comparison. It should therefore be noted that this policy, its risk assessment and the mitigation actions and decisions are not final and will undoubtedly be subject to both ad hoc and routine review and amendment.

The Data Protection Act 1998 (the DPA) is based around eight principles of good information handling. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it. The seventh principle says: appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.

This means the CCG must have appropriate security in place to prevent the identifiable data held from being accidentally or deliberately compromised. This is relevant if identifiable data is being processed on devices which the CCG may not have direct control over.

It is important to remember therefore that the CCG, as data controller, must remain in control of the identifiable data for which it is responsible, regardless of the ownership of the device used to carry out the processing.

The Information Commissioner's Office advises that organisations consider and assess the following risks:
- what type of data is held;
- where data may be stored;
- how it is transferred;
- potential for data leakage;
- blurring of personal and business use;
- the device's security capacities;
- what to do if the person who owns the device leaves their employment; and
- how to deal with the loss, theft, failure and support of a device.

Each of the above considerations is evaluated in the Risk Assessment section below.

RISK ASSESSMENT

What type of data is held?

There are two elements of data that can be determined after consideration, and the Information Commissioner's Office also advises that BYOD must not introduce vulnerabilities into existing secure environments.

For the purposes of this assessment, personal data is defined as data and information held on devices pertinent to the owner and their non-work usage of the device, and identifiable data is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

Personal Data - Users are requested to submit a small number of personal data items upon registration. This data is used for the following purposes:
- Name - to identify the user
- Device manufacturer and model - to identify the device and ensure compatibility
- Device software version - to ensure compatibility
- Device serial number - to enable linkage to mobile device management software and allow data flows

Each of the above data items is essential for the registration of individual devices. Employees are under no obligation to register for BYOD access and a privacy notice is included with the registration form. There is no added vulnerability to organisational infrastructures in the provision or handling of this data.

Identifiable Data - Employees electing to register for BYOD access are only able to synchronise their emails, calendar and contacts from the organisational Microsoft Exchange Server to the native mail, calendar and contacts apps on their device. Access is only available through the installation of approved Mobile Device Management (MDM) software.

Without this MDM security feature each of these elements is already available to mobile device users via the Microsoft Outlook Web Access webpage that requires simple username/password entry to a web page. The MDM software therefore enhances security beyond website access and mitigates any vulnerabilities contained therein.

Where is data stored?

Personal Data - Users' personal data is stored as per the user's own configurations as chosen on the device. This could be on the device or in a private/community/public cloud.

Identifiable Data - The MDM software limits the storing of identifiable data to the organisation's IT network, iCloud and the device for one month's worth of emails in the user's inbox, drafts, sent items and deleted items only. No networked personal file storage is permitted.

As the data controller, the CCG has therefore taken appropriate and reasonable measures to ensure data security in the event of device failure, loss or theft.

How is data transferred?

Corporate identifiable data involves the transfer of email, calendar and contact data between the device and the CCG Exchange Server infrastructure. Whilst this element of the corporate infrastructure may be the target of malicious attack (hacking), any activity in this area would be most likely network based and unlikely to concentrate on one or several mobile devices as the point of entry.

The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner's Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

Another method of possible data transfer is through the use, and potentially misuse, loss or theft of removable media, such as memory cards. In specifying that only Apple devices are enabled, this risk is completely mitigated as there is no removable storage capability built into iPhones or iPads.

What potential is there for data leakage?

The primary potential for data leakage lies with human error and the possibility of emailing and forwarding emails to inaccurate addresses. However, the potential is not considered to be higher than similar human error whilst communicating via email from non-mobile devices (i.e. CCG desktop PC). Users are reminded of the available guidance in the CCG's Acceptable Use of Information & Communication Technologies Policy and this is reinforced in the BYOD staff training.

iCloud is another potential area for data leakage. Back-up to iCloud is currently enabled, and could if deemed necessary be disabled. However, at this time, users of the BYOD policy are not recipients of patient-level identifiable data, a prerequisite of sign-up.

Where are the Personal/Work Boundaries?

There is no human monitoring of personal usage. The MDM software monitors and manages access to approved applications, but the in-app activities of individual users are not monitored as the organisation deems this to be an invasion of personal privacy. That said, staff are reminded of their corporate responsibilities as per the policies named on page 2 of this document.

How capable is the device security?

Apple devices employ encryption at rest as default. This means that data stored on the device is encrypted against malicious attack, even if retrieved illegally. MDM software further encrypts data during transmission, and identifiable data belonging to the CCG can be remotely erased by the CCG's IT Provider upon notification of failure, loss or theft.

The MDM software is further configured to force users to use a keypad security access code upon waking their device, and apply a mandatory, maximum time-out duration of 5 minutes.

Further, staff are required to:
- Enable the Find My iPhone app on their device to locate their device should it be lost or stolen.
- Ensure operating systems are up to date, and
- Confirm that the device has not been jailbroken, that is, that the device has not been locally hacked to allow unrestricted access to technical configurations within the device.

Limiting the choice of connectable devices is a step that the Information Commissioner's Office considers to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

How are settings managed when employees leave or are dismissed?

The CCG has an HR process that ensures the closure of individual accounts when an employee leaves the organisation, for whatever reason. An element of the leavers checklist is to determine whether the individual is registered with the MDM software. Where this is established, the IT Provider remotely removes all accesses and data through the MDM software functionality. The individual is then responsible for the removal of the MDM application from their device. Access to identifiable data cannot occur in instances where the user fails to remove the application from the device.

What happens in the event of loss, theft or failure of the device?

Users are required to report loss, theft or failure of devices promptly, and within 24 hours, via email or by telephone to the CCG's IT Service Provider. Identifiable data, as described in this documentation, can then be remotely wiped using the MDM software.

Users are also able to choose whether to wipe personal data using the Find My iPhone app, its download being a prerequisite of sign-up.

How is the device supported?

The CCG only supports the user's device in terms of the access provided through the MDM software. Users have a responsibility to notify the data controller in instances where devices are returned to manufacturers under warranty or sold, in order that the identifiable data may be remotely wiped.

The MDM software also has location finding functionality which is able to determine if the device is in a usual location.

Users are also supported via staff training and a quick reference usage guide.

Summary of Assessment

The Information Commissioner's Office also advises that BYOD must not introduce vulnerabilities into existing secure environments.

The MDM software separates personal data from identifiable data and enhances security beyond widely accessible website access to Outlook, thereby mitigating the vulnerabilities of email via web access.

Data storage is enabled to allow personal back-ups to continue and limits identifiable data storage to one month's emails in selected Outlook folders.

The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner's Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

The potential for data loss via email is not considered to be any higher than when using non-mobile devices such as desktop computers.

Device security is paramount for both personal data and identifiable data. The configurations of MDM software and the inherent security of Apple devices ensure integrity as far as is considered appropriate and reasonable.

The CCG has an HR process that ensures the closure of individual accounts when an employee leaves the organisation, for whatever reason.

Users are required to report the loss, theft or failure of devices in order that identifiable data may be remotely wiped. Users are also able to wipe personal data using Find My iPhone.

User support from the CCG is provided by the MDM software and managed by the CCG IT provider.

Users are also supported via staff training and a quick reference usage guide.

Scoring Risks & Risk Assessment Matrix

Risks are scored using the matrix below. The level of consequence is decided, which gives a sum between 1 (insignificant) and 5 (fatal); the probability of the risk happening is then decided, which gives a sum between 1 (remote) and 5 (certain). Multiplying the two sums together will give the risk score, e.g. Consequence (major) x probability (possible) would be 3 x 3 = risk score of 9. The risk scores are given on the matrix below. Risk scores at 15 and above are included in this register.

Rows: Probability of Event (P). Columns: Consequence/Severity of Event (C).

Probability (P) | 1x Insignificant | 2x Minor | 3x Major | 4x Severe | 5x Fatal
5x Certain | 5 | 10 Act Soon | 15 Act Now | 20 Act Now | 25 Stop
4x Probable | 4 | 8 Act Soon | 12 Act Soon | 16 Act Now | 20 Act Now
3x Possible | 3 | 6 | 9 Act Soon | 12 Act Soon | 15 Act Now
2x Improbable | 2 | 4 | 6 | 8 Act Soon | 10 Act Soon
1x Remote | 1 | 2 | 3 | 4 | 5

Risk Assessment Ratings

Columns: Risk Ref.; Description of Risk; Initial Risk Rating (PxC); Mitigating Actions; Mitigated Risk Score; Mitigated RAG Rating

Risk Ref. 1
Description of Risk: Storage of identifiable data outside of approved locations
Initial Risk Rating (PxC): 3x3=9
Mitigating Actions: Implementation of MDM software to individual devices
Mitigated Risk Score: 2x3=6

Risk Ref. 2
Description of Risk: Transfer of identifiable data from CCG network
Initial Risk Rating (PxC): 4x3=12
Mitigating Actions: MDM software configured to disable network folder access
Mitigated Risk Score: 1x3=3

Risk Ref. 3
Description of Risk: Potential for identifiable data leakage
Initial Risk Rating (PxC): 3x4=12
Mitigating Actions: Staff training/CCG Policies re: usage to avoid incidents of human error, however no greater perceived potential than users working from non-mobile devices
Mitigated Risk Score: 2x4=8

Risk Ref. 4
Description of Risk: Device security
Initial Risk Rating (PxC): 4x4=16
Mitigating Actions:
- Implementation of MDM software to individual devices
- Requirement to enable the Find My iPhone app to devices should it be lost or stolen
- Requirement to ensure operating systems are up to date, and confirmation that devices are not jailbroken
- Limiting the choice of connectable devices as per the Information Commissioner's Office consideration that this step is one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security
Mitigated Risk Score: 2x3=6

Risk Ref. 5
Description of Risk: CCG Staff member leaves the organisation taking identifiable data with them
Initial Risk Rating (PxC): 3x3=9
Mitigating Actions: HR processes close down accounts and remove the MDM software
Mitigated Risk Score: 1x3=3

Risk Ref. 6
Description of Risk: Loss, Theft or Failure of Device
Initial Risk Rating (PxC): 3x4=12
Mitigating Actions: User requirement to report loss, theft or failure. MDM software configured to erase identifiable data upon notification.
Mitigated Risk Score: 3x2=6

APPENDIX 6

User Experience of the Pilot

From mid-August 2013 the CCG has piloted the implementation of MobileIron on personal devices for ten (9) users and eleven (11) devices. Two users piloted both phone and tablet devices. The pilot was limited to users with Apple devices as, together with SWCSU as the IT Provider, these were considered to be the most identifiable and robust devices to test. The spread of devices was as follows:

Device Type/Model | Number of Users
iPhone 3S | One
iPhone 4 | One
iPhone 4S | Four
iPhone 5 | One
iPhone 5S | One
iPad 2 | One
iPad 4 | One
iPad Mini | One

Over the twelve months of the pilot there have been no reported incidents of security software interference with users and no reported incidents of data loss, device loss or potential security breaches.

During the course of the pilot the proprietary operating system software was internationally updated twice. Whilst this worked without incident for iPad users, iPhone users reported twice daily text alerts (at various times of the day) of a reported passcode non-compliance. Whilst this has not affected device usage it has proved to be an annoyance and is likely to be resolved only when the final stable release of iOS7 is available AND MobileIron has implemented its update to match. (This occurred in January 2014)

Risk Assessment

The table below compares national guidance concerning nhs.net access with guidance from the Information Governance Team at the Commissioning Support Unit and the settings in MobileIron and the CCG.

Parameter | National Guidance 1 (nhs.net) | ISO27000 Security Standard | MobileIron Setting | Current CCG Device Setting | Recommended CCG Device Setting
Password | Required | Required | Required | Required | Required
Password Type | Complex | Complex - unless risk assessed | Simple | Simple | Simple
Maximum Inactivity Timeout | 20 minutes | 10 minutes | 30 minutes | 5 minutes | 5 minutes

Minimum Password Length Minimum Number of Complex Characters Maximum Number of Failed Attempts Maximum Passcode Age 8 characters (for nhs.net access) At least one from 3 of 4 categories -Uppercase -Lowercase -Numeric -Non-Numeric Password History 4 Synchronisation Encryption at Rest 6 characters Alpha-Numeric 4 characters Disabled 4 characters 4 characters Disabled but allowable at user discretion Disabled but allowable at user discretion days 90 days 40 days 40 days 90 days 4 based on age above month Not Limited Not limited Not limited 1 month n/a Enabled Enabled Enabled Enabled

Key: CCG Parameter meets or exceeds risk-based standard; CCG Parameter does not meet risk-based standard

1 Password Policy for Non-Spine Connected Applications, Good Practice Guideline, Connecting for Health, 2010 accessed via on 30/10/

One of the main priorities in the implementation of this policy has been to ensure, wherever possible, that the user is able to use the device in the manner to which they are accustomed without any apparent interference from the installation of MobileIron profiles. As such, the password type, minimum password length and complexity level of passcodes has been made mandatory but left at the discretion of the user.

In using this basic principle, the proposed mitigations to any perceived or real lack of security are to:

- Considerably reduce the inactivity timeout from 20 minutes to 5 minutes
- Increase the frequency of enforced passcode changes from 90 days to 40 days (from 4 to 9 times a year)
- Ensure only devices able to provide encryption at rest are permitted access.

Recommendations

The recommendations for further adjustments to increase security are to:

- Reduce the maximum number of failed attempts from 10 attempts to 5 attempts, with a view to reducing further to 3 attempts after a six-month review of implementation
- Amend the passcode history and maximum age parameters to meet national guidance. National guidance suggests a 90 day passcode age with no repeat for four passcodes. This equals 360 days between passcodes. Current MobileIron implementation is 200 days (40 day passcode with 5 histories).
- Set devices to only synchronise for one month.

Note: No network or personal folders are made available through access to email.

APPENDIX 7

MDM SOFTWARE DATABASE QUERIES


More information

How To Understand The Bring Your Own Device To School Policy At A School

How To Understand The Bring Your Own Device To School Policy At A School The Thomas Hardye School Bring Your Own Device to School (BYOD) Policy for Students Adopted by Personnel & Resources Committee 1 st September 2014 Review date: 31 st August 2015 Signed by Chair:. CONTENTS

More information

Service Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365

Service Schedule for BT Business Lite Web Hosting and Business Email Lite powered by Microsoft Office 365 1. SERVICE DESCRIPTION 1.1 The Service enables the Customer to: set up a web site(s); create a sub-domain name associated with the web site; create email addresses. 1.2 The email element of the Service

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Ensuring the security of your mobile business intelligence

Ensuring the security of your mobile business intelligence IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive

More information

Configure SLC Email to Smartphone/ Tablet

Configure SLC Email to Smartphone/ Tablet Configure SLC Email to Smartphone/ Tablet This is a manual that contains pertinent information about configuring your SLC Email to your smartphone/tablet. About Set up your email account on your smartphone/tablet

More information

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci www.deepsecurity.us

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci www.deepsecurity.us Emerging threats for the healthcare industry: The BYOD Revolution By Luca Sambucci www.deepsecurity.us Copyright 2013 Emerging threats for the healthcare industry: The BYOD REVOLUTION Copyright 2013 Luca

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

This policy outlines different requirements for the use of PSDs based on the classification of information.

This policy outlines different requirements for the use of PSDs based on the classification of information. POLICY OFFICE OF THE INFORMATION COMMISSIONER Use of portable storage devices 1. Purpose A Portable Storage Device (PSD) is a mobile device capable of storing and transferring digital information. Examples

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

How To Audit Health And Care Professions Council Security Arrangements

How To Audit Health And Care Professions Council Security Arrangements Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012 Electronic Messaging Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Retention

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

E-Mail Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience:

E-Mail Use Policy. All Staff Policy Reference No: Version Number: 1.0. Target Audience: E-Mail Use Policy Authorship: Barry Jackson Information Governance, Security and Compliance Manager Committee Approved: Integrated Audit and Governance Committee Approved date: 11th March 2014 Review Date:

More information

Network and Workstation Acceptable Use Policy

Network and Workstation Acceptable Use Policy CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY NETWORK SECURITY POLICY Policy approved by: Governance and Corporate Affairs Committee Date: December 2014 Next Review Date: August 2016 Version: 0.2 Page 1 of 14 Review and Amendment Log / Control Sheet

More information

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_00161706 Effective 2.0 1 of 7 Title: Corporate Information Technology Usage Policy Policy LDMS_001_00161706 Effective 2.0 1 of 7 AstraZeneca Owner Smoley, David Authors Buckwalter, Peter (MedImmune) Approvals Approval Reason Approver Date Reviewer Approval Buckwalter, Peter (MedImmune)

More information

Mobile Devices Security Policy

Mobile Devices Security Policy Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU

More information

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work. OWA vs. MDM Introduction SmartPhones and tablet devices are becoming a common fixture in the corporate environment. As feature phones are replaced with new devices such as iphone s, ipad s, and Android

More information