Bring Your Own Device (BYOD)




1. Introduction

This document outlines what the Council needs to consider in deciding whether or not to adopt the current trend (arising from the consumerisation of ICT) of using personal devices for work purposes, known as BYOD (Bring Your Own Device).

2. Background

A couple of independently run internal trials (Horsham D.C. and Mid Sussex D.C.) are in progress to investigate the business benefit of using iPads in the workplace, printing cost savings being one such benefit. The Horsham trial is currently ongoing and is being project managed through the Horsham Business Transformation Team; the Mid Sussex trial is project managed by the Members Services section. A recommendation report is going forward to the Mid Sussex senior management team week commencing 10th September.

With regard to BYOD, CenSus ICT (at Mid Sussex) are currently in the process of running a Proof of Concept against a couple of BYOD software tools that would be required to manage a BYOD service. It has not been possible to set dates for completing the Proof of Concept work, as the software tools are relatively new and CenSus ICT are dependent on the software suppliers to provide release dates for when the software is available for testing. The software tested so far, being relatively new, is rather clunky in operation and, if adopted now, may appear to ICT users as a backward step; future releases should overcome this problem.

The following are some indicative BYOD management licence costs:
350 user licence (probably shared across partnership) = 80,000
1 user licence = circa 235

3. BYOD Considerations

These sections summarise the considerations that need to be taken in the development of a BYOD service, taking into account security, legalities and the effect on the CenSus ICT service.

3.1 Policies
a. The Council's information security policy suite requires certain security controls in order to comply with legislation and codes of connection. Is it possible to match these controls on personal devices?
b. How will we enforce appropriate use policies on a personal device?
c. Do the current policies protect the Council whilst allowing for the use of BYOD?

c.1. No. Either a new Personal Device Use Policy is needed (as the current Information Security Policy Suite prohibits the connection of personal devices to the Council's network unless permission from CenSus ICT Services management has been received), or the existing Acceptable Use Policy and ICT Security Policy need updating to take account of any changes in the Council's approach to BYOD.

3.2 Legal
a. If the individual owns the device, then what rights does the Council have in respect of a personal device used for Council business?
b. What are the legal ramifications of the Council losing an individual's personal data?
c. What are the legal implications in relation to the Council's monitoring rules to meet its obligations under RIPA and the Computer Misuse Act? Monitoring may not be appropriate on a personal device.
d. Individuals should sign a waiver consenting to any activities deemed necessary and holding the Council harmless for any such damage, loss of use or data loss.

3.2.1 Investigations
a. What happens in the event of an investigation?
a.1. The captured data is likely to include the employee's / Member's private personal information. However, if the Council is not able to preserve data that may constitute evidence in litigation, it could face court sanctions.
b. It may be difficult to actually obtain access to or possession of the device (especially if the individual is the subject of an investigation).
c. The individual would be unable to use their personal device while it is being investigated (potentially by a third party on the Council's behalf).

3.3 Data Confidentiality
a. What if we didn't store any data on the device in the first place and used virtual desktops to ensure that Council data stays on the Council network?
b. The problem is that people want the integration, e.g. the ability to see all their personal and corporate e-mails and appointments in one view. So, if we do allow data to be stored on a device:
b.1. How do we effectively wipe Council data from a personal device when lost or stolen?

b.2. What happens if the individual leaves the Council and takes their BYOD with Council data on it to another company?
b.3. Does the Council have the ability to selectively wipe data from lost or stolen devices remotely, i.e. wipe Council data but preserve personal data?
c. How will we segregate personal and corporate data, and apply the necessary controls to protect sensitive Council information?
c.1. Do we accept a lesser set of controls and prohibit the storage of sensitive data on personal devices in the policy?

3.4 Technical

3.4.1 Device Management and Support
a. Which individuals will be permitted to use personal devices?
a.1. Bear in mind that some people handle personal information on behalf of other organisations due to shared services, e.g. CenSus Revenues and Benefits, Building Control and Crawley BC (CBC), Procurement (CBC, HDC and MSDC). Where this is the case, is our implementation of BYOD in accordance with any information sharing protocols or data exchange agreements?
b. Who manages the device? Individual versus Council.
c. Who supports the device? Individual versus Council.
d. Which devices will be permitted as part of the BYOD policy?
d.1. All personal devices?
d.2. Restricted to approved devices?
e. How will we effectively track and manage authorised personal devices and differentiate them from rogue devices?
f. How will we control what is installed on these devices, and how they are updated and patched?
g. What level of support will CenSus ICT Services offer across the huge number of new devices, across multiple OS platforms and carrier-specific implementations of each?
h. Where is the corporate information backed up to?
h.1. Use of a home backup system would not be permitted.
h.2. Council information should only be stored on the Council network.

3.4.2 Mobile Application Management
a. How will we securely distribute corporate mobile applications to personal devices?

b. How will we determine which platforms/devices to support from an application development standpoint?
c. Will we even have the right skills to support secure mobile application development?

4. For the Individual

This section outlines the implications that need to be fully understood by the individual who wishes to use their own device for Council business.

4.1 Personal Data Loss
a. Is the data in my device susceptible to automatic or remote deletion?
b. What events trigger the automatic deletion?
c. Is remote deletion part of the standard employee leaver process?
d. Is my approval sought or required for the remote deletion?
e. Is my personal data retained in case of automatic or remote wipe?
f. Does the Council provide a means to recover the personal data deleted?
g. Am I entitled to any reimbursement for the loss of personal content such as songs, videos or applications?

4.2 Personal Privacy
a. May I be required to produce my personal devices for forensic analysis?
b. Does this apply to devices shared with other family members?
c. Who will get access to the personal information stored in my device?
d. Is the Council able to track my location? Potentially yes. In exchange for using the corporate network, ICT may have the ability to locate your device at any time.
d.1. Under what circumstances can this happen?
d.2. Is my approval sought and required to track my location?
d.3. Do I get notified?
d.4. Are these systems active outside regular work hours?
e. Is my personal online activity whilst connected to the Council's Wi-Fi network monitored and logged?
f. Is this information retained when I leave the Council?

4.3 Device seizure and loss of use
a. Under what circumstances may I be asked to surrender my personal device?
b. Is the Council going to provide a replacement?
c. Who is responsible for backing up and restoring personal data and applications if the device is seized?
d. Under what circumstances can the Council initiate a remote lock of the device?
e. Is my approval sought and required?
f. What is the process to regain use of my device?

5. Recommendation

If a CenSus Partnership Authority chooses to go down the BYOD route, then it makes sense for BYOD to become a partnership project: a standardised approach is critical, as a disjointed approach to BYOD could seriously affect the CenSus ICT level of support. The relevant parties to be involved in a BYOD project are Business Transformation, CenSus ICT Services, the partnership Information Security Manager, Legal and Personnel services. A key factor is the development of a policy to support BYOD (together with appropriate standards, guidelines and procedures) to ensure that the Council does not increase its risk of an information security breach, which could result in financial and reputational penalties.

Main sources:
1. Article: The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device), Info Law Group
2. Blog: BringYourOwnIT.com - Consumerization, BYOD and Mobile Security