Bring Your Own Device (BYOD) Policy
|
|
- Wilfrid Warren
- 6 years ago
- Views:
Transcription
1 SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This policy outlines the processes and controls the Trust uses to facilitate a BYOD scheme to enable staff to use personal devices to access Trust resources. Bring Your Own Device, BYOD, Personal Devices, Mobile Working, Tablet, Smartphone, Good The policy relates to any staff member (or manages a staff member) who uses the Southern Health NHS Foundation Trust Bring Your Own Device (BYOD) scheme March 2019 or sooner if required. Approved and Ratified by: Information Governance Group (IGG) Date: 14/03/2016 Date issued: 22/03/2016 Author: Sponsor: Edward Purcell, ICT Security Specialist Helen Reading, Associate Director of Technology 1
2 Version Control Change Record Date Author Version Page Reason for Change 17/07/2015 Edward Purcell 1 All Original Draft 29/07/2015 Edward Purcell 1 All Updated Draft 28/01/2016 Edward Purcell 1 All Updated after feedback from A. Young and L. Barrington 11/02/2016 Edward Purcell 1 All Updated after feedback from P. Ballard Reviewers/contributors Name Position Version Reviewed & Date L. Barrington Head of Information Assurance 1 P. Ballard Head of ICT Operations 1 A. Young Service Desk and Desktop Support Team Leader 1 2
3 Contents 1. Introduction Scope Duties / Responsibilities Data Protection Physical Security Mobile Device Management Applying for the service Device Support Connecting Devices to the Trust Networks Reimbursement References and Associated Documentation... 8 Appendix 1 BYOD Request Form & Security Operating Procedures
4 Bring Your Own Device (BYOD) Policy 1. Introduction 1.1. The Trust aims to take advantage of the many benefits offered by new and emerging mobile technologies and, in line with the overall Trust strategy to facilitate a mobile and flexible workforce, seeks to enable the use of personal devices to access corporate data a scenario commonly referred to as Bring Your Own Device (BYOD) Along with the advantages of BYOD there are additional risks which must be effectively managed to protect the Trust, its staff, patients and the services and data on which they rely, against known and emerging threats. Any user of a personal device used to store and/or process Trust information shall comply with this policy in addition to the more general ICT Security Policy The key principle of BYOD is that the user owns, maintains and supports the device. This has advantages in terms of support requirements, although it also means that the data controller will have significantly less control over a BYOD device than it would have over a traditional corporately owned one. This policy outlines the controls, both process and technical, the Trust has in place to ensure data on non-trust devices remains secure and under the Trust s influence at all times. It also describes detailed instructions that must be followed whilst using a BYOD enabled device to carry out Trust related work 2. Scope 2.1. This policy applies to all Trust employees including voluntary workers employed under special contracts and employees of organisations contracted to the Trust who take part in the Trust BYOD scheme, it also applies to staff in management roles and whose team members are part of the scheme This policy focuses on smart phones and tablet computers, often categorised together as smart devices, and includes devices manufactured by a range of companies (Apple, HTC, Nokia, etc.) and running several different operating systems (Android, IOS, Win8.1, etc.). The important distinction is that these are personal devices and are not supported or maintained by Southern Health ICT services. 3. Duties / Responsibilities 3.1. Ultimately, responsibility for ICT Security rests with the Chief Executive who has delegated much of this responsibility to the Senior Information Risk Officer. Routinely, the ICT Security Specialist is responsible for developing, managing and implementing ICT Security policies/processes on a daily basis In addition to the responsibilities outlined in the Trust ICT Security Policy the ICT Department will: Ensure all requests to take part in the BYOD scheme are provisioned in line with the process outlined within this policy Ensure that all devices have a security policy applied which reflects the controls stated within this policy Provide advice on implementation of this policy as requested; 4
5 3.3. Line Managers are responsible for ensuring that: staff have an appropriate business need to be part of the BYOD scheme and give budgetary approval to cover the cost of the service staff authorised to take part in the BYOD scheme sign to confirm they have read and agree to the terms and conditions (appendix 1); staff comply with this policy and associated procedures; they take disciplinary action as appropriate against any member of staff in breach of this policy; notify any suspected breaches of this policy to the ICT Department; Immediately notify ICT if a staff member leaves the Trust or no longer requires BYOD; 3.4. Trust Staff, without exception, must: abide by this and associated policies & procedures; report any suspected breaches of this policy to their line manager or the ICT Department; understand that failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action; report the loss or theft of any BYOD enabled device to the Trust s ICT Service Desk at the earliest possible opportunity and in addition report the incident on the Trusts incident reporting system (Ulysses) inform the ICT department if BYOD is no longer required and access to the application will be removed and all data held within the application on the device will be deleted Report any lost or stolen devices to the ICT Service Desk immediately so that corporate data can be remotely wiped from the device. It will be the users responsibility to report the theft of their device to the police keep their username and password secret and not allow anybody else to access the information abide with the clauses of acceptable use outlined in both the Internet and Acceptable Usage Policy and the ICT Security Policy. 4. Data Protection 4.1. To fully take advantage of the benefits of BYOD the risks need to be mitigated and this can be achieved through process and technical controls. The overall objective is to remain in control of Trust data at all times and thus prevent breaches of confidentiality and/or data loss. Failing to adequately protect personal data is unlawful and in breach of the Data Protection Act (DPA), in particular Principle 7 which states; 5
6 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data The Trust has a legal duty to comply with the DPA and failure to comply could lead to an investigation by the Information Commissioners Office (ICO). The ICO have the power to uphold the DPA and can fine organisations up to 500,000 where appropriate controls have not been in place. 5. Physical Security 5.1. Owners shall accept full responsibility for the security of the device, taking necessary precautions to avoid loss, theft or damage. In the event of loss, damage or theft, they must report this immediately to the ICT Service Desk and the police if appropriate. In particular owners must: take all reasonable care to prevent the theft or loss of this device. take extra vigilance if using any BYOD device during journeys on public transport to avoid the risk of theft of the device or unauthorised disclosure of Trust stored information by a third party overlooking. not leave the device unattended for any reason whilst working on it unless the session is locked and it is in a safe working place, not left in an unattended room for example ensure that other non authorised users are not given access to the device or the data it contains 6. Mobile Device Management 6.1. The Trust uses the Good suite of products to facilitate BYOD for approved staff and this can be delivered with a range of features, from the basic starting point of /calendar/contacts, and building on this with additional features such as presence, instant messaging, and access to SharePoint and network shares The BYOD security policy pushed via Good to personal devices creates a separate workspace separating Trust data and Personal data (personal data in this instance relating to data owned by that individual, not to be confused with patient identifiable data). Policies enforced on a BYOD device are aimed at managing and controlling corporate data only and personal information held on the device should not be affected The Good workspace on the device is fully encrypted and any content or attachments contained within the corporate workspace cannot be saved outside of the application or locally on the device All data in transit, between the Good infrastructure and handheld device, is fully protected by encryption In order to prevent unauthorised access, the work space is password protected using an 8 character password and this is in line with the Trust s password policy which requires all passwords to meet the following criteria; at least 8 characters in length containing at least 1 upper and 1 lower case letter and containing at least 1 number or special character The previous 4 passwords should not be used. 6
7 6.6. Passwords must be changed at least every 90 days, but more frequently if required Passwords must be kept safe at all time and should never be shared with other Trust staff or family members The Good workspace on the device can be remotely wiped by the Trust at any stage if there is cause to think the device has been compromised in any way. This will remove the Trust data held within the Good workspace and should not interfere with any personal data on that device. The device can be remote wiped in any of the following scenarios; the device is lost on termination of employment after 5 failed login attempts a data or policy breach is detected 7. Applying for the service 7.1. All staff who wish to take advantage of BYOD should ensure that their device(s) are compatible with the Good application(s) prior to applying for the service. A list of compatible handset and operating systems in available on the Trust Intranet Any user seeking to connect a personally owned device must gain approval via their line management and this includes the provision of a budget code to meet the annual cost of the Good license. This should be done prior to the request being made to the ICT Service Desk and should be captured on the BYOD Request Form & Security Procedures Appendix There will be a cost for this service which is available on the Good request form and is subject to change should there be changes in the license costs All Good request forms should be returned to the ICT Service Desk to process, either via the usual service desk number or using the using the online portal this is done using the LogIT icon/shortcut that is on all users desktop All users are required to agree and sign the BYOD Terms and Conditions as found on the BYOD Request Form & Security Procedures Appendix After a licence is purchased and your user account is authorised on the system you will be sent instructions on how to add your device to the service. 8. Device Support 8.1. Personally owned devices are not supported by Southern Health ICT services. Staff should contact the device manufacturer or their carrier for operating system or hardware-related issues The support provided by the organisation for personal devices using Good is strictly limited to; Initial user registration Resetting user configuration and/or resending set up codes Removing/Deleting old or unused devices Remote wiping lost or stolen devices 7
8 8.3. Detailed guidance for Good has been created by the Technology teams and is available on the Intranet and covers all major functions, including; Download and installation of the Good app Initial registration and set up Resetting/re-configuring a device 8.4. The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable In the unlikely event that personal data on the BYOD device is affected or lost the Trust will not be held responsible or liable for any damages or compensation. 9. Connecting Devices to the Trust Networks 9.1. Currently personal devices are not permitted to connect to the Trust network whether directly or indirectly including wired or wireless connections to other Trusts devices such as PCs or Laptops. Therefore, no assumption should be made that individuals permitted to take advantage of the Trust BYOD service will be permitted to use Trust networks. This situation will be kept under review subject to the capability of the Trust networks to support additional devices using it. 10. Reimbursement The Trust will not reimburse the employee for the purchase or associated costs with the device regardless of whether this was incurred during Trust business. This includes, but not limited to; roaming charges, plan charges and overcharges, cost of applications for personal use. 11. References and Associated Documentation This policy should be read in conjunction with other relevant organisational Policies: ICT Security Policy Mobile Working Policy Internet and Policy Acceptable use policy The following documents have been used as reference material in the development of this policy. ICO BYOD Guidance: IGTK standard : Policy and procedures ensure that mobile computing and teleworking are secure -f91c-4b9f-bd8b-5f5a61ac20c4&svieworgtype=2&sdesc=acute+trust HSCIC Password Policy for Non-Spine Connected Applications 8
9 Appendix 1 BYOD Request Form & Security Operating Procedures User Details (All fields are mandatory) Name Job Title Contact Number Address Cost of Service One off set up cost - TBC on application Annual Support Charge - TBC on application Limitations/Disclaimers The user will need a smartphone or tablet on a personally owned contract with an adequate data plan or has access to non-trust Wi-Fi. The organisation will not reimburse any additional data charges incurred by the user. Personal devices are not supported by Southern Health ICT Services. Staff should contact the device manufacturer or their carrier for operating system or hardware-related issues. The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable. The application will not work accounts. Good for Enterprise is not supported on all mobile operating systems and staff should check the list of supported devices before applying for the service. Conditions of Use All staff enabled for BYOD will abide by this and associated policies and procedures. The physical security of the device is the user s liability but the Trust does expect that individuals take suitable precautions to protect the physical asset. For security reasons, nobody else, including friends or members of your family, should be permitted to use your ipad / iphone whilst the Good application is unlocked. Your account names and passwords are not to be divulged to anybody. Staff use personal devices at their own risk and the Trust are not liable for any costs associated with the loss or damage of devices. 9
10 Staff use their own devices at their own cost - Staff should have an adequate data plan - the Trust will not pay for excess data usage The Trust will remove GOOD and all associated data from personal devices if the device is lost or stolen or if the staff member leaves the Trust Report the loss or theft of any personal device that has been enabled for BYOD to the ICT Service Desk as soon as possible, preferably within 24 hours. Notify as soon as the staff member leaves the Trust Notify any suspected breaches of this policy to the ICT Department; Failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action. User Declaration I hereby declare that I have read and understood the above Security Operating Procedures (SyOPs) and agree to comply with all of the schedules contained herein. Signature Date Line Manager Authorisation (All fields are mandatory) I authorise the member of staff, as noted in 11.1, and I am satisfied that this policy and associated Security Operating Procedures have been read and clearly understood by the User. I accept the relevant charges against the budget code(s) provided below Name Job Title Contact Number Address Signature* Date Cost Centre Subjective Code *Not required if ed directly from manager s account Please return completed form to: telecoms@southernhealth.nhs.uk /
Data Encryption Policy
Data Encryption Policy Document Control Sheet Q Pulse Reference Number Version Number Document Author Lead Executive Director Sponsor Ratifying Committee POL-F-IMT-2 V02 Information Governance Manager
More informationDate Approved: Board of Directors on 7 July 2016
Policy: Bring Your Own Device Person(s) responsible for updating the policy: Chief Executive Officer Date Approved: Board of Directors on 7 July 2016 Date of Review: Status: Every 3 years Non statutory
More informationInformation Security BYOD Procedure
Information Security BYOD Procedure A. Procedure 1. Audience 1.1 This document sets out the terms of use for BYOD within the University of Newcastle. The procedure applies to all employees of the University,
More informationBRING YOUR OWN DEVICE: POLICY CONSIDERATIONS
WHITE PAPER BRING YOUR OWN DEVICE: POLICY CONSIDERATIONS INTRODUCTION As more companies embrace the broad usage of individual liable mobile devices or BYOD for access to corporate applications and data,
More informationBHIG - Mobile Devices Policy Version 1.0
Version 1.0 Authorised by: CEO Endorsed By: Chief Operations Officer 1 Document Control Version Date Amended by Changes Made 0.1 20/01/2017 Lars Cortsen Initial document 0.2 29/03/2017 Simon Hahnel Incorporate
More informationBring Your Own Device
Bring Your Own Device Individual Liable User Contents Introduction 3 Policy Document Objectives & Legal Disclaimer 3 Eligibility Considerations 4 Reimbursement Considerations 4 Security Considerations
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationRemote Working & Mobile Devices Security Standard
TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information
More informationPS 176 Removable Media Policy
PS 176 Removable Media Policy December 2013 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data
More informationPS Mailing Services Ltd Data Protection Policy May 2018
PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect
More informationBRING YOUR OWN DEVICE (BYOD)
BRING YOUR OWN DEVICE (BYOD) Bring your own device (BYOD) Some employees will often prefer to use their own personal mobile devices to access company networks/systems. However, this is potentially a security
More informationBring Your Own Device (BYOD) Policy
Bring Your Own Device (BYOD) Policy Document History Document Reference: Document Purpose: Date Approved: 22 nd September 2017 To set out the operating principles and security controls that apply to personal
More informationSAFE USE OF MOBILE PHONES AT WORK POLICY
SAFE USE OF MOBILE PHONES AT WORK POLICY Links to Lone Working Policy, Personal Safety Guidance, Lone Working Guidance, Information Governance Policy Document Type General Policy Unique Identifier GP31
More informationData Handling Security Policy
Data Handling Security Policy May 2018 Newark Orchard School Data Handling Security Policy May 2018 Page 1 Responsibilities for managing IT equipment, removable storage devices and papers, in the office,
More informationData protection policy
Data protection policy Context and overview Introduction The ASHA Centre needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees
More informationThe essential guide to creating a School Bring Your Own Device Policy. (BYOD)
The essential guide to creating a School Bring Your Own Device Policy. (BYOD) Contents Introduction.... 3 Considerations when creating a BYOD policy.... 3 General Guidelines for use (Acceptable Use Policy)....
More informationInformation Security Policy for Associates and Contractors
Information Security Policy for Associates and Contractors Version: 1.13 Date: 11 October 2016 Reference: 67972761 Location: Livelink Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...
More informationINFORMATION ASSET MANAGEMENT POLICY
INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives
More informationTrinity Multi Academy Trust
Trinity Multi Academy Trust Policy: Bring Your Own Device Date of review: October 2018 Date of next review: October 2020 Lead professional: Status: Director of ICT and Data Non-Statutory Page 1 of 5 Scope
More informationPolicies, Procedures, Guidelines and Protocols. John Snell - Head of Workforce Planning, Systems and Contributors
Policies, Procedures, Guidelines and Protocols Document Details Title Staff Mobile Phone Policy Trust Ref No 2036-39774 Local Ref (optional) N/A Main points the document Procurement, allocation and use
More informationDate of Next Review: May Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act
Date Approved: January 27, 2010-Board Date of Next Review: May 2023 Dates of Amendments: May 17, 2018 Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act
More informationINFORMATION TECHNOLOGY SECURITY POLICY
INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin
More informationComputer and Internet Use Policy
Computer and Internet Use Policy Author Simon Allan Date Written Autumn 2015 Review Date Autumn 2018 Date Ratified by the Governing Body Autumn 2015 Computer and Internet Use Policy Outline/Overview This
More informationCorporate Information Security Policy
Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed
More informationOctober 2016 Issue 07/16
IPPF: NEW IMPLEMENTATION GUIDES - IG 1100, IG 1110, IG 1111, IG 1120 and IG 1130 The IIA has released new Implementation Guides (IG) addressing the following standards: Standard 1100: Independence and
More informationDIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018
DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information
More informationBring Your Own Device Policy
Bring Your Own Device Policy 2015 City of Glasgow College Charity Number: SCO 36198 Page 1 of 9 Table of Contents 1. Introduction... 3 2. Purpose and Aims... 4 3. Scope... 4 4. Policy Statement... 5 4.1
More informationINFORMATION SECURITY AND RISK POLICY
INFORMATION SECURITY AND RISK POLICY 1 of 12 POLICY REFERENCE INFORMATION SHEET Document Title Document Reference Number Information Security and Risk Policy P/096/CO/03/11 Version Number V02.00 Status:
More informationGMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017
GMSS Information Governance & Cyber Security Incident Reporting Procedure February 2017 Review Date; April 2018 1 Version Control: VERSION DATE DETAIL D1.0 20/04/2015 First Draft (SC) D 2.0 28/04/2015
More informationMobile Working Policy
Mobile Working Policy Date completed: Responsible Director: Approved by/ date: Ben Westmancott, Director of Compliance Author: Ealing CCG Governing Body 15 th January 2014 Ben Westmancott, Director of
More informationUWTSD Group Data Protection Policy
UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful
More informationRemote Working Policy
[Type text] [Type text] [Type text] Information Management & Policy Services (IMPS) Remote Working Policy 1 Scope and definitions 1.1 This policy applies to all staff who use or access University systems
More informationGDPR Draft: Data Access Control and Password Policy
wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010
INFORMATION SECURITY POLICY EMAIL ACCEPTABLE USE ISO 27002 7.1.3 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-7.1.3 No: 1.0 Date: 10 th January 2010 Copyright Ruskwig
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationData protection. 3 April 2018
Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationData Breach Notification Policy
Data Breach Notification Policy Policy Owner Department University College Secretary Professional Support Version Number Date drafted/date of review 1.0 25 May 2018 Date Equality Impact Assessed Has Prevent
More informationWye Valley NHS Trust. Data protection audit report. Executive summary June 2017
Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act
More informationInformation Governance Incident Reporting Procedure
Information Governance Incident Reporting Procedure : 3.0 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 15 th February 2016 Name of originator /author (s): Responsible Committee /
More information<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy
Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Allowed Personally Owned Device Policy Every 2 years or as needed Purpose: A personally owned information system or device
More informationPolicy on the Provision of Mobile Phones
Provision of Mobile Phones Policy on the Provision of Mobile Phones Originator name: Section / Dept: Implementation date: Date of next review: Related policies: Policy history: Roger Stickland Approval
More informationTERMS & CONDITIONS PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SITE
TERMS & CONDITIONS PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SITE 1. General The term PPS refers to: Professional Provident Society Holdings Trust, (The Holding Trust); Professional
More informationInformation Security Incident
Good Practice Guide Author: A Heathcote Date: 22/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body
More informationEnviro Technology Services Ltd Data Protection Policy
Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:
More informationUse of Mobile Devices on Voice and Data Networks Policy
World Agroforestry Centre Policy Series MG/C/4/2012 Use of Mobile Devices on Voice and Data Networks Policy One of the policies on information security and business continuity which will be audited by
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationMobile configuration guide for NHSmail
Mobile configuration guide for NHSmail Version 3 Published July 2017 Copyright 2017Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Colin Sloey Implementation Date: September 2010 Version Number:
More informationCardiff University Security & Portering Services (SECTY) CCTV Code of Practice
Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date
More informationNOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.
TITLE MOBILE WIRELESS DEVICES AND SERVICES SCOPE Provincial APPROVAL AUTHORITY Alberta Health Services Executive SPONSOR Information Technology PARENT DOCUMENT TITLE, TYPE AND NUMBER Not applicable DOCUMENT
More informationMobile Computing Policy
Mobile Computing Policy Overview and Scope 1. The purpose of this policy is to ensure that effective measures are in place to protect against the risks of using mobile computing and communication facilities..
More informationCredentials Policy. Document Summary
Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017 1. Purpose and Scope The Royal Holloway Credentials Policy
More informationICT Portable Devices and Portable Media Security
ICT Portable Devices and Portable Media Security Who Should Read This Policy Target Audience All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data
More informationUlster University Standard Cover Sheet
Ulster University Standard Cover Sheet Document Title Portable Devices Security Standard 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information
More informationNEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?
NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationSample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.
Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring
More informationTELEPHONE AND MOBILE USE POLICY
TELEPHONE AND MOBILE USE POLICY Date first approved: 9 December 2016 Date of effect: 9 December Date last amended: (refer Version Control Table) Date of Next Review: December 2021 First Approved by: University
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationRationale: Why BYOD? BYOD Guidelines. BCR BYOD Agreement
Rationale: Why BYOD? At Brigidine College Randwick, our vision for learning fosters a love of deep learning, encourages students to think critically and creatively and provides a foundation for authentic
More informationMobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services
Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the
More informationPolicies Procedures & Guidelines. Mobile Device Policy. Version: 1.3. Date ratified: May Date issued: 21 June 2010 Review date: 15/01/2011
Policies Procedures & Guidelines Mobile Device Policy Version: 1.3 Ratified by: IM&T Steering Group Date ratified: May 2010 Name of originator/author: Urszula Niewiadomska Date issued: 21 June 2010 Review
More informationGM Information Security Controls
: Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5
More informationPCA Staff guide: Information Security Code of Practice (ISCoP)
PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation
More informationData Loss Assessment and Reporting Procedure
Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date:
More informationSTUDENTS BRING YOUR OWN DEVICE POLICY
STUDENTS BRING YOUR OWN DEVICE POLICY CRICOS Provider Code: 03425F Table of Contents Policy Statement... 2 1. Introduction... 2 2. Key Principles... 2 3. Student BYOD Agreement... 3 4. Cost... 3 5. Student
More informationThe purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy.
Policy Acceptable Use Guidance 1 Introduction This guidance compliments the University of East London s Acceptable Use Policy. It puts into perspective specific situations that will help you provide a
More informationEggar s School. BYOD Policy. Bring Your Own Device
Eggar s School BYOD Policy Bring Your Own Device Reviewer ICT Systems Manager Reviewed January 2018 New review date January 2019 Rationale The way in which we access information has changed in recent years
More informationInformation Security Controls Policy
Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes
More informationPolicy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.
London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate
More informationE-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019
Ormiston Academies Trust E-Security policy Date adopted: Autumn Term 2018 Next review date: Autumn Term 2019 Policy type Author Statutory James Miller OAT DPO Approved by Exec, July 2018 Release date July
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationUse of and Instant Messaging (IM) Policy
Use of Email and Instant Messaging (IM) Policy Name of Author and Job Title: Mike Cavaye, IT & Digital Consultant Name of Review/Development Body: IT Services Ratification Body: Quality and Safety Group
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationProcedure: Bring your own device
Procedure: Bring your own device Purpose This procedure defines the obligations for all authorised users who choose to connect a personally owned device to the University s network or who use their personal
More informationIT Security Standard Operating Procedure
IT Security Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance
More informationStopsley Community Primary School. Data Breach Policy
Stopsley Community Primary School Data Breach Policy Contents Page 1 Introduction... 3 2 Aims and objectives... 3 3 Policy Statement... 4 4 Definitions... 4 5 Training... 5 6 Identification... 5 7 Risk
More informationGovernance and Compliance Learning from the Private Sector. David Coverdale
Governance and Compliance Learning from the Private Sector David Coverdale Governance Challenges The Patient Journey CQC Business Continuity Policy QoF Data GDPR LHA2 GRC Training Risk IG BIA Resilience
More informationMobile / Smart Phone Policy
Mobile / Smart Phone Policy Policy reviewed by: Philippa Mills Review date: September 2017 Next review date: September 2018 School refers to Cambridge International School; parents refers to parents, guardians
More informationPILOT Palm Springs Unified School District PILOT BYOD PILOT Staff Mobile Device Agreement
PILOT Palm Springs Unified School District PILOT BYOD PILOT Staff Mobile Device Agreement Prior to accessing the Bring Your Own Device (BYOD) network, staff must initial each line, fill in the boxes, sign
More informationMade In Hackney Data Protection Policy Last Updated:
Made In Hackney Data Protection Policy Last Updated: 16.05.2018 Definitions Charity GDPR Responsible Person Register of Systems Made In Hackney (MIH), a registered charity. means the General Data Protection
More informationPOLICY 8200 NETWORK SECURITY
POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:
More informationData Sharing Agreement. Between Integral Occupational Health Ltd and the Customer
Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services
More informationIt s still very important that you take some steps to help keep up security when you re online:
PRIVACY & SECURITY The protection and privacy of your personal information is a priority to us. Privacy & Security The protection and privacy of your personal information is a priority to us. This means
More informationStandard mobile phone a mobile device that can make and receive telephone calls, pictures, video, and text messages.
Overview Fiscal Accountability Rule 10.9 Utilizing Mobile Devices to Conduct City Business establishes the mobile device rule for the City and County of Denver. This policy provides mobile device guidelines
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationAcceptable Usage Policy (Student)
Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationINFORMATION SYSTEMS SECURITY POLICY (ISSP)
INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationResponsible Officer Approved by
Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT
More informationCompany Policy Documents. Information Security Incident Management Policy
Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios
More informationSeven Requirements for Successfully Implementing Information Security Policies and Standards
Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationName of Policy: Computer Use Policy
Page: Page 1 of 5 Director Approved By: Approval Date: Reason(s) for Change Responsible: Corporate Services Leadership April 22, Reflect current technology and practice Corporate Services Leadership Leadership
More informationInformation backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013
Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal
More informationCell Phones PROCEDURE. Procedure Section: Business and Administrative Matters - Purchasing 607-A. Respectfully submitted by:
Matters - Purchasing PROCEDURE Effective: October 13, 2015 Respectfully submitted by: Kathleen O Flaherty, Assistant Superintendent of Business 1. Authorization Individuals may be authorized to receive
More information