Bring Your Own Device (BYOD) Policy


SH IG 58

Information Security Suite of Policies

Bring Your Own Device (BYOD) Policy

Version 1

Summary: This policy outlines the processes and controls the Trust uses to facilitate a BYOD scheme to enable staff to use personal devices to access Trust resources.

Keywords (minimum of 5) (to assist policy search engine): Bring Your Own Device, BYOD, Personal Devices, Mobile Working, Tablet, Smartphone, Good

Target Audience: The policy relates to any staff member (or manages a staff member) who uses the Southern Health NHS Foundation Trust Bring Your Own Device (BYOD) scheme

Next Review Date: March 2019 or sooner if required.

Approved and Ratified by: Information Governance Group (IGG)
Date: 14/03/2016

Date issued: 22/03/2016

Author: Edward Purcell, ICT Security Specialist

Sponsor: Helen Reading, Associate Director of Technology

Version Control

Change Record

Date        Author          Version  Page  Reason for Change
17/07/2015  Edward Purcell  1        All   Original Draft
29/07/2015  Edward Purcell  1        All   Updated Draft
28/01/2016  Edward Purcell  1        All   Updated after feedback from A. Young and L. Barrington
11/02/2016  Edward Purcell  1        All   Updated after feedback from P. Ballard

Reviewers/contributors

Name           Position                                      Version Reviewed & Date
L. Barrington  Head of Information Assurance                 1
P. Ballard     Head of ICT Operations                        1
A. Young       Service Desk and Desktop Support Team Leader  1

Contents

1. Introduction
2. Scope
3. Duties / Responsibilities
4. Data Protection
5. Physical Security
6. Mobile Device Management
7. Applying for the service
8. Device Support
9. Connecting Devices to the Trust Networks
10. Reimbursement
11. References and Associated Documentation
Appendix 1 BYOD Request Form & Security Operating Procedures

Bring Your Own Device (BYOD) Policy

1. Introduction

1.1. The Trust aims to take advantage of the many benefits offered by new and emerging mobile technologies and, in line with the overall Trust strategy to facilitate a mobile and flexible workforce, seeks to enable the use of personal devices to access corporate data, a scenario commonly referred to as Bring Your Own Device (BYOD).

Along with the advantages of BYOD there are additional risks which must be effectively managed to protect the Trust, its staff, patients and the services and data on which they rely, against known and emerging threats. Any user of a personal device used to store and/or process Trust information shall comply with this policy in addition to the more general ICT Security Policy.

The key principle of BYOD is that the user owns, maintains and supports the device. This has advantages in terms of support requirements, although it also means that the data controller will have significantly less control over a BYOD device than it would have over a traditional corporately owned one.

This policy outlines the controls, both process and technical, the Trust has in place to ensure data on non-Trust devices remains secure and under the Trust's influence at all times. It also describes detailed instructions that must be followed whilst using a BYOD enabled device to carry out Trust related work.

2. Scope

2.1. This policy applies to all Trust employees, including voluntary workers employed under special contracts and employees of organisations contracted to the Trust, who take part in the Trust BYOD scheme. It also applies to staff in management roles whose team members are part of the scheme.

This policy focuses on smart phones and tablet computers, often categorised together as smart devices, and includes devices manufactured by a range of companies (Apple, HTC, Nokia, etc.) and running several different operating systems (Android, iOS, Win8.1, etc.). The important distinction is that these are personal devices and are not supported or maintained by Southern Health ICT services.

3. Duties / Responsibilities

3.1. Ultimately, responsibility for ICT Security rests with the Chief Executive, who has delegated much of this responsibility to the Senior Information Risk Officer. Routinely, the ICT Security Specialist is responsible for developing, managing and implementing ICT Security policies/processes on a daily basis.

In addition to the responsibilities outlined in the Trust ICT Security Policy the ICT Department will:

- Ensure all requests to take part in the BYOD scheme are provisioned in line with the process outlined within this policy;
- Ensure that all devices have a security policy applied which reflects the controls stated within this policy;
- Provide advice on implementation of this policy as requested.

3.3. Line Managers are responsible for ensuring that:

- staff have an appropriate business need to be part of the BYOD scheme and give budgetary approval to cover the cost of the service;
- staff authorised to take part in the BYOD scheme sign to confirm they have read and agree to the terms and conditions (appendix 1);
- staff comply with this policy and associated procedures;
- they take disciplinary action as appropriate against any member of staff in breach of this policy;
- notify any suspected breaches of this policy to the ICT Department;
- immediately notify ICT if a staff member leaves the Trust or no longer requires BYOD.

3.4. Trust Staff, without exception, must:

- abide by this and associated policies & procedures;
- report any suspected breaches of this policy to their line manager or the ICT Department;
- understand that failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action;
- report the loss or theft of any BYOD enabled device to the Trust's ICT Service Desk at the earliest possible opportunity and in addition report the incident on the Trust's incident reporting system (Ulysses);
- inform the ICT department if BYOD is no longer required; access to the application will be removed and all data held within the application on the device will be deleted;
- report any lost or stolen devices to the ICT Service Desk immediately so that corporate data can be remotely wiped from the device. It will be the user's responsibility to report the theft of their device to the police;
- keep their username and password secret and not allow anybody else to access the information;
- abide by the clauses of acceptable use outlined in both the Internet and Acceptable Usage Policy and the ICT Security Policy.

4. Data Protection

4.1. To fully take advantage of the benefits of BYOD the risks need to be mitigated, and this can be achieved through process and technical controls. The overall objective is to remain in control of Trust data at all times and thus prevent breaches of confidentiality and/or data loss. Failing to adequately protect personal data is unlawful and in breach of the Data Protection Act (DPA), in particular Principle 7, which states:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The Trust has a legal duty to comply with the DPA and failure to comply could lead to an investigation by the Information Commissioner's Office (ICO). The ICO have the power to uphold the DPA and can fine organisations up to £500,000 where appropriate controls have not been in place.

5. Physical Security

5.1. Owners shall accept full responsibility for the security of the device, taking necessary precautions to avoid loss, theft or damage. In the event of loss, damage or theft, they must report this immediately to the ICT Service Desk and the police if appropriate. In particular owners must:

- take all reasonable care to prevent the theft or loss of this device;
- take extra vigilance if using any BYOD device during journeys on public transport to avoid the risk of theft of the device or unauthorised disclosure of Trust stored information by a third party overlooking;
- not leave the device unattended for any reason whilst working on it unless the session is locked and it is in a safe working place, not left in an unattended room for example;
- ensure that other non-authorised users are not given access to the device or the data it contains.

6. Mobile Device Management

6.1. The Trust uses the Good suite of products to facilitate BYOD for approved staff and this can be delivered with a range of features, from the basic starting point of email/calendar/contacts, and building on this with additional features such as presence, instant messaging, and access to SharePoint and network shares.

The BYOD security policy pushed via Good to personal devices creates a separate workspace separating Trust data and personal data (personal data in this instance relating to data owned by that individual, not to be confused with patient identifiable data). Policies enforced on a BYOD device are aimed at managing and controlling corporate data only, and personal information held on the device should not be affected.

The Good workspace on the device is fully encrypted and any content or attachments contained within the corporate workspace cannot be saved outside of the application or locally on the device.

All data in transit, between the Good infrastructure and handheld device, is fully protected by encryption.

In order to prevent unauthorised access, the workspace is password protected using an 8 character password and this is in line with the Trust's password policy, which requires all passwords to meet the following criteria:

- at least 8 characters in length
- containing at least 1 upper and 1 lower case letter
- and containing at least 1 number or special character

The previous 4 passwords should not be used.

6.6. Passwords must be changed at least every 90 days, but more frequently if required.

Passwords must be kept safe at all times and should never be shared with other Trust staff or family members.

The Good workspace on the device can be remotely wiped by the Trust at any stage if there is cause to think the device has been compromised in any way. This will remove the Trust data held within the Good workspace and should not interfere with any personal data on that device. The device can be remote wiped in any of the following scenarios:

- the device is lost
- on termination of employment
- after 5 failed login attempts
- a data or policy breach is detected

7. Applying for the service

7.1. All staff who wish to take advantage of BYOD should ensure that their device(s) are compatible with the Good application(s) prior to applying for the service. A list of compatible handsets and operating systems is available on the Trust Intranet.

Any user seeking to connect a personally owned device must gain approval via their line management and this includes the provision of a budget code to meet the annual cost of the Good licence. This should be done prior to the request being made to the ICT Service Desk and should be captured on the BYOD Request Form & Security Procedures Appendix.

There will be a cost for this service which is available on the Good request form and is subject to change should there be changes in the licence costs.

All Good request forms should be returned to the ICT Service Desk to process, either via the usual service desk number or using the online portal; this is done using the LogIT icon/shortcut that is on all users' desktop.

All users are required to agree and sign the BYOD Terms and Conditions as found on the BYOD Request Form & Security Procedures Appendix.

After a licence is purchased and your user account is authorised on the system you will be sent instructions on how to add your device to the service.

8. Device Support

8.1. Personally owned devices are not supported by Southern Health ICT services. Staff should contact the device manufacturer or their carrier for operating system or hardware-related issues.

The support provided by the organisation for personal devices using Good is strictly limited to:

- Initial user registration
- Resetting user configuration and/or resending set up codes
- Removing/deleting old or unused devices
- Remote wiping lost or stolen devices

8.3. Detailed guidance for Good has been created by the Technology teams and is available on the Intranet and covers all major functions, including:

- Download and installation of the Good app
- Initial registration and set up
- Resetting/re-configuring a device

8.4. The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.

In the unlikely event that personal data on the BYOD device is affected or lost the Trust will not be held responsible or liable for any damages or compensation.

9. Connecting Devices to the Trust Networks

9.1. Currently personal devices are not permitted to connect to the Trust network whether directly or indirectly, including wired or wireless connections to other Trust devices such as PCs or laptops. Therefore, no assumption should be made that individuals permitted to take advantage of the Trust BYOD service will be permitted to use Trust networks. This situation will be kept under review subject to the capability of the Trust networks to support additional devices using it.

10. Reimbursement

The Trust will not reimburse the employee for the purchase or associated costs with the device regardless of whether this was incurred during Trust business. This includes, but is not limited to: roaming charges, plan charges and overcharges, cost of applications for personal use.

11. References and Associated Documentation

This policy should be read in conjunction with other relevant organisational policies:

- ICT Security Policy
- Mobile Working Policy
- Internet and Policy Acceptable use policy

The following documents have been used as reference material in the development of this policy.

- ICO BYOD Guidance:
- IGTK standard : Policy and procedures ensure that mobile computing and teleworking are secure -f91c-4b9f-bd8b-5f5a61ac20c4&svieworgtype=2&sdesc=acute+trust
- HSCIC Password Policy for Non-Spine Connected Applications

Appendix 1 BYOD Request Form & Security Operating Procedures

User Details (All fields are mandatory)

Name
Job Title
Contact Number
Address

Cost of Service

One off set up cost - TBC on application
Annual Support Charge - TBC on application

Limitations/Disclaimers

- The user will need a smartphone or tablet on a personally owned contract with an adequate data plan or has access to non-Trust Wi-Fi. The organisation will not reimburse any additional data charges incurred by the user.
- Personal devices are not supported by Southern Health ICT Services. Staff should contact the device manufacturer or their carrier for operating system or hardware-related issues.
- The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
- The application will not work accounts.
- Good for Enterprise is not supported on all mobile operating systems and staff should check the list of supported devices before applying for the service.

Conditions of Use

- All staff enabled for BYOD will abide by this and associated policies and procedures.
- The physical security of the device is the user's liability but the Trust does expect that individuals take suitable precautions to protect the physical asset.
- For security reasons, nobody else, including friends or members of your family, should be permitted to use your iPad / iPhone whilst the Good application is unlocked.
- Your account names and passwords are not to be divulged to anybody.
- Staff use personal devices at their own risk and the Trust are not liable for any costs associated with the loss or damage of devices.
- Staff use their own devices at their own cost - Staff should have an adequate data plan - the Trust will not pay for excess data usage.
- The Trust will remove GOOD and all associated data from personal devices if the device is lost or stolen or if the staff member leaves the Trust.
- Report the loss or theft of any personal device that has been enabled for BYOD to the ICT Service Desk as soon as possible, preferably within 24 hours.
- Notify as soon as the staff member leaves the Trust.
- Notify any suspected breaches of this policy to the ICT Department.
- Failure to comply with the rules and regulations contained in this policy, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action.

User Declaration

I hereby declare that I have read and understood the above Security Operating Procedures (SyOPs) and agree to comply with all of the schedules contained herein.

Signature
Date

Line Manager Authorisation (All fields are mandatory)

I authorise the member of staff, as noted in 11.1, and I am satisfied that this policy and associated Security Operating Procedures have been read and clearly understood by the User. I accept the relevant charges against the budget code(s) provided below.

Name
Job Title
Contact Number
Address
Signature*
Date
Cost Centre
Subjective Code

*Not required if emailed directly from manager's account

Please return completed form to: telecoms@southernhealth.nhs.uk


NOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section. TITLE MOBILE WIRELESS DEVICES AND SERVICES SCOPE Provincial APPROVAL AUTHORITY Alberta Health Services Executive SPONSOR Information Technology PARENT DOCUMENT TITLE, TYPE AND NUMBER Not applicable DOCUMENT

More information

Mobile Computing Policy

Mobile Computing Policy Mobile Computing Policy Overview and Scope 1. The purpose of this policy is to ensure that effective measures are in place to protect against the risks of using mobile computing and communication facilities..

More information

Credentials Policy. Document Summary

Credentials Policy. Document Summary Credentials Policy Document Summary Document ID Credentials Policy Status Approved Information Classification Public Document Version 1.0 May 2017 1. Purpose and Scope The Royal Holloway Credentials Policy

More information

ICT Portable Devices and Portable Media Security

ICT Portable Devices and Portable Media Security ICT Portable Devices and Portable Media Security Who Should Read This Policy Target Audience All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data

More information

Ulster University Standard Cover Sheet

Ulster University Standard Cover Sheet Ulster University Standard Cover Sheet Document Title Portable Devices Security Standard 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information

More information

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT? What the new data regulations mean for your business, and how Brennan IT and Microsoft 365 can help. THE REGULATIONS: WHAT YOU NEED TO KNOW Australia:

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring

More information

TELEPHONE AND MOBILE USE POLICY

TELEPHONE AND MOBILE USE POLICY TELEPHONE AND MOBILE USE POLICY Date first approved: 9 December 2016 Date of effect: 9 December Date last amended: (refer Version Control Table) Date of Next Review: December 2021 First Approved by: University

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

Rationale: Why BYOD? BYOD Guidelines. BCR BYOD Agreement

Rationale: Why BYOD? BYOD Guidelines. BCR BYOD Agreement Rationale: Why BYOD? At Brigidine College Randwick, our vision for learning fosters a love of deep learning, encourages students to think critically and creatively and provides a foundation for authentic

More information

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the

More information

Policies Procedures & Guidelines. Mobile Device Policy. Version: 1.3. Date ratified: May Date issued: 21 June 2010 Review date: 15/01/2011

Policies Procedures & Guidelines. Mobile Device Policy. Version: 1.3. Date ratified: May Date issued: 21 June 2010 Review date: 15/01/2011 Policies Procedures & Guidelines Mobile Device Policy Version: 1.3 Ratified by: IM&T Steering Group Date ratified: May 2010 Name of originator/author: Urszula Niewiadomska Date issued: 21 June 2010 Review

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

PCA Staff guide: Information Security Code of Practice (ISCoP)

PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Staff guide: Information Security Code of Practice (ISCoP) PCA Information Risk and Privacy Version 2015.1.0 December 2014 PCA Information Risk and Privacy Page 1 Introduction Prudential Corporation

More information

Data Loss Assessment and Reporting Procedure

Data Loss Assessment and Reporting Procedure Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date:

More information

STUDENTS BRING YOUR OWN DEVICE POLICY

STUDENTS BRING YOUR OWN DEVICE POLICY STUDENTS BRING YOUR OWN DEVICE POLICY CRICOS Provider Code: 03425F Table of Contents Policy Statement... 2 1. Introduction... 2 2. Key Principles... 2 3. Student BYOD Agreement... 3 4. Cost... 3 5. Student

More information

The purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy.

The purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy. Policy Acceptable Use Guidance 1 Introduction This guidance compliments the University of East London s Acceptable Use Policy. It puts into perspective specific situations that will help you provide a

More information

Eggar s School. BYOD Policy. Bring Your Own Device

Eggar s School. BYOD Policy. Bring Your Own Device Eggar s School BYOD Policy Bring Your Own Device Reviewer ICT Systems Manager Reviewed January 2018 New review date January 2019 Rationale The way in which we access information has changed in recent years

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Version 1 Version: 1 Dated: 21 May 2018 Document Owner: Head of IT Security and Compliance Document History and Reviews Version Date Revision Author Summary of Changes

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019 Ormiston Academies Trust E-Security policy Date adopted: Autumn Term 2018 Next review date: Autumn Term 2019 Policy type Author Statutory James Miller OAT DPO Approved by Exec, July 2018 Release date July

More information

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110 Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

Use of and Instant Messaging (IM) Policy

Use of  and Instant Messaging (IM) Policy Use of Email and Instant Messaging (IM) Policy Name of Author and Job Title: Mike Cavaye, IT & Digital Consultant Name of Review/Development Body: IT Services Ratification Body: Quality and Safety Group

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

Procedure: Bring your own device

Procedure: Bring your own device Procedure: Bring your own device Purpose This procedure defines the obligations for all authorised users who choose to connect a personally owned device to the University s network or who use their personal

More information

IT Security Standard Operating Procedure

IT Security Standard Operating Procedure IT Security Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance

More information

Stopsley Community Primary School. Data Breach Policy

Stopsley Community Primary School. Data Breach Policy Stopsley Community Primary School Data Breach Policy Contents Page 1 Introduction... 3 2 Aims and objectives... 3 3 Policy Statement... 4 4 Definitions... 4 5 Training... 5 6 Identification... 5 7 Risk

More information

Governance and Compliance Learning from the Private Sector. David Coverdale

Governance and Compliance Learning from the Private Sector. David Coverdale Governance and Compliance Learning from the Private Sector David Coverdale Governance Challenges The Patient Journey CQC Business Continuity Policy QoF Data GDPR LHA2 GRC Training Risk IG BIA Resilience

More information

Mobile / Smart Phone Policy

Mobile / Smart Phone Policy Mobile / Smart Phone Policy Policy reviewed by: Philippa Mills Review date: September 2017 Next review date: September 2018 School refers to Cambridge International School; parents refers to parents, guardians

More information

PILOT Palm Springs Unified School District PILOT BYOD PILOT Staff Mobile Device Agreement

PILOT Palm Springs Unified School District PILOT BYOD PILOT Staff Mobile Device Agreement PILOT Palm Springs Unified School District PILOT BYOD PILOT Staff Mobile Device Agreement Prior to accessing the Bring Your Own Device (BYOD) network, staff must initial each line, fill in the boxes, sign

More information

Made In Hackney Data Protection Policy Last Updated:

Made In Hackney Data Protection Policy Last Updated: Made In Hackney Data Protection Policy Last Updated: 16.05.2018 Definitions Charity GDPR Responsible Person Register of Systems Made In Hackney (MIH), a registered charity. means the General Data Protection

More information

POLICY 8200 NETWORK SECURITY

POLICY 8200 NETWORK SECURITY POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:

More information

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer Data Sharing Agreement Between Integral Occupational Health Ltd and the Customer 1. Definitions a. Customer means any person, organisation, group or entity accepted as a customer of IOH to access OH services

More information

It s still very important that you take some steps to help keep up security when you re online:

It s still very important that you take some steps to help keep up security when you re online: PRIVACY & SECURITY The protection and privacy of your personal information is a priority to us. Privacy & Security The protection and privacy of your personal information is a priority to us. This means

More information

Standard mobile phone a mobile device that can make and receive telephone calls, pictures, video, and text messages.

Standard mobile phone a mobile device that can make and receive telephone calls, pictures, video, and text messages. Overview Fiscal Accountability Rule 10.9 Utilizing Mobile Devices to Conduct City Business establishes the mobile device rule for the City and County of Denver. This policy provides mobile device guidelines

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

Acceptable Usage Policy (Student)

Acceptable Usage Policy (Student) Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

INFORMATION SYSTEMS SECURITY POLICY (ISSP)

INFORMATION SYSTEMS SECURITY POLICY (ISSP) INFORMATION SYSTEMS SECURITY POLICY (ISSP) Policy Number & Category IG 02 Information Governance Version Number & Date Version 3.7 February 2009 Ratifying Committee Date Approved March 2009 Next Review

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

Company Policy Documents. Information Security Incident Management Policy

Company Policy Documents. Information Security Incident Management Policy Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

Name of Policy: Computer Use Policy

Name of Policy: Computer Use Policy Page: Page 1 of 5 Director Approved By: Approval Date: Reason(s) for Change Responsible: Corporate Services Leadership April 22, Reflect current technology and practice Corporate Services Leadership Leadership

More information

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013 Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board Issued: September 2013 Document reference: 495A2013 Status of report This document has been prepared for the internal

More information

Cell Phones PROCEDURE. Procedure Section: Business and Administrative Matters - Purchasing 607-A. Respectfully submitted by:

Cell Phones PROCEDURE. Procedure Section: Business and Administrative Matters - Purchasing 607-A. Respectfully submitted by: Matters - Purchasing PROCEDURE Effective: October 13, 2015 Respectfully submitted by: Kathleen O Flaherty, Assistant Superintendent of Business 1. Authorization Individuals may be authorized to receive

More information