Bring Your Own Device (BYOD) Policy

Transcription

1 Bring Your Own Device (BYOD) Policy Document History Document Reference: Document Purpose: Date Approved: 22 nd September 2017 To set out the operating principles and security controls that apply to personal devices that have been authorised to process organisational data. Approving Committee: Information Governance Management and Technology Committee Version Number: 2 Status: Approved Next Revision Due: 22 nd September 2019 Developed by: Policy Sponsor: Target Audience: Associated Documents: CCG Information Governance Leads, Nottinghamshire Health Informatics Service, Information Governance Management and Technology Committee Director of Outcomes and Information, Greater Nottingham CCGs This policy applies to any person directly employed, contracted or volunteering with the CCG All Information Governance Policies and the Information Governance Toolkit This information can be made available in alternative formats, such as easy read or large print, and may be available in alternative languages, upon request. Please contact or maccg.foi@nhs.net. 1

2 Revision History Version Date Summary of Changes 0.1 November 2013 First draft for consultation 0.2 November 2014 Second Draft NHIS capabilities statement for BYOD Mobile Device Management. 1.0 November 2016 No changes 1.1 August 2017 Reviewed by NHIS in line with NHS Digital guidance and best practice. 1.2 September 2017 Approved by Nottinghamshire Information Governance Management and Technology Committee 2.0 October 2017 Final version issued to all CCGs Policy Dissemination information Reference Number Title Bring your Own Device Policy Available from 2

3 Contents 1 Introduction Purpose Scope Duties and Responsibilities Organisational Policy Acceptable Use Devices and Support Reimbursement Security Risks/Liabilities/Disclaimers Equality and Diversity References... 9 Appendix One: Airwatch Provision of Corporate Bubble and Security Arrangements: Appendix Two: Bring Your Own Device Application Form BYOD - USER GUIDE Appendix Three NHSMail Account Management for Managers (Frequently Asked Questions)

4 1 Introduction This Policy applies to Nottinghamshire County Clinical Commissioning Groups (CCGs), subsequently referred to in this document as the CCG(s). They include: NHS Mansfield and Ashfield CCG NHS Newark and Sherwood CCG NHS Nottingham North and East CCG NHS Nottingham West CCG NHS Rushcliffe CCG The underlying feature of Bring Your Own Device (BYOD) is that the user owns, maintains and supports the device. This means that the data controller (the employing organisation) will have significantly less control over the device than it would have over a traditional corporately owned and provided device. Whilst ownership is not corporate, responsibility for the ownership of the data remains with the data controller. It is important to remember that the data controller must remain in control of the personal data for which they are responsible, regardless of the ownership of the device used to carry out the processing. Connection of a personally owned device to corporate networks is subject to all organisational policy in respect of information security and the protection of data and equipment as listed at section 5. 2 Purpose Bring Your Own device (BYOD) can be seen as a means of obtaining cost and resource efficiencies as the staff member may be providing the equipment e.g. Smartphone, Laptop etc. rather than the organisation purchasing this directly for them. The Bring Your Own Device Policy shall be used to enable appropriate controls and procedures to be enforced on personal devices that have been authorised to process NHS data. Mobile working solutions and VPN (Virtual Private Network remote connection) connections are only permitted on corporately owned devices, because of the significant support requirements, device management and encryption, in addition to end user training requirements. 3 Scope This policy applies to all employees (permanent, seconded, contractors, management and clinical trainees, apprentices, temporary staff and volunteers) of the CCG. Third Parties with whom the CCG may agree information sharing protocols will be governed by this policy and associated information sharing agreements. Any user seeking to connect a personally owned device, must gain authority via their line management structures to connect and provide a budget code to meet the cost of the 4

5 connection of the device to Airwatch, prior to the request being made to Nottinghamshire Health Informatics Service (NHIS) or through the NHS Customer Portal at Device Management and NHSmail NHSmail is the recommended system for transfer of personal confidential data (PCD) as the system is encrypted end-to-end. As a user of the NHSmail platform, individuals must operate in accordance to a clear set of guidance, policies and procedures to ensure the service is being used effectively, appropriately and safely. Every NHSmail user is required to accept the Acceptable Use Policy when they register for the service. For further guidance please see the Internet and policy. While it is recognised that one of the key benefits of NHSmail is that it can be accessed anywhere on any device via the Web application (OWA), staff choosing to access their NHSmail Web account on unencrypted, personal or non-work provided device must do so in line with the policy for Electronic Remote Working. Access under these circumstances is permitted for View Only purposes staff are advised to contact their Information Governance lead if further guidance is required. While using the NHSmail Web function staff must also abide by the following rules: a) Ensuring that if NHSmail is being accessed via the Web, staff must not auto save the password on their device; b) If accessing NHSmail Web on a personal device (such as an iphone) staff must ensure that a screen saver prompting a mandatory password is kept on the device at all times. If adding NHSmail Web as an app on to their device staff must contact Nottinghamshire Health Informatics Service to have AirWatch installed on the device prior to set up; c) Staff must be vigilant of the environment in which they access s and ensure confidentiality is maintained at all times (e.g. if accessing from a home computer ensure that no friends or family members are able to see s); d) Always check that NHSmail is logged out after use. As the personal device used to access NHSmail Web will likely not be encrypted staff must not save any s outside the secure web portal, access is permitted to merely view s or calendar. User guidance and frequently asked questions regarding use of NHS Mail is available at Appendix 3. Should an individual wish to use either a personal device to connect to NHSmail, or a mobile device that cannot be encrypted or allow the organisational policies to be applied, they must have approval from their own organisation to ensure compliance with local information governance policies. BYOD Policy applies Smart Phone Tablet/iPad Home Laptop 5

6 VPN connection* NO NO YES Access to Mail via app YES YES NO Access to Mail via Portal YES YES YES 4 Duties and Responsibilities The CCG has a legal duty to comply with the Data Protection Act The Accountable Officer is responsible for ensuring that the responsibility for data protection is allocated appropriately within the CCG and that the role is supported. All staff must adhere to CCG policies and procedures relating to the processing of personal information, and the data controller (organisation) must assure themselves that the technical solutions for the security of data are sufficient for the data being processed, specifically where these risks are increased through mobile working and personal ownership of devices. Specific policies of note for all BYOD users and authorisers are listed in section 5 below. All devices shall be configured and operated in accordance with this policy and the organisation shall determine which types of devices are relevant to this policy. NHIS will maintain a list of authorised devices. All users will be required to sign the Acceptable Use Policy at Appendix 2. The capability assessment of Airwatch is contained at Appendix 1, as information for the product which is the supported solution provided via NHIS for the effective provision of Bring Your Own Device (BYOD). 5 Organisational Policy This policy should be read in conjunction with other relevant organisational Policies, including but not limited to: Confidentiality and Data Protection Policy Electronic Remote Working Policy Information Risk Policy Information Security Policy Internet and Policy Safe haven Procedure The CCGs grant their employees the privilege of purchasing and using smartphones and tablets of their choosing at work for their convenience. The organisation reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined above. This policy is intended to protect the security and integrity of the CCGs data and guard against both data leakage and data loss. 6

7 6 Acceptable Use Employees remain subject to organisational policy and procedure in respect of personal conduct, data and information security, and physical security, including but not limited to those policies outlined above. Devices may not be used at any time to: Store or transmit illicit material Store or transmit proprietary information belonging to another organisation Harass others Engage in outside business activities The CCG has a zero-tolerance policy for texting or ing while driving and only handsfree talking while driving is permitted provided that it is safe and legal to do so. 7 Devices and Support NHIS Service Desk will discuss the connection of any device with the end user, to ensure that the device is authorised and can be connected prior to organisational authorisation and purchase of Airwatch licence and recurrent fee. In regard to support, personal owned devices are not organisationally supported devices. Only connectivity issues are supported by NHIS; employees should contact the device manufacturer or their carrier for operating system for hardware-related issues. NHIS will maintain a list of authorised devices that can be used as BYOD devices and will maintain a list of authorised users. 8 Reimbursement The CCG will not reimburse the employee for the cost purchase or associated with the device: including but not limited to: Roaming charges, plan charges and overcharges and applications for personal use. 9 Security Employees access to the organisation s data is limited based on user profiles defined by organisational policy and is automatically enforced. An essential element of maintaining the security of the data is that the BYOD applications are managed and controlled. In order to ensure that maximum protection is provided against malicious code, the permitted devices shall: Permit security patches and updates to be installed Be devices that shall enable the use of Mobile Device Management (MDM). 7

8 Users shall be required to update devices as soon as the update becomes available. The connection to the corporate bubble will be remotely wiped if: o the device is lost, o the employee terminates his or her employment, o NHIS or the CCG detect a data or policy breach, a virus or similar threat to the security of the organisation s data and technology infrastructure. For note for each organisation user and authoriser are associated risks of NHIS Service Desk Opening hours Mon Fri to 18.00, excluding public holidays. Devices lost, stolen or otherwise compromised during times when the service desk is closed are to be reported as soon as possible following the event. Organisations instructing NHIS to undertake mobile device management services do so with an understanding and acceptance of this risk. Provision of the corporate bubble includes a strong perimeter in that any content or attachments contained within the corporate bubble cannot be saved outside of the application or locally on the device, Any attempt to side step or circumvent security measures in place will be considered under the CCG disciplinary policies as outlined in policy requirements in section 5, for clarification this includes any attempt to screen capture or otherwise photograph content to enable its onwards transmission outside of security parameters. All users are required to report any incident on their BYOD as they would for any CCG IT equipment. 10 Risks/Liabilities/Disclaimers The organisation reserves the right to disconnect devices or disable services without notification should a security incident or risk occurs. The CCG reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy and those referenced as relevant in section 5. Lost or stolen devices must be reported to the NHIS Service Desk within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device. The employee is expected to use his or her devices in an ethical manner at all times and adhere to the CCGs related acceptable use policies as referenced in section 5. The employee is personally liable for all costs associated with his or her device. 11 Equality and Diversity 8

9 The CCG aims to design and implement policy documents that meet the diverse needs of our services, population and workforce, ensuring that none are placed at a disadvantage over others. It takes into account current UK legislative requirements, including the Equality Act 2010 and the Human Rights Act 1998, and promotes equal opportunities for all. This document has been designed to ensure that no-one receives less favourable treatment due to their personal circumstances, i.e. the protected characteristics of their age, disability, sex (gender), gender reassignment, sexual orientation, marriage and civil partnership, race, religion or belief, pregnancy and maternity. Appropriate consideration has also been given to gender identity, socio-economic status, immigration status and the principles of the Human Rights Act. In carrying out its functions, the CCG must have due regard to the Public Sector Equality Duty (PSED). This applies to all the activities for which the organisation is responsible, including policy development, review and implementation. 12 Due Regard This policy has been reviewed in relation to having due regard to the Public Sector Equality Duty (PSED) of the Equality Act 2010 to eliminate discrimination, harassment, victimisation; to advance equality of opportunity; and foster good relations. 13 References Information Commissioners Office Bring Your Own Device: NHS Digital To request connection of a Personally Owned device please go to: and select the option equipment, and BYOD Connection. 9

10 Appendix One: Airwatch Provision of Corporate Bubble and Security Arrangements: NHIS chose Airwatch as Industry leader in the support and maintenance of secure mobile access solutions: Enrol personal devices into Airwatch and enable employees to choose the most productive device Supports all operating systems and latest device models Isolate and protect corporate and personal information Configure policies and settings based on device ownership Configure what is collected based on the device ownership Locate, lock and perform and enterprise or full device wipe In connecting via Airwatch, mobile device management is available via organisation specific console, providing assurance of security, apps, status and last connection /update to the corporate network. Configuration specific to NHIS supported organisations has provided a MINIMUM criterion for the safe connection of devices ensuring that the configuration complies with organisational requirements and relevant UK Law. This MINUMIM criterion has been shared with all NHIS customers receiving Airwatch services. Enhancements to the MINIMUM are available, further details can be provided via the NHIS Business Relationships Team. NHIS MINIMUM mobile device management set up BYOD devices Corporate bubble delivering Outlook content only. Requirement Provisioned Managed Assured Secure Content Yes Group Policy : NHIS Standard Reporting Delivered Template available to Secure perimeter of Content Remote wipe / severance Password Reset enabled nominated CCG User Yes Group Policy: NHIS Standard Reporting Template available to nominated CCG User Yes Group Policy : NHIS Standard Reporting Template available to nominated CCG User Yes Individual Option; Can be mandated by NHIS GPS Tracking No Group Policy: NHIS Observance of Regulation of Investigatory Powers Act 2000 Standard Reporting Template available to nominated CCG User Standard Reporting Template available to nominated CCG User 10

11 Appendix Two: Bring Your Own Device Application Form Bring your Own Device Policy Statement Please note that all of the requirements below must be agreed prior to any connection to the NHIS managed networks, as a separate requirement to those relating to behaviours as stated by the individuals employing organisation. NHIS have provided support for Airwatch within existing Service Level Agreement Hours This means that any loss or compromise of devices outside of operational hours (Mon Fri, 9 5 excluding public holidays), must be reported by the service user on the next working day. Airwatch secures each device after 5 minutes of inactivity, minimising the risk of inappropriate access to corporate data, and this limitation is accepted by all customer organisations. The employing organisation has committed to supporting this process, by sharing HR starters and leavers information. At the close of employment, Airwatch will wipe content from the device. Requirement The mobile device remains your responsibility NHIS will not undertake fix / maintenance / replacement of your device. The device must be as factory settings i.e. not Jailbroken to be clear: Jailbreaking increases the risk of malware infection or hacking. A jailbroken device can be easily victimized by a Trojan or accessed remotely by an intruder. Any security measures provided by ios or installed third-party applications may be rendered inoperable or untrustworthy. The device must be included in the device listing of those which we can install Airwatch. Airwatch will be installed on the device, and the cost of this is to be met by: the individual / employing organisation * (delete as appropriate), and this mandates and enforces a 6 digit passcode to be in place at all times. Agreed (Yes or No) For NHIS Confirmation Signature of employee NHIS have the right to wipe the device if notified that security / access is compromised. Should the user input the incorrect passcode 11

12 Requirement in excess of the permitted number of attempts (5), Airwatch will automatically wipe the device. NHIS will take no responsibility for the loss / removal of any personal data held on the device associated with the operation of security on the device. If you lose your device then you must inform NHIS immediately if this is outside of operational hours, then on the next working day. Agreed (Yes or No) Signature of employee Employee Declaration I ( ) have read and understood the Bring Your Own Device Policy Statement and consent to adhere to the rules outlined. I understand this is in addition to any policy of my employing organisation in regard to mobile device access and behaviours. Employee Signature Date Print Name Manager Signature Date Print Name Managers Authorized Budget Code (agreed to be charged for Air watch license and annual support.) IT Admin Signature Date Print Name 12

13 BYOD - USER GUIDE Individuals will only be able to use their own IT equipment for official purposes if they have been given authorisation to do so. The use of personal IT equipment for work is termed Bring Your Own Device (BYOD) and includes devices such as: Laptop or MacBook Tablet or IPad Smartphone Work purposes is defined as Accessing your organisational i.e. work account Accessing, working on, storing and transmitting your organisations information data through a laptop, tablet or smartphone i.e. work documents Accessing your organisations Intranet, SharePoint or NHS/Social Care internal website Authorisation If an individual wishes to use their own device for work purposes, you will need your line manager and NHIS permission to do so. Devices should not be connected to the network until this permission has been received. There is a list of devices and operating systems that are authorised to be used as BYODs and the user will need to confirm that their device complies with the requirements. What do I need to know? Some or all of the following measures may be applied to your device: A passcode will be required for you to access your device. This is to ensure that it is you that is using the device. This is an authorisation procedure and will prevent anyone gaining access to the data on the device. A second passcode may be applied to use any of the applications on the device Your device will be set with a number of failed log in attempts after which the data will be remotely wiped of all data; this is usually between 3 and 5 failed login attempts You will be required to allow device patches and updates on your BYOD as soon as you are notified. These will appear as a prompt on your device and will come from NHIS If your BYOD is a smartphone your organisation will have installed Mobile Device Management (MDM) Airwatch on your device to control what can be loaded onto the device. This should not be removed. As your BYOD will be accessing, processing, transmitting and possibly storing work data that is potentially classified or sensitive, the device must be protected for the maximum classification of data that is processed on it. The organisations data handling procedures must be followed and the device treated as if it was a work device. 13

14 DO Protect the device lock it away when not in use Protect your passcode and any other passwords required for using the device Lock the screen when not in use DON T Leave the device in public areas, your car or around for other people to easily obtain it Share your passcode Lend it to friends, colleagues or family. What should I do if I lose my device? If your device has been lost or stolen, or you think its contents may have been compromised: Report it to your line manager as soon as possible Inform the NHIS Service Desk Treat the loss as an information security incident or data breach and report as indicated in your organisations Incident Reporting Procedure. 14

15 Appendix Three NHSmail Account Management for Managers (Frequently Asked Questions) Contents 1. New Member of Staff 1.1 How do I check if someone has an NHSMail Account? 1.2 I have a new member of staff that needs an NHSMail Account, how do I get one set up? 1.3 I have a new member of staff with an existing NHSMail account, what do I need to do? 2. Long Term Absence 2.1. I have a member of staff on long term absence, what do I need to do? 2.2. A member of staff has returned from long term absence, what should I do? 3. Amending an Account 3.1 How do I amend an NHSMail account? 3.2 I ve changed my name, will amending this change my address? 4. NHSMail Account Terminations 4.1. A member of staff is leaving the NHS what do I need to do? 4.2. A member of staff is leaving to work at another NHS organisation, what do I need to do? 4.3. I want the s created while in my organisation removing from a leavers account, what do I need to do? This document is designed to support managers with the process of managing NHSmail accounts for staff. NHS staff are permitted to have one publicly funded account. 15

16 1. New Member of Staff NHSmail accounts are transferrable between organisations. When a new member of staff is appointed it is therefore important to find out if they already have an NHSmail account before you request one from the Nottinghamshire Health Informatics Service desk. 1.1 How do I check if someone has an NHSmail Account? You can check for an existing NHSmail account on the NHSmail Portal using People Finder, alternatively you can search in the NHSmail global address list. Often the best approach is to ask the individual if they have an NHSmail account. 1.2 I have a new member of staff that needs an NHSmail Account, how do I get one set up? A new NHSmail account should be requested via the Nottinghamshire Health Informatics Service desk using the Nottinghamshire Health Informatics Service portal. At the top of the page access IT Accounts and select Request a New Account. On completion of the form you will be provided with a call reference number, when the account has been created you will be notified by . The mailbox owner will need to call the Nottinghamshire Health Informatics Service desk and quote the call reference number to obtain the account details. Please note the password on a newly created NHSmail account expires if the account is not activated within 30 days. 1.3 I have a new member of staff with an existing NHSmail account, what do I need to do? Before Nottinghamshire Health Informatics Service can add this account to your organisation the previous organisations IT service desk will need to mark the NHSmail account as a leaver, please advise the individual that if this hasn t already been done they need to action this before commencing their new role in the organisation. When the account has been marked as a leaver by the previous organisation, log into the Nottinghamshire Health Informatics Service portal and in the IT Accounts section select Amend an Account. Complete the form and in the Optional field at the bottom of the form add the existing NHSmail address. The service desk will join the account to the organisation. N.B If the user cannot remember the contact details of their previous IT department they should contact the NHSmail service desk and log a call for their account to be marked as a leaver. Please see section 4.3 for contact details. 16

17 2. Long Term Absence If an NHSmail account password is not changed within 90 days the account will be disabled, after a further 90 days the account is deleted. accounts for staff on long-term absence (e.g. maternity leave) need to be managed to ensure they are not deleted as part of this automated inactive account deletion process. 2.1 I have a member of staff on long-term absence, what do I need to do? Log into the Nottinghamshire Health Informatics Service portal and in the IT Accounts section select Delete an Account (you are not deleting the account). Enter the individual s name, Select the NHSmail 2 button then select continue. Complete the details section and in the drop-down box for Type of Leaver select Disable the account. This will hide the account from the address book, prevent the user from logging into the account, and keep the account available to be activated by the Nottinghamshire Health Informatics Service desk for 180 days. 2.2 A member of staff has returned from long-term absence, what should I do? Contact the Nottinghamshire Health Informatics Service desk on (Mitel 4040) and ask for their account to be enabled. If the individual requires a password re-set, they will need to contact the service desk personally. If the account has not been enabled for over 180 days Nottinghamshire Health Informatics Service will need to contact the national service desk with a request to re-instate the account. 3. Amending an Account If a member of staff changes their name, job role or phone number the Nottinghamshire Health Informatics Service desk should be contacted to amend the account. 3.1 How do I amend an NHSmail account? End staff are able to add and amend contact numbers linked to their NHSmail account, this is done by logging into the NHSmail Portal and BEFORE logging into , select the Profile link on the blue banner at the top of the page, from here you will be able to add and remove phone numbers. All other account changes e.g. name, job role and organisation, must be carried out by the service desk. Log into the Nottinghamshire Health Informatics Service portal 17

18 and select IT Accounts, select Amend an Account, complete and submit the changes form. 3.2 I have changed my name; will amending this change my address? The service desk can amend your name on your account by following the steps in section 3.1. The old address, with your previous name, will be held in the NHSmail portal, which means any s sent to your previous address will be automatically forwarded to your new address. 4. NHSmail Account Terminations When a member of staff leaves, it is important that the NHSmail account be removed from your organisation promptly. 4.1 A member of staff is leaving the NHS what do I need to do? Log into the Nottinghamshire Health Informatics Service portal, select the IT accounts section and then select Delete an Account; this will open a leaver form. Complete the form and at the end select in the type of leaver drop down box Mark as Leaver. As the account will not be joined to another NHS organisation, the account will be permanently deleted after 30 days. 4.2 A member of staff is leaving to work at another NHS organisation, what do I need to do? Log into the Nottinghamshire Health Informatics Service portal, select the IT Accounts section and then select Delete an Account, this will open a leavers form. Complete the form and in the type of leaver drop down box Mark as Leaver. The account can then be joined to the new NHS organisation by their IT service desk. They have 30 days in which to do this before the account is disabled. 4.3 I want the s created while in my organisation removing from a leavers account, what do I need to do? Firstly, you need to manage the account exactly as in point 4.2 above. For the s in the account to be deleted a call will need to be logged with the national service desk (Nottinghamshire Health Informatics Service are unable to delete data within accounts). The National NHSmail Helpdesk can be contacted on or helpdesk@nhs.net. 18