Ulster University Standard Cover Sheet

Transcription

1 Ulster University Standard Cover Sheet Document Title Portable Devices Security Standard 1.5 Custodian Approving Committee Deputy Director of Finance and Information Services (Information Services) Information Services Directorate (ISD) Policy approved date Policy effective from date Policy review date Changes to previous version Page 4 Added for staff

2 INTRODUCTION AND BACKGROUND The purpose of this document is to define University standards for the security of portable devices - both University owned and supplied (UOS), or Privately Owned (PO) that connect to the University s data networks, systems and services, or that store University sensitively classified information. Portable devices taken outside secure University environments are subject to special security risks: they may be lost or stolen and may be exposed to unauthorised access or tampering. Portable devices taken abroad may also be at risk of being confiscated by airport security, police or customs officials. Portable devices include: Laptops Tablets, slates and pads Netbooks Smartphones PDAs and MP3 players E-Book readers The loss of a portable device may mean not only the loss of availability of the device and its data, but may also lead to the disclosure of University sensitively classified information. This loss of information will often be considered more serious than the loss of the physical asset. Further information on ISD policies, standards and guidelines is available at: RELEVANT LEGISLATION The University will comply with all legislation and statutory requirements relevant to information and information systems, including: Computer Misuse Act 1990 Data Protection Act 1998 Communications Act 2003 Copyright, Designs and Patents Act 1988 Freedom of Information Act 2000 Human Rights Act 1998 Regulation of Investigatory Powers Act 2000 The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ( the Lawful Business Regulations ) Page 1 of 5

3 AIMS, PURPOSE AND SCOPE OF THE STANDARD This standard aims to protect University sensitively classified information accessed or stored through the use of UOS or PO portable devices. The scope of the standard includes UOS, and PO portable devices that connect to the University s data networks, systems and services, or that store University sensitively classified information. DEFINITIONS AND CLARIFICATION The term: 1. University owned and supplied (UOS) refers to those portable devices purchased, owned and supplied by the University. Whether out of a general or project-related budget. 2. Privately Owned (PO) refers to privately owned portable devices not purchased, owned or supplied by the University. 3. University sensitively classified information refers to University information with a protective marking other than OPEN (ie. classified PROTECT or CONTROL). 4. Booting refers to the process that starts operating systems when the user turns on a computer system. The boot sequence is the initial set of operations that the computer performs when power is switched on. 5. ActiveSync and Microsoft Exchange ActiveSync (EAS) refer to the Microsoft Exchange facility that allows the synchronization of messages, calendars and contact lists with portable devices. PROCEDURE Even when protected by disk encryption, unauthorised access and tampering with a portable device, particularly if there are repeated opportunities for access, may: lead to compromise, possibly continuing and/or undetected, of information on the device lead to compromise, continuing and/or undetected, of information assets to which the device is connected, for example through stored file share links, cached passwords etc. undermine security measures (including encryption); intended to protect information on the device in the event of loss or theft IMPLEMENTATION PHYSICAL SECURITY 1. Users shall assure possession and physical control of all portable devices: a. Reasonable steps shall be taken to minimise risk of device theft. When travelling and not in use, users shall ensure that portable devices are stored securely. For example, when travelling by car, ensure portable Page 2 of 5

4 devices are not visible and/or locked in the boot. Devices left on display and unattended will inevitably attract attention and are likely to be stolen. b. Portable devices should not be left in the care of any person who is not trusted to protect the information it contains c. Portable devices should not be left unattended 2. Use anonymous bags or cases. It is good practice to carry laptops in protective anonymous bags or cases (i.e. those without manufacturer logos on them) when not in use. 3. Lost or stolen devices shall be reported immediately Portable devices that store University sensitively classified information that are lost or stolen should be immediately reported to the ISD Service Desk for escalation. In particular, smartphones that use ActiveSync or otherwise store e- mail need to be reported immediately and require to be disabled remotely. Due to their inherent mobility and vulnerabilities, smartphones should be regarded as uncontrolled endpoints, whether UOS or PO. 4. Secure storage and portable device encryption The requirement and detail for encryption of portable devices containing University information is given in the document Secure Storage and Archival Code of Practice. 5. Labelling Tamper-proof labels should be fitted to UOS portable devices for asset identification. 6. Minimise sensitive information on portable devices University sensitively classified information stored on portable devices should be kept to the minimum required for effective business use in order to minimise the risks and impacts should a security breach occur. 7. Eavesdropping Users shall be aware that when viewing confidential or sensitive information, others may be able to view screen contents. SOFTWARE SECURITY 1. Booting of devices from portable storage Portable Devices capable of booting from portable storage should have this ability disabled. Such devices should be configured to boot from the local hard disk or network only. Page 3 of 5

5 2. synchronisation Microsoft Exchange ActiveSync (EAS) shall be the sole protocol supported for portable device synchronisation with the University service. 3. Portable device security requirements Portable devices used to access: University using the Microsoft Exchange ActiveSync protocol; Networked information stores containing University sensitively classified information; Locally stored University sensitively classified information; shall be required to support and implement for staff: 1. Remote device locking This is the ability to send a command to a device which will remotely lock the device. 2. Remote wipe/data removal This is the ability to send a command to a device which will remotely erase all data from the device. 3. Device access control by password/pin protection A password/pin shall be required to access the device which will comply with a minimum password length, timeout and maximum number of password attempts configuration parameters. 4. Encryption Data on the device shall be encrypted. 5. Security and Anti-Malware The latest security and anti-malware updates shall be configured and installed. NETWORK SECURITY The use of portable devices will be monitored: To ensure acceptable use; To safeguard integrity, security and availability; To facilitate capacity planning and optimize performance; To assist in fault investigation and incident handling; To investigate any suspected or actual breaches of University policy, unauthorised use or criminal activity; To gather evidence for investigative or disciplinary purposes; To facilitate any other legal and security purposes. Page 4 of 5

6 Details of monitoring for acceptable use are contained in the University s IT Monitoring Policy and IT Monitoring Code of Practice. OTHER RELEVANT POLICIES Acceptable Use Code of Practice Secure Storage and Archival Code of Practice Protective Marking Standard IT Monitoring Policy IT Monitoring Code of Practice CONTACTS AND FURTHER INFORMATION Portable devices that store University information classified PROTECT or CONTROL that are lost or stolen should be immediately reported to the ISD Helpdesk for escalation. Page 5 of 5