Information Security BYOD Procedure


A. Procedure

1. Audience

1.1 This document sets out the terms of use for BYOD within the University of Newcastle. The procedure applies to all employees of the University, including permanent and temporary staff, contractors, affiliates and students of the University.

1.2 It affects any device or accompanying media that you may use to access the systems and data of the University, whether they are used within or outside your standard working or study hours.

2. Purpose

2.1 Technology is part of the everyday life of the modern University worker. Consumer technology is evolving quickly and is often more advanced than the technology available in the workplace. Employees increasingly prefer to use their own smartphones, tablets and other devices to access corporate information. Empowering them to do so supports greater workplace mobility and flexibility.

2.2 The purpose of this procedure is twofold. Firstly, it aims to allow you to bring your own device (BYOD) for business purposes. You can access University information when and where you need to do so. Secondly, the procedure aims to ensure that University systems and data are protected from unauthorised access, use or disclosure.

2.3 This BYOD Procedure has been informed by the NSW Government Mobility Solutions Framework. The Framework assists in defining the University's specific mobility strategy and

3. Terms and Conditions of BYOD Use

3.1 The purpose of this procedure is to allow you to use a BYOD if you wish to do so, while also ensuring you take steps to minimise the risk of unauthorised access to University systems or unauthorised use or disclosure of the data held by the University.

3.2 You must review this procedure before using any BYOD. Your acceptance of the terms of the Conditions of Use Policy also constitutes acceptance of the terms of this BYOD procedure.

3.3 Acceptance indicates agreement to the following standard terms:

(a) Acceptable BYOD: Any device may be considered for use as a BYOD providing it meets the minimum requirements set out in this document. In general, an acceptable BYOD would be one of the devices listed in the document referenced in the definition at part 2.1 of this procedure.

(b) Minimum requirements: The burden of proof for meeting minimum requirements rests with you, the device owner.

(c) Matching our requirements and your needs: BYOD capabilities and device profiles must match University requirements as well as the scenarios where you need to use a device for work. For example, if you are usually a consumer of information when mobile, the profile of a tablet or smartphone would be a good match. If you are a creator of information, a laptop or desktop profile would be a better match.

(d) Authority: You agree to provide limited authority over the device for the sole purpose of protecting University data and access on the device. This authority includes permission to wipe the device in the event of loss or disposal. This may include personal data, address books and e-mail depending on the data classification of information locally stored, the device and whether an MDM tool is used. The authority is to remain in place from the time the device is registered until it is deregistered.

(e) Security: You are responsible for ensuring that your personal device is adequately secured against loss, theft or use by persons not authorised to use the device.

(f) Support: You are responsible for replacing, maintaining and arranging technical support for your BYOD. The University will only provide best efforts support for any applications that the University has provided and for network connection troubleshooting.

(g) Access at University's discretion: Access to University systems and data is provided at the sole discretion of the University. Your access may be revoked at any time and for any reason.

(h) Enforcement: All breaches of this procedure will be treated seriously. If you are found to have been in breach you may be subject to disciplinary action.

4. Requirements

4.1 Bring your own device minimum requirements

(a) The table below summarises the University's minimum requirements for BYOD.

Function: Minimum requirement

Configuration management
  Operating systems: Your device must use a legitimate operating system that meets the defined minimum standards (i.e. you may not use a jailbroken device).
  Network authentication: Network authentication is subject to the University's requirements, being 802.1x for wireless or wired connection, and authentication via an SSL VPN for remote access to the network.
  Password protection/user authentication: Your device will support password authentication and automatic locking, which must be used at all times.
  Automatic device lock: Your device must have the automatic lock enabled.
  Device hygiene: Your device must have appropriate and up-to-date anti-virus and anti-spyware installed.
  Lost and stolen devices: If your device is lost or stolen you must report the loss or theft immediately to the 17000 IT Service Desk.
  Mobile device disposal: Any University data on your device must be removed from the device at the end of its use within the University environment.
  Software licensing: Operating systems and applications running on or required by the BYOD will be your sole responsibility as the device owner.

Security management
  Mobile device management (MDM): The University has the ability, through the MDM capabilities of Office 365, to enforce certain policies on mobile devices, including BYOD, to ensure the security of University data. This includes, but is not limited to, enforcing screen locks, PIN codes and the ability to remotely wipe University data.

Service management
  BYOD authority: If your device is used for BYOD, and linked to the University's Office 365 platform, you agree to surrender limited authority over the device for the sole purpose of protecting University data and access on the device.
  Mobile device application control: The University has implemented an MDM solution through Office 365, and has the ability to push and remove University data from your device to enhance its security or manageability.
  Device support: You and the device issuer are responsible for supporting your device.

5. Device Registration, Configuration and Management

5.1 Your BYOD will be automatically registered within Office 365 upon first connection to the Exchange email service.

5.2 A limit may apply to the number of devices that can be registered.

5.3 You acknowledge that the University will directly and/or remotely change security configurations of the device to protect University data and software stored on the device. These changes may include but are not limited to:

(a) Refusal to register a device that fails minimum requirements (outlined above) or that currently has installed banned software and services listed at https://uonau.service-now.com/kb_view.do?sysparm_article=kb0020238.
(b) Configuring certain security settings.
(c) Preventing the user from changing certain security settings.
(d) Applying a login code with an acceptable level of complexity to enable secure access to the device.
(e) Automatically locking the device after an inactive timeout period (you will need to re-enter the login code).
(f) Installing software and digital certificates necessary to maintain security.
(g) Encrypting data stored on the device.
(h) Automatically wiping the device (either all code and data OR all University code and data, depending upon University MDM, device capabilities and specific requirements) after a specific number of failed login attempts.
(i) Should any configurations be removed that are required for proper use of the device with University systems, these may be re-applied, or access to University systems, information and data will be prevented if the configurations cannot be maintained.

5.4 You acknowledge that any University data stored on the BYOD remains the sole property of the University and that you have an obligation to protect the security of the data.

5.5 You acknowledge that the University has a right to inspect University data held on your personal BYOD.

5.6 You understand that the University may remotely monitor your device to ensure security and software configurations are maintained.

5.7 You will not be prevented from installing the software or applications of your choice on your device. However, the University may block your access to University ICT services if any software/applications/data present a threat to University ICT services, information or data.

6. Device Usage and Support

6.1 The service and its use are at your sole discretion and risk.

6.2 The University does not impose a charge on you for registering your device.

6.3 You are responsible for supporting your device. The University will only provide limited support for any applications the University has provided.

Support item: Responsibility

Support
  Physical provisioning: BYOD
  Replacement of defective/damaged device: BYOD
  Operating system support including licensing: BYOD
  Application support of device including licensing: BYOD
  University provided/supported mobile applications: 17000 IT Service Desk
  University provided/supported thin-client applications: 17000 IT Service Desk

Device connectivity / access
  Mobile internet: BYOD
  Home internet / broadband: BYOD
  VPN client: 17000 IT Service Desk
  University wireless: 17000 IT Service Desk

6.4 The University is not responsible for any costs incurred by your use of your BYOD. The University will not reimburse any voice or data charges, software or application acquisition fees, or support or insurance costs associated with your device.

6.5 The University is not responsible for any inconvenience that you may experience in connection with using University ICT services on your BYOD.

6.6 You have sole responsibility for ensuring no other person has access to University software or data stored on your BYOD.

6.7 The University will not monitor the phone call or text message history of a BYOD. Where needed (for example, in the case of a disciplinary matter) the call and text messages may be requested.

6.8 The University will not monitor the web browser history on your BYOD when not connected to University network(s), unless the web traffic is directed through the University's network infrastructure.

6.9 The University may restrict access to internet websites, services or other elements for operational or policy reasons while your BYOD is connected to University networks, including either wireless or cabled connections.

6.10 The University may monitor your use of your BYOD while it is connected to the University network. This information may be collected and archived and may be subject to public access.

6.11 You are responsible for abiding by all licence terms and conditions applicable to any software, apps, data or information provided by the University to your BYOD.

6.12 You acknowledge that your use of a BYOD may involve the University:

(a) Preventing you from accessing University ICT services.
(b) Locking your device.
(c) Wiping personal data from your device in accordance with the following circumstances:
  (i) Your BYOD is reported as being lost/stolen to the 17000 IT Service Desk.
  (ii) You cease employment/contract or studies with the University.
  (iii) There is a suspected security breach; examples include, but are not limited to, modification of the device's operating system, breaching University policies, or detection of viruses or malware on the device.
  (iv) The University may lock your device to prevent access to University information or data.
  (v) Preventing your device from connecting to University ICT services.
  (vi) Applying either a full or selective wipe of your BYOD.
  (vii) Applying a manual selective wipe of your BYOD.

6.13 While the University will make all reasonable effort to ensure service is available, the University does not guarantee that access to University ICT services, information or data will be available at all times.

6.14 If your BYOD is lost or stolen, you are responsible for reporting the event as soon as practicable to the 17000 IT Service Desk on +61 2 492 17000. You must also:

(a) undertake a device wipe as soon as practicable via the Office 365 portal or via a personal configuration/management utility;
(b) take reasonable steps to ensure that it is replaced as quickly as possible.

7. Protection of University data on your BYOD

7.1 University information, documents, and data classified as Highly-Restricted or that are subject to legal or professional privilege must not be stored on BYODs and/or unapproved cloud-based services.

7.2 University data must only be backed up to approved locations within University systems.

7.3 You should check your device to ensure that automated cloud backup is disabled.

7.4 You should take reasonable steps to reduce the risk of losing your personal data. You may, for example, store your personal data separately from University data through file partitions or by using a separate memory card.

7.5 You are responsible for backing up and restoring the data and configuration settings of your BYOD. Personal data is not to be backed up to or stored by the University. The University is not responsible for any personal loss or damage you may suffer by actions undertaken by the University to protect University data stored on your BYOD.

8. Device Deregistration

8.1 The University, at its own discretion, may deregister any BYOD at any time without warning.

8.2 The University may deregister a BYOD that has not consumed University ICT services for more than 12 months.

8.3 You can deregister your BYOD at any time by visiting the Office 365 portal at https://outlook.office.com/owa/?path=/options/mobiledevice

8.4 You will no longer be able to connect to University ICT systems and data, unless the device is re-registered.

8.5 You are encouraged to remove any personal data if you are intending to dispose of your BYOD. If you intend to sell or gift the device to another person you should ensure that it is wiped.

B. Procedures (if required)

1. Purpose/Summary
1.1 Max 3 dot points
2. Heading
2.1 Paragraph
(a) Sub-paragraph

C. Guidelines (if required)

1. Purpose/Summary
1.1 Max 3 dot points
2. Heading
2.1 Paragraph
3. Heading
3.1 Paragraph

4. Definitions in the context of this procedure

Defined Term: Meaning

Application: Computer software designed to assist end users to carry out useful tasks. Examples of applications may include the Microsoft Office suite of products or smartphone applications such as Google Maps.

Bring Your Own Device (BYOD): Any electronic device owned, leased or operated by an employee, contractor, affiliate or student of the University which is capable of storing data and connecting to a network, including but not limited to mobile phones, smartphones, tablets, laptops, personal computers and netbooks.

Data: Any and all information stored or processed through a BYOD. University data refers to data owned, originating from or processed by University systems.

Device hygiene: BYOD must have appropriate and up-to-date hygiene solutions installed. Device hygiene includes anti-virus, anti-spam and anti-spyware solutions.

Minimum requirements: The minimum hardware, software and general operating requirements for a BYOD.

Mobile Device Management (MDM): Solution which manages, supports, secures and monitors mobile devices.

Mobility Framework: The NSW Government Mobility Solutions Framework. The Framework provides information and technical guidance to agencies when procuring mobility solution services.

Personal information: Personal information is defined by s 6(1) of the Privacy and Personal Information Protection Act 1988 (NSW): Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Wipe: A security feature that renders the data stored on a device inaccessible. Wiping may be performed locally, via an MDM product, or remotely by a network administrator.

5. Related Documents

5.1 This procedure supplements the University's Information Technology Conditions of Use Policy.

5.2 You should also have regard to the following statutory rules, policy documents and standards. They provide direct or related guidance for the use of technology and the collection, storage, access, use and disclosure of data by the University and NSW public sector agencies:

(a) AS/NZS ISO 31000 Risk management - Principles and guidelines
(b) Electronic Transactions Act 2000
(c) Government Information (Information Commissioner) Act 2009
(d) Government Information (Public Access) Act 2009
(e) Health Records and Information Privacy Act 2002
(f) University of Newcastle Information Security Policy
(g) NSW Government Open Data Policy
(h) NSW Government Cloud Services Policy and Guidelines
(i) NSW Government ICT Strategy and NSW Government ICT Technical Standards Mobility Framework
(j) NSW Government Social Media Policy and Guidelines
(k) TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector
(l) Privacy and Personal Information Protection Act 1998
(m) Public Finance and Audit Act 1983
(n) Public Interest Disclosures Act 1994
(o) NSW Procurement: Small and Medium Enterprises Policy Framework
(p) State Records Act 1998

About this Document

Further information:
TRIM Number:
Approval Authority: Chief Information Officer

Subject Matter Expert Contact Details: Patrick McElhinney, Senior Security Specialist, IT Services, It-security@newcastle.edu.au
Review Date: 1st July 2017

Approval History

No. | Effective Date | Approved by | Amendment
V1.0 | 31st March 2017 | CIO | Initial release