BHIG - Mobile Devices Policy Version 1.0

Similar documents
Information Security BYOD Procedure

Name of Policy: Computer Use Policy

Bring Your Own Device (BYOD) Policy

Date of Next Review: May Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act

Procedure: Bring your own device

BRING YOUR OWN DEVICE: POLICY CONSIDERATIONS

Bring Your Own Device Policy

Bring Your Own Device

POLICY 8200 NETWORK SECURITY

Data protection policy

NOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.

Enviro Technology Services Ltd Data Protection Policy

Standard mobile phone a mobile device that can make and receive telephone calls, pictures, video, and text messages.

October 2016 Issue 07/16

Information Security Policy for Associates and Contractors

Eggar s School. BYOD Policy. Bring Your Own Device

Department of Public Health O F S A N F R A N C I S C O

Data protection. 3 April 2018

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

Use of Mobile Devices on Voice and Data Networks Policy

GM Information Security Controls

BRING YOUR OWN DEVICE (BYOD)

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Information Security Data Classification Procedure

Identity Theft Prevention Policy

INFORMATION ASSET MANAGEMENT POLICY

PS Mailing Services Ltd Data Protection Policy May 2018

Best Practices Guide to Electronic Banking

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Computer and Internet Use Policy

Policies, Procedures, Guidelines and Protocols. John Snell - Head of Workforce Planning, Systems and Contributors

ANZ Mobile Pay Terms and Conditions and Licence Agreement for Android Devices

EA-ISP-009 Use of Computers Policy

PS 176 Removable Media Policy

STUDENT ACCEPTABLE USE OF IT SYSTEMS POLICY

Cell Phones PROCEDURE. Procedure Section: Business and Administrative Matters - Purchasing 607-A. Respectfully submitted by:

Wireless Communication Stipend Effective Date: 9/1/2008

Personal Communication Devices and Voic Procedure

Employee Security Awareness Training Program

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Date Approved: Board of Directors on 7 July 2016

Terms and Conditions for External accounts Service

Mobile Computing Policy

HSBC Expat Mobile Banking

First Federal Savings Bank of Mascoutah, IL Agreement and Disclosures

Mobile Device policy Frequently Asked Questions April 2016

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Acceptable Use Policy

Ulster University Standard Cover Sheet

LCU Privacy Breach Response Plan

CELL PHONE POLICY Page 1 of 5 City of Manteca Administrative Policy and Procedure

TELEPHONE AND MOBILE USE POLICY

FERPA & Student Data Communication Systems

The purpose of this guidance is: To provide a comprehensive understanding to complying with the universities Acceptable Use Policy.

ISSP Network Security Plan

Access Control Policy

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

INFORMATION SECURITY POLICY

Responsible Officer Approved by

A practical guide to IT security

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

PCA Staff guide: Information Security Code of Practice (ISCoP)

UCL Policy on Electronic Mail ( )

Wireless Services Allowance Procedure

Juniper Vendor Security Requirements

HELPFUL TIPS: MOBILE DEVICE SECURITY

Vodafone Location Services. Privacy Management Code of Practice. Issued Version V1.0

GEORGIA DEPARTMENT OF CORRECTIONS Standard Operating Procedures

Trinity Multi Academy Trust

E-Security policy. Ormiston Academies Trust. James Miller OAT DPO. Approved by Exec, July Release date July Next release date July 2019

Eco Web Hosting Security and Data Processing Agreement

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

CSBANK ONLINE ENROLLMENT FORM CITIZENS STATE BANK

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

INFORMATION SECURITY AND RISK POLICY

Information Security Management Criteria for Our Business Partners

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT

Network Security Policy

Access to University Data Policy

Writer Corporation. Data Protection Policy

Prizetech Privacy Policy

OUR CUSTOMER TERMS CLOUD SERVICES MCAFEE ENDPOINT PROTECTION ESSENTIAL FOR SMB

Service Specific Terms & Conditions Mobile Service CAYMAN ISLANDS

If we provide the device, it is managed through Citrix XenMobile Enterprise. If you want access to our internal sites, then you have to be managed

Guidelines for Use of IT Devices On Government Network

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Information Technology Standards

Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015

Department of Public Health O F S A N F R A N C I S C O

Subject: University Information Technology Resource Security Policy: OUTDATED

3CX Mobile Device Manager

GDPR Draft: Data Access Control and Password Policy

Junos Pulse Mobile Security Dashboard

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Virginia Commonwealth University School of Medicine Information Security Standard

ISC10D026. Report Control Information

I. Policy Statement. University Provided Mobile Device Eligibility Policy Effective Date: October 12, 2018

COUNTY OF EL DORADO, CALIFORNIA BOARD OF SUPERVISORS POLICY

Data Processor Agreement

Mobile Wallet Service Terms and Conditions

Transcription:

Version 1.0 Authorised by: CEO Endorsed By: Chief Operations Officer

1 Document Control Version Date Amended by Changes Made 0.1 20/01/2017 Lars Cortsen Initial document 0.2 29/03/2017 Simon Hahnel Incorporate TS Team Feedback 1.0 14/04/2017 Simon Hahnel Executive Feedback and Approval 2 Purpose The purpose of this policy is to provide appropriate guidelines, so that BHIG employees, Students, third party contractors and suppliers can use Mobile Devices (defined as including but not limited to the following: laptops, netbooks, MAC s or similar mobile PC s, Android devices (Google, Samsung, Sony etc..), ios devices (iphones, ipads), tablets, Wireless dongles/modems (3-4-5G or similar/future mobile technology) with or without cellular capability) to connect to, and access BHIG data residing on BHIG network(s). This Policy also addresses the procurement, management and support of all Mobile Devices to ensure proper control, while providing employees flexibility to choose their Mobile Device without sacrificing BHIG s ability to manage and support these devices. This policy also describes associated security requirements and employee s responsibility for appropriate use of mobile devices. 3 Scope This policy applies to anyone accessing BHIG s network or accessing BHIG data, such as employees, students, third parties, contract workers etc. It also applies to anyone who wishes to use a BHIG or a personally owned mobile device (also known as BYOD Bring Your Own Device) connecting to BHIG s networks and data. 4 Policy Statement 4.1 Procurement guidelines For a current list of approved devices (BHIG owned and provided) refer to the latest mobile device procurement procedure specifying the specific mobile phones and tablets available and used at BHIG. These can always be requested via a formal request to BHIG IT Support Team. 4.2 Personally Owned Devices Employees, Students or contractors may connect their personal mobile devices to the BHIG s network to access, download and manage BHIG data, provided their mobile device meets the minimum security and management standard set by BHIG IT. To connect a Bring Your Own Device (BYOD) to BHIG s corporate network a user must submit a service request to the BHIG IT Service Team, in order to get their mobile device connected to BHIG s corporate network. Anyone wishing to access BHIG s corporate network may be required to sign an agreement allowing BHIG to wipe any device using to access BHIGs corporate network, or any device that contains BHIG Page 1 of 7

data in the event their employment or contract (Students or contractors etc.) is terminated or ends or if the device is or suspected to be lost or stolen. All BYOD users must comply with the BHIG Code of Conduct at all times. Applications that are not provided by a legitimate source, are not permitted under any circumstances. Examples of legitimate application are itunes or Google Play If exceptions apply, the BYOD owner must get a written approval from BHIG IT, by creating a service request with the BHIG IT support Team. BHIG does not tolerate the use of any mobile device when driving. Hands free conversation is acceptable as defined by Victorian traffic law. BHIG does not undertake any liability for the employee s personal data that may be stored on the users device. The device user undertakes responsibility for any loss of company/personal data due to errors, bugs, viruses, malware and other software or hardware issues that arise or any other errors that make the device unusable. The BYOD user is personally liable for all costs associated with his/her own device. BHIG may disconnect or disable services provided without notifying the user if deemed necessary. 4.3 Students, visitors and public access Student access to the BHIG network is limited, but will allow all students to access data that is required to perform their Box Hill Institute Group studies. Public access for BHIG visitors to BHIG provided Internet, can be accessed by accepting BHIG s public Terms and Conditions. 4.4 Reimbursement of cost for personally owned mobile devices Users who wish to re-charge BHIG for the cost of communications associated with a personally owned Mobile Device, which has been authorized to connect to the BHIG corporate network must obtain approval from his/her department manager before such cost has occurred. 4.5 Lost, stolen or broken mobile devices (BHIG owned and BYOD) BHIG will not be liable for any damage to or loss of employee owned mobile Devices. Employees who replace their personally owed mobile device, and want to connect a new personally owed device to BHIG s corporate network(s) must follow the process as described in this policy. In the event a company or employee owned mobile Device that is connected to the BHIG corporate network is lost, stolen or misplaced, BHIG IT must be notified immediately through the BHIG IT Service Team, so that appropriate steps can be taken to remotely delete the data contained on such device, or otherwise manage the increased risk for BHIG s network. 4.6 Configuration of a mobile device (BHIG owned and BYOD) BHIG employees or third parties must not change any BHIG configured security settings of the mobile device (except changing device passwords) after they have been configured by a BHIG IT technician. Before using a mobile device accessing BHIG s corporate network, the BHIG IT function must have configured the security settings as per the BHIG IT Standard Operating Procedures (SOP). 4.7 Software of a mobile device (BHIG owned and BYOD) For ease of understanding this section is split into laptops and other mobile devices Page 2 of 7

4.7.1 Laptops and similar mobile PC s All mobile PC s must have the following BHIG approved software installed before accessing any part BHIG s corporate network: 1. A BHIG IT approved virus scanner software solution 2. A BHIG IT approved firewall software solution Furthermore, all mobile PC s must: 3. Be part of BHIG s Active Directory (AD) domain to enable BHIG Group Policies to be applied 4.7.2 Mobile devices excluding laptops/netbooks and similar mobile PC s All mobile devices accessing BHIG s corporate network and data, but excluding mobile PC s must be managed by a BHIG IT approved Mobile device management (MDM) platform 4.8 Acceptable use of a mobile device (BHIG owned devices only) Mobile service users are responsible to ensure the following: Ensure that proper care, use and maintenance of their mobile devices. That their mobile devices are kept securely and always utilise password access/protection. Ensure personal mobile service usage is kept at a absolutely minimum (Max $10 a month) BHIG IT is advised of faults immediately for timely replacement/repair of the unit Advise BHIG IT of loss or theft of any device to ensure the carrier is alerted immediately (by next working day at a minimum) 4.9 Physical security (any device that accesses BHIG s corporate network) Mobile service users are responsible to ensure that mobile computing devices: Are not left unattended visibly in a vehicle or in a public place Are properly secured when not on or with the individual 4.10 Mobile data protection BHIG IT must ensure that mobile computing devices are configured to ensure: Passwords or codes are required to access the device Data is encrypted on the device Use anti-malware software where possible Allow remote erase capability (for stolen mobile devices) The device must lock itself with a password/access code if left for more than 6 minutes. Users are responsible for: Abide by the BHIG corporate Network Security policies Not rely on mobile computing devices as the only repository of data Ensure all data is backed up to the BHIG network Not alter any BHIG mobile computing device without prior permission from IT Page 3 of 7

Report any lost, damaged or stolen devices to the IT service hub BHIG does not take responsibility for any personal information stored or managed on a mobile computing device in the event of loss or damage 4.11 Mobile connectivity All users are expected to ensure that the mobile computing devices comply with the staff electronic communications policy as published by BHIG 4.12 Termination of mobile service (BHIG owned devices only) The following are necessary for termination of mobile services: Where a mobile service is terminated, the SIM card and the mobile device, is to be returned to BHIG IT within 24 hours, or by the next business day by the employee/user whatever comes first. The direct supervisor of the employee must recover the mobile device and SIM card from the user where the user is no longer providing services to BHIG. The direct supervisor must inform the Manager -, that the device and SIM card has been recovered. When an employee is leaving BHIG, IT will action the collection of any mobile device as authorised by the employee manager. When a mobile device has been lost, stolen, involved in a security breach, has had unacceptable usage, BHIG IT may suspend the mobile device, and return it to its default settings. 4.13 Password requirements The following requirements apply specifically to mobile devices (but excluding mobile PC s) to ensure proper passwords are used: BHIG may audit the device to ensure users have password enabled. Simple password is disabled to prevent password like 1234, 1111 etc. Maximum failed login attempts before device is locked and/or wiped (depending on the device) will be set at 10 failed attempts. Recommendation to have maximum inactivity time lock at 10 minutes. Please consult the generic BHIG Password Policy as well. All mobile PC s must follow the BHIG Password Policy. 4.14 Generic Security requirements for all mobile devices All mobile devices, without exception, must meet the following criteria before connection to BHIG corporate network is permitted: Data traffic between any BHIG s corporate network, and any mobile device should be encrypted BHIG data stored on the mobile device should be encrypted, and password/login protected (see password requirements in section 4.13) BHIG must have the ability and authority from the employee/user to remove any data (to include wiping the entire device (if required) from the mobile device at any time without prior Key user rules a summery Page 4 of 7

Action Usage of a mobile device PC s included Configuration of a mobile device Software on a mobile device Rule - Report the loss or theft of devices. - Report any found device. - Report any unknown device. - Report the manipulation of devices. - Store the device in a safe place resp. take care of the device when you are on the way. - Never use non BHIG provided or BYOD that s not approved and configured by BHIG IT. - Back up the data regularly. - Do not change the security settings. - Have the security settings configured before using the device. - Use virus scanner software. - Use personal firewall software. - Use access control software. - Assign access rights. - Use encryption software where possible. 5 Code of Conduct All employees are expected to conduct themselves in a manner consistent with the Box Hill Institute Group Code of Conduct for Employees. 6 Definitions Term Mobile Service Service User Carrier Mobile Device Smart Device SIM Corporate Network Definition A company that offers mobile communication services to users of mobile devices such as smartphones and tablet PCs. Individual accessing mobile services through a smartphone or device to complete their job/task. A telecommunications company that provides voice and telecommunication services. A small computing device, usually small enough to be handheld having a display screen with touch input and/or miniature keyboard. An electronic device that is connected to other devices or networks via different wireless protocols. (Subscriber identity/identification module) a removable card inside a cell phone that stores data unique to the user, as an identification number, phone numbers, passwords and message. BHIG Network restricted to staff for corporate application access. Student Network BHIG Network made available to all student and public guests for the distribution of BHIG Learning Materials. BHIG Network made available to corporate and convention centre Page 5 of 7

Public Network guests. 7 Related Procedures N/A 8 Related Operating Guidelines N/A 9 Related Forms N/A 10 Related Legislation and Registration 10.1 Box Hill Institute Group 10.2 External Related Legislation and Registration SEC POL 01 Information Security Management Policy, Victorian Government CIO Council, October 2012. Victoria: Financial Management Act 1994 Victoria: Regulations to the Financial Management Act 1994 Victoria: Standing Directions of the Minister of Finance under the Financial Management Act 1994 AS/NZS ISO 27001, Information Security Standards, Standards Australia. AS/NZS ISO 27002, Information Technology - Security Techniques, Code of Practice for information security information controls Page 6 of 7

11 Records Records will be maintained in accordance with the requirements of Box Hill Institute s Records Management Policy and Procedures. Where the privacy of individuals may otherwise be compromised, records will be maintained as confidential. 12 Review This policy must be reviewed no later than three (3) years from the date of CEO endorsement. The policy will remain in force until such time as it has been reviewed and re-approved or rescinded. The policy may be withdrawn or amended as part of continuous improvement prior to the scheduled review date. 13 Responsibilities 14 Approval Body The CEO is the approval body. Owner Chief Operation Officer Author Manager Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback