1. Introduction
1.1 Purpose
1.1.1 The purpose of this policy is to outline the University’s requirements for the use of individuals’ personal endpoint devices, also named as Bring Your Own Device (BYOD), to access information and services provided by the University, for the proper stewardship of the use of these assets and for the security of information accessed while using such devices.
1.1.2 This will help ensure that all users have access to the systems and services that they require to undertake their activities.
1.1.3 This policy is part of a set of University documentation covering information security and it should be read in conjunction with these documents. Please refer to section 4 for the Related Policies and Procedures.
1.1.4 All students and staff are required, where applicable, to follow the requirements of this policy. Failure to do so may result in disciplinary action in line with University policies or, where necessary, removal of access to services provided by the University.
1.2 Scope
1.2.1 The scope of this policy covers Bring Your Own Device (BYOD). The definition of BYOD is individuals’ personal endpoint devices used to access any University information asset and/or network service, and that are not managed by Digital, Data and Technology (DDaT). For the purpose of this policy, “endpoint device” refers to all forms of computing equipment that can store or access digital data, campus and University networks.
BYOD examples include, but are not limited to personal home computer, netbooks, tablets and mobile phones.
1.2.2 Exceptions to the above scope must be reviewed and approved by the IT Security Team.
2. Policy
2.1 The University allows the use of BYOD. This requires all individuals who wish to use their BYOD to agree to the University’s IT Acceptable Use Policy.
2.2 The University reserves the right to remotely remove any University information assets or remove access to systems from BYOD. For the definition of information asset, please refer to definition from the UK Government.
2.3 To ensure that information and services are protected, the University may require certain prerequisites for accessing data. This could include but is not limited to the operating systems version, firewall rules, active antivirus solution, and access control set to a minimum standard.
2.4 All University information accessed via BYOD must be handled in line with the University Information Classification Framework and Export Controls.
2.5 Highly restricted and restricted information must not be downloaded from University applications or systems to BYOD /personal cloud storage unless permission has been obtained from the data owner.
2.6 The University will require Multi-factor Authentication (MFA) to access its authenticated services and information remotely. Any attempt to circumvent this will result in access being removed and will be considered a breach of policy.
2.7 BYOD (including but not limited to home desktops, laptops, tablets and personal phones) must have access controlled by passcode, password or suitable biometric authentication where available.
2.8 Users of BYOD must ensure that the operating system on the device is supported by the developer or manufacturer and has the latest updates installed and operational.
2.9 Connecting via unknown Wi-Fi spots must be avoided unless using a reputable VPN service or encryption protocol.
2.10 BYOD must only use licensed software and applications, obtained from legitimate sources, to minimise the likelihood of interception and compromise of University information assets, and malware infection.
2.11 Users must consider what other services and systems they access from their BYOD and how these may impact their system to minimise any potential impact on University network.
2.12 Where possible, users of BYOD must ensure there is an up-to-date antivirus application installed and operating on the device.
2.13 University information must not be accessed from publicly shared devices.
2.14 Users must not use a BYOD that allows University information assets to be shared with others, including partners, friends and family members. For example, allowing a family member to use a tablet that has access to University information assets or sharing a local login / profile on a home computer where University documents or emails may be accessible.
2.15 When selling, transferring or disposing of a device that has been used for BYOD, it is essential that all University information assets is removed. Where possible the device should be wiped and / or factory reset.
3. Roles and Responsibilities
3.1 The University Executive Board is responsible for approving the Bring Your Own Device (BYOD) Policy.
3.2 The management and maintenance of the BYOD is the sole responsibility of the owner, this includes any issues relating to products and services that are not DDaT supported e.g. firewall, antivirus, operating system and installed software.
3.3 The CISO is responsible for ensuring this policy is implemented across the University to ensure information and the University network are protected.
3.4 Line managers in the University are responsible for ensuring that their staff are aware and understand the policy.
3.5 All members of staff should be aware of the University’s responsibility under this policy and of the measures set out above to comply with it.
3.6 All students and staff are required, where applicable, to follow the requirements of this policy. Failure to do so may result in disciplinary action in line with University policies or, where necessary, removal of access to services provided by the University.
4. Related Policies and Procedures
The following policies and procedures are related to the BYOD Policy:
- Information Security Policy (bath.ac.uk)
- Data Protection Policy
- Information handling protocol
- IT Acceptable Use Policy
- Research Data Policy
- Export Control Policy (bath.ac.uk)
- Reporting a lost or stolen University device (bath.ac.uk)
5. Appendix
5.1 Glossary
Acceptable Use Policy: An Acceptable Use Policy (AUP) is a set of rules applied by the owner of an information system, which restrict the ways in it may be used and sets guidelines as to how it should be used. Typically, users sign-up and accept the AUP or their employment contracts make it mandatory to conform.
BYOD: Bring your own device. The definition of BYOD is individuals’ personal endpoint devices used to access any University information asset and/or network service, and that are not managed by Digital, Data and Technology (DDaT). BYOD examples include, but are not limited to personal home desktops, laptops, netbooks, tablets and mobile phones.
CIDO: Chief Information and Digital Officer
CISO: Chief Information Security Officer
DDaT/DD&T: Digital, Data and Technology Group
Endpoint device: All forms of computing equipment that can store or access digital data, campus and University networks.
Home computer: The computer owned personally by the user and that are not managed by Digital, Data and Technology (DDaT).
Information assets: An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and life cycles.
Information Asset Owner: People in the University who are responsible for ensuring that IT assets in their particular area are processed and shared in line with the Information Management Policy Framework.
MFA: Multi-factor authentication.
Staff: Staff, whether academic, administrative, technical or other, currently employed by the University or engaged on a contract of service.
Student: A person currently enrolled or registered with the University, or undertaking study of any kind provided by, at or under the auspices of the University.
UEB: University Executive Board.
University: University of Bath.
University network: Any of the University’s IT facilities, including email, connection from the campus to the Internet and other networks, and all computers, laptops, other mobile devices, and any other related software and hardware.
VPN: Virtual private network.