1 Introduction
1.1 Purpose
There is a developing business need for increasing numbers of colleagues to use mobile computing devices to conduct University activities remotely from, and on, campus.
The purpose of this policy is to outline the University’s requirements of mobile computing users in relation to the proper stewardship of its mobile computing assets and the security of information accessed whilst using such devices.
This policy is part of a set of University documentation covering information security and it should be read in conjunction with the:
- Data protection policy
- Data handling protocol
- IT security policy
- IT acceptable use policy
- Research data policy
1.2 Scope
The aspects of this policy relating to stewardship of the University’s mobile computing assets apply to all mobile computing devices purchased with University-administered funding irrespective of source, including general funds, research grants and K1 accounts. The information security aspects of this policy apply to all mobile computing devices, both University-owned and BYOD (Bring Your Own Device), used to access University systems and services remotely. Where an individual opts to use a BYOD for work on ‘highly restricted’ data, they are advised to back up any personal data stored on the device to allow for remote data wiping in the event of loss.
1.3 Definition
For the purpose of this policy, “mobile computing devices” refer to all forms of portable computing equipment that can store digital data. Examples include, but are not limited to, laptops, netbooks, tablets and mobile phones.
1.4 Roles and Responsibilities
Executive Committee is responsible for approving and regularly reviewing the institutional policies which contribute to the set of documentation covering information technology and security. The Office of the University Secretary is responsible for developing awareness and guidance in the area of information security. DD&T are responsible for advising Executive Committee and individual users on the use of mobile computing to meet business needs and the most appropriate technical responses to maintaining information security.
Users of mobile computing devices are responsible for ensuring that such devices are purchased, used and disposed of in accordance with institutional policies and procedures. In particular, users must ensure that they act in accordance with the University’s various information security policies and that they have completed the University’s mandatory training module on information security.
2 Policy
2.1 Stewardship of Mobile Computing Devices
Like all equipment purchased from University-administered funds (see 1.2 above), mobile computing devices remain the property of the University of Bath. They must be returned to the University on request or on termination of employment.
Laptops, tablets and mobile phones should be purchased in accordance with the University’s IT Purchasing Policy and using the ‘Procedure for the purchase of laptops, tablets and mobile phones using University funds’ as appropriate.
Mobile computing devices should be used for the intended business need and in accordance with the University’s information security and acceptable use policies, i.e. mobile devices should be used only by University staff and predominantly for University business. Incidental personal use, as allowed by HMRC, is permitted where it is consistent with any requirements of the University’s IT policies and does not exceed the de minimis level outlined in the University’s Financial Regulations (UP4).
Mobile computing devices must be permanently marked (to make them less attractive to thieves, and to aid recovery if they are lost), must have management agents installed (which report on Internet location and on potentially risky software installation, and permit data destruction), and should be recorded as an institutional asset (to allow reporting on the estate as a whole).
The security of any institutional data stored on a mobile computing device must be given due consideration. Any unique data generated on such a device should be copied onto the appropriate University data store at the earliest opportunity and interim backups stored on a secure USB key or other appropriate device.
Users with administrative privileges on laptops must ensure that any software or media file loaded onto the machine is used in compliance with the appropriate licence(s) and copyright considerations. If in any doubt, DD&T should be consulted.
Users are responsible for maintaining the currency of the computer operating system, anti-malware and productivity applications (“patching”). Either an automated (recommended) or a manual method may be used. It is not permitted to make any alterations to the hardware or software that significantly impair security. If the user is not comfortable patching their device, they should return it to their IT supporter on a regular basis, allowing sufficient time for updates to be installed.
Users must maintain the mobile computing device under warranty (“on-site” is preferred to “return to base”). Should the device be required beyond the period of its original warranty, then a local IT supporter can add the machine to the University’s third-party maintenance contract if the nature of the device permits (and at a cost to the department). Failure to do so will mean the costs of any necessary repairs or data recovery activities will fall to the department.
If a user has any reason to suspect that their device has become infected with malware, they should immediately cease to use it and return it to their IT supporter for examination and disinfection.
Users should seek advice from DD&T before passing on, discarding, or otherwise disposing of, any mobile computing device.
2.2 Information Security
All users of mobile computing devices which access institutional digital data must complete the University’s mandatory training unit on information security.
Users are responsible for the physical security of their mobile computing devices and any institutional data stored on them.
Information being accessed or processed using mobile computing devices should be treated in accordance with the ‘Data Handling Protocol’.
Users of mobile computing devices for University business should ensure that they have familiarised themselves with the University’s Information Classification Framework (ICF) in order to classify the information they wish to access correctly and have put in place the required security protection measures.
There are increased security and reputational risks associated with the processing of any data classified as ‘restricted’ or ‘highly restricted’ so users of mobile computing devices should give serious consideration before removing such data from within the safety of the University Network.
For ‘highly restricted’ information, users should consider encryption of the data.
Mobile computing devices used in pursuance of University business must have remote wiping agents installed upon them by DD&T to ensure sensitive data can be removed securely should the device be lost or stolen. Owners are responsible for ensuring that remote wiping agents are installed by DD&T on their BYODs if they intend to hold ‘highly restricted’ data on them, as defined in the Information Classification Framework. Owners are also responsible for backing up any personal data stored on the device to allow for remote data wiping in the event of loss.
Any loss of a mobile computing device or suspected breach of information security should be reported immediately to DD&T and the University Secretary, as well as the user’s Head of Department. Suspected theft of a mobile computing device should also be reported to Security.
In the event of loss of mobile computing devices, users should anticipate that the University will take steps to mitigate the risk of any potential information security breach by the remote wiping of equipment. In such an event, any personal data the user has stored on the equipment will also be deleted.
Users should avoid internet café and other public wi-fi connections, as these pose information security risks, particularly when accessing highly sensitive information.
Users of BYOD devices are responsible for ensuring that they maintain anti-virus software, operating systems and security updates, as appropriate to the equipment, if they use it to access, store or process institutional digital data.
DD&T may monitor and log network usage as a means to protect information.
3 Breach of the policy
3.1 If a member of the University is found to have acted in breach of this policy, this may lead to disciplinary action being taken against them. In the case of staff, this disciplinary action could be up to and including dismissal.