UHI BYOD Policy
1.2 Policy Summary
| Overview: Why is the policy required? | This Bring Your Own Device Policy is part of the ISO/IEC 27001:2013 policy documentation set and provides guidelines for Users using their own devices. |
| Purpose: What will it achieve? | This policy defines acceptable use by the university partnership users whilst using their own devices for accessing, viewing, modifying and deleting of university partnership held data and accessing its systems. |
| Scope: Who does it apply to? | It applies to all personnel whether staff, contractor, other third party or members of organisations with access to the university partnership’s data or information systems. |
| Consultation/notification: Highlight plans/dates | |
| Implementation and monitoring (including costs) | |
| Enforcement: Detail how the policy will be enforced and who will be responsible | |
| References (highlight any advice received from external organisations) | |
1.3 Purpose
The university partnership recognises the benefits that can be achieved by allowing users to use their own electronic devices when working, whether that is at home, on campus or while travelling. Such devices include laptops, smart phones and tablets, and the practice is commonly known as ‘bring your own device’ or BYOD. It is committed to supporting users in this practice and ensuring that as few technical restrictions as reasonably possible are imposed on accessing the university partnership provided services on BYOD.
The use of such devices to create and process the university partnership’s information and data creates issues that need to be addressed, particularly in the area of information security.
The university partnership must ensure that it remains in control of the data for which it is responsible, regardless of the ownership of the device used to carry out the processing. It must also protect its intellectual property as well as empowering users to ensure that they protect their own personal information.
1.4 Scope
All relevant university partnership policies still apply to users using BYOD. Users should note, in particular, the university partnership’s information security related policies. Several of these are directly relevant to staff adopting BYOD.
• The University of the Highlands and Islands partnership’s acceptable use policy
• Guidance to Information Security for Mobile Devices
• Protection against Malicious Software Policy
• Data Protection Policy.
1.5 Compliance
All staff, students and contractors of the university partnership are required to understand the requirements placed upon them by the BYOD Policy and comply accordingly.
Indications of non-compliance with the provisions of this policy shall be investigated in accordance with the disciplinary or contractual procedures in place within the university partnership as appropriate.
1.6 Terminology
The word “shall” is used throughout this document to state where a policy is a mandatory requirement.
The word “should” is used throughout this document to state where a policy is a recommended requirement.
For the purposes of this policy the term “personnel” includes both UHI and partnership organisation staff, contractors, students and third parties who have access to Information Systems.
Terms that are specific to Bring Your Own Device are as follows:
| Abbreviation | Bring Your Own Device Term | Description |
| BYOD | Bring Your Own Device | Bring your own device refers to users using their own device (mobile phone, tablet, laptop or desktop) which is not owned or provided to you by the university partnership. |
1.7 Policy Principles
This policy covers the use of non-university partnership owned electronic devices to access corporate systems and store university partnership information, alongside their own data. Such devices include, but are not limited to, smart phones, tablets, laptops and similar technologies. This is commonly known as ‘Bring Your Own Device’ or BYOD.
If you wish to BYOD to access the university partnership’s systems, data and information you may do so, provided that you follow the provisions of this policy and the advice and guidance provided through the learning and information systems (LIS) service desk.
It is the university partnership’s intention to place as few technical and policy restrictions as possible on BYOD subject to the university partnership meeting its legal and duty of care obligations.
The university partnership, as data controller, remains in control of the data regardless of the ownership of the device. As a user you are required to keep the university partnership’s information and data secure. This applies to information held on your own device, as well as on the university partnership’s systems. You are required to assist and support the university partnership in carrying out its legal and operational obligations, including co-operating with an approved person should it be necessary to access or inspect university partnership data stored on your personal device.
The university partnership reserves the right to refuse, prevent or withdraw access to users and/or particular devices or software where it considers that there is unacceptable security, or other risks, to its staff, students, business, reputation, systems or infrastructure.
1.8 Responsibilities
The university partnership takes information and systems security very seriously and invests significant resources to protect data and information in its care.
The use of your own device MUST adhere to the university partnership’s computer use regulations.
In particular, when you use your own device as a work tool, you MUST maintain the security of the university partnership’s information you handle (which includes but is not limited to viewing, accessing, storing or otherwise processing).
The university partnership may require that you install or update the security settings on your own device to allow you to access information from the university partnership’s systems.
It is your responsibility to familiarise yourself with the device sufficiently to keep data secure.
In practice this means:
• Preventing theft and loss of data (using PIN/Password/Passphrase lock)
• Keeping information confidential, where appropriate.
• Maintaining the integrity of data and information.
• Not storing passwords in the browser when requested by the browser.
You MUST NEVER retain personal data from the university partnership’s systems on your own device. If you are in any doubt as to whether particular data can be stored on your device, you are required to err on the side of caution and consult with the ITDI service desk.
You MUST:
• Use the device security features, such as a PIN (the PIN must be a minimum of six characters), Password/Passphrase and automatic lock to help protect the device when not in use.
• Keep the device operating system and all software up to date, for example using Windows Update or Software Update services.
• Activate and use an encryption service if your device features such a service and install an anti-virus system.
• Install and configure tracking and/or wiping services, such as Apple’s ‘Find My iPhone’ app, Android’s ‘Where’s My Droid’ or Windows ‘Find My Phone’, where the device has this feature.
• Remove any university partnership information stored on your device once you have finished with it including deleting copies of attachments to emails, such as documents, spreadsheets and data sets, as soon as you have finished using them.
• Limit the number of emails and other information that you are syncing to your device to the minimum required.
• Remove all university partnership information from your device and return it to the manufacturers’ settings before you sell, exchange or dispose of your device.
In the event that your device is lost or stolen or its security is compromised, you MUST promptly report this to the Service desk, in order that they can assist you to change the password to all university partnership services (it is also recommended that you do this for any other services that you have accessed via that device, e.g. social networking sites, online banks, online shops). You must also cooperate with university partnership officers in wiping the device remotely, even if such a wipe results in the loss of your own data, such as photos, contacts and music.
You MUST NOT attempt to circumvent the device manufacturer’s security mechanisms in any way, for example ‘jailbreak’ the device.
Further advice on securing personal devices is available from the Service desk.
Make your device available for Cyber Essentials audit if selected and follow the instructions issued at the time.
1.9 Monitoring of User Owned Devices
We will not monitor the content of your personal devices; however, we reserve the right to monitor and log data traffic transferred between your device and our systems, both over internal networks and entering our network via the Internet.
In exceptional circumstances, for instance where the only copy of a university partnership document resides on a personal device, or where the university partnership requires access in order to comply with its legal obligations (e.g. under the Data Protection Act 1998, the Freedom of Information Act 2000, or where obliged to do so by a Court of law or other law enforcement authority), the university partnership will require access to university partnership data and information stored on your personal device. Under these circumstances all reasonable efforts will be made to ensure that the university partnership does not access your private information.
Under some circumstances, for example where you legitimately need to access or store certain types of information, such as student or financial records on your own device, you must seek authority from your data protection officer. The university partnership may then need to monitor the device at a level which may impact your privacy by logging all activity on the machine. This is in order to ensure the privacy, integrity and confidentiality of that data.
1.10 Support
Where possible the university partnership supports all devices, but you have a responsibility to learn how to use and manage your device effectively in the context of this policy.
Help and advice is available on a reasonable endeavours basis, via the LIS service desk, including help installing and configuring apps and other software.
The university partnership takes no responsibility for supporting, maintaining, repairing, insuring or otherwise funding personally owned devices, or for any loss or damage resulting from support and advice provided.
1.11 Use of Personal Cloud Services
Personal data as defined by the Data Protection Act (2018) and university personal confidential information may not be stored on personal cloud services.
1.12 Review period
This policy shall be reviewed and updated, if appropriate, after a period of twelve months.