IMST 04: Secure Remote Working Standard
Information Classification - Public
Introduction and Purpose
This Secure Remote Working Standard forms part of the University’s Information Management Policy Framework and its parent policy is: IS02: Access Control Policy - University of Warwick
The Standard sets out the minimum requirements and practices which must be followed when accessing University information and systems outside of fixed work locations on University premises (e.g. offices).
Remote working is permitted at the University; however, this presents unique information security risks which must be mitigated.
Scope and Definitions
The Standard covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, temporary workers (including those conducting short term academic work) and consultants. Please note that this list is not exhaustive. For the purposes of this Standard we refer to everyone as members.
This Standard covers all instances of working for or on behalf of the University outside of fixed work locations on University premises.
Responsibilities (Policy and Operational)
Policy Responsibilities
The Chief Information & Transformation Officer (CITO) retains overall accountability for this Standard. The Chief Information Security Officer (CISO) has delegated authority for ensuring the Standard meets legal and regulatory requirements; for keeping this Standard up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Standard.
Operational Responsibilities
Adherence to this Standard and its Standard Operating Procedures (SOPs) is achieved by following the policy principles and the data restrictions and security provisions. It is everyone’s responsibility to ensure that they follow this Standard.
| Role | Function |
|---|---|
| Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators) | Responsible – for overseeing compliance with the Policy within areas of responsibility |
| Head of Department | Accountable – for compliance with this policy within Departments |
| Information Risk and Compliance Team (with escalation to CISO and CITO required) | Consult – to discuss organisational level compliance with the Policy |
| IDG Digital Business Partners | Inform – must be informed of the content of the Policy to communicate it to their departments |
Principles of the Standard
When working remotely University members must comply with the Information Management Policy Framework.
The following section makes references to the information classification categories set out in the IMST 01 Information Classification Standard (Public, Internal, Confidential and Highly Confidential). Where information classification categories are used these will be referenced in bold font.
Working remotely presents unique risks to information (this includes verbal conversations). All members must be aware of this and adhere to the following controls:
- Members must not work on, or discuss, Confidential or Highly Confidential Information as defined in the IMST 01 Information Classification Standard in public places.
- Members must take steps to ensure that the environment offers a suitable level of privacy (i.e. from other individuals in the vicinity being able to view papers or screens being worked on, or being able to overhear private conversations) before working on any non-public Information outside of University premises.
- University owned or provided devices must only be used by the person to whom they are issued. They must not be used by any other individuals including friends, family members and colleagues.
- Members must lock their device screens when out of sight of their workstation. Devices must only be left unattended in secure locations (i.e. where no other person can access them).
- Members must never leave papers or equipment containing Internal to Highly Confidential Information unattended unless they are appropriately physically secured from theft in line with IMST 03 Handling Information Standard.
- Members must avoid using public or free wi-fi services (such as those commonly found in public libraries, public transport and coffee shops) or networks which they suspect to be insecure. Where using such services is unavoidable, staff must use the Warwick VPN unless otherwise directed by the Working Abroad - Information Security Policy.
- Members must not use public computers (such as those commonly found in hotel lobbies, cyber cafes and libraries) for University business.
- When travelling by car, members must decide whether it is safer to leave their work devices in a locked vehicle out of sight or to keep them on their person after the vehicle is parked. In any case, devices must not be left in a vehicle overnight.
Approved Remote Connection Methods
When accessing University information and digital services outside of University premises, the following methods must be used:
- Via University managed applications (apps) e.g. Microsoft 365, MyWarwick, Sitebuilder, ServiceNow, SuccessFactors, SAP Concur (this is not an exhaustive list).
  - These are accessed via the internet or may be installed on your device. Members must use these in accordance with policies in the framework such as: Information Classification Standard, Handling Information Standard and Working Abroad – Information Security Policy.
  - Only applications provided by the official vendor or the University must be used.
  - Members must always access applications or services using University provided licenses and University login credentials if these are options.
- The VPN service (Campus VPN or WMG Always On VPN) under the following circumstances:
  - Connecting to a resource hosted on campus on the private network (on-premises).
  - Synchronizing files with an on-premises file server, although OneDrive can be a viable alternative without the need for a VPN.
  - Connecting from an insecure location or open wireless network, where the encryption provided by the VPN ensures confidentiality.
  - When specified in the Working Abroad Information Security Policy and/or Standard.

  N.B. Users must not set up their own VPN or remote access server solutions to access the University network. Inbound traffic of this type is blocked by the campus firewall or via NAT (private address space).
- Workspace (Virtual Desktop infrastructure) for staff who require the use of an on campus desktop such as to access particular software or perform functions which the device they are in possession of is unable to perform.
Exceptions
Exception requests under this Standard must be submitted to the CITO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.
This Standard may have an impact on users of assistive technology or assistive software dependent on circumstances. These individual cases will be considered on a case-by-case basis.
Compliance Monitoring
It is everyone’s responsibility to report instances of non-compliance with this policy to the Information Risk and Compliance Team. The Information Risk and Compliance Team will use report data, and any other tools made available to it, to monitor compliance with this policy and its associated standards and SOPs. Issues that are deemed to merit escalation or further discussion will be brought to the attention of the Information Security and Data Protection Committee via the CISO. Where non-compliance presents a significant risk, it will be subject to the staff or student disciplinary process.
Version/document control
| Version | Date created | Date published | Next review | Notes/outcomes |
|---|---|---|---|---|
| 1.0 | June 2025 | 14 July 2025 | July 2026 | A new Standard that replaces IS10 Mobile and Remote Working Policy which is withdrawn |