Policy Introduction and Purpose

This Mobile and Remote Working Policy is a sub-policy of the University’s Information Security Policy (IS01).

It sets out the additional principles, expectations and requirements relating to the use of mobile computing devices and other computing devices which are not located on University premises when these devices are used to access University information assets with a classification of protected or above.

While recognising the benefits to the University (and its members) of permitting the use of mobile devices and working away from the office, the University also needs to consider the unique information security challenges and risks which will necessarily result from adopting these permissive approaches. In particular, the University must ensure that any processing of personal data remains compliant with the Data Protection Act.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

This policy covers all mobile computing devices whether personally owned, supplied by the University or provided by a third party.

Personally owned, University owned, or third party provided non-mobile computers (for example desktops) which are used outside of University premises are also within scope if they are used to access University systems or information assets.

Definition

A mobile computing device is defined to be a portable computing or telecommunications device which can be used to store or process information. Examples include laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, flash/memory cards and wearable devices.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Principles of the Policy

Remote Working/Working from Home

When working remotely or on the move all members of the University shall ensure that University Information is handled in accordance with the Information Classification Policy (IG05) and Information Handling Policy (IS04), as applicable to the environment in which they are working.

At all times staff should guard against the possibility of unauthorised access to non-public University Information arising from an unrestricted environment. Specifically:

• Staff should not work on Restricted Information assets in public places.
• Staff should take steps to ensure that the environment offers a suitable level of privacy (i.e. from other individuals in the vicinity being able to view papers or screens being worked on, or being able to overhear private conversations) before working on any non-public Information outside of University premises.
• Staff should never leave papers or equipment containing non-public Information unattended outside of University premises unless they are appropriately physically secured from theft in line with the Information Handing Procedures.
• Staff should avoid using public or free wi-fi services (such as those commonly found in public libraries and coffee shops). Where using such services is unavoidable staff must use the Warwick VPN.
• Staff should not transmit University non-public Information (including sending their username and password) over an insecure network (e.g. one that does not start with ‘https’).

Any device which is used to store non-public University information should never be left in an unattended vehicle overnight.

Personally Owned Devices

Whilst the University does not require its staff or postgraduate researchers to use their own personal devices for work purposes, it is recognised that this is often convenient and such use is permitted subject to the following requirements and guidelines:

1. Devices must be enrolled in the University managed devices registry (i.e. InTune).
2. Users must, at all times, give due consideration to the risks of using personal devices to access University information and in particular, to information classified as protected or above.
3. The device must run a current version of its operating system. A current version is defined to be one for which security updates continue to be produced and made available to the device.
4. Mobile devices must be encrypted. (Older devices which are not capable of encryption may not be used.)
5. A secure passcode/password must be used for all accounts which give access to the device. (See User Account Management Policy for the university’s policy on passwords
6. A password protected screen saver/screen lock must be enabled.
7. The device must be configured to “auto-lock” after a period of inactivity (no more than 5 minutes).
8. Devices must remain up to date with security patches both for the device’s operating system and its applications.
9. Devices which are at risk of malware infection must run anti-virus software.
10. All staff should seek advice from IT Services to ensure personal devices are disposed of in a secure fashion.
11. The loss or theft of a device must be reported as soon as it is known using the University’s data breach reporting process. 
12. Any use of personal devices by others (family or friends) must be controlled in such a way as to ensure that these others do not have access to protected or restricted University information assets.
13. Do not undermine the security of the device (e.g. by “jail breaking” or “rooting” a smartphone). Affected devices must not be used to access University resources. 

In addition to the above requirements, the following recommendations will help further reduce risk:

1. Personal devices should be configured to “auto-wipe” to protect against brute force password attacks where this facility is available.
2. Consider implementing remote lock/erase/locate features where these facilities are available.
3. Do not leave mobile devices unattended where there is a risk of theft.
4. Be aware of your surroundings and protect yourself against “shoulder surfing”.
5. Minimise the amount of protected data stored on the device and do not store any data classified as Protected or above.
6. Access restricted information assets via the University’s remote access services wherever possible rather than transferring the information directly to a device.
7. Be mindful of the risks of using open (unsecured) wireless networks. Consider configuring your device not to connect automatically to unknown networks. When connecting to open networks use the University VPN.
8. If a personally owned device needs to be repaired, ensure that the company you use is subject to a contractual agreement which guarantees the secure handling of any data stored on the device.

University Owned Devices

The University may at times provide computing devices to some of its members.

Applications for University owned device should be made through Line Managers using the ‘Request a Device’ procedure.

The University will supply devices that are appropriately configured to maintain appropriate security.

Devices supplied by the University will meet the minimum-security requirements listed above for personally owned devices. In addition, the following are required:

• Non-members of the University (including family and friends) must not make any use of the supplied devices.
• No unauthorised changes to security settings may be made to the supplied devices.
• All devices supplied must be returned to the University when they are no longer required or prior to the recipient leaving the University, irrespective of how they were purchased (for example, grant funding).

Third Party Devices

In general, members should not use third party devices to access protected or restricted University information assets. This includes devices in public libraries, hotels and cyber cafes.

On occasion, staff and research postgraduates may be supplied with computing devices by third parties in connection with their research. These devices must be effectively managed, either by the third party or by the University or by the end user. In all cases, the device must meet the minimum-security requirements listed above for personally owned devices.

Reporting Losses

All members of the University have a duty to report the loss, suspected loss, unauthorised disclosure or suspected unauthorised disclosure of any University information asset to the information security incident response team.

All reports should be made to the CITO at CIDO@warwick.ac.uk.

Network and IT Systems Monitoring

The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated systems. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Where devices or remote connections do not comply with this policy then they will be disabled or access to University resources blocked.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Reports of Incidences relating to device: loss, theft or security being compromised
• Breaches to this policy
• Exemption requests and granting of exemptions

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.