Security Policy 07 - MOBILE COMPUTING POLICY
Objective: The objective of the Mobile Computing Policy is to ensure that effective measures are in place to protect against the risks of using mobile computing and communication facilities.

• The University’s Information Handling Policy sets out the minimum standards that must be adhered to when handling sensitive information. Those standards apply equally when handling sensitive information on mobile devices. [1]

  Note 1: Examples of mobile devices are laptops, removable disks, USB pens, CDs and DVDs. However, the policy applies equally to information stored on or accessed via home PCs.

• The physical and logical controls that are available within the University environment are not automatically available when working outside of that environment. There is an increased risk of information being subject to loss or unauthorised access. Mobile computing users must take special measures to protect sensitive information in these […]

• Removal off-site of the University’s information assets, on laptops or other mobile devices, must be properly authorised by the responsible information owner. Prior to authorisation a risk assessment [2] should be carried out, to protect against loss or unauthorised access, and appropriate risk management processes put in place. The risk assessment must take into account the sensitivity of the information.

  Note 2: A risk assessment template is attached to this policy.

• Staff accessing information systems remotely to support business activities (including from home PCs) must be authorised to do so by the responsible information owner. Prior to authorisation a risk assessment should be carried out and appropriate risk management processes put in place. The risk assessment must take into account the sensitivity of the information.

• As part of the risk assessments described above, information owners and mobile users must take account of the risks associated with using wireless networks and non-University networks. The University’s Information Handling Policy stipulates that sensitive data or information may only be transferred across networks when the confidentiality of the data or information can be assured throughout the transfer. The following should be noted:
  • Wireless networks and public networks are less secure than the University’s private, wired network environment.
  • Email is an inherently insecure way of transferring sensitive information and should be used with caution.
  • Where there is no alternative to transferring/accessing sensitive information across insecure networks or by email, advice should be sought [3] on appropriate steps to protect the information.
  • Sensitive data stored on laptops and other mobile storage devices should be kept to a minimum to reduce risk and impact should a breach of security occur.

  Note 3: Information Services and School-based Computing Officers will advise on appropriate mechanisms for the secure transfer of sensitive information, particularly outside of the University’s secure environment.
Version 3 23/02/09
• Loss of any mobile device containing sensitive data, or any other security breach, should be reported immediately to Information Services and Queen’s Security.

• Laptops and home personal computers should not be used for business activities without appropriate security measures, including up to date security “patches” and virus protection. [4]

  Note 4: See http://www.qub.ac.uk/is/StaffComputing/SecuringyourComputer/

• Sensitive information held on any mobile device must be securely erased [5] before the device is reassigned to another user or to another purpose.

  Note 5: The University has a contract for the secure removal and destruction of computers and disks – see http://www.qub.ac.uk/is/StaffComputing/SoftwareEquipment/ITPurchasesMaintenanceDisposal/ComputerEquipmentDisposal/. Where necessary, advice should be sought from Information Services and School-based Computing Officers on appropriate tools for erasing information on PCs and mobile devices.

• USB memory sticks are prone to loss or theft. Add-on encryption on these devices can be left turned off. The product recommended by the University is the IronKey. This has inbuilt encryption which cannot be turned off, is resistant to physical disassembly and destroys the data after 10 failed access attempts. These devices will be supplied through the Information Services shop.

• Portable computers are vulnerable to theft, loss or unauthorised access when taken outside of the University’s physical environment. They must be provided with appropriate forms of access protection to prevent unauthorised access to their contents:
  • Password protection should be in place, while recognising that passwords offer only limited protection against a determined attack.
  • Time-out protection (e.g. screen saver or hibernation with password) should be applied.
  • Where sensitive information is held on laptops or mobile storage devices, data encryption [6] must be applied to that information or to the entire device.
  • The mandated system for data encryption on laptop devices is TrueCrypt and is covered in detail in SP UG 1 and SP UG 2.
  • Full disk encryption offers the maximum protection for sensitive information on laptops and other devices and should be used where the sensitivity of data requires it. Alternatively, and where appropriate, data can be encrypted at the partition level or at the virtual partition level (a file encrypted to behave like a disk partition). In most cases, encrypted virtual partitions or disks can be copied to USB pens, CDs and DVDs for safe transportation.
  • Note that data is only protected by encryption when the laptop is powered off and not in normal use.
  • Access to encrypted information is lost if the encryption key is forgotten. Users should ensure that a secure, unencrypted backup copy of encrypted information is retained on central systems.
  • Information Services and School-based Computing Officers will offer advice on encryption products, options and configuration.

  Note 6: Practical advice on the available encryption products and how to use them is available at [URL to follow].

• When undertaking mobile computing the following guidelines must be followed:
  • When travelling, equipment (and media) must not be left unattended in public places. Portable computers should be carried as hand luggage when travelling.
  • When using a laptop, do not process personal or sensitive data in public places, e.g. on public transport.
  • Passwords or other access tokens for access to the University’s systems should never be stored on mobile devices where they may be stolen or permit unauthorised access to information assets. [7]
  • Security risks (e.g. of damage, theft) may vary considerably between locations and this should be taken into account when determining the most appropriate security measures.

  Note 7: For example, options to automatically “remember” passwords should not be accepted. Passwords and passkeys should not be saved on the mobile device.

• Useful guidance on securing laptop devices is available from the NHS. [8] The NHS policy on laptop security applies to other NHS organisations that process NHS information.

  Note 8: See Annex A of the document at https://www.igt.connectingforhealth.nhs.uk/WhatsNewDocuments/Exemplar%20Laptop%20Security%20Policy.doc

• This policy should be read in conjunction with the University’s Regulations and Statements of Best Practice relating to:
  • Data Protection – SP05
  • Information Handling – SP06

• Changes to this policy in response to changing demand, both operational and legislative, will be available on the University WWW site.
Information Handling Policy – Risk Assessment
Information Asset: ______________________    Information Owner: ______________________

Description of Information: ______________________

Impact scale: 1 = Minor, 2 = Moderate, 3 = Significant, 4 = Very High
Likelihood scale: 1 = Low, 2 = Moderate, 3 = High

Description of Risk | Impact (Gross / Net) | Likelihood (Gross / Net) | Impact * Likelihood (Gross / Net) | Action to reduce risk | Responsibility
Version 1 24/08/08