Mobile & remote working policy

Applicability

• Staff who participate in mobile working, and those who access University systems from home or other remote locations using either privately owned or University owned equipment. (1.2)
• ISS staff and faculty, school and departmental IT support staff who are responsible for systems that are accessed by users remotely. (1.2)

Policy Requirements

• Participants must be familiar with their responsibilities under the University's Code of Practice on Data Protection. (2.3)
• The University's Remote & Mobile Access Service provides the default means for mobile and remote working for users in the Admin domain. It must also be used by those in the DS domain who have a need to access Highly Confidential or Confidential data. (3.1)
• Users within both the Admin and DS domains may use Outlook Web Access for remote access to email but this must not be used to access or detach Highly Confidential or Confidential attachments. (3.1)
• Under no circumstances are users to circumvent the policy controls for their particular role, such as by transferring data via removable media, sending it as an email attachment or by any other means such as ftp. (3.1)
• Those leading project or research work that is considered sensitive are to ensure that an appropriate policy is applied in terms of remote access. (3.1)
• The creation or storage of Confidential data on privately owned portable information assets is prohibited. (3.2)
• Confidential data can only be created or stored on University owned machines where cryptographic controls are in place. (3.3)
• Portable information assets may only be used for the creation or storage Critical data where an up to date backup or copy stored elsewhere. (3.2 & 3.3)
• Anyone wishing to process personal data outside the EEA, other than through the University's Remote & Mobile Access Service, must contact the IT Security Co-ordinator for advice. (3.4)
• Users are responsible for the safekeeping and protection of University-owned portable computers that have been issued or loaned to them. (3.5)
• Reasonable care and due diligence must be taken to prevent or reduce the possibility of loss or theft of University-owned portable computers. (3.6)
• University-owned portable information assets are not be left unattended on the University's premises unless they are locked away. (3.6)
• Mobile workers are to be extra vigilant and apply appropriate precautions when working outside the University's premises. (3.6)
• Care must be taken when working in transit to prevent the disclosure of sensitive University information. (3.6)
• Confidential data on University owned portable information assets must not be accessed or processed in public places. (3.6)
• University-owned portable information assets must be kept secure or under constant vigilance whilst in transit. (3.6)
• Connection of portable information assets to the University network must be in accordance with University controls and only with the correct level of authority. (3.7)
• Privately owned computer equipment used to access, produce or store University information must have up to date virus protection. (3.7)
• Mobile and remote users are responsible for ensuring that University data is regularly and frequently backed up and that backup media is handled and stored appropriately. (3.8)
• Privately owned computer equipment used to access, produce or store University information must have appropriate security controls in place. (3.9)
• The loss of any University-owned portable information asset must be reported. (3.10)