Mobile & remote working policy

1.1 Background

The ever increasing use of digitised and networked information at the University intensifies the risk of data being copied or stolen, or modified, hidden, encrypted or destroyed. Although technical controls provide an essential element of protection, these only deliver a percentage of the required protection, the most effective defence being achieved through awareness and good working practices.

Portable computers that are used for mobile working, and home computers that are used to remotely access to University computing resources, have to be managed effectively in order to minimise the risk that certain information will be denied, lost or compromised, or that staff using such devices will inadvertently fall foul of the law.

This document forms the University's Mobile and Remote Working Policy in support of the Information Security Policy. Compliance with this Policy will minimise risk to information that is being compiled, used, transported or held outside University premises, where security provision may be lower and exposure to risk may be greater.

The University's Information Security Policy and a full list of Supporting Policies within the Information Security Management System (ISMS) framework can be found at http://campus.leeds.ac.uk/isms.

1.2. Purpose, Applicability and Scope

This Policy is not intended to create an obstacle to mobile and remote working, and not is intended to support or advocate working from home. Its purpose is to provide controls in respect of remote access to the University's information assets to protect both individuals and the University from the consequences of accidental disclosure or loss of such information.
This Policy is primarily directed at:

• Staff who use either privately owned or University owned portable computers, such as laptop and tablet computers, personal digital assistants (PDA) and mobile phones with computing and storage capabilities (hereafter referred to as portable computers) to participate in mobile working;
• those who access University systems from home or other remote locations using either privately owned, third-party-owned or University owned equipment; and,
• ISS and faculty/departmental IT support staff who are responsible for systems that are accessed by users remotely.

Relevant requirements naturally extend to anyone else who is subjected to the Policy framework who undertakes activities governed by this Policy.

It is the personal responsibility of each person to whom this Policy applies to adhere fully with its requirements. However, Deans and Heads of Schools/Services* are responsible for implementing this Policy within their respective faculty, school or department and for overseeing compliance by staff under their direction or supervision.

Whilst it is recognised that compliance with all aspects of this policy cannot be 'policed', those to whom it applies will be held to account for any aspect of non-compliance involving them that subsequently comes to light.