Personal Devices

Shortcuts

A - Introduction 

B - Personally Owned Equipment and 'Bring Your Own Device (BYOD) 

C - Considerations for Non University, Personally Owned Equipment and BYOD 

D - Monitoring BYOD and Non University Equipment 

E - Why does the University allow the use of Non University devices and BYOD 

F - Differentiating services based on the relative risk of the device being used to access them 

G - Mobile Device Management (MDM) mechanisms and tools  

H - MDM, Registration and deregistration  

I - Requirements for the use of Personally Owned, Non Universuity Equipment and BYOD  

A - Introduction

This document should be read in conjunction with the University’s Electronic Information Security Policy (EISP)[1]. This document supports the EISP, and provides additional guidance for where non standard, non University and personally owned devices are used to access and process University data.  

The University is regulated and monitored for compliance with (for example; UK Data Protection legislation and by international copy right law). Anyone studying or working on any matter relating to the University, or using the University’s technology is deemed to be an agent of the University. All agents of the University must maintain their awareness of the prevailing and underlying intentions of the University’s policies, the regulatory framework, and the collective legal and ethical responsibilities of working in an organisation with potentially vulnerable adults and those under 18 years of age.  

The aim of the EISP is to guide users in how to comply with data protection legislation and protect University information, particularly that which is personal and sensitive information, from unauthorised access, dissemination, alteration, or deletion.

Compliance with the EISP is important in protecting the user themselves from harm to their work circumstances and device, but also pays particular attention to the (statutory) obligations to protect other people the user may collaborate with, or those whose other people whose data a user has access to, from any risks from the user’s awareness, devices and methods.

[1] https://help.chi.ac.uk/electronic-information-security-policy 

B - Non University, Personally Owned Equipment and Bring your Own Device (BYOD)

Bring Your Own Device (BYOD) is a term often commonly used to refer to any, non-standard, non University managed, electronic devices owned, leased, or operated by an employee, contractor, affiliate or student of the University which is capable of storing data and connecting to a network. These include for example; mobile phones, smartphones, tablets, laptops, personal computers, netbooks and IoT (Internet of Things) devices.

The term BYOD applies to equipment not owned by the University's IT Service. This equipment may be personally owned by you, or may be that which is provided to you by an employer, friend or relative. BYOD also applies to equipment procured by University departments other than the IT Service.

C - Considerations for Non University, Personally Owned Equipment and BYOD  

The increasingly interconnected home, on-campus and private lives opens the temptation to use a single device across the conflictions of a regulated work context with statutory obligation and consequences, and the freedoms expected in a non-work environment/context. These devices are sometimes shared with relatives, and other household members, or professional acquaintances outside of the University. Sometimes the device is shared across multiple professional roles with different employers.

However, even where used solely for work purposes, personally owned devices used for work or research purposes pose a high security risk to the University, as they may not have the in-built standards, maintenance and security utilities required for connecting to a University.  It is important to realise that these risks are evolving on a minute by minute basis.

BYOD and Personally Owned devices pose a range of threats, including untraceable exfiltration and credential hijack, and are more difficult to manage if the devices were to be stolen or lost. BYOD and Personally Owned devices present an additional data storage challenge, as the data stored on these devices is not protected by the University’s centralised storage and data backup technologies.

It is also the case that a University device used for unapproved, non-work purposes is high risk. University devices whilst protected with the prevailing industrial strength, market leading security products cannot avoid some of the risks associated with personal use.

Copying University data to personally owned, and departmental procured devices also reduces the ability for the University to know where University data is stored and makes it harder to comply with relevant legislation. The use of unmanaged personally owned devices to access University data may also be prohibited by contracts or agreements in place between the University and third parties.

University data held on personally owned devices is subject to the Freedom of Information Act and the Data Protection Act and must be processed in compliance with information related legislation and associated University policies.

Not all BYOD and Personally Owned devices are compatible with the University’s IT environment. Some devices may not have the capability to connect to our systems. Unless there is a formally agreed business case to do so, there will be no modification made to University systems to assist non University equipment to connect.

D - Monitoring BYOD and Personally owned Equipment  

As set out in the University’s privacy standard[1], the University does not monitor the content or use of your personal devices[2]. however, the University reserves the right to monitor and log data traffic transferred between your device and University systems, both over internal networks and entering the University via the Internet.

In very exceptional circumstances, for instance where the only copy of a University document resides on a personal device, a cyber or information security incident, or where the University requires access in order to comply with its legal obligations (e.g. under UK Data Protection Legislation and the Freedom of Information Act 2000, or where obliged to do so by a law enforcement authority) the University will seek your support in resolving an issue with University information stored on your personal device.

E - Why does the University allow Non University, Personally Owned Equipment and BYOD

As it is necessary to have an open architecture to enable students etc, the University’s IT systems already have password protection, and a range of security mechanisms ‘patrolling’ to safeguard systems, information and people from unauthorised access. 

It is also a fact of life that a University has a very broad federation of stakeholders, across research, and affiliations, partnerships etc. There has therefore to be a balance between perimeter security (i.e. you can not access under any circumstances) and logical, layered security throughout the whole of the University's IT ecosystem.

The Provisioning Policy[1]. sets out the arrangements for equipping staff appropriately to their role, and work and a range of open-access and loan equipment is available where there are circumstances such as individuals that do not work exclusively for the University, or may need to work off-campus. This might be for example those that work as Associate Lecturers who may need to use a non-University device from time to time. Similarly, the University does not provide a University device to for example external examiners and other partners.

Staff that use a personal device therefore join students, suppliers and partners in using a device that may have a lesser protection to the statutory entitlement of other University stakeholders, and that is less than what is expected within the regulators expectations of a secure organisation. The consequence of this reality, is that regulators therefore expect there to be safeguarding mechanisms that reflect the device(s) used, as well as the user’s role in allowing or disallowing access to more or less sensitive data.

BYOD can be a complex set of variations - It is important to recognise that its commonplace for a University’s information services to be accessible via the Internet, where they are protected by passwords etc. This ‘capability’, means that you may have multiple devices, (University provided and not) through which your work. For example sometimes accessing your email on your University provided laptop, and sometimes via your personal mobile phone or tablet.   

If employees have been supplied a device by the University's IT department, the preference should be to use this as the default device for business purposes rather than use a BYOD or any personally owned equipment.

F - Differentiating services based on the relative risks of the devices used to access them 

Across the range of user and device scenarios, there is a regulatory requirement for ensuring ‘end to end’ security, including the potential need to evidence that no unauthorised infiltration or exfiltration has occurred.

As noted above, BYOD therefore becomes a factor in allowing or disallowing access to more or less sensitive data and situations.  The HE sector, and this University have therefore begun to deploy a additional security mechanisms. These are often referred to as Mobile Device Management (MDM) solutions, which has a number of variations and ways in which it might be configured (see below).

G - Mobile Device Management (MDM) mechanisms and tools 

In its most simplistic form, a BYOD or user of a personally owned device will register their device in an automated (one-off) MDM e-form. This helps identify the internal identity of the device to the registered user when it is used to access University systems and services. 

In a more sophisticated form, MDM software will interrogate the device each time it tries to connect to the University, assessing the devices for the presence of malware, how well the devices security is configured, and absence of up to date safeguarding. Access to the University;'s Multi-factor-login mechanisms will only be granted if the device meets the MDM standards set out by University.

In a more advanced form, where MDM approves the device to access only low risk services, whilst also monitoring for any aberrant activity.

In is ideal form; MDM will download local software to the device to create a private (encrypted) session between the BYOD and the University,  allowing the same level of access as is afforded to a University device, using multi-factor-authentication, but ensuring there can be no  exfiltration.

MDM does not prevent the installation of software or applications on your BYOD. However, the University may block access to University ICT services if detects that any of your software, applications, device configuration, or data present a threat to the University.

It is important to recognise that access to University systems and data (irrespective of how, or through what device) is enabled at the discretion of the University and access may be revoked at any time and for any reason.

H - MDM, registration and de-registration

The EISP[1] sets out the policy for access to University systems and services. As set out above, BYOD requires conscientious, expert, management by the user, and exposes additional risks, due to the temptation to blend work, and non work situations and activity. MDM is used to support the expertise of BYOD users, and help them achieve the integrity inherent in University provided equipment.

As it is related to the network login (itself related to current status as an employee/student) planned de-registration happens automatically in the case of someone who leaves. It is intended that this automation will be extended to deinstalling any local MDM software, along with any local University data. Users may also deinstall any University MDM software. Re-registering, or registering a new device is straight forward, as it is also related to the (Multi-Factor-Authentication protected) network login, and is combined with the facility to install the MDM software.

Although it suspension from access would typically only be used in conjunction with a wider security situation, MDM will exclude any device that poses a threat, and access may in any case be suspended after a period of disuse.

I - Requirements for the use of Non Universuty, Personally Owned Equipment and BYOD 

BYOD users are required to;

• Enable the University to install and update MDM facilities on their BYOD, and give permission to the University to wipe the BYOD in the event of loss or disposal[1].
• Ensure the device is not counterfeit, rooted, or jail-broken,
• Install and maintain approved, up-to-date virus protection software and digital certificates necessary to maintain security,
• Ensure they know the whereabouts of the BYOD device, and adequately secure the device from loss or theft[2],
• Store information in suitable media, as set out in the additional guidance set out in the EISP,
• Ensure there is no risk of any personal data described as Unauthorised in the EISP becoming associated with the University, or being used to compromise the University,
• Ensure there are no automated synchronisations with local or cloud backup is disabled to ensure that University data is not inadvertently leaked, compromised or mishandled,
• Not allow any other users (family members for example) to use the device,
• Create separate University and personal log-in accounts on the device, ensuring there are no shared facilities such as storage and email,  
• Ensure the device has separated accounts, and that no-one user, can use another user’s device account, and that there are is storage (local or cloud) that transcends device accounts, 
• Apply a login code with an acceptable level of complexity to enable secure access to the device,
• automatically locking the device after an inactivity timeout period,
• Encrypt all data stored on the device,
• Apply a time-out device lock, and appropriately strong PIN/Password hygiene,
• Ensure they have their own technical support for their BYOD[3],
• Ensure appropriate current licencing for operating systems and applications running on a BYOD, and
• Ensure that they do not use a common email client for private and University email accounts.

In the event that any device that contains University data, (or that has the means to access University services) is lost or stolen, this must be reported to SIZ immediately.