MOBILE COMPUTING POLICY

Metadata

Author.Contributor: Derrick Bates
Coverage.spatial: UK, Cumbria
Creator: ICT Client Team Organisational Development & HR
Date.issued: 5th August 2009
Description: The document sets out the corporate policy on mobile computing and networking.
Format: Txt
Identifier:
Language: Eng
Publisher: Cumbria County Council
Rights.copyright: Cumbria County Council
Status: Version 1.0 Live
Subject.category: Information & Security
Subject.keywords: Information management; resources; retrieval; policy; security; users; mobile; ; pda; notebook; portable; wireless; ; broadband; usb;
Title: Cumbria County Council Mobile Computing Policy

Distribution

Issue Version Name Title Date

Revision History

Document ID.version  Status  Date        Reason for review                     Author
v0.1                 Draft   2007-10-19  Initial creation                      D Bates
V0.2                 Draft   2008-04-08  Amended Directorate                   D Bates
V0.3                 Draft   2009-07-07  Amended post changes to mobile build  D Bates
V0.4                 Draft   2009-07-08  Review of V0.3 prior to sign off      A Cook
V 1.0                Live    2009-08-05  Published                             D Bates

Approval

Name    Position          Date        Signature
A Cook  Head of BI & IT   2008-08-05

This Policy will be reviewed by the corporate Information Technology Security Officer annually from the date of approval.

Version 1.0, 5th August 2009 Page 2 of 7 Mobile Computing Policy

Table of Contents

1 INTRODUCTION
2 OBJECTIVE
3 SCOPE
4 POLICY
4.1 Physical Protection
4.2 Wireless Networking (Wi-Fi)
4.3 Virtual Private Network (VPN)
4.4 Access Control
4.5 Backup and Recovery
4.6 Personal Firewall & Anti Virus
4.7 Encryption of Sensitive Information
4.8 External Networks
4.9 USB Memory Sticks (Flash Drives)
4.10 Blackberry
4.11 Government Connect (GC)

1 Introduction

All service areas within the Council have a requirement to have access to information whilst on the move, whether that is by use of a laptop, handheld computer, or a combination of these.

This mobile access creates potential risks to the confidentiality of the data we hold on behalf of individuals. This policy sets out how mobile computing is to be used within Cumbria County Council to manage the risk to that data, and balances the need for easy access to information with our responsibility to the individual to ensure we treat their data properly.

2 Objective

It is the objective of this policy to ensure we achieve a balance between physical & when using mobile computing and business need.

3 Scope

This document defines Cumbria County Council’s policy for the use of mobile computing in pursuit of its normal business activities. It covers:

• Hand held
• Blackberry devices
• USB Memory sticks
• Mobile phones

It does not lay down technical details of the security to be applied. It does not apply to mobile computing used by third parties where these mobile computers do not connect to the Council’s infrastructure. This policy applies to all Members and employees, consultants, temporary or contract workers working for the Council.

4 Policy

4.1 Physical Protection

To guard against theft when travelling, laptops, handheld computers, mobile phones and USB memory sticks are not to be left unattended. Where a theft occurs, the custodian of the equipment is to report the incident to the Police, their line manager and to the Corporate Information & Technology Security Officer.

Mobile computing users who transfer information on memory sticks are to treat such devices in the same way that personal possessions are protected, e.g. purses, wallets or passports.

Mobile computing equipment must not be exposed to extreme temperatures. Managers are to be aware of the quantity and location of all mobile computing assets allocated to their Department/Unit.

4.2 Wireless Networking (Wi-Fi)

The County Council now has the facility to deploy Wireless Access Points (WAPs), sometimes referred to as “Wireless Hot Spots”. This allows members of staff and guests to access the County Council network directly from their wireless-enabled laptop. The creation of these Hotspots is a decision for the business and can be ordered through the ICT Client Intranet site. The wireless network will use the highest security settings available to the technology at the time of installation under the guidance of the corporate IT Security Officer and the Strategic ICT Partner.

All new County Council laptops are fitted with a wi-fi card to permit wireless connection to the corporate network. Some WAPs have already been established in common Council locations across the county, such as the main conference and meeting rooms. The laptop wi-fi card will also facilitate connection to a home wi-fi broadband access point and certain commercial hot spots.

Users connecting via this method must read the information contained in the Mobile Computing Security pages of the corporate Intranet, In Touch.

4.3 Virtual Private Network (VPN)

The Council utilises a VPN to provide users of mobile computers with a secure connection to the Council’s network. During use this method has the same levels of security as online banking and provides direct access to data files, e-mail, intranet and other corporate systems as though the user is directly connected to the network.

4.4 Access Control

Portable computers should be adequately protected against unauthorised access whenever and wherever they are in use. Where mobile computing is used in public areas, care must be taken to avoid the risk of being overlooked by unauthorised persons.

Users in possession of a Blackberry are to ensure that it is protected by a strong password and is operated securely, especially in a public environment. Unless the Council asks the user to do so, the device is not to be passed to any third parties and should be protected in the same manner as any other valuable personal object.

Those Directorates that enable members of the public to access computer services must ensure that the equipment and data are safeguarded against theft, damage or unauthorised alteration.

4.5 Backup and Recovery

The County Council has a rigorous process for the backing up of data held on the network to protect against accidental loss or failure of the system that accesses that data. In this way information is not lost when a PC fails or is stolen. Mobile devices have the potential to hold data on the device rather than the network. Storing information solely on the device would prevent us from being able to back it up and introduces a risk to the business. If that device should fail or be stolen the information is lost as well.

All users of mobile computing are to ensure that their primary data store is held on the corporate network to ensure that it is regularly backed up. Line Managers should ensure that employees for whom they hold responsibility and who are allocated a are competent in protecting their files by the use of synchronized offline working.

4.6 Personal Firewall & Anti Virus

The County Council protects the network and computers attached to it by the use of Firewalls and Anti-Virus software. Portable computers have the capacity to short-circuit this protection as they are sometimes connected to the network and sometimes not. Portable computers must have a local, non-Microsoft firewall enabled to the highest practical security level. Where a firewall is available from the VPN vendor as an option, this is to be deployed as default.

Portable computers must have their anti-virus protection updated regularly either by connection to the corporate network or by manual update via the Strategic ICT Partner’s Service Desk.

4.7 Encryption of Sensitive Information

Encryption is the encoding of information held on a computer or transmitted across a network using a secret password. It is used to protect sensitive information. Sensitive information is information that is, for example, personal to a customer, of financial interest or of interest to a terrorist. It also refers to information that is not to be released to the public. If a computer or other device is stolen the data held on it is at risk. Sensitive Information held on a mobile computer is to be protected using the corporate encryption software. This is available via the Strategic ICT Partner.

4.8 External Networks

Where a user is required to use mobile computing as part of their duties and has been issued with a corporate laptop the security standards listed above must be applied to the equipment and the user taught how to maintain security whilst mobile.

Staff members who do not have access to an external wireless network may have to use a device that uses mobile phone technology to connect from anywhere. This is called a 3G device. Only County Council 3G devices should be used for this purpose. The use of personal 3G devices or mobile phones may not be secure and is therefore not permitted.

Connection to external wireless networks is permitted only where the network does not require the user to open a browser window to enter a user name and password. Further information on the use of such networks is available on the corporate Intranet, In Touch.

4.9 USB Memory Sticks (Flash Drives)

The use of these devices is governed by the same rules as 4.7 above. Where it becomes a requirement to move sensitive information an encrypted memory stick is to be used. These are available from the corporate Intranet ICT Procurement pages. If the user has an encrypted laptop it has the capability to encrypt any data loaded on to an ordinary USB stick.

4.10 Blackberry

Blackberry hand held devices are miniature computers which can access data such as e-mails, open file attachments, and send and receive voice calls. Users must be extremely vigilant when using these devices as they are much smaller than a laptop and are consequently more easily lost or stolen.

When speaking or emailing with a Blackberry, users must not openly discuss sensitive issues or pass sensitive information whilst in a public area.

Use of Bluetooth with a Blackberry is permitted only in conjunction with an encrypted headset. This is obtained from Corporate Procurement. It is configured and installed by the Strategic ICT Partner.

4.11 Government Connect (GC)

Some of our work requires access to confidential information held by Central Government. To improve access to such information, the Government is introducing a service called Government Connect (GC). This access is granted through the issuing of a GC account.

Access to the GC system has a greater security burden than the County Council and some of the optional elements described above are mandatory. This will be discussed with the line manager and the ICT Security Officer. Where a laptop user is required to have a GC account for connection to Central Government systems, that laptop is to have all of the above secure technologies installed prior to being granted access to GC.
