MOBILE COMPUTING POLICY Mobile Computing Policy Metadata Author.Contributor Derrick Bates Coverage.spatial UK, Cumbria Creator ICT Client Team Organisational Development & HR Date.issued 5th August 2009 Description The document sets out the corporate policy on mobile computing and wireless networking. Format Txt Identifier Language Eng Publisher Cumbria County Council Rights.copyright Cumbria County Council Status Version 1.0 Live Subject.category Information & Computer Security Subject.keywords Information management; resources; retrieval; policy; security; users; mobile; laptop; pda; notebook; portable; wireless; 3g; broadband; usb; bluetooth Title Cumbria County Council Mobile Computing Policy Distribution Issue Version Name Title Date Revision History Document Status Date Reason for review Author ID.version v0.1 Draft 2007-10-19 Initial creation D Bates V0.2 Draft 2008-04-08 Amended Directorate D Bates V0.3 Draft 2009-07-07 Amended post changes to D Bates mobile build V0.4 Draft 2009-07-08 Review of V0.3 prior to sign A Cook off V 1.0 Live 2009-08-05 Published D Bates Approval Name Position Date Signature A Cook Head of BI & IT 2008-08-05 This Policy will be reviewed by the corporate Information Technology Security Officer annually from the date of approval. Version 1.0, 5th August 2009 Page 2 of 7 Mobile Computing Policy Table of Contents 1 INTRODUCTION ...........................................................................................4 2 OBJECTIVE ..................................................................................................4 3 SCOPE ..........................................................................................................4 4 POLICY .........................................................................................................4 4.1 Physical Protection...............................................................................................................................4 4.2 Wireless Networking (Wi-Fi) ..............................................................................................................5 4.3 Virtual Private Network (VPN) ..........................................................................................................5 4.4 Access Control......................................................................................................................................5 4.5 Backup and Recovery ..........................................................................................................................5 4.6 Personal Firewall & Anti Virus ..........................................................................................................6 4.7 Encryption of Sensitive Information ..................................................................................................6 4.8 External Networks ...............................................................................................................................6 4.9 USB Memory Sticks (Flash Drives)....................................................................................................6 4.10 Blackberry .......................................................................................................................................7 4.11 Government Connect (GC) ............................................................................................................7 Version 1.0, 5th August 2009 Page 3 of 7 Mobile Computing Policy 1 Introduction All service areas within the Council have a requirement to have access to information whilst on the move, whether that is by use of a laptop, handheld computer, mobile phone or a combination of these. This mobile access creates potential risks to the confidentiality of the data we hold on behalf of individuals This policy sets out how mobile computing is to be used within Cumbria County Council to manage the risk to that data and balances the need for easy access to information with our responsibility to the individual to ensure we treat their data properly. 2 Objective It is the objective of this policy to ensure we achieve a balance between physical & information security when using mobile computing and business need. 3 Scope This document defines Cumbria County Council’s policy for the use of mobile computing in pursuit of its normal business activities. It covers: • Laptops • Netbooks • Hand held computers • Blackberry devices • USB Memory sticks • Mobile phones It does not lay down technical details of the security to be applied. It does not apply to mobile computing used by third parties where these mobile computers do not connect to the Council’s infrastructure. This policy applies to all Members and employees, consultants, temporary or contract workers working for the Council. 4 Policy 4.1 Physical Protection To guard against theft when travelling, laptops, handheld computers, mobile phones and USB memory sticks are not be left unattended. Where a theft occurs, the custodian of the equipment is to report the incident to the Police, their line manager and to the Corporate Information & Technology Security Officer. Mobile computing users who transfer information on memory sticks are to treat such devices in the same way that personal possessions are protected, e.g. purses, wallets or passports. Version 1.0, 5th August 2009 Page 4 of 7 Mobile Computing Policy Mobile computing equipment must not be exposed to extreme temperatures. Managers are to be aware of the quantity and location of all mobile computing assets allocated to their Department/Unit. 4.2 Wireless Networking (Wi-Fi) The County Council now has the facility to deploy Wireless Access Points (WAPs) sometimes referred to as “Wireless Hot Spots”. This allows members of staff and guests to access the County Council network directly from their wireless enabled laptop. The creation of these Hotspots is a decision for the business and can be ordered through the ICT Client Intranet site. The wireless network will use the highest security settings available to the technology at the time of installation under the guidance of the corporate IT Security Officer and the Strategic ICT Partner. All new County Council laptops are fitted with a wi-fi card to permit wireless connection to the corporate network. Some WAPs have already been established in common Council locations across the county, such as the main conference and meeting rooms. The laptop wi-fi card will also facilitate connection to a home wi-fi broadband access point and certain commercial hot spots. Users connecting via this method must read the information contained in the Mobile Computing Security pages of the corporate Intranet, In Touch. 4.3 Virtual Private Network (VPN) The Council utilises a VPN to provide users of mobile computers with a secure connection to the Council’s network. During use this method has the same levels of security as online banking and provides direct access to data files, e-mail, intranet and other corporate systems as though the user is directly connected to the network. 4.4 Access Control Portable computers should be adequately protected against unauthorised access whenever and wherever they are in use. Where mobile computing is used in public areas care must be taken to avoid the risk of being overlooked by unauthorized persons. Users in possession of a Blackberry are to ensure that it is protected by a strong password and is operated securely, especially in a public environment. With the exception of being asked to do so by the Council the device is not to be passed to any third parties and should be protected in the same manner as any other valuable personal object. Those Directorates that enable members of the public to access computer services must ensure that the equipment and data is safeguarded against theft, damage or unauthorised alteration. 4.5 Backup and Recovery The County Council has a rigorous process for the backing up of data held on the network to protect against accidental loss or failure of the system that accesses that data. In this way information is not lost when a PC fails or is stolen. Mobile devices have the potential to hold data on the device rather than the network. Storing information solely on the device would prevent us from being able to back it up and introduces a risk to the business. If that device should fail or be stolen the information is lost as well. Version 1.0, 5th August 2009 Page 5 of 7 Mobile Computing Policy All users of mobile computing are to ensure that their primary data store is held on the corporate network to ensure that it is regularly backed up. Line Managers should ensure that employees for whom they hold responsibility and who are allocated a portable computer are competent in protecting their files by the use of synchronized offline working. 4.6 Personal Firewall & Anti Virus The County Council protects the network and computers attached to it by the use of Firewalls and Anti-Virus software. Portable computers have the capacity to short circuit this protection as they are sometimes connected to the network and sometimes not. Portable computers must have a local, non Microsoft firewall enabled to the highest practical security level. Where a firewall is available from the VPN vendor as an option this is to be deployed as default. Portable computers must have their anti-virus protection updated regularly either by connection to the corporate network or by manual update via the Strategic ICT Partner’s Service Desk. 4.7 Encryption of Sensitive Information Encryption is the encoding of