Mobile, Remote Working and Personal Device Usage Policy

Information Governance Policy 4 details the expected practices and safeguards for accessing university information or information systems while working remotely, whether on university-owned or personal devices. It applies to staff, doctoral researchers and contractors working away from campus, including at home, elsewhere in the UK, or internationally.

Policy Owner

IT Services/Information Governance Sub-Committee

Version/review date

Version 1.3: Approved 27 February 2026.  Review date: 31 July 2031

Stakeholders

This Policy is relevant to all staff, students and external partners who require remote access to University Information Systems.

1. Policy Overview

This policy sets out:

  • the expected working practices and safeguards to be followed by individuals when working remotely and away from one of the University campuses; and
  • the use of both University and personally owned devices for remote working.

It recognises that such working may take place at the individual’s address, elsewhere in the UK, or internationally.

2. Policy Scope

This policy applies to all University staff and doctoral researchers, including those working remotely or while travelling, who access University information systems and data using either personal or university-owned devices. It also applies to visitors granted ‘Staff Like’ IT accounts, in accordance with the University’s Policy on the Management of User Access to Information, e.g. a visiting academic or agency staff working in a professional services role.

Both University and personally owned devices may be used for remote working and information security risks will need to be considered carefully in the context of the University’s information security policies depending on the category of the information to be accessed (See Information Categories and Safe Information Sharing Policy), the device(s) to be used, and the nature of the remote environment.

Examples of such devices include desktop computers (typically at home), laptops, tablets, smart phones, and smart watches.

3. Use of Personally Owned Devices

The University recognises the advantages of allowing staff to use personal devices for work purposes.  This policy aims to minimise the risks associated with using such devices including the loss or theft of devices, loss of control over personal data, unauthorised or illegal access, or misuse that could lead to a compromise of university data, e.g. sharing account access or failing to lock a device when unattended.

4. Use of Personally Owned Devices in Countries that Prohibit Use of Encrypted Devices

You should not take encrypted devices into countries that prohibit use of such equipment; speak to IT Services to discuss your options.

5. Setting Up and Using Personally Owned Devices for Work Purposes

If you use your own device to access University information or to conduct activities related to your role within the University, you must:

  • Adhere, at all times, to the University’s Acceptable Use Policy,
  • To protect University data, secure any devices accessing University systems, including by enabling encryption, strong passwords, biometric login, and remote wipe features (see IT Security Tips),
  • So that you can verify your identity when you access the University network, set up multi-factor authentication on your device using the Duo Mobile App. Alternatively, ensure that you have access to a hardware security token,
  • Use separate accounts on shared devices, do not reveal your passwords or passcodes, and delete any unused or inactive accounts,
  • Ensure that all relevant security features, including anti-virus protection and software firewalls, are enabled, where appropriate. Anti-virus software must be licensed and configured to update daily,
  • Enable automatic updates for operating systems, firmware and applications wherever possible. If you maintain the device yourself, ensure that the operating system, firmware, software, and apps are regularly patched and kept up to date,
  • To protect your device, ensure all security updates are installed within 14 days of release,
  • Regularly review installed software and apps and remove any that are unused or inactive to minimise security risks and maintain device performance. Unsupported software (software which no longer receives updates or security fixes from the software provider) must be either removed or updated to a supported version,
  • Personally owned devices must be enrolled onto approved device management software to ensure they meet the University’s minimum security standards when accessing University information and services. The University will perform regular posture checks of personally owned devices to verify compliance. If a device does not meet these standards, access to certain services will be restricted until the operating system, firmware, and additional software are updated to the minimum secure standard,
  • Do not modify mobile device operating systems. Rooting or jailbreaking a device removes built-in security protection and may result in your access to the university network being refused or restricted,
  • Set up unique and complex passwords, passcodes, passkeys or biometric equivalents known only to you. These will be enforced by appropriate IT Systems, and must be changed if shared with others or otherwise compromised,
  • Devices must be encrypted where possible; modern smart phones and tablet devices are encrypted automatically by setting a six-digit PIN,
  • Only download software from trusted sources e.g., Apple App Store and Google Play. All software must be appropriately licensed,
  • Set up location tracking services and remote wipe facilities where available. If a device is lost or stolen, IT Services may be able to issue a remote wipe,
  • Do not store Highly Confidential and Confidential information on the device itself, or in a personal cloud storage service; it must be stored on the University network or within O365 (such as OneDrive, SharePoint or Teams), and in accordance with the University retention rules,
  • If University information has been lost (including loss of control over it), accessed without authorisation, or compromised, it must be reported immediately using the Report a data breach form,
  • If a device containing Highly Confidential or Confidential information is lost or stolen, report it immediately to IT Services and implement a remote wipe, if possible,
  • Before disposing of, selling, or giving away a personal device, delete all University data, software, and apps and restore the device to its factory settings by following the procedures which the IT Services Service Desk will provide; and
  • For disposal of university owned devices, follow the WEEE guidelines. There are separate disposal procedures for laptops and for mobile phones.

Details of how to access University IT facilities such as email through your own device will be found on IT Services webpages.

The University takes no responsibility for supporting, maintaining, repairing, insuring or otherwise funding employee-owned devices, or for any loss or damage resulting from any support and advice provided.

6. Working Practices

This section is applicable to the use of information from university and personally owned devices, and some clauses are also relevant to hardcopy information.

When working away from campus, the international eduroam wireless service should be used where available, for security reasons and to avoid expensive additional wireless and mobile roaming costs. Further details are available at:
https://www.lboro.ac.uk/services/it/topics/about-eduroam/

The majority of Wi-Fi networks, including those in coffee shops and hotels, are shared access and therefore malicious people can view some of the activity happening from your device. It is therefore essential to use the University Off Campus VPN for working on university information. Further details on using the VPN service are available:

You should not use devices owned by third parties (e.g. Internet Cafes) to access or process University information unless these third parties are trusted partners whose relationship with the University is covered by a formal agreement (e.g. research partners).

As you would when you are working on campus at your normal work location, when working on a mobile basis you should always ensure that unauthorised individuals cannot access your University IT account.

You must take all reasonable steps to:

  • Prevent the theft or loss of information, or unauthorised access to Highly Confidential and Confidential information. Your device must always be locked when not in use or when you need to move away from your work area. When not using your device for a long period of time (overnight), turn your device off,
  • Ensure that no unauthorised access to Highly Confidential or Confidential information can take place, and follow the University’s Data Protection and Information Governance Policies, as well as any commercial agreements which may relate to the information you are accessing or processing,
  • Maintain the confidentiality, integrity and availability of information; where possible, work on information stored directly within OneDrive or Teams. If required, ensure that relevant information is copied back to central University information systems or Microsoft 365 (OneDrive/Teams) where appropriate,
  • Ensure that Highly Confidential or Confidential information is not retained on the device for longer than is necessary. Where possible do not create and retain local copies of such information,
  • Report any personal data breaches immediately via the Data Breach reporting form in accordance with the Information Security Incident Handling Policy,
  • Report any security breach immediately to IT Service desk in accordance with the Information Security Incident Handling Policy; and
  • Ensure University devices or confidential information is not left where it would attract the interest of an opportunist thief. In the home it should be located out of sight of casual visitors and when not in use, it is recommended that it is stored in a locked or sealed environment.

7. Monitoring and Access

The University has the right to monitor the security posture (status and quality of security features and protections) of devices accessing University information, and to log data traffic transferred between your device and University systems, whether over internal networks, over VPN connections or entering the University via the Internet.

To protect University systems and data, all personally owned devices used to access University networks or services must meet minimum security standards. To support this, the University will perform automated posture checks on personal devices to ensure they are secure and do not pose a risk to the integrity of its systems and services. This includes protecting against access from unverified locations. If a device does not meet the required security standards, access to the University's network and systems may be restricted or refused until the necessary updates or changes are completed. The University also reserves the right to:

  • Prevent access from a particular device over VPN, wired or wireless networks,
  • Prevent access to a particular system,
  • Enforce a minimum standard for devices which access University information or systems,
  • Disable user accounts if deemed to have been compromised or abused; and
  • Take all necessary and appropriate steps to retrieve information owned by the University.

The University requires that you install, and from time to time update, the University-approved device management software on your own device.

8. Information Sharing

Please see the Information Sharing policy for guidance on the use of Cloud Services and third-party facilities for collaborative working and information sharing with external partners. Consideration must also be given to the confidentiality or sensitivity of the information you need to share. Please refer to the same policy.

9. Loss, Theft or Damage of Device

If a device that holds information belonging to the University is damaged, lost or stolen, it must be reported immediately via the Lost, Stolen, or missing device reporting form in accordance with the Information Security Incident Handling Policy, regardless of whether the device is University or personally owned. Staff should make all possible enquiries to attempt to locate lost or stolen devices and report any potentially criminal activity to the appropriate authorities.

In the event that a personally owned device is used to access or share University owned information, the University reserves the right to remotely wipe the device if it becomes damaged or lost, or if the University becomes concerned that the security of the information has been compromised.