ISP S14 Mobile Computing Policy (DRAFT)



1.1 This policy forms part of the University’s Information Security Policy Set and should be read in conjunction with the Information Security Policy (ISP S1) and other supporting documentation.
1.2 Modern computing and telecommunication devices make it increasingly easy to work when away from the office.  Portable computing devices such as laptops, tablets and smartphones, for example, can carry information assets far from the organisation’s premises and thereby expose them to different and probably increased, risks.  The greatly increased availability of networked computers, from cybercafés to visitor facilities in other organisations, also encourages staff to access information assets when away from the office.  The organisation cannot rely on such devices and network connections having any security controls, so must ensure that any information assets that may be accessed from them have sufficient inherent controls to protect them.  Mobile computing of all kinds therefore raises significant issues for information security.

For some information assets it will be impractical to provide adequate protection for access or storage by mobile computing.  It is, therefore, likely and reasonable that the organisation will need to prevent some types of information being used through mobile computing systems.  In this, mobile computing differs from teleworking (cover in ISP S15 Teleworking Policy) where dedicated systems in a single, fixed, location are used for access.  Teleworking systems can be made as secure as office systems, mobile computing systems cannot.

1.3 Please refer to the appendix for further explanation of the points below.


Authorisation to use a mobile device for business purposes

2.1 Persons accessing information system remotely to support business activities must be authorised to do so by an appropriate authority within the organisation.  A risk assessment based on the criticality of the information asset being used must be carried out.
High Criticality Information Medium Criticality Information Low Criticality Information
The risks associated with access to organisational information processing facilities and assets from mobile devices shall always be assessed and strong security control implemented. The risks associated with access to organisational information processing and assets from mobile devices shall be separately assessed. The general user forum should discuss and agree baseline information security standards applicable.



Guidelines and good practice for using mobile devices

3.1 The organisation will publish guidelines for users of mobile computing equipment advising them on how these should be used to conform to the organisation’s Information Security Policy and other good practice.

Failure to comply with University Policy may lead to disciplinary action.