Approved Date: / 22/04/2011 / Revision Number: / 2
Print Date: / 06/05/2011 / Page: / 5 of 5
Document Title: / Mobile Electronic Computing Devices & Removable Storage Media
Mobile Electronic Computing Devices
& Removable Storage Media
Contents
1. Introduction
2. Scope
3. Process / Procedure / Guidelines
4. Responsibilities
5. References
1. Introduction
Mobile computing electronic devices include a wide range of equipment from laptops to cameras and mobile phones. These devices are widely used by Fife Council, both internally, within the office environment, and externally through home and mobile working.
Removable storage media is increasingly being used within Fife Council both as a personal management tool and as a production tool. Examples include USB memory sticks, camera memory cards, CDs, DVDs and external hard drives.
This policy defines the permitted use of all such mobile devices / media types within Fife Council and the responsibilities that must be accepted by all users of them.
It applies whether the device / media type is accessed on Council premises or used remotely via mobile or home working.
2. Scope
This policy statement covers general use of all mobile electronic computing devices including:
· Laptops
· Tablets
· Electronic diaries
· pc-on-a-stick
· Personal Digital Assistants (PDA’s)*
· Mobile phones (including Blackberry’s)
· MP3 players
· Digital cameras
It covers all forms of removable storage media including:
· Flash memory cards including SD cards and compact flash
· USB pen drives, memory sticks, Flash Drives etc
· External Hard disks
· CDs / DVDs
· Any other medium, equipment or device capable of holding / transferring material in a computer readable format.
This list is not intended to be exhaustive. Employees must check with the Information Policy Manager, Performance and Organisational Support, in any instance where there may be any doubt.
It also defines policy where any type of mobile electronic computing device or removable storage media is attached to any of the Council’s computer systems. In this context, the word ‘attached’ covers connection to, loading, downloading or transferring of any material via any method of connection.
The word ‘material’ is intended to cover any stored programs, text, image, data, audio and video recordings, e-mail or anything else held in computer readable form.
It is imperative that all computer users take great care to protect the security of both the data and the device / media type, and avoid virus contamination.
*Definition
For the purposes of this policy, a Personal Digital Assistant is a small hand-held computer, typically offering facilities such as word processing, diary, spreadsheet and information storage and retrieval facilities for personal or business use. Some PDA’s have a built-in mobile telephone giving access to the Internet. Some can operate as a pager. Most can be connected to other computers to exchange information and to allow synchronisation of files, diaries and so on.
3. Process / Procedure Guidelines
To avoid exposing any of the council’s computer systems or data to unnecessary risk, the following requirements and constraints must be complied with:
Requirements:
3.1 You must be aware at all times that data stored on any mobile device or form of removable media is subject to information legislation including the Freedom of Information (Scotland) Act, the Environmental Information (Scotland) Regulations; and that personal data is covered by the Data Protection Act; the user must ensure it is safeguarded accordingly. Other information may be subject to Copyright, confidential, or sensitive for other reasons and it is the responsibility of the user to ensure it is properly safeguarded.
3.2 For any mobile device or removable media which has a password facility you must make full use of a high level password access control. The password used must comply with the guidelines defined in the Password Management Policy (2037).You must:
· Ensure passwords remain confidential.
· Make your password at least 8 characters long, where the system allows.
· Change your password at least every 60 days, where the system allows.
· Change your password immediately you believe someone else might know it.
· Use a password-protected screensaver.
3.3 Ensure the physical security of the mobile device / removable media.
3.4 Sensitive or confidential data stored on any mobile device or removable media leaving Council premises must be encrypted wherever this facility is supported and available on the device or media.
3.5 Large volumes of personal data must not be transferred to mobile devices or removable media. A large volume can be defined as the personal data of 100 or more individuals.
3.6 Data recovery is prohibitively expensive and generally impractical for most disk drives and data storage devices, so users should ensure regular backups are made to the Council’s network of all mobile electronic computing devices and removable storage media to ensure data is not lost. It is the user's responsibility to protect data from damage or loss.
3.7 All managers who authorise the use of mobile devices or removable media by their staff for work purposes are responsible for ensuring that the use for which the device is issued is in line with the Council’s policies and procedures. Managers should periodically review device usage to ensure that the devices are not being used inappropriately; this includes regular reminders of user responsibilities.
3.8 All security incidents involving mobile devices or removable media must be reported at the earliest stage possible to 1st Line Support as detailed in the Information Security Management Policy (2046).
Constraints:
3.9 Do not connect a non-Council device to any Council PC or system except those systems
· expressly provided for this purpose e.g. FISH Plus or the Virtual Private Network (VPN) Portal.
· where the device belongs to a supplier or authorised contractor for the purposes of demonstration or training.
· where the device contains learning materials and the employee or student has been authorised to use these at their workplace by their Line Manager
· expressly provided for public access e.g. Wireless Guest access to the Internet.
3.10 Do not connect a Council device to a non-Council PC or system, except in the following circumstances:
· where the device has been provided by Fife Council specifically for the purposes of home or mobile working. Use of the device must be authorised by your Line Manager.
· where the device is being used for the purposes of demonstration or training.
3.11 The connection of secure Council devices to non-Council communication mediums is permitted e.g. connecting a laptop to a broadband line or a WiFi hotspot. A definition of secure Council devices is provided in the Guidance associated with this policy.
3.12 Do not load onto a Council device any software that has not been authorised by the Head of IT Services or delegated officer (i.e. an individual identified by IT Services with the authority to make the decision to allow the introduction of software onto a Fife Council device).
3.13 External hard disks should not be used for archiving or routinely storing council data. The use of external drives for mobile use is specifically prohibited unless the drive is fully encrypted to internationally accredited standards as specified by IT Services. The current standard specified by IT Services is AES-256
4. Responsibilities
4.1 Each Executive Director is responsible for the implementation of this policy and for ensuring that it is disseminated to all staff in their areas of responsibility.
4.2 All users, every employee and elected member whether permanent, temporary or contract, has a responsibility to comply with the terms of this policy.
4.3 Third-party partners and suppliers and authorised non-Council employees are required to adhere to all relevant Council policies and procedures.
4.4 All users have a responsibility to report any actual, or suspected, data breaches involving mobile devices or removable media to 1st Line Support at the earliest opportunity by phoning 6000 (VOIP) or 01592 583600 (external).
5. References
This policy statement is supported by a range of policies, procedures and guidelines. The policies listed below are all available on FISH.
Code of Conduct for Councillors
Data Protection Policy
Employee Code of Conduct 2005
Fife Gold Standard Protocol for Sharing Information
Information Requests Policy
Information Security Policy
Information Security Incident Management Policy
Password Management Policy
Records Management Policy
Mobile Electronic Computing Devices & Removable Storage Media Guidance
REVISION HISTORY
Date: 12/09/08 Original Created by: E Whiffen
______
Date: 07/11/08 1 Modified by: Neil McKay
Agreed Council document.
______
Date: 7/4/11 2 Modified by: L Gauld and
Mike Coventry
Updated to reflect current business practices.