<agency>

Bring your Own Device (BYOD)

Policy

December 2013

<agency> BYOD Policy

CONTENTS

1. OVERVIEW 3

1.1 Introduction and purpose 3

1.2 Scope and application 3

1.2 Reference documents 3

2. POLICY 4

2.1 Definitions 4

2.2 Terms and conditions of use 4

3. REQUIREMENTS 5

3.1 Bring your own device minimum requirements 5

3.2 Device Registration, Configuration and Management 6

3.3 Device Usage, Support and Costs 7

3.4 Protection of Agency data on your BYOD 9

3.5 Device Deregistration 109

DOCUMENT CONTROL 11

2

<agency> BYOD Policy

1. OVERVIEW

1.1 Introduction and purposeTechnology is part of the everyday life of the modern public sector worker. Consumer technology is evolving quickly and is often more advanced than the technology available in the workplace. Employees increasingly prefer to use their own smartphones, tablets and other devices to access corporate information. Empowering them to do so supports greater workplace mobility and flexibility.

The purpose of this policy is twofold. Firstly, it aims to allow you ‘bring your own device’ (BYOD) for business purposes. If your device is registered as a BYOD, you will be able to access <agency>’s programs when and where you need to do so. Secondly, the policy aims to ensure that <agency>’s systems and data are protected from unauthorised access, use or disclosure.

This BYOD Policy has been informed by the NSW Government Mobility Solutions Framework. The Framework assists NSW Government agencies to define their agency specific mobility strategy and approach.

1.2 Scope and applicationThis document sets out the terms of use for BYOD within <agency>. The policy applies to all employees of <agency>, including permanent and temporary staff, contractors and employees of <agency>’s partner organisations.

It affects any device or accompanying media that you may use to access the systems and data of <agency>, whether they are used within or outside your standard working hours.

1.2 Reference documentsThis policy supplements the <agency>’s <acceptable use policy name>.

You should also have regard to the following statutory rules, policy documents and standards. They provide direct or related guidance for the use of technology and the collection, storage, access, use and disclosure of data by NSW public sector agencies:

AS/NZS ISO 31000 Risk management - Principles and guidelines Electronic Transactions Act 2000 Government Information (Information Commissioner) Act 2009 Government Information (Public Access) Act 2009 Health Records and Information Privacy Act 2002 M2012-15 Digital Information Security Policy NSW Government Open Data Policy NSW Government Cloud Services Policy and Guidelines NSW Government ICT Strategy NSW Government ICT Technical Standards – Mobility Framework NSW Government Social Media Policy and Guidelines TPP 09-05 - Internal Audit and Risk Management Policy for the NSW Public Sector Privacy and Personal Information Protection Act 1998 Public Finance and Audit Act 1983 Public Interest Disclosures Act 1994 NSW Procurement: Small and Medium Enterprises Policy Framework State Records Act 1998

2. POLICY

3

<agency> BYOD Policy

2.1 DefinitionsApplication – Computer software designed to assist end users to carry out useful tasks. Examples of applications may include the Microsoft Office suite of products or smartphone applications such as Google Maps.

Bring Your Own Device (BYOD) - Any electronic device owned, leased or operated by an employee or contractor of <agency> which is capable of storing data and connecting to a network, including but not limited to mobile phones, smartphones, tablets, laptops, personal computers and netbooks. The accepted types of BYOD are listed in the Acceptable Device Types document attached to this policy.

Data - Any and all information stored or processed through a BYOD. <agency’s> data refers to data owned, originating from or processed by <agency>’s systems.

Device hygiene - BYOD must have appropriate and up-to-date ‘hygiene’ solutions installed. Device hygiene includes anti-virus, anti-spam and anti-spyware solutions. Minimum requirements - The minimum hardware, software and general operating requirements for a BYOD.

Mobile Device Management (MDM) – Solution which manages, supports, secures and monitors mobile devices. <Note: <Agency> will conduct risk assessments to determine whether their environment requires the implementation or not of such a solution. Implementation should ideally be done ‘as a Service’ in accordance with NSW Government policy>.

Mobility Framework – The NSW Government Mobility Solutions Framework. The Framework provides information and technical guidance to agencies when procuring mobility solution services.

Personal information – ‘Personal information’ is defined by s 6(1) of the Privacy and Personal Information Protection Act 1988 (NSW):

Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

Wipe – A security feature that renders the data stored on a device inaccessible. Wiping may be performed locally, via an MDM product, or remotely by a network administrator.

2.2 Terms and conditions of useThe purpose of this policy is to allow you to use a BYOD if you wish to do so, while also ensuring you take steps to minimise the risk of unauthorised access to <agency>’s systems or unauthorised use or disclosure of the data held by <agency>.

You must review and accept this policy before using any BYOD. Your agreement to the requirements of this policy is indicated by your <signature/acceptance> of the <attached/electronic> BYOD Acceptance Form.

Acceptance indicates agreement to the following standard terms:

Acceptable BYOD: Any device may be considered for use as a BYOD providing it meets the minimum requirements set out in this document. In general, an acceptable BYOD would be one of the devices listed in the document referenced in the definition at part 2.1 of this policy.

4

<agency> BYOD Policy

Minimum requirements: The burden of proof for meeting minimum requirements rests with you, the requestor. The final decision on whether your device meets our requirements is subject to the approval of <title of approver>.

Matching our requirements and your work needs: BYOD capabilities and device profiles must match <agency>’s requirements as well as the scenarios where you need to use a device for work. For example, if you are usually a consumer of information when mobile, the profile of a tablet or smartphone would be a good match. If you are a “creator” of information, a laptop or desktop profile would be a better match.

Authority: You agree to provide limited authority over the device for the sole purpose of protecting agency data and access on the device. This authority includes permission to wipe the device in the event of loss or disposal. This may include personal data, address books and e-mail depending on the data classification of information locally stored, the device and whether an MDM tool is used. The authority is to remain in place from the time the device is registered until it is deregistered. <Non MDM option> You should also provide your device to <relevant ICT contact> for a manual check when you cease employment. You may be present at the time the device is manually checked. >

Security: You are responsible for ensuring that your personal device is adequately secured against loss, theft or use by persons not authorised to use the device.

Support: You are responsible for replacing, maintaining and arranging technical support for your BYOD. <Agency> will only provide hardware, operating system or application support for the applications that <agency> has provided.

Access at <agency>’s discretion: Access to <agency>’s systems and data is provided at the sole discretion of <agency>. Your access may be revoked at any time and for any reason.

Enforcement: All breaches of this policy will be treated seriously. If you are found to have been in breach you may be subject to disciplinary action.

3. REQUIREMENTS

3.1 Bring your own device minimum requirementsThe table below summarises <agency>’s minimum requirements for BYOD. You should read this table with the explanatory text in the rest of this section (3.1).

Function Minimum requirement

Configuration management

Operating systems Your device must use a legitimate operating system that meets the defined minimum standards (i.e. you may not use a ‘jail broken’ device).

Network authentication

The minimum network authentication is subject to agency’s local requirements, e.g. the agency’s End User Environment Directory Service with a minimum two factor authentication required for external, 3G or internet access.

Password protection/ User authentication

Your device will support password authentication and automatic locking that must be used at all times.

5

<agency> BYOD Policy

Automatic device lock Your device must have the automatic lock enabled.

Device hygiene Your device must have appropriate and up to date ‘hygiene’ solutions installed.

Lost and stolen devices

If your device is lost or stolen you must report the loss or theft immediately to the ICT Service Desk.

Mobile device disposal

Any agency data on your device will be removed from the device at the end of its use within the agency environment.

Software licensing Operating systems and applications running on or required by BYOD will be your sole responsibility as the device owner.

Security management

Mobile device management

<Agency> will conduct a risk assessment of the nature of services to be offered to mobile devices and specifically to BYOD. A risk assessment needs to be undertaken by <Agency> to determine whether an MDM platform is required to meet its security requirements. Note: If an MDM platform is to be used, insert details in this section

Service management

BYOD authority If your device is registered and used for BYOD, you agree to surrender limited authority over the device for the sole purpose of protecting agency data and access on the device.

Mobile device application control

If <Agency> has implemented a MDM solution, it has the ability to push and remove our supplied applications from your device to enhance its security or manageability.

Device support You and the device issuer are responsible for supporting your device.

3.2 Device Registration, Configuration and Management Your BYOD must be registered before connecting to any <Agency> internal IT service.

A limit will apply to the number of devices that can be registered. <MDM option> The device must be registered by connecting to <Agency> BYOD management service

<Non-MDM option> The device must be registered in accordance with <Agency> BYOD requirements

MDM option

The device must be registered by connecting to <Agency> BYOD management service.

Non-MDM option

The device must be registered in accordance with <Agency> BYOD requirements.

6

<agency> BYOD Policy

You acknowledge that <Agency> will <non MDM option> directly and or <MDM option> remotely change security configurations of the device to protect <Agency> data and software stored on the device. These changes may include but are not limited to:

o Refusal to register a device that fails minimum requirements (outlined above) or that currently has installed banned software and services listed at <web link>.

o Configuring certain security settings

o <MDM option> Preventing the user from changing certain security settings

o Applying a login code with an acceptable level of complexity to enable secure access to the device

o Automatically locking the device after an inactive timeout period (you will need to re-enter the login code)

o Installing software and digital certificates necessary to maintain security

o Encrypting data stored on the device

o <MDM option> Automatically wiping (either all code and data OR all agency code and data) depending upon Agency MDM, device capabilities and specific requirements from the device after a specific number of failed login attempts

o <MDM option> Should any <Agency> configurations be removed that are required for proper use of the device with Agency systems, these will be re-applied or access to <Agency> systems, information and data will be prevented if the configurations cannot be maintained.

You acknowledge that any <Agency> data stored on the BYOD remains the sole property of <Agency and/or NSW Government> and that you have an obligation to protect the security of the data.

You acknowledge that <Agency> has a right to inspect <Agency> data held on your personal BYOD.

MDM Option

The device must be registered at: <weblink to Agency MDM solution>

Non-MDM Option

The device must be registered in accordance with <Agency> BYOD requirements.

<MDM option> You understand that <Agency> may remotely monitor your device to ensure security and software configurations are maintained.

<MDM option> You will not be prevented from installing the software or applications of your choice on your device. However, <Agency> may block your access to <Agency> internal IT services if any software/applications/data present a threat to <Agency> IT services, information or data.

3.3 Device Usage, Support and Costs The service and its use are at your sole discretion and risk.

7

<agency> BYOD Policy

<Agency> does not impose a charge on you for registering your device.

You are responsible for supporting your device. <Agency> will only provide support for the applications <agency> has provided.

Support BYOD

Physical provisioning Device owner

Replacement of defective/damaged device Device owner

Operating system support including licensing Device owner

Application support of device including licensing Device owner

Agency provided/supported mobile applications Agency service desk

Agency provided/supported thin-client applications Agency service desk

Device connectivity / access BYOD

Mobile internet Device owner

Home internet / broadband Device owner

VPN client Agency service desk

Agency wireless Agency service desk

<Subject to agency requirements/internal policy: <Agency> is not responsible for any costs incurred by your use of your BYOD. <Agency> will not reimburse any voice or data charges, software or application acquisition fees, support or insurance costs associated with your device except in exceptional circumstances such as excessive business requirements.

<Agency> is not responsible for any inconvenience that you may experience in connection with using <Agency> internal IT services on your BYOD.

You have sole responsibility for ensuring no other person has access to <Agency> software or data stored on your BYOD.

<Agency> will not monitor the phone call or text message history of a BYOD. Where needed (for example, in the case of a disciplinary matter) the call and text messages may be requested.

<Agency> will not monitor the web browser history on your BYOD when not connected to <Agency> network(s).

<Agency> may restrict access to internet websites, services or other elements for operational or policy reasons while your BYOD is connected to <Agency> networks including either wireless or cabled connections.

<Agency> may monitor your use of your BYOD while it is connected to <Agency> network. This information may be collected and archived and may be subject to public access.

You are responsible for abiding by all licence terms and conditions applicable to any software, apps, data or information provided by <Agency> to your BYOD.

You acknowledge that your use of a BYOD may involve <Agency>:

o Preventing you from accessing <Agency> internal IT services

8

<agency> BYOD Policy

o Locking your device

o Wiping personal data from your device in accordance with the following circumstances:

Your BYOD is reported as being lost/stolen to <Agency> <MDM option>

You cease employment/contract with <Agency>

There is a suspected security breach, examples include but are not limited to, modification of the device’s operating system, breaching <Agency> policies, or detection of viruses or malware on the device <MDM option>

<Agency> may lock your device to prevent access to <Agency> information or data.

Preventing your device from connecting to <Agency> internal IT services.

Applying either a full or selective wipe of your BYOD <MDM option>.

Applying a manual selective wipe of your BYOD <non MDM option>.

Should you fail <number> times in a row to enter a correct login password for your BYOD, a full wipe may be performed automatically on the device <MDM option>.

While <Agency> will make all reasonable effort to ensure service is available <agency> does not guarantee that access to <Agency> internal IT services, information or data will be available at all times.

If your BYOD is lost or stolen, you are responsible for reporting the event as soon as practicable to <Agency> Service Desk on <phone number>. You must also:

o undertake a device wipe as soon as practicable via <Agency MDM portal> <MDM option> or via personal configuration utility <non MDM option>.

o take reasonable steps to ensure that it is replaced as quickly as possible.

<Subject to agency requirements> <Agency> will also provide you with a loan device so that you are able to carry out your normal work activities.

3.4 Protection of Agency data on your BYOD <Agency> information, documents, and data classified as <insert> or that are subject to legal or

professional privilege must not be stored on BYODs and/or unapproved cloud-based services.

<Agency> data must only be backed up to approved locations either within agency systems or approved cloud service locations or providers.

<Subject to agency requirements> You should check your device to ensure that automated cloud backup is disabled.

<Subject to agency requirements> You should take reasonable steps to reduce the risk of losing your personal data. You may, for example, store your personal data separately from <Agency> data through file partitions or using a separate memory card.

You are responsible for backing up and restoring the data and configuration settings of your BYOD. Personal data is not to be backed up to or stored by <Agency>. <Agency> is not responsible for any personal loss or damage you may suffer by actions undertaken by <Agency> to protect <Agency> data stored on your BYOD.

3.5 Device Deregistration

9

<agency> BYOD Policy

<Agency> at its own discretion, may deregister any BYOD at any time without warning.

<Agency> may deregister a BYOD that has not consumed <Agency> internal IT services for more than <insert> months.

MDM Option

You can deregister your BYOD at any time by visiting <MDM portal>.

Non-MDM Option

The device must be de-registered in accordance with <Agency> BYOD requirements.

You acknowledge that by deregistering your BYOD:

MDM Option

o <Agency> will remove all <Agency> data, applications and security controls.

Non-MDM Option

o You will need to present your BYOD to <Agency> Service Desk for inspection and removal of all <Agency> data, applications and security controls.

You will no longer be able to connect to <Agency> internal IT systems and data, unless the device is re-registered.

You are encouraged to remove any personal data if you are intending to dispose of your BYOD. If you intend to sell or gift the device to another person you should ensure that it is wiped.

10

<agency> BYOD Policy

DOCUMENT CONTROL

Document historyStatus: Draft

Version: 0.3

Approved by: <governance/approval body>

Approved on:

Contact: John Thomas, Director, ICT Services, Department of Finance and Services

Email: john.thomas@services.nsw.gov.au

Telephone: (02) 9372 8286

Review dateThis Policy will be reviewed in six months from the date of this version and on an annual basis thereafter.

11