INFORMATION SECURITY POLICY N Policy for Mobile Computing



INFORMATION SECURITY POLICY
N MOBILE COMPUTING.docx







INFORMATION SECURITY POLICY N

Policy for Mobile Computing



INTRODUCTION



Modern computing and telecommunications devices make it increasingly easy to work when away from the office. Portable computing devices such as laptops, personal digital assistants (PDAs) and mobile phones can carry information assets far from the organisation’s premises and thereby expose them to different, and probably increased, risks. The greatly increased availability of networked computers, from cybercafés to visitor facilities in other organisations, also encourages staff to access information assets when away from the office. The organisation cannot rely on such devices and network connections having any security controls, so must ensure that any information assets that may be accessed from them have sufficient inherent controls to protect them. Mobile computing of all kinds therefore raises significant issues for information security.

For some information assets it will be impractical to provide adequate protection for access or storage by mobile computing. It is, therefore, likely and reasonable that the organisation will need to prevent some types of information being used through mobile computing systems. In this, mobile computing differs from teleworking (covered in section O of this Policy) where dedicated systems in a single, fixed, location are used for access. Teleworking systems can be made as secure as office systems; mobile computing systems cannot.

POLICY

N.1 Authorisation to use a mobile device for business purposes

Notes: Devices used for mobile computing (such as laptops, home computers or personal digital assistants, PDAs) cannot be assumed to implement any security controls; use of such devices could compromise the information security of the organisation. A risk assessment is needed, which might reveal that some information assets cannot be afforded sufficient protection; these types of information should never be accessed from or stored on mobile computing systems.

Policy N.1.1: Persons accessing information systems remotely to support business activities must be authorised to do so by an appropriate authority within the organisation. A risk assessment based on the criticality of the information asset being used must be carried out.

Marjon Statement: The authorisation must come from at least the level of a Department Head.


N.2 Guidelines and good practice for using mobile devices

Notes: Technical controls alone cannot provide sufficient security protection for an organisation’s information if it is to be accessed remotely; those controls must be supported by sound operating practices by the remote user. It is essential that guidance is given to all users of remote or mobile equipment.

Policy N.2.1: The organisation will publish guidelines for users of mobile computing equipment advising them on how these should be used to conform to the organisation’s Information Security Policy and other good practices.

Marjon Statement: When a laptop is allocated or drawn from library stock, security guidelines produced by Computing Services will be included.

FURTHER DOCUMENTATION


The implementation of a mobile computing policy will also require the development of processes and procedures. Documentary evidence of these will be required to satisfy an external party, such as an auditor, that the policy has been fully implemented.











Document title: MOBILE COMPUTING POLICY
Document reference: N MOBILE COMPUTING
Author: CEM/DR
Document date: 1 November 2010
Date last amended:
Confidential? no
Document status: Approved at I&LR 24-11-10
Document Version: 1.0
Circulation: Published on the Intranet
EIA:
History: To be presented to the I&LR committee for consideration and approval 24th November 2010. Approved at I&LR 24-11-10