Bring Your own Device (BYOD) Policy

This policy defines the rules, controls and behaviours for University staff when using non-University of Wolverhampton (UoW) managed or personal devices to access University systems and data.

Updated November 2021

Approved by the University's Corporate Management Team

1. PURPOSE

1.1.  The purpose of this Policy is to define the rules, controls and behaviours required for the use of non-University of Wolverhampton (UoW) managed personal devices by permanent or temporary employees, corporate suppliers, external contractors (hereafter referred to as “the employee” or “employees”) when accessing business resources and/or services. The BYOD device is defined as a non-UoW managed device, personal to an individual and not a company/supplier, with a computing capability connecting to University information systems and data (hereafter referred to as “BYOD device(s)”). Mobile and Tablet BYOD devices are expected to be compliant with the University Mobile Device Management (MDM) guidance. Access to, and continued use of, services is granted on condition that each user has read, understood and is following this Bring Your Own Device (BYOD) policy.   

1.2.  BYOD refers to all devices used by staff/third-parties or partners which are neither issued nor managed by the university Digital Services department. The term BYOD refers to all types of devices which used to access business data, email, calendar or any data source which contains personal identifiable data. This policy applies at all times, whether accessing data on campus or working remotely and includes personally owned devices used within the home environment where university data is imported or processed.  

1.3.  The use of BYOD on non-UoW issued devices does not exclude employees from compliance with all relevant UoW security policies, associated documents and or controls. BYOD is a privilege granted to employees and UoW reserve the right to decline the use of BYOD at its sole discretion and revoke BYOD privileges at any time without notice.

2.  SCOPE

2.1.  This Policy applies to the use of all BYOD devices. It is important to note that the use of a non-UoW device is by exception, and only when approved by the Digital Services Information Security Team.

2.2 BYOD refers to all devices accessing business data from university sources, whether on campus or remotely via the internet or other remote access technologies.

2.3 This Policy is intended to protect the security and integrity of UoW data and technology infrastructure. Limited exceptions to this Policy may occur due to variations in devices and platforms; however, these must be explicitly approved by the Digital Services Information Security Team.

2.4 This policy applies to all employees (students are excluded from accessing business data and therefore are excluded from the requirements of this policy) who are permitted to utilise BYOD. This policy prevents the use of employee-owned external removable storage media and or third-party subscription services with a UoW IT resources. University business data storage must comply with the requirements of the university Data Classification Policy and Data Protection requirement.

2.5 This policy is in force at all times and applies both on and off UoW premises.

3. POLICY STATEMENT

3.1.  UoW’s policy regarding BYOD is as follows:

  • UoW will permit the use of BYOD for mobile and tablet devices, which staff will be able to use via MDM technology without prior permission.
  • UoW will not permit the use of BYOD for laptops or PCs by default. In exceptional circumstances, staff will be required to submit written justification via this exemption form to Digital Services, in order to use BYOD laptops or PCs. 
  • BYOD device users must ensure the Confidentiality, Integrity and Availability of data assets and Information Technology (IT) systems owned or under UoW’s jurisdiction (IT resources).
  • Employees electing to BYOD are required to read and follow a UoW BYOD consent agreement. A signature will be required for BYOD usage of laptops and PC’s (where permitted).
  • Employees are required to complete any awareness induction, training course and qualifying test that may be required, to the satisfaction of UoW, and consent to commit to additional training refresh. Failure to comply with continuous awareness training will result in the suspension or removal of BYOD privileges.
  • BYOD privileges will be provisioned, managed and revoked using a formal, documented programme with defined ownership for cyclical review and recertification (E.g. annual).

3.2.  UoW applies a risk-focused approach to BYOD. It is accepted that permitted devices must have a proportionate and appropriate level of security management applied to the devices, and employees do not present an intolerable risk in line with the organisation’s risk tolerance levels.

4. ROLES AND RESPONSIBILITIES

4.1.  The University Registrar is responsible for this policy and shall ensure that this policy is up-to-date and relevant, through the Digital Services Information Security Team.

4.2.  Employees shall comply with this policy/facilitate implementation of this policy where applicable to BYOD.

4.3.  The Digital Services Information Security Team are responsible for implementation of this policy during all BYOD requests.

5. EXPECTATION OF PRIVACY

5.1.  UoW security will respect the privacy of any personal device and will only request access to the device to implement security controls or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings.

6. ACCEPTABLE USE

6.1.  The user of BYOD devices for business purposes should comply with all requirements of the IT Acceptable Use Policy. The following provides guidance for users of BYOD devices in the processing of business information. BYOD devices may not be used at any time to:

  • Store or transmit illicit materials,
  • Store long term or transmit proprietary company information, nor;
  • Harass others.

6.2.  The employee may use their mobile phone or tablet BYOD device to access company-owned systems and data, including but not limited to:

  • Microsoft O365,
  • Agresso,
  • Windows Virtual Desktops (WVDs),
  • Canvas, etc.

6.3. UoW has a zero-tolerance policy for texting or emailing while driving with only hands-free talking while driving permitted.

6.4  Laptop and PC devices must comply with the following acceptable use cases:

6.4.1 User must have a software firewall enabled on their device. If not, the user must change the default password on their home internet router, which must be at least 8 characters and compliant with the University’s password policy.

6.4.2 User to set up a separate user account profile without Admin elevated rights on their device for the purposes of accessing corporate data. This work profile must be password protected and subject to the University’s password policy. The profile should not be accessed by any other user. The profile must not have privileged permissions or administrator privileges.

6.4.3 Users to confirm that they have removed or disabled any software on their personal device that they no longer require.

6.4.4 Users to ensure the configuration in their system settings does not enable “auto-run” or “auto-play”.

6.4.5 Users must confirm all applications on their device are supported by a provider that produces regular security patches and critical updates. Users must remove or disable any software that is not supported by a supplier. Users must remove or disable any software on their device that they no longer require. Users must ensure all software on the device is licenced in accordance with the publisher’s recommendations.

6.4.6 Users must consent to providing information on their malware protection, internet browsers, email applications, and office applications

6.4.7 Users will be required to install all critical security updates for operating systems within 14 days of release or they will be blocked from accessing the network.

6.4.8 Users will be required to install all critical security updates for applications within 14 days of release

6.4.9 Users must only install applications on their device from an App Store that are approved by the organisation (eg Google Play Store, Apple Store).

6.5  Mobile and tablet BYOD users must comply with the following acceptable use cases:

6.5.1 Users will need to consent to MDM technology being installed on their personal device, which will report on their machine specifications, operating system, and other information.

6.5.2 Users will be required to install all critical security updates for operating systems within 14 days of release or they will be blocked from accessing the network.

6.5.3 Users will be required to install all critical security updates for applications within 14 days of release

6.5.4 Users must only install applications on their device from an App Store that are approved by the organisation. 

7. DEVICES AND SUPPORT

7.1.BYOD devices are supported on an exception basis only and, as such, must meet the current security standards and be approved by the Digital Services Information Security Team. Service Desk’s responsibilities regarding BYOD support are as follows:

  • BYOD devices will NOT be supported by the Service Desk beyond UoW installed software (E.g. Mobile Device Management (MDM) solutions, security tools etc.).
  • Connectivity issues are supported by the Service Desk. Employees should contact the device manufacturer or their carrier for operating system or hardware-related issues.
  • Mobile or tablet devices must be appropriately on-boarded through the formal MDM solution used by UoW.

7.2.  The employee must notify the helpdesk and their line manager in the event of any BYOD loss, theft or servicing. Upon notification, UoW reserve the right to perform a BYOD remote wipe of the UoW data and applications.

7.3.  The employee takes full responsibility for all BYOD device maintenance.

7.4.  UoW is not responsible or liable for any damage, loss or service interruption of any BYOD device.

8. SECURITY

8.1.  The following security requirements will be verified before granting BYOD access to UoW systems or data:

  • Mobile or tablet BYOD device users must consent to UoW installing management controls onto their devices to ensure security compliance.

  • In order to prevent unauthorised access, devices must be PIN or operating system applicable equivalent (E.g. password if PIN is not functionally available) protected using the features of the device and a strong password is required to access the company network aligned to the requirements of the Password Policy.

  • Enrolled mobile phones and tablets will be set to automatically re-lock after being idle after a fixed time duration, managed by the University.

  • Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.

  • Non-UoW managed personal devices used to access or process UoW information must be protected by anti-malware software where applicable (E.g. Laptops) and using most up-to-date operating systems with security patches (E.g. mobile phones). Applicability is entirely the discretion of the university and not the individual.

  • Smartphones and tablets belonging to employees for personal use only are not permitted to connect to the network.

  • Employees’ access to company data is limited based on user access requirements and not provisioned through account cloning or ad-hoc access requests.

8.2.  TThe mobile and tablet device will only be wiped of UoW data and applications following approval by the Director of Digital Services through a formally defined approval process, capturing justification and data in question. The BYOD device may be remotely wiped of UoW data and applications, not personal data, if: 

  • The device is lost or stolen
  • The employee terminates his or her employment, or
  • IT detects a data or policy breach, a virus or similar threat to the security of UoW's data and technology infrastructure. 

8.3.  UoW security controls will apply and validate compliance with minimum mandatory device configurations and protection mechanisms. These controls may change, alter or limit the behaviour of some BYOD functionality and consume some device compute, storage or communication capacity.

8.4.  UoW reserve the right to update or change its controls without notice which could result in changes to the BYOD experience and or the re-installation, re-enrolment, suspension or removal of BYOD privileges.  

8.5.  Employees with BYOD privileges consent to UoW control solutions accessing device geography which may include location, activity logs of applications access and processing UoW data or build state to determine: 

  • Location of UoW data on non-UoW managed devices
  • Security monitoring of data processing actions on non-UoW managed devices
  • Potentially nefarious activity of users processing UoW data.

8.6.  UoW reserve the right to conduct monitoring should senior management deem it appropriate to mitigate an identified risk to UoW, following consent from end users. Refusal of consent can result in termination of BYOD access. 

9. RISKS, LIABILITIES AND DISCLAIMERS

9.1.  The employee bears the following risks and liabilities:

  • IT will take every practical precaution to prevent the employee’s personal data from being lost in the event it must remotely wipe a device, but it is the employee’s responsibility to take additional precautions, such as backing up the device’s information. Users of BYOD are responsible for taking whatever measures (backup) they deem appropriate to preserve their own personal data and any device or application configuration(s). UoW is not responsible or liable for any loss or corruption of user data or device configuration as a result of a user electing BYOD.

  • UoW reserves the right to disconnect BYOD devices or disable services without notification.

  • Lost or stolen devices must be reported to the University within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a mobile device. Loss of data reporting must comply with the Data Breach Incident Reporting Policy and the Cyber Incident Response Policy requirements.

  • The employee is expected to always use their devices in an ethical manner and adhere to the organisation’s IT Acceptable Use Policy.

  • The employee is personally liable for all costs associated with their device.

  • Employee liabilities will be compliant with University policy and insurance provisions.

  • UoW reserves the right to take appropriate disciplinary action up to and including termination of UoW employment and rescinding of supplier contracts for non-compliance with this Policy. Supplier contract rescindment due to non-compliance may be subject to additional costs for the supplier as stipulated within the contract.

10. USER ACKNOWLEDGEMENT AND AGREEMENT

10.1.  In connecting their own device to UoW’s networks and systems, the employee agrees to comply with UoW’s BYOD Policy. The employee further agrees to a security policy being applied to their device which includes, but is not limited to, compulsory PIN and ability for UoW to remotely wipe the device should it be necessary in order to protect the confidentiality of UoW’s data. The employee also agrees to inspection and management of the device via UoW’s MDM systems.

10.2.  It is UoW’s right to restrict or rescind computing privileges, or take other administrative, disciplinary and dismissal, or legal action due to failure to comply with the above referenced Policy.

10.3.  Each employee that uses his or her personally owned mobile device to process UoW information must follow the agreement outlined in Appendix A – Employee BYOD Agreement.

11. DISCLOSURE

11.1.  The installation of UoW MDM solutions and BYOD device management capabilities may result in a slowing of BYOD device processing, and compatibility issues with specific applications/software.

12. POLICY REVIEW

12.1.  This policy shall be reviewed and appropriately updated on an annual basis. It shall also be reviewed and appropriately updated when there are any changes to relevant regulations on information security and/or data protection.