1 Policy Statement
[Your Company Name] (hereinafter referred to as the “Company”) operates a controlled approach to remote access (or teleworking) and Bring Your Own Device (BYOD) and understands that due to the nature of our business, working from outside of the office and enabling the use of personal devices within the Company is a necessity. However, we also appreciate the additional risk posed by remote access, working off-site and BYOD and as such, have documented procedures and rules that must be followed.
For the purposes of this policy, ‘remote access’ refers to any work that takes place off-site and requires the use of any of the Company’s information assets. This includes working from home, using Company laptops, accessing the Company network or taking personal information off-site.
Client visits and travel are often a necessity, and being able to access the Company’s information systems while away from the office is an important part of our service. However, we have strict security protocols and restrictions that apply to all employees and managers.
Bring Your Own Device (BYOD) refers to employees, clients or third parties (collectively referred to as ‘users’), using their personally owned devices for business purposes within the Company building. This specifically refers to using a device for business use and not just having such a device on the person. Restrictions apply to personal phones, laptops and tablets, which are only permissible with prior company authorisation and in accordance with the security measures and rules of this policy.
Many of the measures and controls in effect for remote access and BYOD overlap and are covered generically in this policy; where specific protocols apply to only one of the two, they are noted as such. BYOD mainly refers to a user’s own, personal device that is used within the Company building, but not externally. Remote access utilises devices provided by the Company for teleworking or working from home, which enables the Company to secure, register and monitor such devices.
2 Purpose
The purpose of this policy is to outline the Company’s approach, objectives and guidelines for remote access and BYOD activities. It documents acceptable devices, methods of access and reasons for using personal devices and/or remote access and places restrictions on these functions to ensure effective security for the Company, its clients and our employees, as well as protecting the personal data that we hold.
It is the Company’s policy to permit remote access and BYOD where there is a genuine business need, but only with prior permission and in accordance with the rules of this policy. Security measures must be enforced, and all employees agree to the terms of this document when working off-site or bringing personal devices into the office.
Regardless of who owns the device being used or where the access happens from, the Company remains the data controller in all instances and recognises its legal obligation to abide by data protection laws. We place a high value on the information assets within our remit and aim to protect them at all times. All users are expected to adhere to the standards in this policy and agree to keep data and devices secure, updated and safe.
3 Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
The Company authorises remote access and BYOD on a case-by-case basis and reserves the right to refuse, prevent or withdraw access to users at any time.
4 Objectives
The Company permits the use of remote access and BYOD to better serve our clients and customers and to offer more flexibility to employees when they need to access the Company systems off-site. We also value the flexibility that using a personal device can afford, especially with reference to laptops and smartphones for visiting clients or service providers who may need to utilise their own devices or access the Company networks/wireless connections to carry out business functions.
However, because these devices and practices need additional security and carry the risk of control over their purpose and use being lost, the Company has developed and abides by this policy, which provides guidance and requirements for both functions.
With regards to BYOD and remote access, the Company ensures that: –
- We have a robust and maintained Remote Access & BYOD Policy that is compliant and disseminated
- All users are made aware of this policy and understand their responsibility and commitment to its rules
- All mobile devices accessing company networks or being brought onto the Company premises must be registered
- The Company reserves the right to check that any mobile devices are using up-to-date and effective firewalls, anti-malware and anti-virus software
- Where a mobile device is predominantly used for Company purposes, installing software not authorised or approved by the Company is forbidden
- We utilise strong encryption and secure access connections for all remote access and mobile devices
- Where a user connecting from a remote access location or via a mobile device enters unrecognised credentials 3 times, the device and its access are blocked until the user has been authenticated by the IT Manager
- All mobile devices and remote access connections are secured with passwords and must follow the Company’s strong password policy
- The IT Manager can restrict access instantly and erase connections and data on a mobile device
- Any information or asset belonging to a client is never accessed or used via remote access or personal devices unless express written permission has previously been obtained
4.1 Bring Your Own Device (BYOD) Guidelines & Protocols
The Company grants its employees and third parties the privilege of using personal smartphones, laptops and tablets for their convenience, but reserves the right to revoke this privilege at any time, including where users do not abide by the requirements and guidelines of this policy.
Protecting the information and assets controlled and processed by the Company is paramount to our business and promotes trust with our clients and customers. Controlling the use of BYOD enables us to maintain a secure and robust infrastructure and protects the integrity of the company.
All users must agree to the below terms to be able to use and connect their devices to the Company network. All users are required to: –
- Consider the requirement of using their own device and only do so where there is a specific business need or requirement
- Enable and keep up to date all security features and software on the device
- Utilise strong credentials for login authentication and adhere to our Access Control & Password Policy for any changes
- Activate the lock screen function whenever the device is left or not in use and ensure that unlock necessitates a re-login
- Keep the device updated with operating system and software updates
- Only use a secure company network connection for remote access and do so via a secure link (VPN) and only with prior authorisation
- Activate and use encryption services and anti-virus protection on all devices
- Turn off any camera and/or microphones
- Refrain from carrying out any external business activities
- Use their devices in an ethical manner at all times and adhere to the Company’s acceptable use terms
- Remove any Company information stored on their device once finished with, including copies of emails, attachments, downloaded documents and temporary files
- [Add/delete as applicable]
4.2 Remote Access Protocols
Employees and, on occasion, clients or third parties are required to access the Company’s assets and/or networks whilst off-site. Such remote access is heavily governed and controlled to prevent additional security risks and to protect the device being used, the Company network and infrastructure and the information being accessed.
Remote access is only available via a secure network, with prior approval, and usually utilises devices provided by the Company (as opposed to a user’s own device). Connection requires authentication and is set up on a restricted and limited basis by the IT Manager.
All users via remote access are required to: –
- Only utilise the Company’s provided devices for remote access
- Obtain written authorisation from the Company to connect via remote access
- Take appropriate security measures to protect the device and the information being accessed
- Protect their device from being seen, used or copied by unauthorised individuals
- Access the network via the authenticated network using secure connections
The IT Manager has overall responsibility for any device used off-site and connecting to the Company network via remote access. The [designated person] must: –
- Secure the device used for remote access with a firewall, anti-virus software and secure password login
- Register each remote access device and log who it has been supplied to
- Maintain control of the device and access connection at all times and be able to withdraw access immediately
- Secure all devices when not in use through security cables, locked cabinets or in a secure, access restricted room
- Never leave remote access devices or equipment unattended
- Where a system requires a PIN and a VPN ‘security token’, store both separately and restrict access to them
- Ensure that a virtual private network (VPN) is used for all remote access connections
- Ensure that all devices used for remote access require a username and password
- Activate and keep updated effective anti-virus and anti-malware software and a firewall
- Destroy remote access devices once no longer in use, by following the Data Retention Policy protocols
- [Add/delete as applicable]
4.3 Off-Site Working
It is not just BYOD and remote access that can pose an additional security risk to the Company and the information retained by us. Where employees are permitted to work from home or off-site (e.g. on client visits or service provider audits), this can also require taking information assets off-site, such as paperwork, reports, emails etc.
Where employees are required to take hard copy information off-site, it must be kept in a locked case during transit and in a secure, locked cabinet whilst at home. Hard copy information must be kept on the person at all times when not locked away and is not to be disclosed to any person without prior written permission and a signed non-disclosure agreement.
If the paperwork is no longer required, it must be brought back to the Company for archiving or destruction. All employees are expected to abide by this policy, its rules and guidelines.
[If you have employees who regularly work from home, you should customise this section to include your working from home policy objectives and rules]
4.3.1 Using and Securing BYOD and Remote Access
Using a personal device, or using a Company device to connect via remote access, poses additional security risks and is therefore governed by the protocols and guidelines below. The following content refers to all forms of remote access, off-site working and use of external devices.
Secure remote access is always achieved through a VPN set up by the IT Manager and approved by a manager or Director. Written permission to work off-site or to bring/use a personal device on-site is always required and is retained for evidence and auditing purposes.
Where a Company device is used for remote access, this is restricted to only information that is essential for the purpose of the remote working and is configured to the minimum level required to perform the activities authorised.
Employees are blocked from accessing certain websites during work hours and while connected to the corporate network, at the discretion of the Company, and use of social media sites is forbidden. Users with their own devices or using a Company connection are not permitted to access, share, transmit or store any restricted, confidential or inappropriate material.
Devices must be presented to the IT Manager for proper configuration and activation of security measures prior to use on-site or before they can access the network. To prevent unauthorised access, devices must be password protected using the features of the device and a strong password is required to access the company network.
Remote devices are assigned to a sole employee and are remotely wiped if the device is lost, compromised or the employee has their employment terminated (or resigns). Any device lost or stolen must be reported to the IT Manager within [1/25/12] hours. We have documented reporting lines and mobile phone access guidelines in place for contacting the IT Manager outside of work hours.
5 Responsibilities
The Company will ensure that all staff are provided with the time, training and support to learn, understand and implement the BYOD and Remote Access Policy and its associated procedures. Management are responsible for a top-down approach and for ensuring that all staff are included and have the support needed to meet the regulatory and legal requirements.