Our approach to mobile and remote access

Policy statement

This control procedure defines the University’s approach to mobile and remote access, and directly supports the following policy statements from the Information Security Policy:

“All assets (information, software, electronic information processing equipment, service utilities and people) will be documented and accounted for. Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.”

“Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role, only to a level that will allow them to carry out their duties.”

“The University will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.”

Audience

This procedure is intended to be read and understood by all staff who access university information from remote locations or using mobile devices.

Control statements

Remote access

It is the university’s preference that remote access to university systems is achieved using a university-managed device connecting over a university-managed channel. In practice this means a university laptop connecting over a certificate-based Virtual Private Network (VPN), administered by IT & Digital. Alternatively, a university-managed mobile phone or tablet can be synchronised with the university’s email system. If you have any questions about these access methods, please contact the IT Helpline. 

The managed VPN is installed on all university-managed laptops and Macs and is in an always-on state. This means that your access is secure from non-university networks without the need for further authentication. VPN access mirrors that from on campus, so the user experience should be positive and familiar. 

Access to university systems for organisations or individuals contracted for support or development purposes will be provisioned through the VPN if no direct web interface is available. This requirement should be discussed with the Cyber Security Operations team.

Under certain conditions, the university requires the use of a second factor such as a mobile phone app to provide an authentication token (known as multi-factor authentication or MFA). This is designed to prevent stolen credentials being reused to access university systems and data.

MFA is configured on a conditional policy basis for all staff-accessible systems and services and a subset of student services. The parameters of the conditional policy enforcement include, but are not limited to: source asset, source location, target services/system, data classification and user type.

This tiered approach to system access broadly reflects the classification of the information stored in those systems. The university reserves the right to increase the security controls required to access certain systems based on ongoing risk assessments. 

Any concerns about the university’s provision of remote access, or requirements for alternative methods of access, should be addressed to the Information Security team. 

Use of personal devices

Where a personal computing device is used to access and store information that relates to the university or its partners, it is the user’s responsibility to keep the data secure in line with university policy and supporting guidance. In practice, this means preventing theft and loss of data and keeping information confidential.

It is not possible to install the university’s managed VPN tool on personal devices. Personal devices – including laptops, phones and tablets – can be used to access some systems via a web browser, and can be synchronised with the university email system. Once this synchronisation is set up, settings are pushed to the device by Microsoft Exchange ActiveSync:

  • A PIN of at least four characters must be set up
  • Devices will automatically lock after 2 minutes of inactivity
  • Device encryption will be enabled

Where these settings are rejected, or cannot be implemented, the synchronisation will not occur.

Please note that the university reserves the right to wipe the device if it is lost, stolen or otherwise suspected to have been compromised. This wipe may impact personal information and settings, depending on the configuration of the device, the operating system and the email application used.

The university reserves the right to prevent access to its network by any device that is considered a risk to the network or its information. In exceptional circumstances, the university will require access to its data and information stored on your personal device. In those circumstances, every effort will be made to ensure that the university does not access private information.

If a personal device is used to access university information without synchronising and receiving security settings, then the user is responsible for ensuring that:

  • an appropriate password/PIN is in use, in line with the University standard
  • screen lock or device lock is enabled
  • the device is encrypted
  • the device is running an up-to-date anti-malware programme and is set to receive software updates and patches

Physical security, loss and theft

If a university-owned mobile device or a personal mobile device used to access data on behalf of the university is lost or stolen, it should be reported to the IT Helpline on 0161 247 4646.

If a university-owned mobile device has been stolen then it is the user’s responsibility to report the theft to the Police as a matter of urgency. The Police will provide a crime reference number which needs to be submitted to the IT Helpline.

If a device has been stolen from university premises then it should also be reported to security on 0161 247 1334/3545.

Data deletion and disposal of devices

On leaving the university, university-owned devices should be returned to IT and Digital. IT and Digital will wipe all of the information stored on the device, including any personal content which you may have saved to the device. 

On leaving the university, staff who use their personal devices are responsible for deleting all information belonging to MMU from any devices in their possession where university information is stored. 

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary or performance improvement procedures. 

Compliance checks will be undertaken by the university’s information governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.

Version 5.3
Release date: 24/10/2023
Review date: 24/09/2024