SH IG 58

Information Security Suite of Policies

Bring Your Own Device (BYOD) Policy


Version 1

Summary: This policy outlines the processes and controls the Trust
uses to facilitate a BYOD scheme to enable staff to use
personal devices to access Trust resources.

Keywords (minimum of 5, to assist policy search engine): Bring Your Own Device, BYOD,
Personal Devices, Mobile Working, Tablet, Smartphone, Good

Target Audience: The policy relates to any staff member who uses the Southern Health
NHS Foundation Trust Bring Your Own Device (BYOD) scheme, and to anyone who
manages such a staff member.

Next Review Date: March 2019 or sooner if required.

Approved and Ratified by: Information Governance Group (IGG)

Date: 14/03/2016

Date issued: 22/03/2016

Author: Edward Purcell, ICT Security Specialist

Sponsor: Helen Reading, Associate Director of Technology

1
BYOD Policy
Version: 1
March 2016
Version Control

Change Record

Date | Author | Version | Page | Reason for Change

17/07/2015 | Edward Purcell | 1 | All | Original Draft
29/07/2015 | Edward Purcell | 1 | All | Updated Draft
28/01/2016 | Edward Purcell | 1 | All | Updated after feedback from A. Young and L. Barrington
11/02/2016 | Edward Purcell | 1 | All | Updated after feedback from P. Ballard

Reviewers/contributors

Name | Position | Version Reviewed & Date

L. Barrington | Head of Information Assurance | 1
P. Ballard | Head of ICT Operations | 1
A. Young | Service Desk and Desktop Support Team Leader | 1

Contents

1. Introduction .................................................................................................................... 4
2. Scope............................................................................................................................. 4
3. Duties / Responsibilities ................................................................................................. 4
4. Data Protection .............................................................................................................. 5
5. Physical Security ............................................................................................................ 6
6. Mobile Device Management ........................................................................................... 6
7. Applying for the service .................................................................................................. 7
8. Device Support .............................................................................................................. 7
9. Connecting Devices to the Trust Networks ..................................................................... 8
10. Reimbursement .............................................................................................................. 8
11. References and Associated Documentation ................................................................... 8

Appendix 1 – BYOD Request Form & Security Operating Procedures .................................. 9

Bring Your Own Device (BYOD) Policy

1. Introduction
1.1. The Trust aims to take advantage of the many benefits offered by new and emerging
mobile technologies and, in line with the overall Trust strategy to facilitate a mobile and
flexible workforce, seeks to enable the use of personal devices to access corporate
data – a scenario commonly referred to as Bring Your Own Device (BYOD).

1.2. Along with the advantages of BYOD there are additional risks which must be
effectively managed to protect the Trust, its staff, patients and the services and data
on which they rely, against known and emerging threats. Any user of a personal device
used to store and/or process Trust information shall comply with this policy in addition
to the more general ICT Security Policy.

1.3. The key principle of BYOD is that the user owns, maintains and supports the device.
This has advantages in terms of support requirements, although it also means that the
data controller will have significantly less control over a BYOD device than it would
have over a traditional corporately owned one. This policy outlines the controls, both
process and technical, the Trust has in place to ensure data on non-Trust devices
remains secure and under the Trust’s influence at all times. It also describes detailed
instructions that must be followed whilst using a BYOD enabled device to carry out
Trust related work.

2. Scope
2.1. This policy applies to all Trust employees – including voluntary workers employed
under special contracts and employees of organisations contracted to the Trust – who
take part in the Trust BYOD scheme. It also applies to staff in management roles
whose team members are part of the scheme.

2.2. This policy focuses on smartphones and tablet computers, often categorised together
as smart devices, and includes devices manufactured by a range of companies (Apple,
HTC, Nokia, etc.) and running several different operating systems (Android, iOS,
Win8.1, etc.). The important distinction is that these are personal devices and are not
supported or maintained by Southern Health ICT services.

3. Duties / Responsibilities
3.1. Ultimately, responsibility for ICT Security rests with the Chief Executive who has
delegated much of this responsibility to the Senior Information Risk Officer.
Routinely, the ICT Security Specialist is responsible for developing, managing and
implementing ICT Security policies/processes on a daily basis.

3.2. In addition to the responsibilities outlined in the Trust ICT Security Policy the ICT
Department will:

3.2.1. Ensure all requests to take part in the BYOD scheme are provisioned in line
with the process outlined within this policy.

3.2.2. Ensure that all devices have a security policy applied which reflects the
controls stated within this policy.

3.2.3. Provide advice on implementation of this policy as requested;

3.3. Line Managers are responsible for ensuring that:

3.3.1. staff have an appropriate business need to be part of the BYOD scheme and
give budgetary approval to cover the cost of the service.

3.3.2. staff authorised to take part in the BYOD scheme sign to confirm they have
read and agree to the terms and conditions (appendix 1);

3.3.3. staff comply with this policy and associated procedures;

3.3.4. they take disciplinary action as appropriate against any member of staff in
breach of this policy;

3.3.5. they notify any suspected breaches of this policy to the ICT Department;

3.3.6. they immediately notify ICT if a staff member leaves the Trust or no longer
requires BYOD;

3.4. Trust Staff, without exception, must:

3.4.1. abide by this and associated policies & procedures;

3.4.2. report any suspected breaches of this policy to their line manager or the ICT
Department;

3.4.3. understand that failure to comply with the rules and regulations contained in
this policy, or any attempt to circumvent the security controls, may result in
the withdrawal of this facility and/or disciplinary action;

3.4.4. report the loss or theft of any BYOD enabled device to the Trust’s ICT Service
Desk at the earliest possible opportunity and in addition report the incident on
the Trust’s incident reporting system (Ulysses);

3.4.5. inform the ICT Department if BYOD is no longer required; access to the
application will then be removed and all data held within the application on the
device will be deleted;

3.4.6. report any lost or stolen devices to the ICT Service Desk immediately so that
corporate data can be remotely wiped from the device. It is the user’s
responsibility to report the theft of their device to the police;

3.4.7. keep their username and password secret and not allow anybody else to
access the information.

3.4.8. abide with the clauses of acceptable use outlined in both the Internet and
Email Acceptable Usage Policy and the ICT Security Policy.

4. Data Protection
4.1. To fully take advantage of the benefits of BYOD the risks need to be mitigated, and this
can be achieved through process and technical controls. The overall objective is to
remain in control of Trust data at all times and thus prevent breaches of confidentiality
and/or data loss. Failing to adequately protect personal data is unlawful and in breach
of the Data Protection Act (DPA), in particular ‘Principle 7’ which states:

“Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data.”

4.2. The Trust has a legal duty to comply with the DPA, and failure to comply could lead to
an investigation by the Information Commissioner’s Office (ICO). The ICO has the
power to enforce the DPA and can fine organisations up to £500,000 where appropriate
controls have not been in place.

5. Physical Security
5.1. Owners shall accept full responsibility for the security of the device, taking necessary
precautions to avoid loss, theft or damage. In the event of loss, damage or theft, they
must report this immediately to the ICT Service Desk and to the police if appropriate. In
particular owners must:

• take all reasonable care to prevent the theft or loss of the device;
• be extra vigilant when using any BYOD device during journeys on public transport,
to avoid the risk of theft of the device or unauthorised disclosure of Trust stored
information by a third party “overlooking”;
• not leave the device unattended for any reason whilst working on it unless the
session is “locked” and it is in a safe working place (not left in an unattended
room, for example);
• ensure that other non-authorised users are not given access to the device or the
data it contains.

6. Mobile Device Management


6.1. The Trust uses the Good suite of products to facilitate BYOD for approved staff. The
service can be delivered with a range of features, starting from the basic
email/calendar/contacts and building on this with additional features such as
presence, instant messaging, and access to SharePoint and network shares.

6.2. The BYOD security policy pushed via Good to personal devices creates a separate
workspace separating ‘Trust’ data and ‘Personal’ data (personal data in this instance
relating to data owned by that individual, not to be confused with patient identifiable
data). Policies enforced on a BYOD device are aimed at managing and controlling
corporate data only and personal information held on the device should not be
affected.

6.3. The Good workspace on the device is fully encrypted and any content or attachments
contained within the corporate workspace cannot be saved outside of the application
or locally on the device.

6.4. All data in transit, between the Good infrastructure and handheld device, is fully
protected by encryption.

6.5. In order to prevent unauthorised access, the workspace is password protected using
an 8 character password. This is in line with the Trust’s password policy, which
requires all passwords to meet the following criteria:

• at least 8 characters in length
• containing at least 1 upper and 1 lower case letter
• containing at least 1 number or special character
• the previous 4 passwords should not be used

6.6. Passwords must be changed at least every 90 days, but more frequently if required.

6.7. Passwords must be kept safe at all times and should never be shared with other Trust
staff or family members.

6.8. The Good workspace on the device can be remotely wiped by the Trust at any stage if
there is cause to think the device has been compromised in any way. This will remove
the Trust data held within the Good workspace and should not interfere with any
personal data on that device. The device can be remote wiped in any of the following
scenarios:

• the device is lost
• on termination of employment
• after 5 failed login attempts
• a data or policy breach is detected
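As an added illustration, not part of the policy or of the Good product, the following Python models the workspace controls stated in 6.5 to 6.8: the password criteria and four-password history, the 90-day expiry, and the wipe of the corporate workspace after five failed unlock attempts. The function and class names and the hashing scheme are assumptions made for the example.

```python
import hashlib
import hmac
import string
from datetime import date, timedelta

# Parameters stated in sections 6.5 to 6.8 of the policy.
MIN_LENGTH = 8
HISTORY_DEPTH = 4        # the previous 4 passwords may not be reused
MAX_AGE_DAYS = 90        # passwords must be changed at least every 90 days
MAX_FAILED_ATTEMPTS = 5  # workspace is wiped after 5 failed login attempts


def _digest(password: str) -> str:
    # Assumed hashing scheme for this toy model; a real deployment would use a
    # salted password hash (e.g. PBKDF2 or bcrypt) rather than bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(candidate: str, previous_digests: list[str]) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("no number or special character")
    if _digest(candidate) in previous_digests[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the 90-day maximum (section 6.6)."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


class Workspace:
    """Toy model of the Good workspace lock (constructed for illustration):
    counts failed unlocks and wipes the corporate workspace after the fifth."""

    def __init__(self, password: str):
        self._digest = _digest(password)
        self.failed_attempts = 0
        self.wiped = False

    def unlock(self, attempt: str) -> str:
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(_digest(attempt), self._digest):
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wiped = True  # only Trust data in the workspace is removed (6.8)
            return "wiped"
        return "locked"
```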

7. Applying for the service


7.1. All staff who wish to take advantage of BYOD should ensure that their device(s) are
compatible with the Good application(s) prior to applying for the service. A list of
compatible handsets and operating systems is available on the Trust Intranet.

7.2. Any user seeking to connect a personally owned device must gain approval via their
line management and this includes the provision of a budget code to meet the annual
cost of the Good license. This should be done prior to the request being made to the
ICT Service Desk and should be captured on the BYOD Request Form & Security
Procedures – Appendix 1.

7.3. There will be a cost for this service which is available on the Good request form and is
subject to change should there be changes in the license costs.

7.4. All Good request forms should be returned to the ICT Service Desk for processing, either
via the usual service desk number or using the online portal – this is done
using the LogIT icon/shortcut that is on all users’ desktops.

7.5. All users are required to agree and sign the BYOD Terms and Conditions as found on
the BYOD Request Form & Security Procedures – Appendix 1.

7.6. After a licence is purchased and your user account is authorised on the system you
will be sent instructions on how to add your device to the service.

8. Device Support
8.1. Personally owned devices are not supported by Southern Health ICT services. Staff
should contact the device manufacturer or their carrier for operating system or
hardware-related issues.

8.2. The support provided by the organisation for personal devices using Good is strictly
limited to:

• initial user registration
• resetting user configuration and/or resending set up codes
• removing/deleting old or unused devices
• remote wiping lost or stolen devices

8.3. Detailed guidance for Good has been created by the Technology teams and is
available on the Intranet and covers all major functions, including:

• download and installation of the Good app
• initial registration and set up
• resetting/re-configuring a device

8.4. The employee assumes full liability for risks including, but not limited to, the partial or
complete loss of company and personal data due to an operating system crash, errors,
bugs, viruses, malware, and/or other software or hardware failures, or programming
errors that render the device unusable.

8.5. In the unlikely event that personal data on the BYOD device is affected or lost the
Trust will not be held responsible or liable for any damages or compensation.

9. Connecting Devices to the Trust Networks


9.1. Currently personal devices are not permitted to connect to the Trust network, whether
directly or indirectly, including wired or wireless connections to other Trust devices
such as PCs or laptops. Therefore, no assumption should be made that individuals
permitted to take advantage of the Trust BYOD service will be permitted to use Trust
networks. This situation will be kept under review subject to the capability of the Trust
networks to support additional devices using them.

10. Reimbursement
10.1. The Trust will not reimburse the employee for the purchase of the device or any costs
associated with it, regardless of whether these were incurred during Trust business. This
includes, but is not limited to: roaming charges, plan charges and overcharges, and the cost
of applications for personal use.

11. References and Associated Documentation


11.1. This policy should be read in conjunction with other relevant organisational policies:
• ICT Security Policy
• Mobile Working Policy
• Internet and Email Acceptable Usage Policy

11.2. The following documents have been used as reference material in the development of
this policy.

• ICO BYOD Guidance:
https://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf

• IGTK standard 13-314: Policy and procedures ensure that mobile computing and
teleworking are secure:
https://www.igt.hscic.gov.uk/RequirementsList.aspx?tk=64&lnv=2&cb=97815b81-f91c-4b9f-bd8b-5f5a61ac20c4&sViewOrgType=2&sDesc=Acute+Trust

• HSCIC Password Policy for Non-Spine Connected Applications:
http://systems.hscic.gov.uk/infogov/security/infrasec/gpg/ppfnsca.pdf

Appendix 1 – BYOD Request Form & Security Operating Procedures

User Details (All fields are mandatory)

Name

Job Title

Contact Number

Email Address

Cost of Service
• One off set up cost - £TBC on application
• Annual Support Charge - £TBC on application

Limitations/Disclaimers
• The user will need a smartphone or tablet on a personally owned contract with
an adequate data plan, or have access to non-Trust Wi-Fi. The organisation will
not reimburse any additional data charges incurred by the user.

• Personal devices are not supported by Southern Health ICT Services. Staff
should contact the device manufacturer or their carrier for operating system or
hardware-related issues.

• The employee assumes full liability for risks including, but not limited to, the
partial or complete loss of company and personal data due to an operating
system crash, errors, bugs, viruses, malware, and/or other software or hardware
failures, or programming errors that render the device unusable.

• The application will not work with @nhs.net email accounts.

• Good for Enterprise is not supported on all mobile operating systems and staff
should check the list of supported devices before applying for the service.

Conditions of Use
• All staff enabled for BYOD will abide by this and associated policies and
procedures.

• The physical security of the device is the user’s liability but the Trust does
expect that individuals take suitable precautions to protect the physical asset.

• For security reasons, nobody else, including friends or members of your family,
should be permitted to use your iPad / iPhone whilst the Good application is
unlocked.

• Your account names and passwords are not to be divulged to anybody.

• Staff use personal devices at their own risk and the Trust is not liable for any
costs associated with the loss or damage of devices.

• Staff use their own devices at their own cost. Staff should have an ‘adequate
data plan’; the Trust will not pay for excess data usage.

• The Trust will remove Good and all associated data from personal devices if
the device is lost or stolen or if the staff member leaves the Trust.

• Report the loss or theft of any personal device that has been enabled for BYOD
to the ICT Service Desk as soon as possible, preferably within 24 hours.

• Notify ICT as soon as the staff member leaves the Trust.

• Notify any suspected breaches of this policy to the ICT Department.

• Failure to comply with the rules and regulations contained in this policy, or any
attempt to circumvent the security controls, may result in the withdrawal of this
facility and/or disciplinary action.

User Declaration
I hereby declare that I have read and understood the above Security Operating
Procedures (SyOPs) and agree to comply with all of the schedules contained herein.

Signature

Date

Line Manager Authorisation (All fields are mandatory)


I authorise the member of staff, as noted in 11.1, and I am satisfied that this policy
and associated Security Operating Procedures have been read and clearly
understood by the User. I accept the relevant charges against the budget code(s)
provided below.

Name

Job Title

Contact Number

Email Address

Signature*

Date

Cost Centre

Subjective Code
*Not required if emailed directly from manager’s email account

Please return completed form to:


telecoms@southernhealth.nhs.uk / 02380 687606

