
Aerospace Technology Institute

Bring Your Own Device Policy

Aug 2021

G Elliott
G Elliott (Oct 4, 2021 14:11 GMT+1)

Oct 4, 2021
Document Owner: CEO

Table of Contents
Revision History
1 Introduction
2 Policy
2.1 Remote wipe
2.2 Review and Support
2.3 Risks/ Liabilities/ Disclaimers
3 Compliance with Data Protection Obligations
4 Effect of non-compliance
Annexure 1: Standard for Securing Personal Devices
1. Updates
2. Passwords and Secure Login
3. Software and Applications
4. Security Settings
Annexure 2: User Confirmation
Declaration

Revision History
VERSION NO. | DATE ISSUED | BRIEF SUMMARY OF CHANGE | APPROVED BY
V1.0 | 05 July 2019 | Document first issued | Gary Elliot
V1.1 | 11 Feb 2020 | Information updated |
V1.2 | 27 Mar 2020 | Contact numbers changed |
V2.0 | 19 Aug 2021 | Annual Review and update with RightCue | Gary Elliot

Responsibility Matrix
Policy Role | ATI Role Title / Organisation
Chief Information Security Officer | Chief Operating Officer
Data Protection Compliance Manager | Chief Technology Officer
IT Systems Manager | IT Systems Manager
IT Administrator / IT Helpdesk | Response IT

BYOD Template V1.0 Page 2 of 7 Internal Use only


1 Introduction
This policy applies to all ATI directors, employees, independent contractors, including
suppliers and other third parties working for or on behalf of ATI who have access to ATI
systems, including network and related equipment, cloud services, documents, data and
information (“user”).
You may use laptops, PCs, smartphones, and tablets of your choosing at work for your
convenience. ATI can only continue with this arrangement if you abide by the policies and
procedures outlined below.
This policy is intended to protect the security and integrity of ATI’s data and technology
infrastructure and that of its customers. Limited exceptions to the policy may occur due to
variations in devices and platforms. All exceptions will need to be approved by the IT Systems
Manager.

2 Policy
• Use of personal devices to access company resources and information is allowed if the
devices meet the security requirements set out in the Annexure ‘Standard for Securing
Personal Devices’ to this policy. It is the responsibility of the users to ensure that their
personal devices always meet these requirements.
• Providing access to personal devices is at the discretion of the IT Systems Manager.
2.1 Remote wipe
You will allow the company data to be wiped remotely if:
• The device is lost.
• The engagement is terminated.
• We detect a data or policy breach, a virus or similar threat to the security of the
company’s data and technology infrastructure.
2.2 Review and Support
• ATI reserves the right to request an audit of your devices to review the configuration of
standard apps, such as browsers, office productivity software and security tools. This
audit would be carried out by the IT Administrator. It may involve a remote session
where the engineer will review your security settings and installed software.
• Before contacting the device manufacturer, your carrier or the original retailer about
operating system or hardware-related issues, refer such issues first to the
IT Administrator so that the device can be disconnected from ATI services and
ATI-related data removed. Connectivity, security, and software issues should also be
referred to the IT Administrator.
2.3 Risks/ Liabilities/ Disclaimers
• It is your responsibility to take precautions against data loss such as backing up
documents, email, contacts, etc., and you assume full liability for data loss for any
reason.
• Lost or stolen devices must be reported to ATI immediately, via the IT Helpdesk, IT
Systems Manager and Chief Operating Officer and in no event later than 24 hours after
discovery. You are responsible for notifying your mobile carrier immediately upon
discovery of the loss of a device. You should report any theft or burglary of devices to
the local law enforcement agency and obtain a crime reference number.
• You are expected to use your devices ethically at all times and adhere to ATI’s
Acceptable Use Policy as outlined above.

• You are personally liable for all costs associated with your device unless otherwise
contractually agreed.
• You assume full liability for risks including, but not limited to, the partial or complete
loss of company and personal data due to an operating system crash, errors, bugs,
viruses, malware, and other software or hardware failures, or programming errors that
render the device unusable.

3 Compliance with Data Protection Obligations


• ATI is committed to treating all personal data fairly and lawfully in line with the UK
General Data Protection Regulation (GDPR).
• Users are required to comply with the ATI Data Protection Policy, which requires an
individual to process data in compliance with all aspects of the GDPR, and this applies
equally to the processing of data that takes place in the context of BYOD.
• Users have a responsibility to ensure that data is stored, transferred, handled, and
destroyed according to ATI’s Information Security Policy. This requirement includes
company information originating from the user’s own device.
• Users are also required to assist ATI in complying with subject access requests for
information, and users may be required to search their own device and to provide the
information requested to ATI.

4 Effect of non-compliance
ATI reserves the right to take appropriate action for non-compliance with this policy: for
consultants and contractors, disciplinary action up to and including termination of
consultant/contractor status; for employees, appropriate disciplinary action.

Annexure 1: Standard for Securing Personal Devices


Where you use your own device to access and store data that relates to ATI, the level of access
permitted depends on whether or not your device is under management.
Unmanaged devices will have more restricted access to ATI data and applications. In either case, it
is your responsibility to familiarise yourself with the device sufficiently to keep the data secure.
We will provide the necessary support and training to enable you to do so. This standard specifies the
minimum controls to be exercised by the IT Administrator to ensure an employee’s personal device
complies with ATI’s Information Security Policy and the Cyber Essentials Scheme.
1. Updates
• Set the devices and applications to ‘auto-update’ wherever possible
• Update the operating system and applications regularly when prompted
• Rooted and jail-broken devices are not authorised for accessing ATI resources
2. Passwords and Secure Login
• Devices must be password protected using the features of the device and a strong
password. A strong password is defined as one that is difficult to guess, is not
made up of common or predictable words such as “password” and “admin”, and does not include
predictable numbers such as “12345”. The password should be a minimum of 8 characters
containing at least one lower case, one upper case, one number, and a special character.
• Use of Biometrics (e.g. fingerprint recognition, face recognition) is allowed if this is backed
by a secure PIN or password.
• All the default passwords for users and administrator accounts on all the laptops,
computers, tablets, smartphones, and Wi-Fi routers should be changed to stronger
passwords.
• The password must be unique i.e. the same password must not be used for different
devices and applications.
• The device must lock itself after a maximum of five incorrect login attempts.
• The devices should log out automatically after 10 minutes.
• Admin accounts should always be separate from normal user accounts. Admin accounts
should not be used for emails and web-browsing during the normal course of business.
3. Software and Applications
• Only recommended software and applications should be used to access company data.
• The employee must ensure that all software installed onto the device is licensed correctly.
• Other applications on the devices should be limited to the authorised application store for
the respective devices.
• Make sure anti-malware software is installed and kept up to date on devices
that support it.
4. Security Settings
• Always keep device firewalls activated.
• Ensure that the devices are encrypted.
• Ensure that ‘Auto-play’ / ‘Auto-run’ and similar features that allow external peripherals to
start processes without user intervention have been disabled.

Annexure 2: User Confirmation


A BYOD user must provide additional confirmation by answering the following items to comply with
ATI’s BYOD policy.

Devices and Support Yes/No

Do your devices (e.g. laptops, mobile phones, tablets) that will be used for
business purpose comply with ATI’s BYOD policy?

The use of passwords

Are each of your devices protected with a strong password? Please refer to
Annexure 2 for password guidelines.

Are all default passwords on your user and administrator accounts disabled?

Have you enabled Auto-Lock on your devices?

Have you enabled your device to lock itself after five incorrect login attempts?

Use of software

Have you enabled a software firewall on your laptop or PC?

Is all software installed on your device licensed correctly?

Malware Protection

Are all your devices protected by anti-malware?

Do you install all your applications from App-store, Play Store or Store (Apple,
Android, and Windows users respectively)?

Are auto-run / Auto-play disabled on your device?

Patches and Updates

Do you update operating systems/firmware on your devices within 14 days of
release?

Do you update applications on your devices within 14 days of release?

User and Admin accounts

Do you use a unique password and username when accessing your user account
on your device?

Do you use a unique password and username when accessing your admin
account on your device? (This applies to all users with administrative accounts)

User Device Management

Is your device jailbroken or rooted?

Compliance with data protection obligations

Have you familiarised yourself with ATI’s Data Protection Policy?

Encryption

Do you ensure ATI information in transit and at rest is encrypted?

Declaration
I_____________________________________________________ declare that I have read, understood and
will comply with ATI’s BYOD Policy.

Name

Signature

Date
