Introduction
St Mary’s University (SMU) is fully aligned with all legislation applying to the use of Information Technology in the United Kingdom. Where possible the University is also committed to implementing best practice in this area in order to protect the interests of the organisation, its students and staff.
The use of non-University owned or issued devices for work purposes can be beneficial to the University, but may introduce new risks to SMU systems, data and users. Adherence to this policy reduces this risk and helps ensure data and users are protected.
This policy defines requirements for the acceptable use of personally owned devices by University staff when accessing university owned systems and when accessing, creating, modifying and deleting University data to ensure organisational systems and data, our staff and their personal devices remain safe and secure.
Scope of the policy
This policy applies to any device that is not deployed and managed by SMU Technology Services, used to access SMU systems and data. All such devices including personal computers, smart phones and tablets are classed as Bring Your Own Device (BYOD).
This policy applies to BYOD use in all locations, including both on and off campus.
This policy does not apply to students.
BYOD policy requirements
All BYOD devices that are accessing University systems or data must:
- be running a current, vendor supported operating system
- have endpoint protection (anti-virus and anti-malware) installed
- have a firewall enabled as appropriate to the device
- require log on with a username/password, PIN or biometrics as appropriate to the device. The password/pin must not be shared with anyone else
- not have an account with administrative privileges for day-to-day use
- be set to lock when left unattended
- ensure software installed on the device is licensed and from an authoritative source, and updated when security patches are released by the vendor
- have SMU data and information removed from the device when no longer required. We recommend using Office365 to access and update files online rather than downloading to the device
- Compliance with this BYOD policy is in addition to the SMU IT Policy and the JANET Acceptable use policy.
The following are recommended for BYOD devices accessing SMU systems or data:
- Storage disks should be encrypted, including USB pen sticks.
- Devices should be wiped/reset before disposal, sale or transfer to ensure any SMU information stored therein is removed.
Breach of policy
If a user is thought to be in breach of any of the University's procedures or regulations, including this Policy, they must be reported to HR, CIO or Data Protection Officer or their deputy who will take the appropriate action.
Access to facilities may be withdrawn pending an investigation into the actual circumstances. The result of such an investigation may result in disciplinary proceedings.
Disciplinary procedures
This policy is subject to, and in addition to the law. In addition, St Mary University reserves the right to take disciplinary actions against users breaching the policy.
Any user who violates this or any other related policy may be subject to:
- denial of access to IT systems
- suspension of their computing account
- disciplinary action as described in the Staff handbook, including action taken for misconduct or gross misconduct if appropriate; or
- civil or criminal prosecutions under UK, European, or International Law depending on the severity of the breach.
Other related policies
Users of St Mary's University’s systems data using BYOD are also bound by the following policies: