Defining the University’s approach to mobile and remote access
This control procedure defines the University’s approach to mobile and remote access, and directly supports the following policy statement from the Information Security Policy:
All assets (information, software, electronic information processing equipment, service utilities and people) will be documented and accounted for. Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role, only to a level that will allow them to carry out their duties.
The University will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.
This procedure is intended to be read and understood by all staff who access University information from remote locations or using mobile devices.
It is the University’s preference that remote access to University systems is achieved using a University-managed device connecting over a University-managed channel. In practice this means a University laptop connecting over a certificate-based Virtual Private Network (VPN), administered by ISDS. Alternatively, a University-managed mobile phone or tablet can be synchronised with the University’s email system. If you have any questions about these access methods, please contact the IT Helpline.
The managed VPN is installed on all University-managed laptops and Macs, and is in an always-on state. This means that your access is secure from non-University networks without the need for further authentication. VPN access mirrors that from on campus, so the user experience should be positive and familiar.
Under certain conditions, the University requires the use of a second factor such as a mobile phone app to provide an authentication token (known as multi-factor authentication or MFA). This is designed to prevent stolen credentials being reused to access University systems and data. The current conditions for MFA are connections from any device not managed by the University, from networks not managed by the University. For example, accessing some systems via a browser on your home computer would require MFA.
Some University systems – including Your Self Service and QLS – are available via a web browser, which allows external access without the need for the software client. Therefore this method can be used from devices that are not managed by the University. This method requires the use of MFA.
This tiered approach to system access broadly reflects the classification of the information stored in those systems. The University reserves the right to increase the security controls required to access certain systems based on ongoing risk assessments.
Any concerns about the University’s provision of remote access, or requirements for alternative methods of access, should be addressed to the Information Security team.
Where a personal computing device is used to access and store information that relates to the University or its partners, it is the user’s responsibility to keep the data secure in line with University Policy and supporting guidance. In practice, this means preventing theft and loss of data and keeping information confidential.
It is not possible to install the University’s managed VPN tool on personal devices. Personal devices – including laptops, phones and tablets – can be used to access some systems via a web browser, and can be synchronised with the University email system. Once this synchronisation is set up, settings are pushed to the device by Microsoft Exchange ActiveSync:
Where these settings are rejected, or cannot be implemented, the synchronisation will not occur.
Please note that the University reserves the right to wipe the device if it is lost, stolen or otherwise suspected to have been compromised. This wipe may impact personal information and settings, depending on the configuration of the device, the operating system and the email application used.
The University reserves the right to prevent access to its network by any device that is considered a risk to the network or its information. In exceptional circumstances, the University will require access to its data and information stored on your personal device. In those circumstances, every effort will be made to ensure that the University does not access private information.
If a personal device is used to access University information without synchronising and receiving security settings, then the user is responsible for ensuring that:
If a University-owned mobile device or a personal mobile device used to access data on behalf of the University is lost or stolen, it should be reported to the IT Helpline on 0161 247 4646.
If a University-owned mobile device has been stolen then it is the user’s responsibility to report the theft to the Police as a matter of urgency. The Police will provide a Crime Reference Number which needs to be submitted to the IT Helpline.
If a device has been stolen from University premises then it should also be reported to security on 0161 247 1334/3545.
On leaving the University, University-owned devices should be returned to ISDS. ISDS will wipe all of the information stored on the device, including any personal content which you may have saved to the device.
On leaving the University, staff who use their personal devices are responsible for deleting all information belonging to MMU from any devices in their possession where University information is stored.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security Manager annually or more frequently as required, and will be approved by the Information Security Board.