1. Objective
The company approves remote working to work-related cloud services and work email accounts, as long as the devices used to access these have been sanctioned by the company. Using public WiFi to conduct business, without the necessary safeguards, places our data at risk of theft. The purpose of this policy is to provide the framework for those safeguards.
2. Scope
The scope of the policy covers all individuals either employed or contracted to work with, or for, the company, either on a company site or remotely.
3. Definitions
- Public WiFi Network: Any wireless network access provided by a third party, such as hotels, cafes, airports, or public hotspots, that is open to public or unvetted access. For the purpose of this policy, eduroam connections other than those on an SR2 managed site are to be considered Public WiFi Networks.
- Sanctioned Device: A device (e.g., laptop, tablet, smartphone) that has been approved and provisioned by the company for business use, with appropriate security configurations and software installed.
4. Policy
Devices that are not sanctioned by the company, including home PCs or public access PCs, MUST NOT be used to access company cloud services, data, or email accounts.
Though the company takes every effort to ensure that sanctioned devices are adequately protected, the individual MUST ensure that, before connecting to the Wi-Fi network, the device has:
- up-to-date antivirus and antispyware software;
- a firewall that is activated and configured to company requirements (i.e. the settings have not been changed since the device was configured);
- all software (including the Web browser) current, with automatic updating;
- file sharing (e.g. SMB) switched off.
For security reasons staff and contractors MUST:
- consider if mobile phone tethering is available and use this as the first choice;
- consider delaying transmission of information until at a secure location;
- not follow prompts to update software whilst connected to a public network;
- not rely on the encryption provided by the Public WiFi Network (e.g. WPA) to protect company data;
- ensure that an end-to-end encrypted connection is established and the user has been trained in setting up such a connection for each service to be used (for the avoidance of doubt, TLS is considered to be end-to-end providing that the certificate presented by the server is validated);
- ensure that URLs in Web browsers are showing the correct Web addresses in case a criminal has hijacked the Wireless Access Point and is forwarding traffic to their site;
- keep all information secure, including restricting the view of the screen from any unauthorised person(s);