Using a mobile device safely

Mobile devices, such as smartphones and tablets, make it easy to access your University work whilst on the move.

Before you start using your mobile device for University work then there a few simple, but essential, security considerations that apply equally to both University owned and personal mobile devices.

Summary

It is okay to use mobile devices for most types of University business providing the device has been adequately secured, risks have been assessed and relevant policies have been adhered to:
If you use a mobile device for University work then it must be secured with a PIN code as the absolute minimum.
If you have access to sensitive information (e.g. personal information or confidential information) then it must not be stored or accessed on a mobile device until you have assessed the risks and taken all necessary steps to secure the device. This includes, but is not limited to, encrypting the device.

By considering each of the points below you should be able to use your mobile device for University work safely.

1. Is it appropriate?

The responsibility for protecting University information is shared between the University and the person using that information, i.e. you! Creating, storing, accessing and processing University information on a mobile device exposes information to additional risks and so you must be careful.

Accessing information such as email, calendar and meeting agendas on a mobile device is normally not a problem providing sufficient protection is in place.

For sensitive information, (such as personal information or confidential information) then it may not be appropriate to use your mobile device until you have taken additional steps to assess the risk, seek authorisation and apply additional security. This is particularly important when using your mobile device to access “personal information” (information about people) that is controlled by the University and may include emails you receive.

There will be occasions where it is not appropriate to process information on a mobile device, for example where there are constraints from a third party such as a research partner.

2. Secure your mobile device

A PIN code must be enabled on any mobile device used to access University information. This simple step provides a good measure of protection for you, your device and any information stored on, or accessible by, the device in the event that it is lost or stolen.

If you plan on using your mobile device to store, create or access sensitive information (including email) then additional security measures must be employed. You can use encryption to prevent unauthorised access to a mobile device and data.

If you are at all unsure about the sensitivity of information or how to secure a mobile device then you must seek further advice from the CiCS Helpdesk before using it for University work.

3. Configure your mobile device

We strongly recommend using the settings on the CiCS website to ensure that you get safe and reliable access to your University work. Instructions for accessing Google Apps (email, calendar and Drive) from your mobile device can all be found on our Google Apps web pages:

Google Apps

4. Using software and online services

You can use software applications (apps) and online services to access your University work and add extra functionality to your device. When installing new software and/or using an online service for University work you should check carefully to ensure that information is going to be kept safe.

When installing new software and/or accessing online services they may request;

  • access to your device,
  • access to the data on that device, including University data,
  • access to your accounts, including University accounts.

You must decide if the access being requested is appropriate. For example, it is unlikely that a game really does require access to your University account.

5. Physical Security

Mobile devices are particularly vulnerable to damage, theft and loss. The loss of a device puts both you and the University at risk of harm. The Get Safe Online website has a good summary of physical security risks and solutions:

6. Lost or stolen devices

If you believe that the loss of the device presents a significant risk to sensitive information then you must contact CiCS immediately and report the loss as a potential information security incident:

If you have lost a personal device then you should report it to your mobile provider as soon as possible so your phone can be blocked. Notify the police and get a crime or loss reference number.

If you have lost a University phone then let us know as soon as possible by contacting the CiCS Helpdesk.

7. Disposing of mobile devices

Before disposing of a mobile device, or handing it on to someone else, it must have all University information and University accounts removed from it.

Further information

Both GetSafeOnline and the ICO website have some excellent general information relating to mobile device security.

If you would like to discuss any specific requirements or questions then please contact the CiCS Helpdesk.