ISPF_016 - Bring Your Own Device
ISPF_016 – Information Security Standard - Remote Working & Bring Your Own Device
Version | Approved by | Approval date | Effective date | Next review date |
1.0 | | | 1 March 2023 | 1 March 2025 |
Standard Statement
Purpose
The Seventh-Day Adventist Church recognises the benefits that can be achieved by allowing staff to use their own electronic devices when working, whether that is at home, at work premises or while travelling. Such devices include laptops, smartphones and tablets, and the practice is commonly known as ‘bring your own device’ or BYOD. Adventist Technology is committed to supporting staff in this practice and ensuring that as few technical restrictions as reasonably possible are imposed on accessing Church-provided services on BYOD.
The use of such devices to create and process Church information and data creates issues that need to be addressed, particularly in the area of information security. The Church must ensure that it remains in control of the data for which it is responsible, regardless of the ownership of the device used to carry out the processing. It must also protect its intellectual property and empower staff to protect their own personal information.
The purpose of this standard is to ensure that the Church complies with data protection legislation and that Church information, in particular personal and sensitive information, is protected from unauthorised access, dissemination, alteration or deletion. It complements and supports the existing Data Protection Policy and Guidelines and Regulations for the Use of the Church’s IT Facilities and Systems. Though not exhaustive, this standard also defines recommendations and requirements of use when connecting personally owned devices to the Seventh-Day Adventist Church network.
Scope
This standard provides the minimum requirements and applies to all users including, but not limited to, staff (including casuals), subscribing entities, consultants, contractors, third parties, volunteers, and visitors to the Seventh-Day Adventist Church.
Standard
Contents
Controls
The Seventh-Day Adventist Church Responsibilities
The Seventh-Day Adventist Church reserves the right to disconnect any device that places the Church ICT environment at risk.
IT support for BYOD devices is provided on a best-efforts basis only. Device owners are encouraged to follow the controls detailed within this document.
Adventist Technology will monitor device usage in line with the Church’s Acceptable Use, Privacy and Workplace Surveillance Act (NSW).
Requirements
Remember that your smartphone or tablet device is a computer; best practices to protect your personal, Church and business sensitive information should therefore be employed. The table below summarises the Seventh-Day Adventist Church’s minimum requirements for BYOD.
Configuration Management
Function | Minimum Requirement |
Operating System | Your device must use a legitimate operating system that meets the defined minimum standards (i.e. you may not use a ‘jailbroken’ device). |
Network Authentication | Network authentication is subject to the Church’s requirements, being 802.1x for wireless or wired connection, and authentication via an SSL VPN for remote access to the network. |
Password Protection/User Authentication | Your device will support password authentication and automatic locking that must be used at all times. |
Automatic Device Lock | Your device must have the automatic lock enabled. |
Device Hygiene | Your device must have appropriate and up-to-date anti-virus and anti-spyware installed. |
Lost and Stolen Devices | If your device is lost or stolen you must report the loss or theft immediately to the Adventist Technology IT Service Desk. |
Mobile Device Disposal | Any Church data on your device must be removed from the device at the end of its use within the Church environment. |
Software Licensing | Operating systems and applications running on or required by BYOD will be your sole responsibility as the device owner. |
1.2.2 Security Management
Function | Minimum Requirement |
| The Church has the ability, through the MDM capabilities of Office 365, to enforce certain policies on mobile devices, including BYOD, to ensure the security of Seventh-Day Adventist Church data. This includes, but is not limited to, enforcing screen locks and PIN codes, and the ability to remotely wipe Church data. |
1.2.3 Service Management
Function | Minimum Requirement |
BYOD Authority | If your device is used for BYOD and linked to the Seventh-Day Adventist Church’s Office 365 platform, you agree to surrender limited authority over the device for the sole purpose of protecting Church data and access on the device. |
Mobile Device Application Control | The Church has implemented an MDM solution through Office 365 and has the ability to push and remove Church data from your device to enhance its security or manageability. |
Device Support | You and the device issuer are responsible for supporting your device. |
Device Registration, Configuration and Management
Your BYOD will be automatically registered within Office 365 upon first connection to the Exchange email service.
A limit may apply to the number of devices that can be registered.
You acknowledge that the Church will directly and/or remotely change security configurations of the device to protect the Church data and software stored on the device.
You acknowledge that any Church data stored on the BYOD remains the sole property of the Seventh-Day Adventist Church and that you have an obligation to protect the security of the data.
You acknowledge that the Seventh-Day Adventist Church has a right to inspect Church data held on your personal BYOD.
You understand that the Church may remotely monitor your device to ensure security and software configurations are maintained.
You will not be prevented from installing the software or applications of your choice on your device. However, the Church may block your access to Church ICT services if any software/applications/data present a threat to the Seventh-Day Adventist Church ICT services, information, or data.
Device Usage and Support
The service and its use are at your sole discretion and risk.
The Church does not impose a charge on you for registering your device.
You are responsible for supporting your device. The Church will only provide limited support for any applications the Church has provided.
The Church is not responsible for any costs incurred by your use of your BYOD. The Church will not reimburse any voice or data charges, software or application acquisition fees, and support or insurance costs associated with your device.
The Church is not responsible for any inconvenience that you may experience in connection with using Church ICT services on your BYOD.
You have sole responsibility for ensuring no other person has access to Church software or data stored on your BYOD.
The Church will not monitor the phone call or text message history of a BYOD. Where needed (for example, in the case of a disciplinary matter) the call and text messages may be requested.
The Church will not monitor the web browser history on your BYOD when not connected to Church network(s) unless the web traffic is directed through the Church’s network infrastructure.
The Church may restrict access to internet websites, services, or other elements for operational or policy reasons while your BYOD is connected to Church networks including either wireless or cabled connections.
The Church may monitor your use of your BYOD while it is connected to the Church network. This information may be collected and archived and may be subject to public access.
You are responsible for abiding by all licence terms and conditions applicable to any software, apps, data, or information provided by the Church to your BYOD.
While the Church will make all reasonable effort to ensure service is available, the Church does not guarantee that access to Church ICT services, information or data will be available at all times.
If your BYOD is lost or stolen, you are responsible for reporting the event as soon as practicable to the Adventist Technology IT Service Desk. You must also:
Undertake a device wipe as soon as practicable via the Office 365 portal or via a personal configuration/management utility.
Take reasonable steps to ensure that it is replaced as quickly as possible.
Protection of Church Data on your BYOD
Church information, documents, and data classified as Highly Restricted or that are subject to legal or professional privilege must not be stored on BYODs and/or unapproved cloud-based services.
Church data must only be backed up to approved locations within Church systems.
You should check your device to ensure that automated cloud backup is disabled.
You should take reasonable steps to reduce the risk of losing your personal data. You may, for example, store your personal data separately from Church data through file partitions or using a separate memory card.
You are responsible for backing up and restoring the data and configuration settings of your BYOD. Personal data is not to be backed up to or stored by the Church. The Seventh-Day Adventist Church is not responsible for any personal loss or damage you may suffer by actions undertaken by the Church to protect Church data stored on your BYOD.
Device Deregistration
The Church, at its own discretion, may deregister any BYOD at any time without warning.
The Church may deregister a BYOD that has not consumed Church ICT services for more than 12 months.
You will no longer be able to connect to Church ICT systems and data unless the device is re-registered.
You are encouraged to remove any personal data if you are intending to dispose of your BYOD. If you intend to sell or gift the device to another person, you should ensure that it is wiped.
Portable Storage Devices and Cloud Storage Solutions (Guidelines)
Perform an anti-virus scan of all portable (USB) media before executing files.
Only store Church sensitive information on your device or in the cloud if absolutely necessary, i.e. justified business need. Ensure sensitive information is encrypted.
If you store sensitive information on your device or in the cloud, ensure it is securely removed or transferred to a secure location when no longer required.
Control Exceptions
All exemption requests must be reviewed, assessed and approved by the relevant business stakeholder.
References
Workplace Surveillance Act (NSW)
AS/NZS ISO 31000 Risk Management – Principles and guidelines
Sign Off
Approved by: | Date |
Accountabilities
Responsible Officer | Chief Information Officer |
Contact Officer | ITpolicy@adventist.technology |
Supporting Information
Parent Document Policy | |
Related Documents | ISPF_008 – Logging & Monitoring Standard; ISPF_022 – IT Acceptance Use |
Relevant Legislation | |
File Number | |
Revision History
Version | Approved by | Approval date | Effective date | Sections modified |