User Security Requirements
Within this document standards marked with a are Mandatory standards (i.e. they require immediate compliance by all). Standards marked with a are Mandatory for users or departments who can comply. All others should make plans to comply at the earliest opportunity.
General User Security Requirements
Mobile Data Device users agree to take shared responsibility for the security of their Mobile Data Device and the information it contains.
Upon allocation of a Laptop or other Mobile Data Device, users should undertake to comply with all applicable sections of this Mobile Data Device Security Standard.
Users need to take all reasonable steps to protect against the installation of unlicensed or malicious software.
The use of unlicensed software is illegal and puts the University at significant risk of legal action. Executable software needs to be validated and approved by the departmental Systems Administrator before being installed. Unmanaged installations can compromise the operating environment and also constitute a security risk, including the intentional or unintentional spreading of software viruses and other malicious software.
Commercial software (including shareware) needs to:
- have a valid license for each prospective user;
- be checked for all known security risks, including malicious software.
Users need to take good care of their laptop.
Mobile Data Devices are more fragile than desktops and require more care.
Mobile Data Device users need to comply with physical security requirements.
Users should take the following physical security preventative measures:
- It is important that Mobile Data Devices not be:
  - left on view in an unattended vehicle, even for a short period of time;
  - left in a vehicle overnight;
  - positioned so that they are visible from outside a ground floor window, unless there is no alternative.
- A Mobile Data Device displaying sensitive information while being used in a public place, e.g. on a train, aircraft or bus, needs to be positioned so that the screen cannot be viewed by others. If this is not possible, the user should consider other options such as the use of a screen privacy filter, or postpone working with this sensitive information until in a more appropriate and protected setting.
- When leaving a Mobile Device unattended for any extended period, e.g. lunch breaks or overnight, users should:
  - physically secure it with a cable lock and/or
  - lock it away in a robust cabinet or alternatively lock the door of an individually occupied office.
- It is important that in vulnerable situations, e.g. public areas such as airport lounges, hotels and conference centers, Mobile Devices never be left unattended.
- Portable computers should, whenever permitted, be carried as hand luggage when traveling, in bags sporting bright colours or large tags.
- Where any of the above rules are either inappropriate or impractical (e.g. academics on field trips) the user is responsible for taking all reasonable steps to minimize the risk of loss or damage to the laptop.
- Equipment that can be traced is not attractive to thieves. All equipment, where feasible, should be permanently marked with an identification number that can be traced by police. If the equipment is property of The Western University, it should be marked with an Operation Provident Number, which can be provided by Campus Community Police Services.
It is critical that Mobile Data Device users select a complex password.
All users of The Western University IT resources need to select a complex password. Please refer to the Cybersmart website for details on complex passwords.
Computer displays should be secured when left unattended.
All Mobile Data Device screens need to be secured with a password-protected screen when left unattended.
All sensitive information should be stored on University network servers by default.
This ensures that such data is secure and is automatically backed up as a matter of course. Only when working away from "base" should sensitive data be copied to a local drive on the Mobile Device.
In all cases the minimum information required should be copied to the local drive.
Mobile Device users should use an encryption option when saving information that is considered to be confidential.
The Western University’s WTS department can advise on the most suitable data encryption options.
When working away from base, it is important to back up all sensitive data, on a regular basis, in a secure fashion.
Mobile Device users should notify the appropriate authorities immediately if their device is lost or stolen.
If a Mobile Device is stolen or lost, the Campus Community Police Services and then the Helpdesk and your Unit Head or delegate should be advised as soon as possible. This will ensure that recovery procedures can be activated as soon as is practicable.