User Security Requirements

Compliance

Within this document, standards marked with a lock are Mandatory standards (i.e. they require immediate compliance by all). Standards marked with an unlock are Mandatory for users or departments who can comply. All others should make plans to comply at the earliest opportunity.

General User Security Requirements

lock Mobile Data Device users agree to take shared responsibility for the security of their Mobile Data Device and the information it contains.

Upon allocation of a Laptop or other Mobile Data Device, users should undertake to comply with all applicable sections of this Mobile Data Device Security Standard.

lock Users need to take all reasonable steps to protect against the installation of unlicensed or malicious software.

The use of unlicensed software is illegal and puts the University at significant risk of legal action. Executable software needs to be validated and approved by the departmental Systems Administrator before being installed. Unmanaged installations can compromise the operating environment and also constitute a security risk, including the intentional or unintentional spreading of software viruses and other malicious software.

Commercial software (including shareware) needs to:

    1. have a valid license for each prospective user;
    2. be checked for all known security risks, including malicious software.

lock Users need to take good care of their laptop.

Mobile Data Devices are more fragile than desktops and require more care. 

Physical Security

lock Mobile Data Device users need to comply with physical security requirements.

Users should take the following physical security preventative measures:

    1. It is important that Mobile Data Devices not be:
      • left on view in an unattended vehicle, even for a short period of time;
      • left in a vehicle overnight;
      • positioned so that they are visible from outside a ground floor window, unless there is no alternative.
    2. A Mobile Data Device displaying sensitive information that is being used in a public place, e.g. on a train, aircraft or bus, needs to be positioned so that the screen cannot be viewed by others. If this is not possible, the user should consider other options such as the use of a screen privacy filter, or postpone working with this sensitive information to a more appropriate and protected setting.
    3. When leaving a Mobile Device unattended for any extended period, e.g. lunch breaks or overnight, users should:
      • physically secure it with a cable lock and/or
      • lock it away in a robust cabinet or alternatively lock the door of an individually occupied office.
    4. It is important that in vulnerable situations, e.g. public areas such as airport lounges, hotels and conference centers, Mobile Devices never be left unattended.
    5. Portable computers should, whenever permitted, be carried as hand luggage when traveling, in bags sporting bright colours or large tags.
    6. Where any of the above rules are either inappropriate or impractical (e.g. academics on field trips) the user is responsible for taking all reasonable steps to minimize the risk of loss or damage to the laptop.
    7. Equipment that can be traced is not attractive to thieves. All equipment, where feasible, should be permanently marked with an identification number that can be traced by police. If the equipment is property of The Western University, it should be marked with an Operation Provident Number, which can be provided by Campus Community Police Services.

Access Control/Authentication

lock It is critical that Mobile Data Device users select a complex password.

All users of The Western University IT resources need to select a complex password. Please refer to the Cybersmart website for details on complex passwords.

lock Computer displays should be secured when left unattended.

All Mobile Data Device screens need to be secured with a password-protected screen when left unattended.

Data Protection

lock All sensitive information should be stored on University network servers by default.

This ensures that such data is secure and is automatically backed up as a matter of course. Only when working away from "base" should sensitive data be copied to a local drive on the Mobile Device.

In all cases the minimum information required should be copied to the local drive.

unlock Mobile Device users should use an encryption option when saving information that is considered to be confidential.

The Western University’s WTS department can advise on the most suitable data encryption options.

unlock When working away from base, it is important to back up all sensitive data, on a regular basis, in a secure fashion.

Tracking/Recovery

lock Mobile Device users should notify the appropriate authorities immediately if their device is lost or stolen.

If a Mobile Device is stolen or lost, the Campus Community Police Services and then the Helpdesk and your Unit Head or delegate should be advised as soon as possible. This will ensure that recovery procedures can be activated as soon as is practicable.

