IT Services Alerts - IT Security & Mobile Devices

Information Systems Services would like to highlight the risks associated with storing confidential College data on mobile IT devices such as Smartphones (for example iPhone, Android Phones), Tablet PCs (for example iPads), Laptop computers, USB storage media and so on. Confidential College data may include but is not limited to personal information relating to staff and students, financial data, medical data or confidential research data.
 
Mobile devices are frequently unprotected in their default configuration and, in addition, are relatively vulnerable to loss or theft. These factors together mean there is an increased risk of unauthorised access to confidential College data which may be stored on the devices.
 
IS Services currently offers the following best practice guidance on security for all Mobile Devices:
 
•    Avoid joining unknown Wi-Fi networks.
•    Utilise anti-virus programs if available & keep the software current
•    Delete all information stored in a device prior to discarding, exchanging or donating
•    Know how to report lost or stolen devices immediately
•    Avoid using or storing confidential data on a mobile device whenever possible
•    Limit installation of unknown 3rd Party software applications
 
(NB: Smartphones are currently provisioned via the College contract with Vodafone, which is managed and administered by the Director of Buildings.)
 
Handheld Mobile Devices - Smartphones, Tablet PCs, iPads
IS Services do not currently support the use of smartphones, tablet PCs or iPads on the College network. However, IS Services is aware that staff members may be using such devices. It should be recognised that not all devices are created equally when it comes to security. For example, some devices are built for the general consumer market, where security is less of a design concern, and are inherently less secure than devices designed for enterprise environments.
 
It is important to note that these devices cannot be centrally managed by IS Services and are significantly different in this regard from a staff member’s desktop or laptop computer. It is therefore up to the end user to take appropriate steps to secure these devices and to maintain them. In addition to the advice above, IS Services would specifically recommend the following additional guidelines to protect data on staff members’ mobile devices:
 
•    Enable auto-lock & password protection settings on the device
•    Ensure that encryption is enabled on the device
•    Investigate whether the device has a remote tracking facility or remote data deletion option
•    Disable Bluetooth when it is not actively transmitting information and switch Bluetooth devices to hidden mode, as the default is usually for Bluetooth to be always on and always discoverable
 
Devices which cannot be securely configured should not be used to store confidential College documents.
 
Laptops
The use of Laptops on the College Network is governed by a range of IT and security policies. The laptops, just like Desktop computers in College, are provisioned from the recommended hardware suppliers with a base image which includes an operating system which can be supported and maintained by IS Services. IS Services also provision and manage the enterprise anti-virus service and the Software Management System, which ensures that your laptop receives all the Microsoft Updates that it needs and is kept up to date with regard to security patches. Authentication, via a username and password, is set to limit access to the Laptop.
 
IS Services are currently conducting an extended pilot of a centrally managed disk encryption product to protect sensitive College data which may be held on College owned laptops. It is recognised that where confidential data is being stored on Laptops the data or the device should be encrypted, which ensures the data cannot be accessed by unauthorised individuals should the laptop be subsequently lost or stolen. IS Services will be contacting a range of Administrative areas and an Academic School to take part in the pilot over the coming months and anticipate that, if the trial is successful, we will make this service available to all College staff from Academic Year 2011-2012.
 
Virtual Private Network (VPN)
IS Services recommends the use of the College VPN Service to staff members who wish to access confidential data on College systems from laptops. The VPN service allows College users to make a secure encrypted connection to the TCD College network from a remote location, for example when using broadband from home or while abroad.
 
Staff members can request the VPN service by contacting the IS Services Helpdesk. Please see http://www.tcd.ie/iss/network/vpn.php for further information.
 
USB Devices
IS Services do not currently support the use of USB storage devices, but we do recommend that any staff member purchasing or using such a device selects an encrypted USB device and ensures that the device is not the primary storage method and is only used for backup purposes.
 
Public Internet IT Services (Cloud Computing)
Cloud computing is a term used to describe IT offerings which can be purchased as a service and used across the internet. These services offer convenience and flexibility; however data security is often the weak link in cloud computing offerings. Users of public cloud services often have no visibility of where their data is stored or who ultimately has access to that data.
 
IS Services are developing a policy to assist College members in the selection and use of cloud services and aim to submit this in due course for board approval. IS Services currently do not endorse the use of any public cloud computing offerings for the storage of confidential College data/documents.

For further information on any of these issues please contact the IS Services Helpdesk.