Mobile Device and Remote Working Policy

• Remote Working

Introduction

This policy gives an overview of mobile devices and remote working security principles and responsibilities within the Ministry of Justice (MoJ). It provides a summary of the MoJ’s related policies and guides in relation to mobile devices and remote working.

To help identify formal policy statements, each is prefixed with an identifier of the form: POL.MOB.xxx, where xxx is a unique ID number.

Audience

This policy is aimed at:

• Technical users

  These are in-house MoJ Digital and Technology staff who are responsible for implementing controls throughout technical design, development, system integration, and operation. This includes DevOps, Software Developers, Technical Architects, and Service Owners. It also includes Incident Managers from the Event, Problem, Incident, CSI, and Knowledge (EPICK) Team.

• Service Providers

  Any other MoJ business group, agency, contractor, IT supplier, and partner who in any way designs, develops or supplies services, including processing, transmitting,and storing data for, or on behalf of, the MoJ.

• General users

  All other staff working for the MoJ

“All MoJ users” refers to General users, Technical users, and Service Providers, as defined previously.

Mobile devices

POL.MOB.001: When using mobile devices, special care shall be taken to ensure that business information is not compromised. When issuing or using MoJ mobile devices, the following points shall be adhered to:

• POL.MOB.002: Mobile devices shall be registered as an MoJ asset.
• POL.MOB.003: Software installation shall not be available for general users, except when using an approved MoJ process or tool, such as an MoJ self-service app store.
• POL.MOB.004: There shall be an ability for remote disabling, erasure or lockout.
• POL.MOB.005: only MoJ approved web services and web apps may be used.

Use in public places

POL.MOB.006: Care shall be taken when using mobile devices in public places, meeting rooms, and other unprotected areas. Protection shall be in place to avoid the unauthorised access to, or disclosure of, the information stored and processed by these devices.

The MoJ Cryptography guide offers techniques and information used in the MoJ to support stronger security when using mobile devices.

The MoJ Access Control Guide explains how the MoJ manages access to its IT systems so that users have access only to the material they need, in a secure manner.

Theft or loss

POL.MOB.007: Mobile devices shall be physically protected against theft, especially when left unattended. Examples include leaving devices unattended in cars and other forms of transport, hotel rooms, conference centres, and meeting places.

Note: Sometimes, it might feel difficult to determine a sensible level of protection. For example, leaving a laptop unattended but in plain sight on the seat of car in a public car park is not very secure. But if the car is parked in an MoJ car park, then the vehicle - and therefore its contents - are probably more secure. The answer is that you should always apply the best possible protection for the assets you are responsible for, at all times. Don’t rely on other security mechanisms to provide protection that you neglected to apply.

POL.MOB.008: The MoJ shall have, and follow, a clear procedure covering legal, insurance, and security requirements for cases of loss or theft of mobile devices.

Use of private equipment

POL.MOB.009: You should not use personal devices for MoJ work purposes.

Exceptions are possible on a case-by-case basis, for example to accommodate Accessibility requirements. To discuss whether you have a case for exemption, contact the Security team in the first instance, before using a personal device for work purposes. If an exception is permitted, use of the personal device shall be in compliance with MoJ personal device guidance.

Remote working

Remote working refers to all forms of business activity that takes place outside of the office. Remote working is sometimes described as “Working From Anywhere”. Remote working locations include non-traditional work environments or contexts, such as:

• Coffee shops.
• Commuter hubs.
• Co-working spaces.
• Flexible workplace.
• Home offices or workspaces.
• Telecommuting.
• Virtual Work Environments.

POL.MOB.010: The MoJ allows remote working, but the following points shall be considered, confirmed, and documented as acceptable during the approval process:

• The existing physical security of the remote working site, taking into account the physical security of the building and the local environment.
• The communications security requirements, taking into account the need for remote access to the MoJ’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link, and the sensitivity of the internal systems being accessed.
• Any threat of unauthorised access to information or resources from other persons using the remote working location, for example family or friends.
• The implementation of home networks, and requirements or restrictions on the configuration of wireless network services (wifi).
• Malware protection and firewall requirements.

POL.MOB.011: The guidelines and arrangements for remote working should be considered, including:

• The provision of suitable equipment and storage furniture for the remote working activities.
• A definition of the work permitted, the hours of work, the classification of information that may be held, and the internal systems and services that the remote worker is authorised to access.
• The provision of hardware and software support and maintenance.
• The provision of insurance.
• The procedures for information and asset backup, and for ensuring business continuity.
• Audit and security monitoring.
• Limitation or revocation of authority and access rights, and the return of equipment when the remote working activities are terminated.

Current supporting documentation:

• Remote Working
• Security Guidance for Using a Personal Device

Enforcement

This policy is enforced by lower level policies, standards, procedures, and guidance.

Non-conformance with this policy could result in disciplinary action taken in accordance with the MoJ’s Disciplinary procedures. This could result in penalties up to and including dismissal. If an employee commits a criminal offence, they might also be prosecuted. In such cases, the department always cooperates with the relevant authorities, and provides appropriate evidence.

Incidents

Note: If you work for an agency or ALB, refer to your local incident reporting guidance.

Security Team

• Email: security@justice.gov.uk
• Slack: #security

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.