Remote Working
Parent topic: Mobile Device and Remote Working Policy
Key points
- Do: Be professional, and help keep Ministry of Justice (MoJ) information and resources safe and secure at all times.
- Do: Think about where you are working, for example - can other people or family access what you are working on? Be thoughtful about information privacy.
- Do: Keep MoJ accounts and password information secure.
- Do: Take care of your equipment. Devices are more likely to be stolen or lost when working away from the office or home.
- Do: Get in touch quickly to report problems or security questions.
- Do: Use the VPN if you are handling sensitive MoJ information, or connecting to MoJ systems from a remote location.
- Do not: Send work material to personal email accounts.
- Do not: Use personal devices or accounts for work purposes - the exception is that a home wifi connection may be used to connect MoJ equipment.
- Do not: Leave MoJ equipment unattended.
Overview
The Remote Working Guide gives you advice and guidance on the main security issues that are likely to affect you as a remote worker or a user of mobile computing facilities, (e.g. desktop/laptop computer, smart phones, etc), within the MoJ, including its Agencies and Associated Offices.
It also sets out your individual responsibilities for IT security when working remotely.
Audience
This guide applies to all staff in the MoJ, its Agencies, Associated Offices and Arm’s Length Bodies (ALBs), including contractors, agency and casual staff and service providers, who use computing equipment provided by the Department for remote working or mobile computing, or process any departmental information while working remotely or while using MoJ mobile computing equipment.
What is remote working?
Remote working means you are working away from the office. This could be from home, at another MoJ or government office, whilst travelling, at a conference, or in a hotel.
Protecting your workspace and equipment
Remote working is when you work from any non-MoJ location, for example, working at home. It’s important to think about confidentiality, integrity and availability aspects as you work. This means protecting equipment, and the area where you work.
- Do: Keep MoJ equipment and information safe and secure.
- Do: Protect MoJ information from accidental access by unauthorised people.
- Do: Lock or log off your device when leaving it unattended. For long periods of non-use, shut down your device.
- Do: Ensure that your devices are powered off when you first enter a country when travelling outside the UK.
- Do: Keep your workspace clear and tidy. Follow a ‘clear desk policy’ for information, including paperwork, to ensure MoJ information isn’t seen by unauthorised people.
- Do: Use MoJ IT equipment for business purposes in preference to your own equipment such as laptops or printers.
- Do: Be wary of anyone overlooking or eavesdropping what you are doing. Consider whether you, or the MoJ information, might be Overseen, Overheard, or Overshared.
- Do: Protect chargers and other computer accessories, especially MoJ equipment, when travelling. This is to prevent them from being tampered with. Keep them secure and out of sight as much as possible, for example in your hand luggage or on your person.
- Do: Ensure that a laptop BitLocker PIN or similar access control is enabled.
- Do: Use an MoJ-issued VPN when connecting to Hotel or other public wifi spots.
- Do not: Let family or other unauthorised people use MoJ equipment.
- Do not: Leave equipment unattended.
- Do not: Work on sensitive information in public spaces, or where your equipment can be seen by others.
- Do not: Advertise the fact that you work with MoJ materials. However, pre-installed materials such as backgrounds provided as standard with MoJ equipment are acceptable.
- Do not: Take part in conference or video calls when you are in public or shared spaces such as cafes or waiting rooms.
- Do not: Send your work material to your personal devices or your personal email address.
- Do not: Redirect print jobs from MoJ printers to a personal printer.
- Do not: Use public ‘charging stations’ provided at airports, conference venues, hotels, or similar public locations. They might be used to upload malicious software onto your device.
- Do not: Connect MoJ equipment to vehicles, using either USB or Bluetooth. These connections can download information from the device or upload malicious software.
Working securely
It’s important to consider the security of how you work remotely.
- Work locations - as with home working discussed previously, you need to be equally, if not more, vigilant when working in public spaces.
- Confidentiality - be aware of others eavesdropping or shoulder surfing, both what you are working on and what you are saying, for example during conference and video calls.
- Keep MoJ equipment and information, including printouts and documents, safe and secure.
Even when working remotely, you must still follow the security policies and operating procedures for MoJ systems you access and work with.
Using public wifi or internet, and home broadband
Some locations, such as hotels, coffee shops, or public transport, offer ‘public’ wifi or internet access.
The public services are usually offered for free. They only need you to agree to some terms of service.
While apparently convenient, these services can have some serious problems:
- They have no security appropriate for protecting MoJ information.
- There is no guarantee about keeping information transmitted through them private or confidential.
- Public services are usually shared. This means that performance can often be very slow and unreliable.
If you need network access, but cannot connect to an MoJ network or home broadband service:
- Do: Use an MoJ hotspot. This is usually provided on your MoJ-issued mobile device.
If you need to use a public wifi or internet service, or home broadband, with your MoJ equipment, because you do not have an MoJ hotspot, then:
- Do: Connect using an MoJ-issued VPN. Before doing any work, check that the MoJ-issued VPN is working correctly.
Using your own equipment
The main guidance is available here.
- Do: Use official MoJ equipment for business purposes.
- Do not: Send your work material to your personal devices or your email accounts.
If you are working remotely, or do not have access to MoJ equipment, it might be tempting to use your own equipment, especially printers. Avoid doing this.
Printing
The advice is to avoid printing anything when working remotely, and in particular not to use personal printers.
However, if you really must print MoJ information:
- Do: Connect directly to the printer using USB, not wifi.
- Do: Consult the information asset owner or line manager before printing the information.
- Do: Store any and all printed materials safely and securely until you return to MoJ premises, when they must be disposed of or filed appropriately.
- Do not: Print out personal information relating to others.
- Do not: Redirect print jobs from an MoJ printer to a personal printer.
- Do not: Dispose of unshredded MoJ information in your home rubbish or recycling. Use a cross-cut shredder to destroy printed materials securely, before disposal at non-MoJ locations.
Basically, think before you print.
Privacy
It is important to protect privacy: yours and that of the MoJ. Events like the Covid-19 (Coronavirus) pandemic are often exploited by people wanting to get access to sensitive or valuable information. This often results in an increase in attempts to get access to personal information or MoJ accounts, using phishing and email scams. Be extra vigilant whenever you get an unexpected communication.
Be aware of your working environment when you work with MoJ information. If anyone might access the data, or hear you talk about it as you use it, that could cause privacy problems. Be aware of SMART devices around your remote location, and ensure they are switched off if conducting video or voice communications.
Guidance and suggestions for improving Privacy appear throughout this guide, but it’s worthwhile highlighting these points:
- Do: Lock your computer, even when unattended for short periods.
- Do: Think about whether an unauthorised person, such as a family member, might access the information you are working with.
- Do not: Write down passwords. Use a password manager.
Contacts for getting help
In practice, all sorts of things can go wrong from time-to-time. Don’t be afraid to report incidents and issues; you will be creating a better and safer work environment.
General enquiries, including theft and loss
Technology Service Desk - including DOM1/Mojo, and Digital & Technology Digital Service Desk. Use one of the following two methods for contacting service desk:
- Tel: 0800 917 5148
- MoJ Service Portal and Live Chat
Note: The previous itservicedesk@justice.gov.uk
and servicedesk@digital.justice.gov.uk
email addresses, and the Digital & Technology Digital Service Desk Slack channel (#digitalservicedesk
), are no longer being monitored.
HMPPS Information & security:
- Email: informationmgmtsecurity@justice.gov.uk
- Tel: 0203 334 0324
Incidents
Note: If you work for an agency or ALB, refer to your local incident reporting guidance.
Security Team
- Email: security@justice.gov.uk
- Slack:
#security
Privacy Advice
Data Protection Team
- Email: DataProtection@justice.gov.uk>
- Slack:
#security_privacy_and_live_service_team
- Intranet: https://intranet.justice.gov.uk/guidance/knowledge-information/protecting-information/
Cyber Security Advice
Cyber Consultants and Risk Advisors
- Email: security@justice.gov.uk
- Slack:
#security
Historic paper files urgently required by ministers, courts, or Public Inquiries
MoJ HQ staff
HMCTS and HMPPS staff
JustStore
- Email: KIM@justice.gov.uk
Related information
NCSC Home working: preparing your organisation and staff CPNI Home Working Advice
To access the following link, you’ll need to be connected to the HMPPS Intranet.
Contact and Feedback
For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.