Procedure: Bring your own device
This procedure defines the obligations for all authorised users who choose to connect a personally owned device to the University’s network or who use their personal device to access the University’s Information Technology (IT) services, data and networks. This procedure aims to protect University systems and data from unauthorised access, use or disclosure.
Definitions of additional terms used in this document are provided in the overarching policy, Acceptable use of Information Technology.
Bring Your Own Device (BYOD): the use of any electronic device not owned or leased by the University, and which is capable of storing data and connecting to a network (e.g. wireless, 4G, physical connection), to access or connect to the University’s IT services, data and networks. This includes but is not limited to mobile phones, smartphones, tablets, laptops, notebooks and portable storage devices.
Encryption: The University considers an appropriate level of encryption to be the standards specified in the Australian Government Information Security Manual.
Firmware: permanent software programmed into a read-only memory that provides control, monitoring and data manipulation within the device.
Operating system: the low-level software that supports a device’s basic functions, such as scheduling tasks and controlling peripherals.
Security patch: a piece of software designed to update a computer program, or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bug fixes, and improving the usability or performance of a device.
Software: computer software is designed to assist end users to carry out useful tasks. Examples of software may include the Microsoft Office suite of products or smartphone applications such as Google Maps.
Threat: any cause of harm, technological, natural, or otherwise, to an information asset; including software bugs, unlocked rooms, or well-known passwords.
1. This procedure applies to all users consuming Information and Communications Technology (ICT) services and all devices utilising ICT services provided by the University.
2. Authorised users may bring their own device to access or connect to the University’s IT services, data and networks, provided they meet the obligations of this procedure.
3. Devices which are specifically designed for network access, such as switches, WiFi access points and hubs, may not be attached to the University’s network infrastructure.
4. The University aims to make ANU systems and interfaces accessible across a wide range of devices and platforms; however, it will not guarantee that any particular combination of system and device will operate as intended.
5. Access to any highly sensitive University data is vested in the relevant system owner. System owners may change or restrict access to data from devices that are not University owned at their discretion.
6. Choosing to BYOD automatically implies consent that the University may interrogate such devices to ensure appropriate use, as defined by the Acceptable use of Information Technology policy and the Information Technology security policy.
7. Users who choose to BYOD are responsible for meeting minimum requirements as defined below.
Operating systems and software
Ensure that the operating system, firmware and installed software are sourced from the vendor or an authorised source and are up to date, and that required security patches have been applied to protect against known vulnerabilities. Security solutions must be employed where available, including anti-virus, firewall and threat intelligence capabilities.
Access and storage of data
Authorised users must not perform system administration of any University enterprise system using a device that the University does not control, without prior approval from the system owner. System administration tasks are those performed by users with privileged or elevated access.
University highly sensitive data, as specified in the Infrastructure security classification standard, must only be stored or accessed on non-University owned devices if encryption methods are employed.
If University data is stored on a personal device, or has been backed up to other locations (e.g. the cloud or external hard drives), it must be removed or transferred to a secure location when no longer required. All University data must be removed from personal devices at the end of its use within the University environment or when a device is at end of life.
The University reserves the right to inspect and verify that University data has been removed from the device.
Lost and stolen devices
Perform regular data backups to ensure information is available should the device be lost, stolen, damaged or data corrupted.
If any personal device carrying University data is lost or stolen, the ITS Cyber and Digital Security Team must be notified immediately by emailing IT.firstname.lastname@example.org. The University may perform a remote wipe on a device in order to prevent unauthorised access to University data.
Operating systems and applications running on, or required by personal devices are the sole responsibility of the device owner.
The software and services being used on the device for work related to the University must be within the conditions of use specified in the software license or within any license agreement between the University and the vendor.
Password protection/ User authentication
Ensure the device supports password or PIN authentication and that this is enabled.
Automatic device lock
Ensure that the device has the automatic lock enabled.
The University is not responsible for the hardware, software or operating systems of personal devices. Limited support may be provided to assist users in accessing University systems and services.
The University accepts no responsibility for any damage or loss that occurs to any personal device.
| Title | Bring your own device |
| Purpose | This procedure defines the obligations for all authorised users who choose to connect a personally owned device to the University’s network or who use their personal device to access the University’s Information Technology (IT) services, data and networks. This procedure aims to protect University systems and data from unauthorised access, use or disclosure. |
| Audience | Staff, Students, Alumni, Affiliates |
| Topic/SubTopic | Information Technology - Usage |
| Effective Date | 1 Nov 2017 |
| Review Date | 1 Nov 2018 |
| Responsible Officer | Director, Information Technology Services |
| Contact Area | Information Technology Services |
Information Infrastructure and Services Statute 2012
Information Infrastructure and Services Rule 2015
AS ISO/IEC 27002:2015
Australian National University Act 1991
Australian Government Protective Security Policy Framework
Public Governance, Performance and Accountability Act 2013
Public Governance, Performance and Accountability Rule 2014
Australian Government Department of Finance and Deregulation Finance Circular No. 2009/08
Crimes Act 1914 (Cth)
Privacy Act 1998
Telecommunications Act 1997
Telecommunications Regulations 2001