Policy

IT Bring Your Own Device (BYOD) Policy

Queries

For queries on this policy, contact IT Support:

Purpose and scope

Cardiff University recognises the benefits of using personally owned devices in work and study. This policy seeks to reduce risk in using these devices, for example, if a device is lost or stolen.

This policy covers the use of electronic devices (e.g., smart devices, phones, tablets, e-readers, laptops, and desktop PCs) that are not provided by Cardiff University and therefore fall outside the scope of the IT Asset Management Policy.

This policy covers the usage of these Bring Your Own Device (BYOD) electronic devices to access university systems and information assets. It seeks to protect university IT services and the information assets from compromise, theft, or loss of integrity, and ensure that the University complies with data protection and other legislation.

This policy applies wherever a BYOD device is located or however IT services are accessed. It therefore applies to use on campus, at home, and in remote locations, and to any access using a university-approved remote access method, for example VPN or VDI.

BYOD devices used for Multi-Factor Authentication and not used to access university systems and information assets are excluded from the scope of this policy.

Related policies and procedures

This policy forms part of the Information Security Framework and should be read in conjunction with the Information Security Policy and related policies.

Users of devices categorised as BYOD must familiarise themselves and comply with the provisions of the University's information security and IT policies:

  • Remote and Mobile Working Policy
  • IT Acceptable Use Policy
  • Information Security Classification and Handling Policy, specifically with reference to handling information classified as C1 Highly Confidential or C2 Confidential on BYOD devices
  • IT Regulations

These policies can be found at the University's Policies and Procedures page.

Policy

  1. In order for BYOD devices to be permitted to access the University network and IT systems and information, the criteria specified in Annex 1 must be met.
  2. The University will check compliance with the criteria in Annex 1 whenever a device is connected to the University network or when attempting to access university-managed IT services. Devices that do not meet the criteria will be granted limited internet-only access until action by the device user is taken that ensures all criteria are met.
  3. All BYOD devices must consent to install any software required by the University in order to facilitate the checks described in Annex 1.
  4. The University reserves the right to prevent any access to the University network and IT services, including Internet access, for any BYOD devices whose condition or activity represents a risk to the integrity of the University IT infrastructure, systems, or information assets.
  5. In the event that a BYOD device is lost, and that device has been used to access the University networks, systems, or information assets, it must be reported to University IT Support immediately.
  6. All university-owned information assets and university-licensed software must be removed from BYOD devices when members (including all staff and all students) leave the University, or third parties cease to undertake activity on the part of the University.
  7. Previously owned devices (i.e. those with a previous owner, regardless of whether the device was used for business or personal use) must be reset to factory settings prior to accessing university systems or information assets. This is required irrespective of whether the criteria in Annex A would otherwise be met.
  8. Exceptions to this policy are at the discretion of the Chief Digital and Information Officer or their nominated representative.

Roles and responsibilities

The Chief Digital and Information Officer is the sponsor for this policy, and is responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents. They are also responsible for ensuring that the technical components required to enforce the requirements of this policy are deployed and maintained, and for authorising exceptions.

All users of BYOD devices are responsible for:

  • managing the configuration of their device(s) such that they meet the requirements of this policy
  • removing university-licensed software and any university information assets from their device when they leave the University
  • reporting the loss of their device(s) to University IT

Monitoring and review

This policy shall be reviewed every three years, or as and when required.

Exceptions to this policy shall be reviewed annually to ensure that they remain applicable and appropriate.

The volume of devices being denied access to the network/systems, the reasons, and trends, shall be monitored and analysed by the Cyber Security Operations Group within University IT.

Breaches of this policy may be treated as a disciplinary matter, dealt with under the University’s staff disciplinary procedures or the student disciplinary procedures as appropriate.

Annex 1 - BYOD Device Requirements

To connect to the University network or to access university systems or information assets, BYOD devices must meet the following minimum requirements:

  • hardware support for the model of the device must be available from its manufacturer
  • anti-virus/anti-malware software must be installed on computers and have current virus/malware definition files installed. Tablets and smartphones do not require anti-virus/anti-malware software, provided they only take applications from official app stores
  • the device disks/storage must be encrypted to the level supported by the operating system, as a minimum
  • the device must be set to automatically lock after no more than 10 minutes of inactivity
  • the device must prompt for a PIN, password, biometric, or combination each time a device is unlocked or powered on
  • the device operating system, software, and firmware must be appropriately licensed, supported by its manufacturer, and receive regular patches/updates

Further guidance is available from the National Cyber Security Centre.

Document control table

Document title: IT Bring Your Own Device (BYOD) Policy
Author(s): Owen Hadall, Director of IT, University IT.
Version number: 1.0
Date of next review: July 2028