You have appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.
Ways to meet our expectations:
- You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.
- You have protections in place to avoid unauthorised access to, or disclosure of, the information processed by mobile devices, for example, encryption and remote wiping capabilities.
- You implement security measures to protect information processed when home or remote working, for example, VPN and two-factor authentication.
- Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices as well as an entire class of devices.
- You do not allow equipment, information or software to be taken off-site without prior authorisation and you have a log of all mobile devices and removable media used and who they are allocated to.
Can you answer yes to the following questions?
- Can staff find the policies and procedures?
- Are they aware of the main contents?
- Would a sample of devices have appropriate encryption?
- Could you demonstrate appropriate access arrangements for home or remote working?
- Are staff working from home or remotely aware of the authorisation requirements?