Laptop security policy

Please note that as this policy is periodically reviewed and updated, if you print it from the website, its accuracy cannot be guaranteed for more than a 24 hour period following printing.

• Introduction
• Physical security controls for HFRS laptops
• Virus protection of HFRS laptops
• Controls against unauthorised access to laptop data
• USB and Memory sticks
• Security
• Unauthorized software
• Inappropriate materials
• Health and safety aspects of using laptops
• Encryption
• Laptop Servicing

Introduction

This policy describes the controls necessary to minimise Information Security risks affecting HFRS laptops.  

All HFRS computer systems face information security risks.  Laptops are an essential business tool for HFRS but their portability makes them particularly vulnerable to physical damage, theft and viruses.

Staff shall be aware that the impact of such breaches include not just the replacement value of the hardware but also the value of any HFRS data on them, or accessible through them.  

This policy sets out the guidelines that shall be followed by all laptop users.

Physical security controls for HFRS laptops

The physical security of ‘your’ HFRS issued laptop is your personal responsibility and staff shall take all reasonable precautions to ensure its safety and the data kept on it.

All staff shall carry and store the laptop in the issued padded laptop computer bag to reduce the chance of accidental damage.

Virus protection of HFRS laptops

Viruses are a major threat to HFRS and laptops are particularly vulnerable if their anti-virus software is not kept up-to-date.  Anti-virus software shall be updated at least once a monthly and preferably weekly. The easiest way of doing this is simply to log on to the HFRS network for the automatic update process to run.  If you cannot log on for some reason, contact the IS Service Desk for advice on obtaining and installing anti-virus updates.

Email attachments are now the number one source of computer viruses.  Avoid opening any email attachment unless you were expecting to receive it from that person.  Virus scans will happen automatically in the background periodically.

Always virus-scan any files downloaded to your computer from any source (CD/DVD, network files, email attachments or files from the Internet).  Report any security incidents (such as virus infections) promptly to the IS Service Desk in order to minimise the damage to the HFRS network.

Respond immediately to any virus warning message on your computer, or if you suspect a virus, by contacting the IS Service Desk.  Staff shall not forward any files or upload data onto the HFRS network if they suspect their PC might be infected.

top

Controls against unauthorised access to laptop data

If your laptop is lost or stolen, the use of installed passwords and bio security devices offer protection against unauthorized access.  It is HFRS policy to supply new laptops with built in encryption.

Staff are personally accountable for all network and systems access under their user ID, so passwords shall be kept secret. Staff shall not write passwords down and leave with their laptop. If you think your password has been compromised please contact the IS Service Desk for advice on changing it.

HFRS laptops are only provided for use by authorized employees.  Staff shall not loan their laptop or allow it to be used by others such as family and friends.  

Staff shall not leave their laptop unattended and logged-on.  Always shut down, log off or activate the password-protected screensaver before walking away from the laptop.

Other HFRS controls for laptops

USB and Memory sticks

Staff shall only use USB devices for work purposes and are reminded that they shall remain virus free.  NB You risk having all the files on the USB device deleted if any viruses are detected.

Security

The use of USB keys increases vulnerability in several areas - portable devices may suffer from physical loss, theft or damage, affecting confidentiality and availability.

• No Protectively marked personal data relating to employees or customers or business critical information, shall be stored on USB keys unless it is encrypted and you have the permission of the data owner.
• If you lose or have a USB key stolen which contains unencrypted personal data, you may be liable to prosecution under the Data Protection Act.
• Any losses of USB keys shall be reported immediately to the IS Service Desk.
• Before you connect a USB key to HFRS Systems, staff shall ensure it is scanned for viruses (you risk having files on the key deleted if any viruses are detected)
• The use of USB keys shall be approved by the IS Service Desk.
• If the USB key is used for transitional storage (for example copying data between systems), the data shall be securely deleted from the device immediately upon completion.

Any user found to be found in breach of the above may be subject to disciplinary action.  If they are also in breach of the Data Protection Act, it could lead to criminal proceedings and prosecution.

top

Unauthorized software

Staff shall not download, install or use unauthorised software programs.  Unauthorized software could introduce serious security vulnerabilities into the HFRS network as well as affecting the working of your laptop.  No software other than that authorised and installed by the IS Department shall be used on HFRS laptops, this includes software that appears to be free, (does not require a licence). If staff require software loaded onto your laptop please contact the IS Service Desk who will assist you. Staff shall remember that HFRS as an organisation and you as an individual can be prosecuted for infringing software copyright.

Inappropriate materials

HFRS will not tolerate inappropriate materials such as pornographic, racist, defamatory or harassing files, pictures, videos or email messages that might cause offence or embarrassment.  Staff shall not store, use, copy or circulate such material on laptops and should steer clear of dubious websites.  IS personnel routinely monitor the network and systems for such materials and track use of the Internet and serious/repeated offenders shall be reported to management which may lead to disciplinary processes being initiated where appropriate.  If you receive inappropriate material by email or other means, delete it immediately.  If you accidentally browse an offensive website, click ‘back’ or close the window straight away.  

Health and safety aspects of using laptops

Laptops normally have smaller keyboards, displays and pointing devices that are less comfortable to use than desktop systems, increasing the chance of repetitive strain injury.  Balancing the laptop on your knees hardly helps the situation!  Limit the amount of time you spend using your laptop.  Wherever possible, place the laptop on a conventional desk or table and sit comfortably in an appropriate chair to use it.  If you tend to use the laptop in an office most of the time, you are advised to use a ‘docking station’ with a full-sized keyboard, a normal mouse and a display permanently mounted at the correct height.  Stop using the portable and consult Health and Safety for assistance if you experience symptoms such as wrist pain, eye strain or headaches that you think may be caused by the way you are using the portable.

top

Encryption

All new laptops will come with encrypted hard-drives. This will require pre-boot authentication of which the credentials will be supplied upon issue. This is not optional. All previously issued laptops that are not already encrypted shall be encrypted during routine servicing.

Laptop Servicing

It is Hampshire Fire & Rescue policy that any laptop that is issued to a member of staff be serviced annually. The Service Desk will contact you near the time that your laptop is due a service, offering a list of available dates that the service can be performed.  Laptop services take up to 2 full working days due to encryption and are required before 10:00 A.M.

In accordance with the ‘HFRS Software Compliance’ policy the Information Services Department reserve the right to remove any software that is considered to be unauthorized and/or a security risk.