Like most of our business customers, your organisation will probably purchase their own computers, tablets or mobiles from us and have them pre-configured in such a way that ensures they support GDPR or Cyber Essentials compliance.
From time to time though, you may want some service users (who are often not employees) to access your IT systems using equipment that is not owned by your organisation.
On the face of it this is a pretty straightforward request, but dig deeper and you’ll see this can present greater security and privacy risks. Such third party access to your systems ought to be carefully considered and a policy set to address this eventuality.
If you do not have a policy in place then this is the one we will attempt to enforce – though in line with our Policies and Procedures Framework if you do have a policy then we’ll adhere to that instead.
This policy allows users who are not members of staff, and who do not have access to devices owned by your organisation, to access your IT systems in an acceptable way. The policy is not suitable for people who have access to a large quantity of sensitive information, for example employees, who should be issued with equipment owned by the organisation.
Example Service List
- Access to emails, files and other data using internet based services (e.g. Microsoft 365 / Hosted Exchange / Nextcloud )
- Access to the company network and all services thereon (e.g. by connecting to the wired or wireless network either directly or via VPN)
- Access to the organisation’s other systems (e.g. accounts, web site etc.) from any location using a browser or proprietary software.
Standards and Requirements List
The user is obliged to ensure the following:
- Any computer they use to access the services is wholly owned by them.
- Any computer they use to access the services has an operating system that is current and up to date and is kept so on an ongoing basis.
- Any computer they use to access the services has a robust antivirus and firewall package installed which is configured with real-time protection and to perform at least daily updates and weekly threat detection scans.
- Any computer they use to access the services is protected with a password that is both strong and secret and will not be used by any other person – even a partner or other family member and especially a child.
- Any computer they use to access the services is to have full disk encryption enabled.
- When they have finished using the services they log out, or ensure the device is locked so another person cannot access the services.
- They have read, understood and agree to comply with the organisation’s various privacy policies and statements.
- They are “GDPR Aware” and have undergone GDPR training as necessary.
- Any emails they send or receive in respect of the organisation’s business are sent and received strictly via the provided mailbox.
- Any personal data pertaining to the user that does not relate to his or her role in the organisation does not become stored in the organisation’s data storage systems.
- Personal mobile telephones or tablets are wholly owned by the user and must not be used to access the service unless they are suitably protected with passwords, encryption and updates.
- Sensitive documents pertaining to the organisation must not be saved to local storage unless absolutely essential and the documents will be deleted when no longer required.
- Sensitive documents pertaining to the organisation must not be saved to USB storage unless absolutely essential, and in such cases an encrypted USB stick must be used.
- Sensitive documents pertaining to the organisation must never be saved to any remote storage system other than those recognised and managed by the organisation.
- The third party agrees that at the outset of the access and from time to time, an IT specialist can inspect the computer to ensure these needs are met.
Once the organisation or its IT support contractors are satisfied these obligations will be met, accounts can be set up and support can be provided. This provides for mailbox backup, potential for oversight of what has been sent to or from the mailbox (as directed by a CEO or director only), enforces the organisation’s email signature and allows the organisation to revoke access to sensitive emails. Access to the mailbox should be revoked if a person ceases to have a role with the organisation.