Devices and services

Business devices

When we provide you with a device or service, it must be: 

  • Used for work purposes only.
  • Used only by you, unless specified as a shared device.
  • Used in a manner that is ethical, legal and upholds our values.

If a device is portable or battery operated, you must have the device and its charger with you, ready to use whenever you attend work.

If the device supports Wi-Fi, you should ensure that you are connected to Wi-Fi in Key’s offices and when using the device at home.

Where we provide you with a device it will be managed by us.  This is to enable us to keep it up to date, apply security updates and monitor its use.  We will endeavour to do this “behind the scenes” as much as we can.

If updates require that you restart your device, you should do this as soon as possible after the updates have installed.  If you do not do this, our management software will force a restart.  This may not be at a time that is convenient for you.

If a device we have provided to you is damaged or lost, you must report this to the ICT Support Team without delay.

User accounts

Everyone who works with us is provided with a Microsoft 365 account.  This account provides access to Microsoft’s online services, as well as apps on smartphones and other devices.

Whenever we shop or bank online, we are asked to verify our identity.  This is often in the form of a username and password.  Nowadays, we are often asked for additional information.  This may be answering a security question, using a code shared by text, a phone call or by using an app or device.  This is called multi-factor authentication.

When accessing our services, we will ask for 2 ways of verifying who you are.  This is something we must do to preserve our Cyber Essentials accreditation.  We are contractually obliged to maintain our Cyber Essentials status.

Your Microsoft 365 account can store several additional ways in which to verify your identity.  We encourage you to set up at least 2 additional methods.  The primary method should be the Microsoft Authenticator app.

Online services

The organisation uses Microsoft 365 and a small number of approved services such as Canva.  Microsoft 365 is a collection of online apps and services.  Included are apps for messaging, meeting, and collaborating, as well as email and web versions of the core Office apps.

Users can access these apps and services on a variety of devices wherever they are.

Requests to use other online services should be made to the ICT Support Team.  If you request a service we have not vetted for others, it will be subject to a feature and security review.  If a requested service replicates something available in Microsoft 365, we will direct you towards the feature we already support.

Logical access control

This is a security process that manages access to resources such as computers, networks, and data. It ensures only authorised users can access specific environments, protecting sensitive information from unauthorised access, tampering, or theft. It requires the validation of an individual's identity through some mechanism, such as a password, PIN, card, biometric, or other token.

We provide logical access using the principle of “least privilege.” This ensures that users and systems have the absolute minimum access required to perform their daily tasks, thereby reducing the potential for, and impact of, security breaches.

Apps on business devices

Smartphones, tablets, and computers are provided with a standard set of apps that enable the use of Microsoft 365, virtual desktop infrastructure (VDI) and other approved business applications.

Additional apps may be installed on smartphones and tablets by contacting the ICT Support Team.  If you request an app we have not vetted for others, it will be subject to a security review.  For example, apps often store data on their servers.  The Data Protection Act 2018 requires organisations to confirm data is stored only within the UK or the EU. Apps that do not store data within the UK or the EU cannot be used.

Messaging apps

Collaborating with teammates must be restricted to the apps we provide. You must not use other apps, even on personal devices, to message or share information that relates to the organisation’s business.

Microsoft Teams is a workspace for real-time collaboration and communication, having meetings, and for sharing files and apps. It is available to everyone working with us. This app is our preferred tool for accessing the information you need to do your work.

SMS (standard text messages) must always be a method of last resort and must never be used for time-sensitive messaging.

Email

Email is available to everyone, and it is to be used solely for business purposes.  Email is the most common route for cyber-attacks, and we are working to reduce its use.  You should open every email with caution and suspicion.

Your email address is effectively an electronic representation of our letterhead.  You must not put anything in an email that you would not put in a paper-based memo or letter.

If your email includes sensitive or personally identifiable information (in its text or as an attachment) it must be encrypted before sending.

Support workers and relief register workers must not routinely email persons outside the organisation.  Exceptions to this restriction must be agreed with your Support and Development Manager.  Concessions should be locally documented and subject to regular review and monitoring.

Monitoring of use

Microsoft 365 allows us to gather a range of information about how both devices and user accounts are used.

Any communication sent or received via Microsoft 365 is the property of the organisation and can never be considered private for the purposes of monitoring or auditing.  Monitoring may be carried out by ICT staff or senior and line managers.

Senior and line managers can request time-limited access to another person’s account via the ICT Support Team.  The access will be logged, detailing the purpose of the request.