Key provides a variety of devices and services to staff.
|
Business devices |
When we provide you with a device or service, it must be:
If a device is portable or battery operated, you must have the device and its charger with you whenever you attend work. You must use only this device and cannot opt to use a personal device in its place. If the device supports Wi-Fi, you should ensure that you are connected to Wi-Fi in Key’s offices and at home. Where we provide you with a device it will be managed by us. This is to enable us to keep it up to date, apply security updates and monitor its use. We will endeavour to do this “behind the scenes” as much as we can. If updates require that you restart your device, you should do this as soon as possible after the updates have installed. If you do not do this our management software will force a restart. This may not be at a time that is convenient for you. If a device we have provided to you is damaged or lost, you must report this to the ICT Support Team without delay. If you leave Key, you must return devices to ICT in full working order. |
|
User accounts |
Everyone who works with us is provided with a Microsoft 365 account. This account provides access to Microsoft’s online services, as well as apps on smartphones and other devices. Whenever we shop or bank online, we are asked to verify our identity. This is often in the form of a username and password. Nowadays, we are often asked for additional information. This may be answering a security question, using a code shared by text, a phone call or by using an app or device. This is called multi-factor authentication. When accessing our services, we will ask for 2 ways of verifying who you are. This is something we must do to preserve our Cyber Essentials accreditation. We are contractually obliged to maintain our Cyber Essentials status. Your Microsoft 365 account can store several additional ways in which to verify your identity. We encourage you to set up at least 2 additional methods. The primary method should be the Microsoft Authenticator app. |
|
Online services |
The organisation uses Microsoft 365 and a small number of approved services such as Canva. Microsoft 365 is a collection of online apps and services. Included are apps for messaging, meeting, and collaborating, as well as email and web versions of the core Office apps. Users can access these apps and services on a variety of devices wherever they are. Requests to use other online services should be made to the ICT Support Team. If a requested service replicates something available in Microsoft 365, we will direct you towards the feature we already support. |
|
Apps on business devices |
Smartphones, tablets, and computers are provided with a standard set of apps that enable the use of Microsoft 365, virtual desktop infrastructure (VDI) and other approved business applications. Additional apps may be installed on smartphones and tablets by contacting the ICT Support Team. If you request an app we have not vetted for others, it will be subject to a security review. For example, apps often store data on their servers. The Data Protection Act 2018 requires organisations to confirm data is stored only within the UK or the EU. Apps that do not store data within the UK or the EU cannot be used. |
|
Messaging apps |
Collaborating with colleagues must be restricted to the apps we provide. You must not use other apps, even on personal devices, to message or share information that relates to Key’s business. Microsoft Teams is a workspace for real-time collaboration and communication, having meetings, and for sharing files and apps. It is available to everyone working with us. This app is our preferred tool for accessing the information you need to do your work. SMS (standard text messages) must always be a method of last resort and must never be used for time-sensitive messaging. |
|
|
Email is a method of communication available to everyone and is to be used solely for business purposes. Email is the most common route for cyber-attacks, and we are working to reduce its use. You should open every email with caution and suspicion. Your emails must reflect Key’s values, protect sensitive information, and support effective collaboration. If an email includes sensitive or personally identifiable information (in its text or as an attachment), it must be encrypted before sending. Support workers and relief register workers must not routinely email persons outside the organisation. Exceptions to this restriction can be agreed with your Support and Development Manager and are subject to regular review and monitoring. Your mailbox is not to be used as a general repository for records. Emails must be retained or deleted in accordance with Key’s Record Retention and GDPR policies, and should also be considered in line with our Confidentiality policy and relevant codes of practice/conduct. Emails and attachments that require to be retained should be saved to an appropriate directory within our shared network and cloud document repositories. Emails that are not required for operational, legal or recordkeeping purposes should be deleted as soon as they’re dealt with. Removing irrelevant or out-of-date messages should be a routine practice for all users. |
|
Monitoring of use |
Microsoft 365 allows us to gather a range of information about how both devices and user accounts are used. Any communication sent or received, and any document created or edited via Microsoft 365, is the property of the organisation and can never be considered private for the purposes of monitoring or auditing. Monitoring may be carried out by ICT staff or senior and line managers. Senior and line managers can request time-limited access to another person’s account via the ICT Support Team. The access will be logged, detailing the purpose of the request. |
