Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
medDigital allows its employees to work remotely in Great Britain provided they have been issued with a company
laptop, tablet or mobile phone to ensure information is protected when using these devices.
Employee use of devices not owned by medDigital to process medDigital information is prohibited.
The technical controls applied to company devices are sufficient to allow the processing of medDigital
information regardless of classification, anywhere in the world. However, staff must obtain consent before
travelling outside of Great Britain by emailing security@meddigital.com
prior to travel.
VPN
All medDigital desktops and laptops must have OpenVPN access software installed which allows them to connect to the VPN. Only when connected via the VPN can a system access the internal network.
Desktops/Laptops
In-line with our Cryptography Policy,
all medDigital information is encrypted.
The technical controls applied are:
- The C:\ drive is encrypted with Bitlocker
- Membership of the MEDDIGITAL Active Directory domain
- Permanent connection to the VPN
- After authenticating, the M: network drive is available which is encrypted, backed-up, subject to version control and audited
- Anti-virus software is always running, cannot be disabled and updates are automatically installed
- Anti-malware software is always running, cannot be disabled and updates are automatically installed
- Software firewall is always running, cannot be disabled, is automatically installed, and the ruleset cannot be modified
- Portable media presented to the device cannot be written to unless the media has been encrypted by a computer belonging to the MEDDIGITAL domain
Our Physical Security Policy and
Operations Security Policy contains
additional information.
Tablets and Phones
All tablets & mobile phones must have the Company Portal application installed so:
- To ensure the device OS hasn't been tampered with and is running a recent version of the OS
- To ensure a passcode/password is set and that it is at least 6 characters in length
- To allow the device to be remotely locked
- To check the serial number of the device against a list of known company devices
- To ensure the device is encrypted
Our Physical Security Policy and
Operations Security Policy contains
additional information.
Hardcopies
We encourage all employees and contractors not to make hard copies of any information where possible.
The information is much more secure when stored and processed electronically.
In the event that you do print information, you must ensure it is safely locked away when not in use in
line with our Physical Security Policy
Responsibilities
Paul Gardner is responsible for ensuring the availability of the VPN.
Paul Gardner is responsible for ensuring the technical controls for desktops/laptops are applied.
Individuals are responsible for the installation of the Company Portal application.
Individuals are responsible for obtaining consent to take equipment outside of Great Britain.
Individuals are responsible for exercising good judgement and considering the Information Classification Policy
when deciding to print information and to ensure that any printed information is safely locked away when not in use.