BYOD | Guideline


Policy on handling Private IT Devices (BYOD) and Business IT Devices, including Mobile IT Devices


1. Motivation / Preamble

The use of mobile IT end devices is a matter of course today and continues to increase. In addition to private use, there is a wide range of applications in the professional environment. Colleges and universities have recognised the advantages of mobile devices and are using them to support and optimise business processes and for mobile working. Students use mobile devices for personal organisation and for a variety of processes and services related to their studies. The increasing prevalence, the ever-growing range of functions of mobile devices and the self-evident, ever-deeper integration into existing processes also bring with them downsides: the more these devices are integrated into the system landscape and business processes of the university and the more important they become, the greater their potential risk to the university. On the one hand, this concerns IT security and, on the other, the risk that official university information is only stored on a mobile device and not on the university's storage space. This means that data security is not guaranteed and the availability of data for authorised departments is not ensured.

Privately purchased (mobile) devices are often also used for business purposes. As a rule, these devices are not designed by the manufacturer for professional use (in terms of data protection and IT security). It can therefore be assumed that data security is not guaranteed. Another problem is that no clear boundaries are drawn between personal and professional applications or data.

Conversely, in practice, work devices are also used for private purposes (e. g. email traffic). As access to business devices by the department is always permitted in principle, precautions must be taken to ensure that the rights of the data subjects are not violated in accordance with the EU GDPR.

2. Goal, Scope of Application and Users

The goal of this policy is to ensure that all organisational units at TU Braunschweig use IT devices that are secured and maintained in accordance with the state of the art. This also includes private (mobile) IT devices used for business purposes and business devices with proportionate private use.

In the context of this policy, 'mobile IT devices' refer to hardware that can directly or indirectly transfer data to other network-connected systems and is not permanently installed at a fixed location. This includes notebooks, laptops, tablets and smartphones.

Improper handling of IT and communication systems exposes TU Braunschweig to unforeseeable risks, which can have considerable consequences. In the case under consideration here, these could include the compromise by malware of systems, (sub)networks or the services offered. Implementing the requirements below significantly strengthens the IT security of TU Braunschweig.

A further goal of this policy is to ensure that members of TU Braunschweig comply with legal regulations when processing private data on official devices or official data on private devices, in particular with regard to data protection laws and the EU General Data Protection Regulation (EU GDPR), and thus avoid legal violations.

The following rules are intended to minimise the risk to IT operations as far as possible, to make work on and with the IT infrastructure of TU Braunschweig as secure as possible and to impair the efficiency of IT-supported work processes as little as possible.

A prerequisite for the business use of private devices as well as for the private use of business devices is the individual signing of the corresponding supplementary agreement between TU Braunschweig and the members and affiliates in accordance with the basic regulations of TU Braunschweig.

To simplify the scope of application, the following illustration can be used for orientation:

3. Use of Private Devices for Business purposes

The use of private devices for business purposes is only permitted with the prior approval of the OU management. The approval must be documented, and the OU must maintain and keep an up-to-date list of privately owned IT devices used for business purposes. The use of private devices for business purposes may only be granted if the employee has signed the supplementary agreement to the employment contract provided by the HR department on the use of private IT devices for business purposes and the private use of business IT devices, in which the details of access by the department are specified. The department must be granted access to business data within a reasonable timeframe. The supplementary agreement must also stipulate that the business data will be returned to the department and then securely deleted from the private device when the employee leaves the university or when the private device is sold. The supplementary agreement must also stipulate that the rules set out in this directive are also complied with on private IT devices used for business purposes (see next paragraph). Responsibility for compliance lies with the employee. The department must be able to monitor compliance with the rules (see paragraph 8. Further recommendations).

The statutory regulations on data protection and information security require that the department can ensure compliance with data protection on every IT device at all times, including private IT devices used for business purposes. In particular, this includes the obligation to demonstrably implement the rights of data subjects under the EU GDPR (right to erasure, right to rectification of incorrect data, right to information about stored personal data) on these devices as well. In accordance with the information security regulations, the department must also be able to access these IT devices at short notice in the event of information security incidents as part of security measures and for technical investigations.

Conversely, it must be ensured that the department does not access the private data on the private IT devices without sufficient prerequisites (e. g., when assisting law enforcement authorities). This requires a visible separation between private and business data when accessing the private IT device.

The establishment of this separation, e. g. through separate folders, is the responsibility of the user. The department may have unrestricted access to all data either marked as work-related or not marked as private. When accessing the device, the department must respect the employee’s privacy.

Any access by the department to private devices used for business purposes may only occur in compliance with the four-eyes principle. The affected person must be permitted to be present during the inspection.

4. Use of Business Devices for Private Purposes

The private use of work devices is only permitted if this use has been approved by the head of the organisational unit. The approval must be documented, and a list of business IT devices used for private purposes must be maintained and kept up to date. Private use shall only be permitted if the employee has signed the supplementary agreement provided by the personnel office regarding the business use of private devices and the private use of business devices, which sets out the details of departmental access. It must also be stipulated that the private data is securely deleted when the employee leaves the university and when the work device is returned to the department. Responsibility for compliance lies with the employee. The department must be able to monitor compliance with the rules (see section 8. Further recommendations).

As with private devices, private and business data must be visibly separated on the work device. Establishing this separation, for example through separate folders, is the responsibility of the users. The department may access without restriction any data that are either marked as business-related or not marked as private.

When the department accesses a device, the employee’s privacy must be safeguarded. Any access by the department to privately used business devices may only occur in compliance with the four-eyes principle. The affected person must be permitted to attend the inspection. For devices that have not been approved for private use, the department has unrestricted access.

5. Rules for all Users of the TU Braunschweig IT Infrastructure

In order to access the IT infrastructure of TU Braunschweig, the following is mandatory for all persons covered by this regulation:

  • All devices must be provided with an access lock (PIN code, password or similar) to prevent unauthorised use.
  • Automated locking of the device after a reasonable period of inactivity is mandatory. A maximum inactive period of 5 minutes for smartphones or notebooks, tablets or similar systems should only be exceeded in justified exceptions.
  • Storage media in mobile devices must be encrypted to protect stored data if the device is lost.
  • The operating system and applications should be updated regularly - ideally automatically.
  • Security-relevant updates must be installed immediately.
  • If no security-relevant updates are available or applicable for known security vulnerabilities, but so-called workarounds are known that prevent them from being exploited, these must be used.
  • Devices for which security vulnerabilities have not been fixed may not be operated in the IT infrastructure of TU Braunschweig.
  • IT devices must be used with user accounts that have restricted (non-administrative) rights. User accounts with administrative privileges may only be used temporarily and exclusively for administrative purposes.
  • Active malware protection software ("virus scanner", "endpoint protection") must be run on all devices. Automated or regular updates are mandatory. On devices where this cannot be realised, suitable alternative measures approved by the CISO must be implemented.

The following also applies:

  • Software must be installed only from trustworthy sources (e. g. the stores of the major providers: Google (Play Store), Apple (App Store), Microsoft (Microsoft Store)). If this is not possible, the trustworthiness of the source must be ensured by other suitable measures. For Android devices without access to the official Google Play Store, F-Droid is recommended as the app store, unless a work instruction recommends otherwise. The trustworthiness of other sources should be technically traceable, which can be proven, for example, by cryptographic signature, original packaging, manufacturer website or similar. We strongly advise against sideloading software and obtaining it via online auction houses, filesharing networks or third-party websites if it cannot be ensured that an unaltered product is being obtained.
  • When installing software, the permissions requested by the software to be installed must be checked. Software that requests permissions with no discernible relation to its functionality should be avoided, or the requested rights should be limited to the bare minimum (for example, a torch app with access to the location, or a calculator app with access to the calendar and contacts). Caution is particularly advised with small and/or free programmes, e. g. games and torches, but also email and calendar clients. The business model should always be scrutinised here. There is often a risk of unauthorised data collection, the introduction of malware or the transfer of data to third parties that does not comply with the EU GDPR. Email and calendar programmes often store the account data of email accounts in a vendor cloud. This is not permitted under the EU GDPR.
  • Mobile devices must always be kept on the person or in a safe place to prevent theft or loss (for notebooks in the office or at conferences, for example, Kensington locks have proven to be effective in protecting against opportunistic theft). The simplest measure is to lock the office.
  • Devices must never be left unattended in public areas to prevent physical manipulation and theft. (For example, in a locked vehicle, devices that are left in plain sight are at increased risk of theft.)
  • Only trustworthy and state-of-the-art encrypted WLAN access points may be used. If this cannot be guaranteed, the VPN connection provided by TU Braunschweig with encryption of all data traffic must be used. Exceptions for problematic third countries are regulated in a work instruction. (For example, WLAN access points must have at least WPA2 standard encryption. The VPN of TU Braunschweig is to be used with the setting "Tunnel-AllTraffic". The usability of VPN in certain third countries can be problematic.)
  • Planting compromised storage devices (e. g. USB sticks) is a known gateway for the introduction of malware. Therefore, the use and connection of data carriers and (USB) devices from unknown or untrustworthy sources is not permitted. Foreign storage devices and (USB) devices must be checked to ensure they are safe before use. This applies in particular to storage devices of unknown or problematic origin, which must first be checked with a scan programme (e. g. Desinfect from Heise-Verlag) or at scan stations or data locks of known manufacturers before being connected to the IT infrastructure of TU Braunschweig.
  • Mobile devices should not be connected to external infrastructure via USB/Lightning without protective measures against attacks, not even to charge the device's battery. (For example, when charging at airports, in hotels, or from ports of third-party devices such as power banks, a USB data blocker should always be used. Using your own charger is the simplest protective measure.)
  • Only necessary apps or applications should be installed; apps or applications that are no longer required should be uninstalled, as every installed application represents a potential point of attack through which data can flow out or an attacker can gain access to the device.
  • Interfaces and functions that are not required should only be activated when they are needed. This excludes them as a potential attack surface. (For example, Bluetooth, Apple AirDrop, WLAN, NFC, developer modes, USB development mode should be switched off if they are not in use.)

6. Rules for all Employees of the TU Braunschweig

In addition to the above rules, the following rules are binding for all employees of TU Braunschweig, both for business mobile and non-mobile IT devices and for private mobile and non-mobile IT devices used for business purposes.

If the following rules cannot be complied with, the device in question may not be used for business purposes.

  • Only necessary apps and applications may be installed. Apps and applications that are no longer required must be uninstalled. Every installed application represents a potential point of attack through which, for example, data can flow out or attackers can gain access to the device.
  • On multi-user systems, it must be ensured that each user only receives exactly the privileges they need to fulfil their service tasks. User accounts that are no longer used must be removed from the system immediately.
  • Software must be installed exclusively from trustworthy sources (e. g. the stores of the major providers: Google (Play Store), Apple (App Store), Microsoft (Microsoft Store)). For Android devices without access to the official Google Play Store (e. g. LineageOS, /e/OS, ...), F-Droid must be used as the app store. The trustworthiness must be technically verifiable (cryptographic signature, original packaging, etc.). Sideloading apps and purchasing software via online auction houses and exchange platforms is not permitted if it cannot be ensured that an unaltered product that is permitted under licence law is being obtained.
  • Mobile data carriers (USB sticks, SD cards, external SSD hard drives, etc.) must be encrypted as soon as documents with the classification TLP:AMBER, TLP:AMBER+STRICT or TLP:RED (or a comparable categorisation of another classification system) or personal data of protection level D or E are stored. Encryption is also recommended for lower protection levels. In addition, the legal regulations regarding confidentiality apply.
  • Only by reporting the loss of a device used for business purposes (including private devices) can the associated liability issues be transferred to TU Braunschweig and, if necessary, personal liability avoided.

    For reporting, the currently published reporting process must be followed. In particular, the relevant bodies such as the responsible IT administration or the immediate supervisor must be informed, with the involvement of the Information Security Officer and, where applicable, the Data Protection Officer and the data protection management.

    The positions can be reached at the following addresses:
    - the Information Security Officer soc(at)tu-braunschweig.de,
    - the Data Protection Officer datenschutz(at)tu-braunschweig.de,
    - the Data Protection Management dsmgmt(at)tu-braunschweig.de.

    Furthermore, all credentials (passwords, cryptographic keys, etc.) that were used on a lost device must be changed immediately or the corresponding access must be deactivated to prevent unauthorised use. Device authorisations based on certificates or hardware features must be blocked immediately. If possible, a remote deletion of the device must be initiated, e. g. via ActiveSync, MDM (Mobile Device Management), the device manufacturer (Apple iCloud, Google Account) or the mobile phone provider. For private devices or privately used business devices that are reset by TU Braunschweig, the consent of the employee is required.
  • Lost, leaked or compromised access data, authorisation credentials and hardware tokens must be reported immediately and blocked immediately by the staff responsible for access to TU Braunschweig's IT infrastructure; passwords must be changed immediately. Reasonable suspicion must be reported. Otherwise, the above procedure applies.
  • If it cannot be ruled out that a mobile device has been accessed by an unauthorised person (with potential access to the data on the device) in the meantime, the same procedures must be followed as for the loss of a mobile device. Device erasure may be waived in individual cases if manipulation of the device (e. g. installation of malware or hidden remote access) can be ruled out and the integrity of the stored data can be ensured.
  • Handing over an unlocked work device or a privately owned device used for business purposes to third parties (or negligently allowing third-party access to data) is prohibited. Handing over a work device or private device used for business purposes to third parties is only permitted under the supervision of the employee, who must ensure that no access to business data takes place.
  • Only software for which the required licences are available may be installed and used.
  • The installation of software not used for business purposes on business devices is not permitted.
  • If available, lists provided by TU Braunschweig of software that may or may not be used on work and private devices must be observed.
  • Any modification or manipulation of the operating system to obtain administrative rights (so-called "jailbreaking" or "rooting") of devices used for business purposes is not permitted. After notification to the Information Security Officer, devices whose business use necessarily requires administrative rights may be exempted from this rule. Such an exemption may be revoked at any time.
  • Before decommissioning - especially in the case of private devices used for business purposes - the business data stored on the device must be backed up accordingly if necessary and irretrievably deleted in any case. The configuration of the device must be reset so that the device can no longer be used to access protected resources such as email access, file storage or VPN access. This also applies to the sale and transfer of (private) devices used for business purposes.
  • The backup of business data to university systems, for example by using the university's own cloud or shares, must be ensured. Synchronisation mechanisms in the cloud of the operating system manufacturer of the mobile device must be minimised or avoided as far as technically possible.
  • Access by the mobile devices of visitors, guests and students must be restricted to special networks (eduroam, guest network, temporary conference network, etc.) within the university's IT infrastructure, which are separated from the rest of the IT infrastructure by security measures (firewalls, etc.). Only the services that these groups of people need to fulfil their tasks are to be made available in these networks (e. g. access to the Internet, special servers required for studies, conference servers, etc.).
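To make the technical rules of sections 5 and 6 checkable, the following Python script is an added example (not the policy's own code, which prescribes no data format): it evaluates a constructed device and data-carrier inventory against the section 5 device rules (access lock within 5 minutes, encrypted storage, no unfixed vulnerabilities without a workaround, non-administrative day-to-day account, active malware protection, WPA2 or better or else the VPN with "Tunnel-AllTraffic") and the section 6 rule that mobile data carriers must be encrypted from TLP:AMBER or protection level D. The record fields, the inventory and the finding texts are assumptions made for this illustration.

```python
# Added example (not the policy's own code): checks a constructed inventory against section 5/6 rules.
from dataclasses import dataclass

MAX_LOCK_TIMEOUT_SEC = 5 * 60    # section 5: auto-lock within 5 minutes
TRUSTED_WLAN = {"WPA2", "WPA3"}  # section 5: WLAN needs at least WPA2
ENCRYPTION_REQUIRED_TLP = {"TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"}  # section 6
ENCRYPTION_REQUIRED_LEVELS = {"D", "E"}                                  # section 6

@dataclass
class Device:                     # field names are assumptions for this example
    name: str
    lock_enabled: bool            # PIN / password access lock configured
    lock_timeout_sec: int         # inactivity period before automatic lock
    storage_encrypted: bool
    open_vulnerabilities: int     # known security vulnerabilities without a fix
    workaround_applied: bool      # workaround in place where no patch exists
    daily_account_is_admin: bool  # day-to-day account has admin privileges
    endpoint_protection: bool     # active, updated malware protection
    wlan_security: str            # e.g. "WPA2", "WPA3", "WEP", "open"
    vpn_tunnel_all_traffic: bool  # TU VPN with "Tunnel-AllTraffic" active

@dataclass
class DataCarrier:
    name: str
    encrypted: bool
    tlp_labels: set               # TLP labels of the stored documents
    protection_levels: set        # protection levels of stored personal data

def check_device(d: Device) -> list:
    """Return the section 5 rules the device violates (empty = compliant)."""
    findings = []
    if not d.lock_enabled:
        findings.append("no access lock (PIN/password) configured")
    elif d.lock_timeout_sec > MAX_LOCK_TIMEOUT_SEC:
        findings.append(f"auto-lock after {d.lock_timeout_sec}s exceeds 5 minutes")
    if not d.storage_encrypted:
        findings.append("storage media not encrypted")
    if d.open_vulnerabilities > 0 and not d.workaround_applied:
        findings.append("unfixed vulnerabilities and no workaround: must not be operated")
    if d.daily_account_is_admin:
        findings.append("day-to-day account holds administrative privileges")
    if not d.endpoint_protection:
        findings.append("no active malware protection")
    if d.wlan_security not in TRUSTED_WLAN and not d.vpn_tunnel_all_traffic:
        findings.append(f"untrusted WLAN ({d.wlan_security}) without Tunnel-AllTraffic VPN")
    return findings

def media_encryption_required(c: DataCarrier) -> bool:
    """Section 6: encryption is mandatory from TLP:AMBER or protection level D."""
    return bool(c.tlp_labels & ENCRYPTION_REQUIRED_TLP
                or c.protection_levels & ENCRYPTION_REQUIRED_LEVELS)

def check_carrier(c: DataCarrier) -> list:
    if media_encryption_required(c) and not c.encrypted:
        return ["unencrypted data carrier holds data that requires encryption"]
    return []

def audit(devices, carriers) -> dict:
    """Map each non-compliant device or carrier name to its findings."""
    results = [(d.name, check_device(d)) for d in devices]
    results += [(c.name, check_carrier(c)) for c in carriers]
    return {name: f for name, f in results if f}

# Constructed sample inventory, not real TU Braunschweig devices or media.
INVENTORY = [
    Device("notebook-ok", True, 300, True, 0, False, False, True, "WPA3", False),
    Device("phone-cafe", True, 600, True, 0, False, False, True, "open", False),
    Device("old-tablet", False, 0, False, 2, False, True, False, "WPA2", True),
]
CARRIERS = [
    DataCarrier("usb-slides", False, {"TLP:GREEN"}, {"A"}),
    DataCarrier("usb-hr-export", False, set(), {"D"}),
    DataCarrier("ssd-project", True, {"TLP:AMBER"}, set()),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, CARRIERS).items():
        print(name, "->", "; ".join(findings))
```

Only devices and carriers with at least one finding appear in the audit report; a device on an open WLAN is reported only when the Tunnel-AllTraffic VPN is not active.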

7. Exceptions

In principle, the number of exceptions to this regulation must be limited to the minimum actually necessary in order to maintain information security at the Technische Universität Braunschweig. In order for the current situation to fall within the scope of the exception, it must therefore fulfil the following definition.

"Exception": the exception meant is not that you are using a private device, but that you cannot fulfil one of the specific rules in paragraphs 3-6.

If, for technical or organisational reasons, it is necessary to deviate from the above rules (Paragraphs 3-6), an informal notification to this effect must be submitted to the Designated Office CISO by a person responsible for IT coordination. This notification shall include at least:

  • Two contact persons (name, e-mail address, extension) within the OU,
  • Name of the reporting OU,
  • Brief description of the device,
  • Characteristic features of the device,
  • User(s),
  • Type of data processed,
  • Specification of the deviation from the policy,
  • Reason for deviation from the policy,
  • Description of the planned measures to mitigate risks arising from the deviation,
  • Implementation status of the planned measures, including an estimate of the remaining implementation period,
  • Forecast duration of the deviation.

In addition to a valid reason, it is expected that any exception will be reported before the deviation is taken up and that it will be limited in scope, duration, and extent to what is strictly necessary.

The Designated Office CISO or an authorised person is responsible for reviewing the submitted report. The Designated Office CISO examines the reason and the proposed measures in terms of necessity, technical feasibility and security, if necessary with the advice of the GITZ, Data Protection Management and the Data Protection Officer. Submitted reports may be returned to their authors for supplementation, may be subject to additional conditions or may be rejected entirely. The Designated Office CISO regularly reports to the IT Security Board on submitted reports and decisions on exceptions.

The Designated Office CISO maintains a register to document all existing exceptions and initiates an annual review for renewal. The named contact persons are requested for an update for this purpose.

8. Further Recommendations

  • As few work-related data as possible should be stored on mobile devices. The integration of network drives or cloud-based services of the university ("on premise") is recommended for data storage.
  • The use of cloud services offered outside the university ("off premise") should be avoided, if possible, in favour of the cloud services offered by the university.

    For business trips outside the EU, further measures must be implemented in addition to this policy (see footnote on BSI recommendations). In particular, the storage of work-related data on mobile devices taken on business trips should be avoided wherever possible in order to prevent foreign secret or intelligence services or other organisations from accessing work-related data. Contrary to the above-mentioned binding requirement to generally encrypt the data, it may be necessary for legal reasons, depending on the travel destination, to omit encryption despite the general directive. In these cases, only the absolutely necessary data may be stored on the device. Under no circumstances may confidential or secret data be stored on the device. It is strongly recommended to completely reset IT devices after returning from travel to such countries.
  • If employees require technical assistance in complying with the rules, they should contact the responsible Administrators/DP-Coordinators in their organisational unit for advice and support. If, after technical support, it turns out that it is not technically possible to comply with the rule, then the device is not suitable for the hybrid usage format. If the device continues to be used for business purposes, an exception procedure must be carried out. (See paragraph 7. Exceptions)

9. Concluding Remarks

All other policies on IT security or information security and data protection as well as all other policies on the use of IT also apply accordingly to mobile devices and apply in addition to this policy.

Users whose (mobile) devices do not meet the minimum technical requirements formulated here or whose usage behaviour does not comply with the recommendation formulated here can/may be technically and/or organisationally excluded from using the university infrastructure. This also applies to the period in which any measures under labour law are examined.

10. Validity and Document Management

This policy takes effect on the date of publication following approval by the CIO Board without signature and will be circulated within the TU Braunschweig in accordance with the distribution list. All previous versions hereby lose their validity.

This document is intended for internal use only. Forwarding to third parties requires legitimisation by the CIO Board.