REFERENC

REQUEST

Thank you

Your reque

You asked f“Q1, How (please proetc.) Q2, The tofor the folloQ3, Pleasephones Response t

We are plea

Q1, GTS onmobile pho

Phone TypCat B100 rug

iPhone iPhone 5c iPhone 5s iPhone 6 Nokia Lumia

Nokia Lumia

Nokia Lumia

Nokia Lumia

Nokia Lumia

Nokia Lumia

Nokia Lumia

Nokia Lumia

Samsung A5

Samsung Ac

Samsung Ac

Samsung Co

CE NUMBE

UNDER TH

for your req

st

for: many mobi

ovide grand

otal cost incowing finance provide th

to your requ

ased to be a

nly holds thnes was the

2pe gged phone

a 200 a 220 a 222 a 225 a 365 a 635 a 640 a 930 5 e e 4 ore Prime

ER: IM480

HE FREEDO

quest dated

ile phones hd total and th

cluding VAT ncial years 2he policy or p

uest

able to prov

is informatie responsib

2014-2015

66I

OM OF INF

d 28 May 20

have been isthen a break

T charged fo2012 - 2013procedure w

vide a respo

ion since it’sbility of the i

5 Quan

11

4

41

37

2

1

13

11

148

4

50

67

1

2

1

24

17

1

FORMATIO

016

issued to Gokdown of m

or the use of3, 2013 - 20which instru

onse to you

s creation inindividual G

ntity Pho

1 iPho

iPho

1 iPho

7 iPho

iPho

iPho

3 Noki

1 Noki

8 Noki

Noki

0 Noki

7 Noki

Noki

Noki

Noki

4 Noki

7 Noki

ON ACT 20

overnment emake, model

of Mobile pho014, 2014 -ucts Govt em

ur request w

n April 2014Government

one Typene

ne 5

ne 5c

ne 5s

ne 6

ne S

ia 106

ia 135

ia 206

ia 208

ia 220

ia 225

ia 625

ia 635

ia Lumia 

ia Lumia 132

ia Lumia 132

015 (“the A

employees l etc e.g. Ap

hones issued- 2015 employees o

with answers

4, prior to tt departmen

2015-2

2

20

GoDOIsIMTeFaW

Act”)

since 11 Ocpple IPhone

d to Govt em

on the use o

s to your qu

his date punts.

2016

overnment OOUGLAS le of Man

M1 3PN el: (+44) 0ax: (+44) 0

Website www.

ct 2011 e 5 - 45

mployees

of mobile

uestions.

rchasing of

Quantity7

4

44

21

1

2

31

1

8

2

38

57

10

27

1

3

2

Office

01624 6862441624 685710gov.im/co

4 0

2

Samsung Galaxy 4 2 Nokia Lumia 320 1

Samsung Galaxy A5 21 Nokia Lumia 365 1

Samsung Galaxy Ace 4 66 Nokia Lumia 625 14

Samsung Galaxy Core Prime 22 Nokia Lumia 635 113

Samsung Galaxy J5 108 Nokia Lumia 636 1

Samsung Galaxy S5 1 Nokia Lumia 695 1

Samsung Galaxy S5 mini 8 Nokia Lumia 925 2

Samsung Galaxy X Cover 3 50 Nokia Lumia 930 9

Total 712 Nokia mobiles 5

Samsung Ace 4 5

Samsung B2710 1

Samsung Galaxy 3

Samsung Galaxy Ace 4 5

Samsung Galaxy Ace 5 1

Samsung Galaxy Mini 1

Samsung Galaxy mini S4 1

Samsung Galaxy phone 3

Samsung Galaxy S4 Mini 2

Samsung Galaxy S4 Mini 1

Samsung Galaxy S5 13

Samsung Galaxy s5 mini 3

Samsung Galaxy Tab 3 1

Samsung mobile 1

Samsung S5610 1

Total 448

Q2, GTS does not hold this information for the 2012-13 financial year, also the figures below do not include VAT as this is not recorded.

The costs identified include SIM rental as well as usage cost as GTS does not hold the information for just usage cost.

2012-13 information not held 2013-14 £316,558.08 2014-15 £313,107.68 2015-16 £364,925.02

Please note also that the 2015-16 figure includes costs for SMS Text Message Service which is not specifically related to mobile phone usage.

Q3, Please see attached document IOMG Mobile Device Management Policy

Your right to request a review

If you are unhappy with this response to your Freedom of Information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post to the FOI Co-ordinator, Cabinet Office, Government Office, Douglas, Isle of Man, IM1 3PN. An electronic version of our complaint form can be found by going to our website https://www.gov.im/about-the-government/access-to-government-

3

information/freedom-of-information-complaint, and a paper copy can be requested by contacting the Cabinet Office direct.

Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded.

If you are not satisfied with the result of the review, you then have the right to apply for a review of decisions by the Information Commissioner, for a decision on;

1) Whether we have responded to your request for information in accordance with Part 2 of the Act; or

2) Whether we are justified in refusing to give you the information requested.

In response to an application for review, the Information Commissioner may, at any time, attempt to resolve a matter by negotiation, conciliation, mediation or another form of alternative dispute resolution and will have regard to any outcome of this in making any subsequent decision.

More detailed information on your rights to review is on the Information Commissioner’s website at: https://www.inforights.im/

Should you have any queries concerning this letter, please do not hesitate to contact me.

Further information about Freedom of Information requests can be found at: www.gov.im/foi.

Government Technology Services

Isle of Man Government

Mobile Device Management Policy

April 2016

Contents Why is it necessary .................................................................................................. 3 Acceptable Standards for Use of mobile data and devices ........................................... 3 Scope – who and what does this policy apply to ......................................................... 4 Mobile Device Policy ................................................................................................. 5 Additonal Policy ....................................................................................................... 6 Appendix A - Terms and Conditions ........................................................................... 7

Why is it necessary Mobile technologies are transforming people’s everyday lives and in a work environment, offer an unprecedented ability to provide improved working efficiencies through access to information and services from any place at any time. This mobility is not without risk however and the most common risk with mobile devices is unauthorised access to this information and services. In an office environment there are often multiple levels of security surrounding access to electronic information physical barriers such as door access controls. Once inside the organisation a unique userId and a complex 9 digit alpha-numeric password that changes every 30 days is required in line with global best practice and UK Government guidelines. In a mobile environment however none of these physical controls exist and the employee is often familiar with an easy form of access to the device (such as a simple 6 digit PIN or even a fingerprint) and sharing the device with friends and family (allowing a friend to take a photo, or allowing a child to play a game). This policy is designed to reflect the increasing power that mobile technologies offer the organisation in potential for further productivity gains in its workforce, but also the practical risks and issues associated with doing so, and where possible to minimise these risks to an ACCEPTABLE level.

Acceptable Standards for Use of mobile data and devices The Isle of Man Government has adopted a Mobile Devcie Management system to add a layer of technical control, management and uniformity which will ultimately assist in keeping Government Information secure. The day to day management of the mobile estate and the Mobile Devcie Management (MDM) system has been delegated to GTS. This policy establishes the minimum acceptable usage standards in relation to mobile working. The intention is to provide protection to both users and Government Information by minimising any risks associated with mobile use. It does not replace any additional measures required by Departmental or Divisional Policies or Procedures. This policy does not apply to, what is commonly referred to as, radio communications equipment Where services or data are being considered for use within the mobile working environment, whether it be by email or mobile application, a risk assessment must be undertaken to ensure adequate protection is afforded. The policy is built around two core challenges:

1) Security Awareness - often users do not recognise that this ease of access represents a threat to information security and as a result users often do not apply the same vigilance, security and data protection consideration as they would on other devices such as desktop computers.

2) Convergence of work / home life - There is a demand for work and

personal information to be available on the same device – this may be allowing a work issued device to be used for personal browsing or installation of personal apps, or it may be allowing a personal owned device to access and process some work information such as simply email.

This policy is designed to address these risks through three principle pillars:

1) Awareness – Ensuring all staff who have access to organisational information or services on ANY mobile device, are aware of the security risks and the steps taken to mitigate these to protect this information, and ultimately their own employment;

2) Terms and Conditions – Ensuring all staff understand what the minimum standards are for the use of mobile devices that access any form of organisational data;

3) Personal Consent – Ensuring all staff who possess a device holding organisational information and services together with personal information, give clear consent for this information to be appropriately secured and controlled which will override any personal rights (and will allow it to be wiped).

Scope – who and what does this policy apply to People All Isle of Man Government1 employees or contractors who are provided with an organisationally owned mobile device for work related purposes – Mobile Phone, Tablet device or other mobile communications device.

Devices All mobile devices that have access to Government networks, data and systems by way of cellular telecommunications (i.e. GSM, 3G, 4G etc..) or Wi-Fi connectivity. This includes smartphones, tablet computers and other mobile communications device..

Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk assessment must be conducted being authorised by security management and an appropriate risk raised within the Department’s Risk Register. This policy does not apply to radio systems such as Tetra

1 For the purposes of this document “Isle of Man Government” or “Government” is taken to mean all

‘designated bodies’ as defined within the Financial Regulations

Mobile Device Policy

1. Mobiles supplied by IOMG are supplied primarily for business use. While personal use of mobiles is permitted such use must adhere to this policy and the requirements of Financial Regulations.

2. IOMG may provide a mobile to any employee, including contractors, temps and other third parties, where it is considered necessary to maintain contact with that person both within and outside normal office hours. This may be determined by line managers and will be based on operational considerations.

3. A limited range of mobile devices will be made available under the terms of the contract with the chosen supplier – No mobiles other than the approved range will be supported by the contract and GTS. Details of the devices can be found in the Product Catalogue published on the the IOM Government Intranet.

4. Unless exceptional circumstances exist only the basic models of mobile should be purchased.

5. Where exceptional circumstances exist a business statement must be produced demonstrating why additional functionality is required for a particular user or group of users. This business statement must be approved by the departments accounting officer.

6. Employees may continue to use their own personal devices and provide a contact number. (There will be no access to Government information by this method.)

7. Where provision of an IOMG mobile is the most cost efficient option employees will be encouraged to adopt this option.

8. All users of IOMG mobile devices for personal use must adhere to the Financial Guidelines 12 “Use of Government Assets”

9. Any personal use of IOMG mobiles will be subject to scrutiny and regular monitoring.

10. Where employees are allocated a Government owned mobile device, personal calls, whether incoming or outgoing should be kept to a minimum.

11. Mobile services, applications and ALL content may be withdrawn or possibly remotely wiped from a user SIM or device without prior notification in the event of abuse, legal or reputational issues or anything relating to service improvement or availability.

12. Any persons using the services offered by IOMG for mobile device working must conform to all relevant legislation (current and future) on the use of mobile devices and mobile services together with IOMG Policy.

13. Under no circumstances should a Government SIM card be placed into a non-Government device.

Additonal Policy Your attention is drawn to the Isle of Man Government Electronic Communication and Social Media: Policy, Standards and Guidelines And the guidance contained in Guidelines for the use of Electronic Communications and Social Media’

Appendix A - Terms and Conditions These terms and conditions are mandatory for the scope above and all individuals falling within the scope of this policy should ensure they understand these minimum standards and the consequences of breaching them or any other relevant Government Policy. Awareness 1. All users must complete a Security Awareness Training programme within 1 month of

being issued with an organisational device;

2. All users must undertake refresher training at least annually or more regular if deemed a requirement by virtue of role or change of circumstances;

3. All users should remain vigilant at all times when allowing any mobile device to access

organisational information and services and take necessary steps to ensure unauthorised access is not permitted and the device whereabouts is known at all times;

4. Use of the devices must only be in accordance with Legal, Regulatory and IoM Government Policy requirements.

5. Users must report all lost or stolen devices to GTS immediately by phoning 685556 (GTS 24/7 response) and fill out the Information Security Reporting document

6. If a user suspects that unauthorised access to Government data has taken place via a mobile device they user must report the incident in alignment with Isle of Man Government Security incident reporting process – Information Security Reporting

7. Users may must be cautious about the merging of personal and work email accounts on

their devices. They must take particular care to ensure that Government data is only sent through the Government email system. If a user suspects that Government data has been sent from a personal email account, either in body text or as an attachment, they must notify Isle of Man Government GTS immediately and submit a Security Incident Report.

8. The Mobile Working Policy, together with these Terms & Conditions, do not obviate any

responsibility to comply with additional security measures applied by departmental or Divisional policy and procedures.

9. Users should acquaint themselves with the requirements of Financial Regulations in

respect of using mobile devices for Government purposes and in particular Financial Guidelines 12 & 13.

10. All mobile devices that connect to Isle of Man Government networks or

services must be enrolled into the Mobile Device Manager. Please ensure your device is enrolled if not contact GTS support.

Core Terms and Conditions Organisational Issued Devices Operating System

Devices must only use the current operating system level as approved by GTS.

Users must not upgrade the device to any new levels without prior consent from GTS

Devices must not be “jailbroken” or have any software/firmware installed which is designed to gain

access to functionality not intended to be exposed to the user.

Users must not load pirated software or illegal content onto their devices.

Password Policy

Devices must store all user-saved passwords in an encrypted password store.

Devices must be configured with a secure password that complies with Isle of Man Government’s password policy.

Connecting to other devices

Devices are not allowed to connect directly to the Government network at any time (e.g. plugged into PC) – without prior approval from GTS.

Users must not use Government workstations to backup or synchronise device content such as media files unless such content is required for legitimate business purposes.

Devices must not be connected to a PC which does not have up-to-date and enabled anti-malware protection and which does not comply with Government policy.

Information & Applications

Users must only load essential Government data onto their mobile device(s).

Applications must only be installed from official GTS approved sources. Installation of code from un-trusted sources is forbidden. If you are unsure contact GTS. (Authorised sources are iTunes App Store, Windows Store and Google Play)

Personal Use

Users are allowed to make reasonable personal use of the device including the installation of applications from official GTS sources as above.

Users may must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that Government data is only sent through the Government email system.

Personal Consent In order to protect Isle of Man Government information, all users within the scope of this policy must accept that in order to ensure the security of such information, it may be necessary from time to time to remotely wipe the device – either for the purposes of upgrade or should the device be believed to be lost or compromised (including multiple wrong password attempts). For organisational issued devices this may mean that any personal information and applications are lost - Isle of Man Government accepts no responsibility for any such loss and it remains the responsibility of the user to ensure any personal information of value stored on the device is backed up appropriately. Consequently by accepting this policy and the terms and conditions of use, the user is also giving consent for personal information held on the device to be deleted from time to time and accepts responsibility for ensuring any such information of value is appropriately backed up.

I hereby acknowledge receipt of the terms and conditions laid out above for the

Issuing of an organisationally owned mobile phone or tablet to access Government information

Name : ____________________________________________ Date : ____________________

Government Technology Services Cabinet Office

1st Floor, St Andrew’s House, Finch Road, Douglas, Isle of Man, IM1 2PX, British Isles