© 2008 Page 1 of 6

Mobile Device (including Blackberry) Policy

DQ Status Live Policy
DQ Content Controller IT (Keith Little)
Authority
Contact(s) for Help Julia Harris (Head Information Security)
Description This policy describes the rules covering use of mobile computing devices that
can be attached to BBC Networks, or containing BBC Information. This
includes, but is not restricted to, Personal Digital Assistants (PDA’s), tablets,
Smartphones, Mobile phones and Blackberries.

DQ Reference Version Date Last Reviewed

Is_18 01.00 12/03/2006 February 2008
Key Words mobile, blackberry, pda, smartphones

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Please ensure you are using the current version of the document which is located:-
on gateway :- http://guidelines.gateway.bbc.co.uk/dq/is/mobile.shtml
on bbc.co.uk :- : http://www.bbc.co.uk/guidelines/dq/contents/information_security.shtml
BBC Mobile Device (Including
Blackberry) Policy

1 Background
This is a policy that applies to employees, temps, freelancers and contractors working for the BBC and
any subsidiaries or service providers under contract and is issued under the authority of the Head of IT
and Data Assurance. It describes the rules covering use of mobile computing devices that can be
attached to BBC Networks, or containing BBC Information. This includes, but is not restricted to,
Personal Digital Assistants (PDA’s), tablets, Smartphones, Mobile phones and Blackberries.

As technology and business demand moves forward, there has been an introduction of many devices
that can be classed as Portable Media. The BBC allows usage of these devices as part of normal
business processes, but care needs to be taken over their use, and of the data that they hold

Information Processing Equipment, Internet, Intranet and e-mail access provided by the BBC is intended
primarily for BBC business use, but limited access for Personal Use is allowed.
Any enquiries should be made to the BBC Information Security Team (ism@bbc.co.uk).

2 Policy
All BBC supplied mobile devices and their contents remain the property of the corporation and are
subject to regular audit and monitoring. These devices should only be connected to a laptop or desktop
that has been approved for use at the BBC.

Users must be aware that the device contains BBC data, and take appropriate action to protect the
device from being lost or stolen.

Only devices which have been built to BBC published standards and/or from approved suppliers, should
be attached to the BBC data network either directly or through a BBC (owned or leased) PC or laptop.
This should ensure that appropriate security controls have been built into the implementation. Once
received, the user is not authorised to change any security device settings without reference to the
service desk, as they may affect the security of the device, or stop it functioning with the supplied service.
(This does not apply to resetting the PIN)

In certain business situations there is a need to attach non-BBC owned devices. Only devices that do
not directly attach to the BBC data network can be authorised (i.e. only devices that connect to a BBC
desktop or laptop PC, via infrared, Bluetooth or USB – this is restricted to a few PDA’s and
smartphones). Devices eligible for this dispensation are limited to smartphones or PDA’s that are
currently on the BBC authorised hardware list. Both the Technology Controller (was Head of Technology)
and equivalent, of the area, and BBC Information Security must have pre agreed that personal
equipment attachment is appropriate for the area concerned. These devices must have their security

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Page 2 of 6
settings (passwords etc) configured as per the requirements detailed in this document.

If a BBC owned device is lost or stolen, then the Service Desk should be contacted on x02 26333
(external 020 875 26333) as a matter of urgency, so that the BBC data network can be protected from
the device. Your call will be passed to the relevant service desk if not supported by Siemens.

Ensure that you regularly back-up BBC data on the device to BBC equipment (including Sim readers), to
protect the data from damage or loss. Where there are security settings held in the device (such as a
PDA), ensure you back the device up to a removable memory device (such as an SD card), to ensure
that it can easily be reconfigured should complete battery loss cause deletion of the data on the device
(instructions for this will be found in the device manuals). Where your device gets backed up to the BBC
network, there is no need to backup to a removable device, the backup on the BBC network will suffice.
Ensure that the backup media is securely stored, and not with the device. Devices on the MyConnect
Mobile service have secure memory locations on the phone, so the user does not need to back-up their
own security settings. The SD card may be used for additional back-up.

Do not back up data from the device to non BBC equipment.

Only applications provided with the device, or provided/approved by the BBC can be run. Please refer to
the Alarms site for further information. (http://sbsportal.bbc.co.uk/alarms/)

If the information you carry has been classified as BBC Confidential, then this information should not be
carried on mobile devices unless it is encrypted (where this facility is available on the device, where it is
not, the user must consider carefully before allowing it to be stored on the device). Blackberries will
potentially receive confidential information via e-mail, this is recognised and dispensated until an
encrypted solution is available. A facility to do this is being developed by Siemens, but until that service
is available confidential information is not allowed to be stored on mobile devices.

2.1 Authorised Device and controls table

Please ensure that your devices are configured as below:

Approved Device Security Requirement

Blackberry Alphanumeric password, locked whilst not in use.

Mobile Phone (including camera phones)
USB Memory Stick
Personal Digital Assistant (PDA)
PIN, locked whilst not in use. Please refer to the
Photographs, Filming and Recording Code Of Practice
at
http://hss.gateway.bbc.co.uk/pagedata.asp?id=858
Encrypted if confidential information stored. This
service is still under development. If the stick has the
capability of password or PIN control, the password or
PIN should be lodged with management to ensure the
ability to retrieve BBC content should the need arise.
PIN (mandatory for phone functions) and password (if
available). A 4 digit pin is the minimum acceptable
security measure, some BBC provided facilities require
the use of an 8 digit alpha numeric password.
Where BBC confidential data is stored on the PDA, it is
required that the BBC Anti-Virus (AV) solution is also

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Page 3 of 6
 used. If the device is non BBC owned, the user must
purchase and run a suitable AV solution.
CD/DVD Files should be password protected (if supported by the
hardware), once used, data should be removed from
CD/DVD and CD/DVD disposed of appropriately if a
rewritable disk, if not destroyed (Further advice can be
obtained from the Siemens Service Desk on their
published number). Data that is not deemed BBC
specific (deemed suitable for complete public
consumption) may be stored unprotected on the disk.
Where data is required to be stored on this media for
archive/reference purposes, adequate care must be
taken to ensure this data does not get disclosed to
unauthorised individuals.
Tape Files should be password protected (if supported by the
hardware), once used, data should be removed from
tape and tape disposed of appropriately. (Further
advice can be obtained from the Siemens Service Desk
on the published number). Data that is not deemed
BBC specific (deemed suitable for complete public
consumption) may be stored unprotected..
Where data is required to be stored on this media for
archive/reference purposes, adequate care must be
taken to ensure this data does not get disclosed to
unauthorised individuals.
Floppy Disk Files should be password protected, once used, data
should be removed from disk and disk disposed of
appropriately (Further advice can be obtained from the
Siemens Service Desk on the published number.)
Data that is not deemed BBC specific (deemed suitable
for complete public consumption) may be stored
unprotected.
Where data is required to be stored on this media for
archive/reference purposes, adequate care must be
taken to ensure this data does not get disclosed to
unauthorised individuals.
MP3 Players (including iPods) Certain areas of the BBC are authorised to use MP3
players. If the device is BBC owned, NO personal
music or content may also be stored. Where personal
devices are also storing BBC content, permission must
have been gained from the Technology Controller (was
Head of Technology) or equivalent. Users MUST
acquaint themselves of the legal situation for any
content stored.

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Page 4 of 6
3 What you can’t do
No changes to the security settings or configuration of any approved device can be made without prior
authorisation from IT.

Never attempt to use an unapproved device, via any method of communication, with any IT equipment
that belongs to the BBC.

Personal mobile phones with cameras and personal digital cameras are permitted in the office but must
not be used to collect and store data that belongs to the BBC.

4 Specific Rules

4.1.1 Specific points on the use of Blackberry devices.

• The pin-2-pin option is not permitted from or to BBC owned or operated devices.
• The Blackberry web client is configured to use the BBC internet provision, so is permitted.
• The Blackberry Desktop re-director software is not permitted, the only route for mail to reach the
Blackberry is to use the BBC provided BES service (this ensures appropriate security settings
are correctly applied).
• BBC Blackberry devices should not be attached to non BBC owned laptops or desktop PC’s
4.1.2 Specific points on the use of Camera Phones.

• Phones enabled with cameras should primarily be used for taking business related pictures.
However, some limited personal use is allowed, but storage must not interfere with BBC
Business use.
• Inappropriate content prohibition applies to mobile phones as it does other forms of
communication.
• Information should be downloaded to a secure device (BBC Laptop for example) and removed
from the phone at the users’ earliest opportunity.
• Privacy, only take pictures of individuals with their permission to do so, or follow current policy
where this is impractical.
4.1.3 Specific points on the use of Bluetooth enabled devices.

• Bluetooth must only be used for accessing passive devices – such as hands free kits
• Bluetooth cannot be used to communicate with a device directly connected to the BBC data
network (unless through a BBC owned or leased PC).
• Bluetooth connections must be accepted from other devices with care. Ensure the recipient is
known and agree connection security criteria in advance.
• Never run a BBC device in broadcast mode, various viruses and other schemes are prevalent
whilst in this mode
4.1.4 Specific points on the use of Infrared enabled devices.

• Infrared must only be used for accessing passive devices, no sync should be performed using
the interface (unless through a BBC owned or leased PC).
• Infrared cannot be used to communicate with other devices, and should be turned off
• No BBC data can be sent to other devices (including BBC owned ones) using the Infrared
protocol.

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Page 5 of 6
4.1.5 Specific points on the use of MP3 players (including iPods).

• BBC content should be stored in linear .wav format. News departments may select other file
types, where quality is less important. Acceptable file formats are wav, MP3, wma, AAC & MXF
• Users must consider the implications of any rights management included within the devices
selected, to ensure easy sharing of content with independents.
• No additional software should be required to allow the device to communicate with a BBC
desktop PC. Usage of iTunes is restricted at the BBC.
4.1.6 Specific points on the use of non BBC owned devices.

• Only devices currently supported as purchased BBC devices are supported. If the device
requires special software to be incorporated onto the desktop, this is not allowed.
• The permission to attach non BBC devices is prior arranged by job function and division through
the Technology Controller (was Head of Technology) or equivalent and BBC Information Security

5 Document History

Version Date Author Description

0.1 26/05/05 Julia Harris Initial Version for review by Information

Security

0.2 21/06/05 Julia Harris Version for comment by ISSG

0.3 10/07/05 Julia Harris Latest versions for comment and

ratification by ISSG

0.4 27/02/06 Julia Harris Changes incorporated to encompass

non BBC owned devices

1.0 12/03/06 Julia Harris First version.

Any change requests or comments about this document
should be addressed to: Julia Harris.

Mobile Device (Including Blackberry)

Julia Harris
Version 01.00 / 12/03/06
Page 6 of 6