Management of corporate and personal devices

This policy specifies the requirements for administrators and developers when using corporate or personal devices with the HeartAI source code or with HeartAI platform components. This includes devices that may access sensitive information or may access networks that host sensitive information.

Policy

  1. For the purposes of this policy, the following definitions of corporate and personal devices apply:
    1.1. A device is any item that is capable of processing information, including sensitive information. This includes but is not limited to: desktop computers, laptop computers, tablet devices, and mobile devices.
    1.2. A corporate device is any device that has been issued and is managed by a responsible corporate entity. This may include organisations such as SA Health, SAHMRI, Flinders University, and associated institutions.
    1.3. A personal device is any device that is the personal property of an administrator or developer. It is typically understood that personal devices are less regulated by organisational and administrative governance, and therefore restrictions are placed on these devices for the purposes of managing sensitive information.
  2. In relation to the management of sensitive information:
    2.1. For administration or development of HeartAI platform components, devices may only hold sensitive information where the device is an approved corporate device of SA Health, or there exists an approved agreement between SA Health and a collaborating organisation. For the latter relationship, the device must be a corporate device of the collaborating organisation, and the management of the device should align with SA Health policies for the management of corporate devices.
    2.2. This requirement also extends to devices that are accessing HeartAI platform networks, such as through a virtual private network connection, where these networks may hold sensitive information.
    2.3. Following agreement with HeartAI administrators, personal devices may be used for the development of HeartAI platform components. In these circumstances, personal devices must not hold sensitive information and must not access networks that hold sensitive information.
    2.4. For devices that hold sensitive information, if the permission to access this information is revoked or if this information is no longer required for use, the information must be securely removed from these devices. This must include appropriate mechanisms to ensure that the information cannot be recovered, for example by overwriting the corresponding storage locations with random data.
  3. In relation to the management of corporate and personal devices:
    3.1. Corporate devices must be managed with an appropriate governance and policy structure, and should make reasonable efforts to align with SA Health policies.
    3.2. Corporate devices must meet a reasonable standard of device management, including specifications for: device updates, device access control, device encryption, and device malware detection. Corporate devices should also have corresponding service-level support where appropriate.
    3.3. Personal devices should aim to meet a similar level of device management where appropriate. HeartAI administrators should regularly review the use of personal devices to ensure a reasonable standard of device management is achieved.
  4. In relation to the ongoing review of this policy:
    4.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    4.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    4.3. This policy welcomes suggestions and feedback.
  5. In relation to the governance and compliance of this policy:
    5.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    5.2. Where this policy does not provide a specification for, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy will take precedence. HeartAI administrators will resolve policy deficits by approved modification or extension of HeartAI policy.
    5.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.