1. Introduction
Mobile devices, such as smartphones and tablet computers, are important tools for the organization, and the Company supports their use to achieve business goals. However, mobile devices also represent a significant risk to data security: if the appropriate security applications and procedures are not applied, they can be a conduit for unauthorized access to the organization’s data and IT infrastructure, which can subsequently lead to data leakage and system infection. The Company has a requirement to protect its information assets in order to safeguard its customers, intellectual property, and reputation. This document outlines a set of practices and requirements for the safe use of mobile devices and applications.
2. Scope
- All mobile devices, whether company-owned or owned by employees, inclusive of smartphones and tablet computers, that have access to corporate networks, data and systems are governed by this mobile device security policy. The scope of this policy does not include corporate IT-managed laptops.
- Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements), a risk assessment authorized by security management must be conducted.
- Applications used by employees on their own personal devices which store or access corporate data, such as cloud storage applications, are also subject to this policy.
3. Policy
- Technical Requirements
- Devices must use the following Operating Systems: Android 2.2 or later, iOS 4.x or later.
- Devices must store all user-saved passwords in an encrypted password store.
- Devices must be configured with a secure password that complies with ’s password policy. This password must not be the same as any other credentials used within the organization.
- Only devices managed by IT will be allowed to connect directly to the internal corporate network.
- These devices will be subject to the applicable compliance rules on security features such as encryption, passwords, key lock, etc. These policies will be enforced by the IT department using Mobile Device Management software.
- User Requirements
- Users may only load corporate data that is essential to their role onto their mobile device(s).
- Users must report all lost or stolen devices to IT immediately.
- If a user suspects that unauthorized access to company data has taken place via a mobile device, they must report the incident in alignment with ’s incident handling process.
- Devices must not be “jailbroken” or “rooted”* or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user.
- Users must not load pirated software or illegal content onto their devices.
- Applications must only be installed from official platform-owner-approved sources. Installation of code from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact IT.
- Devices must be kept up to date with manufacturer- or network-provided patches. At a minimum, patches should be checked weekly and applied at least once a month.
- Devices must not be connected to a PC that does not have up-to-date and enabled anti-malware protection, or that does not comply with corporate policy.
- Devices must be encrypted in line with ’s compliance standards.
- Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that company data is only sent through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in the body text or as an attachment, they must notify IT immediately.
- The above requirements will be checked regularly. Should a device be found non-compliant, this may result in the loss of access to email, a device lock, or, in particularly severe cases, a device wipe.
- The user is responsible for the backup of their own personal data, and the company will accept no responsibility for the loss of files due to a non-compliant device being wiped for security reasons.
- (If applicable to your organization) Users must not use corporate workstations to back up or synchronize device content such as media files unless such content is required for legitimate business purposes.
*To jailbreak/root a mobile device is to remove the limitations imposed by the manufacturer. This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software.
1. Actions which may result in a full or partial wipe of the device, or other intervention by IT
- A device is jailbroken/rooted
- A device contains an app known to contain a security vulnerability (if not removed within a given timeframe after the user has been informed)
- A device is lost or stolen
- A user has exceeded the maximum number of failed password attempts
2. Use of particular applications which have access to corporate data
- Cloud storage solutions: Company X supports the use of the following cloud storage solutions: xxxxxx
- The use of solutions other than the above will constitute a compliance breach and lead to the loss of access to the corporate network for the user
If you need assistance or have any doubt and need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion, and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.