Mobile devices, such as smartphones and tablet computers, are important tools for the organization and Company to support their use to achieve business goals. However, mobile devices also represent a significant risk to data security as, if the appropriate security applications and procedures are not applied, they can be a conduit for unauthorized access to the organization’s data and IT infrastructure. This can subsequently lead to data leakage and system infection. It has a requirement to protect its information assets in order to safeguard its customers, intellectual property, and reputation. This document outlines a set of practices and requirements for the safe use of mobile devices and applications.
- All mobile devices, whether owned by or owned by employees, inclusive of smartphones and tablet computers, that have access to corporate networks, data and systems are governed by this mobile device security policy. The scope of this policy does not include corporate IT-managed laptops.
- Exemptions: Where there is a business that needs to be exempted from this policy (too costly, too complex, adversely impacting other business requirements) a risk authorized by security management must be conducted.
- Applications used by employees on their own personal devices which store or access corporate data, such as cloud storage applications, are also subject to this policy.
- Technical Requirements
- Devices must use the following Operating Systems: Android 2.2 or later, iOS 4.x or later.
- Devices must store all user-saved passwords in an encrypted password store.
- Devices must be configured with a secure password that complies with ’s password policy. This password must not be the same as any other credentials used within the organization.
- Only devices managed by IT will be allowed to connect directly to the internal corporate network.
- These devices will be subject to the valid compliance rules on security features such as encryption, password, key lock, etc. These policies will be enforced by the IT department using Mobile Device Management software.
- User Requirements
- Users may only load corporate data that is essential to their role onto their mobile device(s).
- Users must report all lost or stolen devices to IT immediately.
- If a user suspects that unauthorized access to company data has taken place via a mobile device, they must report the incident in alignment with ’s incident handling process.
- Devices must not be “jailbroken” or “rooted”* or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user.
- Users must not load pirated software or illegal content onto their devices.
- Applications must only be installed from official platform-owner-approved sources. Installation of code from untrusted sources is forbidden. If you are unsure if an application is from an approved source contact IT.
- Devices must be kept up to date with the manufacturer or network-provided patches. As minimum patches should be checked weekly and applied at least once a month.
- Devices must not be connected to a PC that does not have up-to-date and enabled anti-malware protection and which does not comply with corporate policy.
- Devices must be encrypted in line with ’s compliance standards.
- Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that company data is only sent through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in the body text or as an attachment, they must notify IT immediately.
- The above requirements will be checked regularly and should a device be non-compliant that may result in the loss of access to email, a device lock, or in particularly severe cases, a device wipe.
- The user is responsible for the backup of their own personal data and the company will accept no responsibility for the loss of files due to a non-compliant device being wiped for security reasons.
- (If applicable to your organization) Users must not use corporate workstations to backup or synchronize device content such as media files unless such content is required for legitimate business purposes.
*To jailbreak/root a mobile device is to remove the limitations imposed by the manufacturer. This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software.
1.Actions which may result in a full or partial wipe of the device, or other interaction by IT
- A device is jailbroken/rooted
- A device contains an app known to contain a security vulnerability (if not removed within a given time-frame after informing the user)
- A device is lost or stolen
- A user has exceeded the maximum number of failed password attempts
2.Use of particular applications which have access to corporate data
- Cloud storage solutions: Company X supports the use of the following cloud storage solutions xxxxxx
- The use of solutions other than the above will lead to a compliance breach and the loss of access to the corporate network for the user
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.