Laptop and Mobile Device Policy - Security Operations



Mobile Devices

Definition – Mobile devices are defined as any device that is portable including, but not limited to, laptops, tablets, and mobile/smart phones.

Use of Mobile Devices – Business will provide mobile devices to workforce members who require remote access to systems to perform their job duties effectively. These devices are to be used for Business-related business but may be used for incidental personal use as long as that use does not interfere with business activities or assigned duties and complies with the Electronic Communication Policy.

Registration and Approval – The use of mobile devices, both Business-owned and personally owned, on the Business network must be approved in advance by the Mobile Device Team. MAC addresses must be registered with the Security Officer, and devices are required to meet organizational usage restrictions, configuration requirements, connection requirements, and implementation guidance.

Safeguards – All mobile devices accessing the Business network and any confidential data must have the following safeguards in place when supported, reasonable, and appropriate:

  • Approved anti-virus/anti-malware installed and up to date. If Business-owned, the device must be centrally managed by the chosen software solution.

  • Full disk encryption to protect the confidentiality of any data stored on the device.

  • Proper access controls including, but not limited to, unique usernames and passwords for authentication, appropriate password policies, login monitoring/logging, and auto-locking enabled.

  • Personal firewall or equivalent functionality.

  • Disabling of any features that allow for code execution without user direction.

Device Repairs – Should an assigned device need to be repaired or serviced for any reason, the assigned user shall notify the IT Department to make the necessary arrangements. A user should not attempt repairs or service themselves or take the device to any third-party service provider. If a user discovers that a device has been lost or stolen, they should contact the Security Officer or designee immediately so that proper incident response steps can be taken.

Disaster Recovery – Company-owned laptop computers are a critical component of the Business Disaster Recovery program. Each workforce member assigned a laptop must acknowledge that in the event of a major disaster, the laptop may be reclaimed for deployment to other Business workforce members.

Installation of Software – The installation of software on company-owned devices is prohibited without prior authorization from the Security Officer and must be done by an IT Department designee. A listing of approved software shall be maintained by the Security Officer and reviewed on a periodic basis or as needed. Circumvention of or tampering with the security controls (i.e., jailbreaking or rooting) configured by the Business IT Department as specified in this policy is strictly prohibited.

1.2.2 Mobile Device Users

User Responsibility – Users assigned company-owned assets must exercise caution and care when transporting devices and provide protection from theft when devices are left in vehicles, hotel rooms, conference centers, meeting places, etc. Once formally issued, the company-owned device becomes the responsibility of the assigned user. Users accessing the Business network from a public location, such as a coffee shop or airport, must be aware of their surroundings to prevent “shoulder surfing” or inadvertent disclosure of information due to the ability to view a device screen from a distance. Training on the risks, implemented security controls, and user responsibilities shall be provided to each mobile device user prior to being issued equipment.

Remote Access – Users accessing the Business network remotely are required to use the Single Sign On process for accessing all tools.

Assignment of Company Owned Mobile Devices

  • The user’s Manager will submit the User Access Request Form to the Security Officer or designee indicating the equipment being requested, the user the device will be assigned to, and a business justification for the device.

  • The operations manager will approve or deny the request.

  • Prior to assignment, the mobile device will be configured by the operations manager or a designated member to comply with established portable device security requirements.

  • The operations manager will be informed of their responsibility when taking possession of the device and made aware of the requirements contained within this and other relevant policies.

  • The operations manager will sign an acknowledgement indicating that they have read and understand the applicable policies related to mobile devices and agree to adhere to them and take responsibility for the device(s).