InContext Solutions
Information Security
Last reviewed: 2023-10-01

Mobile Device Security Policy

Overview

The most common challenge is that users do not recognize that mobile devices represent a threat to IT and data security. As a result, they often do not apply the same security and data protection guidelines as they would on other devices such as desktop computers.

The second challenge is that when users provide their own devices, they often give greater weight to their own rights on the device than to their employer's need to protect data.

Purpose

Mobile devices, such as smartphones and tablet computers, are important tools for the organization and their use is supported to achieve business goals.

However, mobile devices also represent a significant risk to information security and data security: if the appropriate security applications and procedures are not applied, they can be a conduit for unauthorized access to the organization's data and IT infrastructure. This can subsequently lead to data leakage and system infection.

InContext Solutions has a requirement to protect its information assets to safeguard its customers, intellectual property, and reputation. This document outlines a set of practices and requirements for the safe use of mobile devices.

Scope

  • All mobile devices, whether owned by InContext Solutions or by employees, that have access to corporate networks, data, and systems, not including corporate IT-managed laptops. This includes smartphones and tablet computers.

  • Exemptions: Where there is a business need to be exempted from this policy (too costly, too complex, adversely impacting other business requirements), a risk assessment must be conducted by the InfoSec team and any exemption must be authorized by the InfoSec team.

Policy

Technical Requirements

  1. Devices must use a recent operating system that is supported by its manufacturer.

  2. Devices must be configured with a secure password that complies with InContext Solutions' password policy. This password must not be the same as any other credentials used within the organization.

  3. With the exception of those devices managed by IT, devices are not allowed to be connected directly to the internal corporate network without a security certificate supplied by InContext.

User Requirements

  1. Users must only load essential corporate data directly related to their role onto their mobile device(s).

  2. Users must report all lost or stolen devices to InContext Solutions IT immediately.

  3. If a user suspects that unauthorized access to company data has taken place via a mobile device, the user must report the incident in alignment with InContext Solutions' incident handling process.

  4. Devices must not be "jailbroken" or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user. (To jailbreak a mobile device is to remove the limitations imposed by the manufacturer. This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software.)

  5. Users must not load pirated software or illegal content onto their devices.

  6. Applications must only be installed from official platform-owner approved sources. Installation of code from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact InContext Solutions IT.

  7. Devices must be kept up to date with manufacturer- or network-provided patches. As a minimum, individuals should check for patches weekly and apply any applicable patches at least once a month.

  8. Company-owned devices must not be connected to a PC which does not have up-to-date and enabled anti-malware protection and which does not comply with corporate policy.

  9. Users must be cautious about the merging of personal and work email accounts on their devices. They must take particular care to ensure that company data is only sent through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in body text or as an attachment, he or she must notify InContext Solutions IT immediately.

  10. Users must not use corporate workstations to back up or synchronize device content such as media files unless such content is required for legitimate business purposes.

Revision History

Date of Change | Responsible | Summary of Change
August 2018 | ICS InfoSec Team | Combined mobile device, acceptable use, clean desk and email policy into a single policy document
August 2019 | ICS InfoSec Team | Annual policy review, no changes
Nov 2020 | ICS InfoSec Team | Annual policy review, no changes
June 2022 | ICS InfoSec Team | Annual policy review, minor grammatical fixes.
February 2023 | ICS InfoSec Team | Annual policy review, no changes.
August 2023 | ICS InfoSec Team | Updates to verbiage, content via GRC review
October 2023 | ICS InfoSec Team | Updates from GRC review, split into separate DOC files for ease of management
March 2026 | ICS InfoSec Team | Published to Trust Center