Mobile Device Policy
Cyber Essentials Toolkit: Version 2 ©CertiKit
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document sets out the organisation’s policy with respect to mobile devices.
Areas of Cyber Essentials addressed
The following areas of the Cyber Essentials scheme are addressed by this document:
• Control 2: Secure Configuration
General guidance
This policy should be provided to all employees and other interested parties who use organisation-provided mobile devices, or where it has been agreed that they can use their own. You may need to add additional detail to this document depending on your technical environment. You will also need to update it as technology changes. If you don’t have a formal IT Support Desk, simply use the name of the role or external company that will provide support for computers within your organisation.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organisation.
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
Version 1
Page 2 of 11
[Insert date]
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Mobile Device Policy
Version 1
DOCUMENT REF: CYB-DOC-02-3
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]
Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction .......... 8
2 Mobile device policy .......... 9
2.1 Devices provided by [Organization Name] .......... 9
2.2 Use of personal mobile devices .......... 10
1 Introduction
Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful, the number of tasks that can be achieved away from the office grows. However, as the capabilities increase, so do the risks. Security controls that have evolved to protect the static desktop environment are easily bypassed when using a mobile device outside the confines of an office building. Mobile devices include items such as:
• Laptops
• Notebooks
• Tablet devices
• Smartphones
• Smart watches
The purpose of this policy is to set out the controls that must be in place when using mobile devices. It is intended to mitigate the following risks:
• Loss or theft of mobile devices, including the data on them
• Compromise of sensitive information through observation by the public
• Introduction of viruses and other malware to the network
• Loss of reputation
It is important that the controls set out in this policy are observed at all times in the use and transport of mobile devices. This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems. The following policies and procedures are relevant to this document:
• Access Control Policy
• User Access Management Process
• Cryptographic Policy
2 Mobile device policy
2.1 Devices provided by [Organization Name]
Unless specifically authorised, only mobile devices provided by [Organization Name] must be used to hold or process sensitive information on behalf of the organisation. If you are required to make use of mobile equipment, you will be provided with one or more appropriate devices which will be configured to comply with the organisation’s policies. Support will be provided by the [IT Support Desk], who may at times need access to your device for problem resolution and maintenance purposes.

You must ensure that the device is transported in a protective case when possible and that it is not exposed to situations in which it may become damaged. Do not leave the device unattended in public view, such as in the back of a car or in a meeting room or hotel lobby. Do not remove any identifying marks, such as a company asset tag or serial number, on the device. Ensure the device is locked away when being stored and that the key is not easily accessible. Do not add peripheral hardware to the device without the approval of the [IT Support Desk].

The [IT Support Desk] must be consulted before the device is taken out of the country. This is to ensure that it will work and to consider any insurance implications.

You will not hold sensitive information on the device unless this has been authorised and appropriate controls (e.g. hard disk encryption) put in place. Do not keep access tokens (e.g. a key-fob device that displays access codes that change regularly), PINs (Personal Identification Numbers), or other items that might be useful to an attacker, with the device.

Ensure the device screen locks after a short period of not being used (e.g. 10 minutes) and requires an access code or password to unlock it. Passwords used must be strong and difficult to guess. No unsecured logons (i.e. those that do not require a password) may be set up on the device.

The organisation-provided device is for your business use only; it must not be shared with family or friends or used for personal activities. You may be asked to return the device to the [IT Support Desk] at any time for inspection and audit.

You must not install any unauthorised software or change the configuration or setup of the device without consulting the [IT Support Desk] first. Where possible, the device will be secured so that all of the data on it is encrypted and so is only accessible if the password is known. If the device is supplied with encryption, do not disable it.

Changes to files held on the device may not be backed up on a regular basis if it is not connected to the corporate network for a period of time. Try to schedule some time in to achieve this on a regular basis. Do not take your own unencrypted backups of sensitive information.
Where applicable, virus protection will be installed on the device by the organisation. Ensure the device is connected to the corporate network on a regular basis to allow the virus signatures to be updated. Do not disable virus protection on the device. The device must not be connected to non-corporate networks such as wireless or the Internet unless a VPN (Virtual Private Network) is used to secure the connection. When in public places, ensure you site the device such that other people cannot view (or take photographs or video of) the screen.
2.2 Use of personal mobile devices
The low cost and general availability of such devices has fuelled the desire among employees and other stakeholders to use their own devices for business use. This is commonly referred to as “Bring Your Own Device” (BYOD). In some cases, this can provide increased flexibility and remove the need for the employee to carry more than one device on a regular basis. However, the concept of allowing an employee to make use of their own device(s) for business purposes may result in the need for such devices to be subject to additional controls over and above those typically in place for a consumer device. Common issues and security challenges with BYOD may include:
• Use of the device by friends and family members
• Default storage of data in cloud backup services
• Increased exposure to potential loss in social situations, e.g. on the beach or in a bar
• Potential access to websites that do not meet the organisation’s acceptable use policy
• Connection to insecure networks, e.g. unsecured wireless hotspots
• Antivirus protection and how often the device is patched
• Installation of potentially malicious apps onto the device (often without the user being aware that they are malicious)
These issues must be considered when assessing the suitability of any given device to hold specific data belonging to the organisation. It is a joint decision between the organisation and the owner of the device concerning whether any particular device will be used for business purposes. Such use is not compulsory, and the employee has the right to decide whether the additional controls placed on the device by the organisation are acceptable and therefore whether they choose to use the device for business purposes. It is important that the controls set out in this policy are observed at all times in the use and transport of BYOD mobile devices.

Individuals must not use their own devices to hold and process company information unless they have submitted a request to do so, and that request has been formally approved. It is [Organization Name]’s policy to assess each BYOD request on an individual basis in order to establish:
• The identity of the person making the request
• The business reason for the request
• The data that will be held or processed on the device
• The specific device that will be used
Requests must be submitted to the [IT Support Desk]. The general principle of this policy is that the degree of control exercised by the organisation over the BYOD device will be appropriate to the sensitivity of the data held on it.

In order to ensure its data is adequately protected, it is important for [Organization Name] to be able to monitor and audit the level of compliance with this policy. The level of monitoring and audit will be appropriate to the sensitivity of the information held on the device. The methods and timing of monitoring and audit will be such that the device owner’s privacy is not invaded and must be in line with applicable privacy legislation. In general, monitoring of usage outside of business hours will be avoided.

In the event of the device being lost or stolen, the owner must inform the [IT Support Desk] as soon as possible, giving details of the circumstances of the loss and the sensitivity of the business information stored on it. [Organization Name] reserves the right to remotely wipe the device where possible as a security precaution. This may involve the deletion of non-business data belonging to the device owner.

Upon leaving the organisation, the device owner must allow the device to be audited and all business-related data and applications removed.