LEP Mobile Device Policy


Mobile Device Policy


1. Overview

Mobile computing devices (smartphones, tablets, convertible laptops, and various other personal
computing devices) are becoming an implementation standard in today’s computing environment. Their
size, portability, and ever-increasing functionality are making the devices desirable in replacing traditional
desktop devices. However, the portability offered by these devices can also increase security exposure
to individuals using the devices.

2. Purpose

The purpose of this policy is to establish the procedures and protocols for the use of mobile devices and
their connection to the network.

3. Scope

This policy applies to all [LEP] staff who use personal devices for business purposes or business-issued
mobile computing devices.

4. Policy

5. GENERAL

All mobile devices, whether owned by [LEP] or owned by staff, that have access to systems
and applications are governed by this policy. Applications, including cloud storage software,
used by staff on their own personal devices are also subject to this policy. The following
general procedures and protocols apply to the use of mobile devices:

• Mobile computing devices must be protected with a password required at the time the
device is powered on

• Passwords must meet the requirements outlined in the [LEP] Access Control and
Password Policy

• All data stored on mobile devices shall be encrypted

• Wireless encrypted security and access protocols shall be used with all wireless
network connections

• Staff shall refrain from using public or unsecured network connections while using
their mobile device for work

• Personal mobile computing devices that require network connectivity must conform to
all [LEP] standards for use and configuration

• Personal devices used for work business shall be registered with the [Insert
Appropriate Role] approved by [Insert Appropriate Department]

• Unattended mobile computing devices shall be physically secured

Sample IT Security Policies



• Mobile computing devices that access the [LEP] network shall have active and up-to-date
anti-malware and firewall protection

• Lost and stolen devices shall have location services enabled and the units “bricked”
or wiped of all information so they are unusable until recovered or destroyed

6. USER DEVICE RESPONSIBILITIES

The following procedures and requirements shall be followed by all users of mobile devices:

• Staff shall immediately report any lost or stolen devices

• Unauthorized access to a mobile device or company data must be immediately reported

• Mobile devices shall not be “rooted” or have unauthorized software/firmware installed

• Staff shall not load illegal content or pirated software onto any mobile device

• Only approved applications are allowed on mobile devices that connect to the [LEP]
network

• Mobile devices and applications shall be kept up-to-date

• Operating system and application patches should be installed within 30 days of release

• Mobile devices shall have active and up-to-date anti-malware/virus protection software

• All mobile device physical storage partitions shall be encrypted

• Personal firewalls shall be installed and active where available

• Staff shall use [LEP] corporate email system when sending or receiving [LEP] data

• Staff are responsible for ensuring all important files stored on the mobile device are
backed up on a regular basis

• Mobile Device Management (MDM) will be used to enforce common security standards and
configurations on devices

• Staff shall not modify configurations without express written authorization from the
[Insert Appropriate Role]

7. ADMINISTRATIVE RESPONSIBILITIES

The [Insert Appropriate Role] or their designee shall ensure:

• Specific configuration settings shall be defined for personal firewall and malware
protection software to ensure that this software is not alterable by users of
mobile and/or employee-owned devices.


• Annual security training is provided to users of mobile devices. The content and form
of that training shall be decided by the [LEP] or their designee. Periodic security
reminders may be used to reinforce mobile device security procedures.

• MDM software is used to manage risk, limit security issues, and reduce costs and
business risks related to mobile devices. The software shall include the ability to
inventory, monitor (e.g. application installations), issue alerts (e.g. disabled
passwords), categorize system software (operating systems, rooted devices), and
issue various reports (e.g. installed applications, carriers).

• MDM software enforces security features such as encryption, password, bricking,
and key lock on mobile devices.

• MDM software shall include the ability to distribute applications, data, and global
configuration settings against groups and categories of devices.

• Regular reviews and updates of security standards and strategies used with mobile
computing devices.

• Procedures and policies exist to manage requests for exemptions and deviations
from this policy.

[Insert Appropriate Department] shall implement procedures and measures to strictly limit
access to sensitive data moving to and from mobile computing devices since these devices
generally pose a higher risk for incidents than non-portable devices.

8. Audit Controls and Management


On-demand documented procedures and evidence of practice should be in place for this
operational policy as part of [LEP]. Satisfactory examples of evidence and compliance
include:

• Spot user checks for compliance with mobile device computing policies

• Readily available processes and procedures for staff use of mobile devices

• Configuration and support guidelines and procedures for mobile devices

• Communication and device logs of attached units showing appropriate management
and monitoring protocols are in place

• Anecdotal and archival communications showing regular implementation of the policy

9. Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including
termination.

10. Distribution

This policy is to be distributed to all [LEP] staff and contractors using [LEP] information resources.


11. Policy Version History

Version | Date      | Description            | Approved By
1.0     | 9/15/2016 | Initial Policy Drafted |
