Mobile Computer Policy

This is an example Mobile Computer Policy.

1.0 Overview
This policy defines the use of mobile computers in the organization. It defines:

  1. The requirements that mobile computers must meet before leaving the corporate network. Both the device and any sensitive data on it should be password protected.
  2. How mobile computers and devices will be protected while outside the organizational network.
  3. The requirements that mobile computers must meet before connecting to the corporate network when being brought into a building owned by the organization.

2.0 Purpose
This policy is designed both to protect the confidentiality of any data that may be stored on the mobile computer and to protect the organizational network from being infected by any hostile software when the mobile computer returns. This policy also covers wireless access.

3.0 Scope
This policy covers any computing devices brought into the organization or connected to the organizational network using any connection method. This includes but is not limited to desktop computers, laptops, and Palm Pilots.

Note:
To write this policy, consider the sensitivity of the data stored and viewed on the mobile computer, including:

  1. Email
  2. Data the user is working on that is stored locally.
  3. Cached data that is stored locally, such as the cache of the user's browser. Windows XP allows cached files to be encrypted using the Encrypting File System (EFS).
  4. Data from the internal network that the user may access while the computer is outside the network.
  5. Locally stored user names and passwords.

Consider loss due to:

  1. Theft - should locally stored data be encrypted?
  2. Hard drive failure

4.0 Responsibility
The user of the mobile computer accepts responsibility for taking reasonable safety precautions with the mobile computer and agrees to adhere to this policy. The computer user will not be granted administrative rights unless a special exception is made by the network administrator. The user of the computer agrees not to use the mobile computer for personal business and agrees to abide by the organizational computer usage policy.

5.0 Connection Terms

  1. Devices connected to the organizational network must be determined by the designated IT manager to be a benefit to the organization rather than a convenience.
  2. All mobile devices owned by the organization or allowed on the organization's network must be identified by their MAC address to the IT department before being connected. (Possibly require a static IP address.)
  3. The device must meet the computer connection standards described in the following section.
  4. The device operator must be identified by name and contact information to the IT department.
  5. The computer device operator must be familiar with the organization's acceptable use policy.
  6. Devices not owned by the organization are subject to a software audit to ensure that no software that could threaten network security is in operation. All computing devices are subject to a software audit at any time.
  7. Access rights to the organizational network cannot be transferred to another person, even if that person is using an allowed computing device.

6.0 Mobile Computer Protection

  1. Any mobile computer owned by the organization shall at all times operate the following for its own protection:
    1. Antivirus program named _________________ with the latest possible virus updates. The program shall be configured for real-time protection, to retrieve updates daily, and to perform an antivirus or malware scan at least once per week.
    2. A firewall program named _________________ with the latest possible updates. The program shall be operational any time the computer is connected to any untrusted network, including the internet, to protect the computer from worms and other malware.
    3. Additional malware protection software shall be active on the computer in accordance with the antivirus and malware policy.
    4. The operating system and application patch levels must be consistent with the current patch levels of our organization for similar devices and operating systems. All mobile computers in the organization shall have wireless access disabled. If wireless access is used, a specific wireless encryption protocol shall be designated and configured. The maximum data sensitivity category shall also be noted for the computer, depending on the security of the wireless access and other features of the computer.
  2. Policy for mobile computers owned by the organization and removed nightly by employees with permission to work from home.
    1. These computers shall always meet requirement 6.0.1 above.
    2. If at any time the computer fails to meet requirement 6.0.1 above, the employee shall report the condition to the IT Security department, and a check of the computer equivalent to the check of an unsecured computer entering the building shall be performed.
    3. It shall be ensured that unauthorized persons cannot gain access to the computer without a proper user identification and password. Operating systems that do not safely support this process shall not be used in mobile computers. The IT Security department will determine and specify the proper tools to be used for authentication and access controls.
    4. Data to be stored on the computer will be evaluated and rated for sensitivity according to the Data Assessment Process document. Any data stored on the computer that is considered sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The policy must define the encryption tool to use and how it will be maintained.
    5. The computer shall be checked weekly by IT Security department personnel at designated times when the computer will be entering a secure building area. The check will include a scan for malware and a test to determine whether the computer has a worm. The state of stored sensitive data shall also be checked to determine whether it is encrypted and whether data of too high a sensitivity level is being stored on the computer. Any malware detected shall be removed. Log information about any malware found. Log any information about data that was not stored properly.
  3. Policy for computers being used for travel. Protection of these computers shall consist of the encryption of all sensitive data and a requirement for a valid user ID to operate the computer.
    1. These computers shall always meet requirement 6.0.1 above. If any additional software installation is required, it must be done and configured before the computer leaves the building.
    2. It shall be ensured that unauthorized persons cannot gain access to the computer without a proper user identification and password. Operating systems that do not safely support this process shall not be used in mobile computers. The IT Security department will determine and specify the proper tools to be used for authentication and access controls.
    3. Data to be stored on the computer during the time the computer is not in a secure facility will be evaluated and rated for sensitivity according to the Data Assessment Process document. Any data stored on the computer that is considered sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The policy must define the encryption tool to use and how it will be maintained. Any data not considered safe to be stored on the computer will be removed using a designated secure-deletion program, to ensure that it cannot be recovered later using data recovery tools. There will be a list of documented sensitive data, including storage locations, for all sensitive data stored on the computer. This list will be created before the computer leaves the facility.
    4. If there is a chance that the user will view any sensitive data using their web browser or another program, cached data will need to be encrypted. Cached data that is stored locally, such as the cache of the user's browser, will be set to be encrypted using the Encrypting File System (EFS). This may require Windows XP or some third-party software. In Windows XP, this may be enabled using the following procedure:
      1. Open "My Computer".
      2. Click on "Tools" and select "Folder Options".
      3. Select the "Offline Files" tab.
      4. Check the box next to "Encrypt offline files to secure data".
      5. Click "OK" to exit.
    5. If the computer will acquire irreplaceable and valuable data while on the road, the computer user must notify the IT department so that arrangements can be made to back the data up.
  4. Policy for computers being used by contractors.
    1. The computer will first be checked for compliance with requirement 6.0.1 above.
    2. The computer will be scanned for malware and tested to determine whether the computer has a worm. Any malware detected shall be removed. Log information about any malware found.
    3. If the computer is in compliance with requirement 6.0.1 and contains no malware, the contractor shall report any sensitive data related to the organization that is expected to be stored on the computer.
    4. Data to be stored on the computer will be evaluated and rated for sensitivity according to the Data Assessment Process document. Any data stored on the computer that is considered sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The policy must define the encryption tool to use and how it will be maintained.
    5. The ID of the computer shall be recorded, and the computer shall be certified for use on the organizational network.
    6. The computer shall be checked weekly by IT Security department personnel at designated times when the computer will be entering a secure building area. The check will include a scan for malware and a test to determine whether the computer has a worm. The state of stored sensitive data shall also be checked to determine whether it is encrypted and whether data of too high a sensitivity level is being stored on the computer. Any malware detected shall be removed. Log information about any malware found. Log any information about data that was not stored properly. If the computer is storing data improperly, the certification of the computer shall be reviewed.

7.0 Protecting the Network
Mobile computers entering the network shall meet the following requirements.

  1. If the computer is owned by the organization and used regularly by employees according to 6.0.2 above, then the computer shall be checked according to that part of the policy.
  2. If the computer is owned by the organization and is returning from a period when an employee used it for travel, the following check shall be performed.
    1. Determine whether the antivirus program is up to date, has the latest virus definitions, is configured properly, and is running properly. If it fails any of these conditions or has not been scanned for viruses within the last week, a full virus scan must be done before the computer can be used in the building.
    2. Test the computer and scan for additional malware such as adware or spyware, and test to determine whether the computer has a worm.
    3. Test the state of stored sensitive data to be sure it is encrypted.
    4. Any malware detected shall be removed. Log information about any malware found. Log any information about data that was not stored properly.
  3. If the computer is owned by an outside organization, the following must be done.
    1. The outside organization must agree in writing to allow a malware scan of their computer and agree to pay any costs if malware is found on their computer.
    2. A full virus scan must be done.
    3. Test the computer and scan for additional malware such as adware or spyware, and test to determine whether the computer has a worm.
    4. Any malware detected shall be removed. Log information about any malware found. The outside organization may be billed for services depending on organizational policy.

8.0 Enforcement
Improper use of mobile computers can introduce hostile software that may destroy the integrity of network resources and systems, and preventing such events is critical to the security of the organization and all individuals. Employees who do not adhere to this policy may therefore be subject to disciplinary action up to and including dismissal.