Mobile Computer Policy and Mobile Device Policy

Version: 1.00    Issue Date: 12/16/2014

This is an example Mobile Computer Policy and Mobile Device Policy. Such a policy is required to prevent loss of data when devices containing sensitive data are transported away from secure premises and are lost or stolen. It covers all devices that can store data, whether they have computing functions or only memory storage functions, in order to prevent compromise of sensitive information and to keep devices that are physically carried in and out of the organization from introducing malware.

1.0 Overview

This Mobile Computer Policy and Mobile Device Policy defines the use of mobile computers in the organization. It defines:

  1. The conditions that mobile computers and memory storage devices must meet before they leave the organizational network. Sensitive data must be encrypted and password protected, and the mobile device itself (for example, a laptop) must be password protected where the device supports it.
  2. How mobile computers and devices will be protected while outside the organizational network.
  3. The conditions that mobile computers and memory storage devices must meet before they are connected to the organizational network when brought into a building owned by the organization.

2.0 Purpose

This Mobile Computer Policy and Mobile Device Policy is designed both to protect the confidentiality of any data that may be stored on the mobile computer or device and to protect the organizational network from being infected by any hostile software when the mobile computer or device returns.

3.0 Scope

This Mobile Computer Policy and Mobile Device Policy covers any computing device or data storage device brought into the organization or connected to the organizational network using any connection method, and all mobile computers or devices used to store organizational data. This includes but is not limited to desktop computers, laptops, Palm Pilots, memory sticks, floppy disks, and tapes. This policy is effective as of the issue date and does not expire unless superseded by another policy.

All devices capable of storing data that connect to the organizational network or store organizational data are subject to this policy regardless of who owns them, including but not limited to employees, contractors, business partners, and members of the public. (Note: cameras and video equipment are not included in this policy; depending on the needs of your organization, you may want to include them, since they also carry removable storage.)

Storage media includes but is not limited to:

  • Hard Drives when being moved
  • Temporary storage drives
  • Tapes with data stored on them including system backup data.
  • Floppy disks
  • CD ROM disks
  • DVDs
  • Memory sticks
  • Flash drives
  • USB thumb drives

Mobile computers include but are not limited to:

  • Laptops
  • Notebooks
  • PDAs
  • Networkable test equipment

4.0 Terms

  • Encryption - The conversion of data or information from a normal readable format, known as plaintext, into a format that is not readable, known as ciphertext. Ciphertext must be converted back to plaintext to be read, and whoever converts it back must possess the secret key.
  • Mobile Device - A mobile device is a device that can be easily carried from location to location.
  • Portable Media - A device that can store information and is easily transported.
  • Sensitive Data or Information - Information which may have restricted access, the disclosure of which could have adverse consequences to the organization or to one or more individuals.

5.0 Data Types

To write this policy, consider data and the sensitivity of the data stored and viewed on the mobile computer or mobile storage device including:

  • Email
  • Data the user is working on that is stored locally.
  • Cached data that is stored locally, such as the user's browser cache. Windows XP allows cached offline files to be encrypted using the Encrypting File System (EFS).
  • Data from the internal network that the user may access while the computer is outside the network.
  • Locally stored user names and passwords.

Consider loss due to:

  • Theft - Locally stored sensitive data should be encrypted so that a stolen device does not disclose it.
  • Misplacement
  • Hard drive failure

6.0 Responsibility

All employees, contractors, and visitors entering the building must agree to abide by this Mobile Computer Policy and Mobile Device Policy. The guard at the guard station should ask each person entering whether they are carrying mobile computers or memory devices; their signature on the guest sheet indicates either that they are not carrying such equipment or that they agree to abide by the policy. Copies of the policy should be available at the guard station for visitors who need them.

The user of the mobile computer or mobile memory storage device will accept responsibility for taking reasonable safety precautions with the mobile device and must sign an agreement to adhere to this policy. The computer user will not be allowed to have administrative rights to the computer unless granted special exception by the network administrator. The user of the device agrees not to use the organizationally owned mobile computer or device for personal business and agrees to abide by the Mobile Computer Policy and Mobile Device Policy.

7.0 Connection and Device Usage Terms

Use of mobile computer or mobile memory devices is restricted to those whose job duties require them to use the mobile device. The use of the device is granted for a limited period of time which is required to perform the job. The owners of data to be used or stored on the device must approve the use of the mobile device along with the staff member's department head.

  • Devices connected to the organizational network must be determined by the designated manager to be a benefit to the organization rather than merely a convenience.
  • All networkable mobile devices owned by the organization or allowed on the organization network must be identified by their MAC address to the IT department before being connected. (Possibly require static IP address.) Note that a MAC address can be changed by the device's user, so this registration is an inventory control, not an authentication mechanism.
  • The device must meet the computer connection standards described in the following section.
  • The device operator must be identified by name and contact information to the IT department.
  • The mobile device user must be familiar with the organization's acceptable use policy and sign an acknowledgement of that fact.
  • Devices not owned by the organization are subject to a software audit to be sure no software that could threaten network security is in operation. All computing devices are subject to a software audit at any time.
  • Access rights to the organizational network cannot be transferred to another person even if that person is using an allowed computing device.
  • All devices that can store information may be subjected to an information audit to be sure they do not contain unencrypted sensitive information that could fall into the hands of unauthorized parties.

8.0 Mobile Computer Protection

  1. Any mobile computer owned by the organization shall at all times operate the following for its own protection:
    1. Antivirus program named _________________ with the latest available virus definitions. The program shall be configured for real-time protection, to retrieve updates daily, and to perform an anti-virus or malware scan at least once per week.
    2. A firewall program named _________________ with the latest available updates. The program shall be operational any time the computer is connected to any untrusted network, including the internet, to protect the computer from worms and other malware.
    3. Additional malware protection software shall be active on the computer in accordance with the anti-virus and malware policy.
    4. The operating system and application patch levels must be consistent with the current patch levels of our organization for similar devices and operating systems. All mobile computers in the organization shall have wireless access disabled unless it is specifically authorized. Where wireless access is authorized, a specific wireless encryption protocol shall be designated and configured, and the maximum data sensitivity category permitted on the computer shall be recorded, taking into account the security of the wireless access and the other features of the computer.
  2. Policy for mobile computers owned by the organization and removed nightly by employees with permission to work from home.
    1. These computers shall always meet requirement 8.0.1 above.
    2. If at any time the computer fails to meet requirement 8.0.1 above, the employee shall report the condition to the IT Security department, and a check of the computer equivalent to the check performed on any unsecured computer entering the building shall be performed.
    3. It shall be ensured that unauthorized persons cannot gain access to the computer without a proper user identification and password. Operating systems that do not safely support this process shall not be used in mobile computers. The IT Security department will determine and specify the proper tools to be used for authentication and access controls.
    4. Data to be stored on the computer will be evaluated and rated to consider the sensitivity of the data according to the Data Assessment Process document. Any data stored on the computer that is considered to be sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The Encryption Policy or associated procedures must define the encryption tool to use and how it will be maintained.
    5. The computer shall be checked every two weeks (bi-weekly) by IT Security department personnel at designated times when the computer will be entering a secure building area. The check will include a scan for malware and a test to determine whether the computer has a worm. The state of stored sensitive data shall also be checked to determine whether it is encrypted and whether data of too high a sensitivity level is being stored on the computer. Remove any malware that is detected. Log information about any malware found. Log any information about data that was not stored properly.
  3. Policy for computers being used for travel - Protection of these computers shall be the encryption of all sensitive data and a requirement for a valid user ID to operate the computer.
    1. These computers shall always meet requirement 8.0.1 above. If any additional software installation is required, it must be done and configured before the computer leaves the building.
    2. It shall be ensured that unauthorized persons cannot gain access to the computer without a proper user identification and password. Operating systems that do not safely support this process shall not be used in mobile computers. The IT Security department will determine and specify the proper tools to be used for authentication and access controls.
    3. Data to be stored on the computer during the time the computer is not in a secure facility will be evaluated and rated to consider the sensitivity of the data according to the Data Assessment Process document. Any data stored on the computer that is considered to be sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The Encryption Policy or associated procedures must define the encryption tool to use and how it will be maintained. Any data not considered safe to store on the computer will be removed using a designated secure deletion program, so that it cannot later be recovered with forensic tools; an ordinary delete leaves the data on the disk. A list documenting all sensitive data stored on the computer, including its storage locations, will be created before the computer leaves the facility.
    4. If there is a chance that the user will view any sensitive data using their web browser or other program, cached data will need to be encrypted and deleted as soon as it is no longer needed. Cached data that is stored locally, such as the browser cache, will be set to be encrypted using the Encrypting File System (EFS). This may require Windows XP or third-party software. In Windows XP, this may be enabled using the following procedure (note that Windows XP reached end of support in April 2014; on later Windows versions the equivalent setting is under Sync Center, "Manage offline files", on the Encryption tab):
      1. Open "My Computer".
      2. Click on "Tools" and select "Folder Options".
      3. Select the "Offline Files" tab.
      4. Check the box next to "Encrypt offline files to secure data".
      5. Click "OK" to exit.
    5. If the computer will acquire irreplaceable and valuable data while on the road, the computer user must notify the IT department so arrangements can be made for a method to back the data up.
  4. Policy for computers being used by contractors
    1. The computer will first be checked for compliance with section 8.0.1 above.
    2. The computer will be scanned for malware and tested to determine whether the computer has a worm. Any malware on the computer shall be removed if any was detected. Log information about any malware found.
    3. If the computer is in compliance with section 8.0.1 and contains no malware, the contractor shall report any sensitive data related to the organization that is expected to be stored on the computer.
    4. Data to be stored on the computer will be evaluated and rated to consider the sensitivity of the data according to the Data Assessment Process document. Any data stored on the computer that is considered to be sensitive will be stored only in an encrypted format, possibly using an Encrypting File System (EFS). The Encryption Policy or associated procedures must define the encryption tool to use and how it will be maintained.
    5. The ID of the computer shall be recorded and it shall be certified for use on the organizational network.
    6. The computer shall be checked weekly by IT Security department personnel at designated times when the computer will be entering a secure building area. The check will include a scan for malware and a test to determine whether the computer has a worm. The state of stored sensitive data shall also be checked to determine whether it is encrypted and whether data of too high a sensitivity level is being stored on the computer. Remove any malware that is detected. Log information about any malware found. Log any information about data that was not stored properly. If the computer is storing data improperly, the certification of the computer shall be reviewed.

9.0 Protecting the Network

Mobile computers entering the network shall meet the following requirements.

  1. If the computer is owned by the organization and used regularly by employees according to 8.0.2 above, then the computer shall be checked according to that part of the policy.
  2. If the computer is owned by the organization and is returning from a period when an employee used it for travel, the following check shall be performed.
    1. Determine whether the anti-virus program is up to date, has the latest virus definitions, is configured properly, and is running properly. If it fails any of these conditions, or has not performed a virus scan within the last week, a full virus scan must be done before the computer can be used in the building.
    2. Scan the computer for additional malware such as adware or spyware, and test to determine whether the computer has a worm.
    3. Test the state of stored sensitive data to be sure it is encrypted.
    4. Remove any malware on the computer if any was detected. Log information about any malware found. Log any information about data that was not stored properly.
  3. If the computer is owned by an outside organization the following must be done.
    1. The outside organization must agree in writing to allow a malware scan of their computer and agree to pay any costs incurred if malware is found on their computer.
    2. A full virus scan must be done.
    3. Scan the computer for additional malware such as adware or spyware, and test to determine whether the computer has a worm.
    4. Remove any malware on the computer if any was detected. Log information about any malware found. The outside organization may be billed for services depending on organizational policy.
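The checks in 8.0.1 and 9.0.2 can be scripted so that the IT Security check at the door is repeatable and its result is logged. The following PowerShell script is an added example and is not part of the original policy. It assumes Microsoft Defender as the antivirus, the built-in Windows firewall, BitLocker for the 10.0 encryption requirement, and a log file location chosen here; substitute whatever products are written into the blanks in 8.0.1. Run it in an elevated PowerShell session on the computer being checked.

```powershell
# Added example (not part of the original policy): an admission check for a Windows mobile
# computer returning to the building, covering the 8.0.1 controls and the 9.0.2 checks.
# Assumptions: Microsoft Defender as the antivirus, the Windows firewall, BitLocker for the
# 10.0 encryption requirement, and the log path below; substitute the products named in
# the policy blanks. Run in an elevated PowerShell on the computer being checked.

$SignatureMaxAgeDays = 1    # 8.0.1.1: updates retrieved daily
$ScanMaxAgeDays      = 7    # 8.0.1.1 / 9.0.2.1: scanned at least once per week
$LogPath             = "$env:ProgramData\MobileDevicePolicy\admission.log"   # assumed location

function Test-MobileComputerAdmission {
    $findings = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # 8.0.1.1 - antivirus running, real-time protection on, signatures and last scan fresh
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is not enabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (($now - $mp.AntivirusSignatureLastUpdated) -gt [TimeSpan]::FromDays($SignatureMaxAgeDays)) {
        $findings.Add("Signatures last updated $($mp.AntivirusSignatureLastUpdated)")
    }
    $lastScan = @($mp.FullScanEndTime, $mp.QuickScanEndTime) | Where-Object { $_ } |
                Sort-Object -Descending | Select-Object -First 1
    if (-not $lastScan -or (($now - $lastScan) -gt [TimeSpan]::FromDays($ScanMaxAgeDays))) {
        $findings.Add('No malware scan within the last week; run a full scan before use')
    }

    # 8.0.1.2 - firewall enabled on every profile, since the laptop joins untrusted networks
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.Enabled -ne 'True') { $findings.Add("Firewall disabled for profile $($profile.Name)") }
    }

    # 8.0.1.4 - wireless disabled unless specifically authorized; an enabled radio is a finding
    Get-NetAdapter -Physical |
        Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -ne 'Disabled' } |
        ForEach-Object { $findings.Add("Wireless adapter '$($_.Name)' is enabled ($($_.Status))") }

    # 10.0 / 9.0.2.3 - sensitive data at rest encrypted; here: every volume fully encrypted
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
        }
    }

    return $findings
}

$findings = Test-MobileComputerAdmission
$result   = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }

# 9.0.2.4 - log the outcome and every finding for the IT Security record
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
("{0} {1} {2} {3}" -f (Get-Date -Format o), $env:COMPUTERNAME, $result, ($findings -join ' | ')) |
    Add-Content -Path $LogPath

Write-Output "$env:COMPUTERNAME admission check: $result"
$findings | ForEach-Object { Write-Output "  - $_" }
if ($result -eq 'FAIL') { exit 1 }
```

A FAIL result means the computer is handled as an unsecured computer under 8.0.2.2: it stays off the network until the full scan and remediation in 9.0.2 are done and logged. The script deliberately reports the wireless adapter's state rather than disabling it, and reports volumes that are not fully encrypted rather than starting encryption, because those are configuration changes the IT Security department makes, not something the admission check should do silently.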

10.0 Encryption of Sensitive Data

All sensitive data on mobile computers or mobile memory storage devices must be encrypted except during the time that it is being actively used. The encryption requirements shall be specified by the Encryption Policy or associated procedures, which shall name the tool used for encryption and state minimum requirements including but not limited to the encryption algorithm and the minimum key length.

Computers that have sensitive data stored on them may not transmit over unencrypted (cleartext) wireless connections. Wireless connections must be secured and encrypted using WPA2 at minimum, according to the Encryption and Wireless Policies.

11.0 Reporting Loss or Theft

Any incident of loss or theft of a mobile device with memory, or any possible loss or compromise of sensitive data in any form, must be reported immediately to your immediate supervisor. The immediate supervisor must inform the designated IT management, HR management, and Public Relations management.

12.0 Temporary Files

All systems should be configured so that temporary files holding sensitive data are removed or overwritten as soon as they are no longer required. This includes the temporary files created when secure web sites are visited. When the session expires or is completed, the temporary files must be deleted.
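The cache encryption required in 8.0.3.4, the encryption of data at rest in 10.0, and the temporary-file cleanup in 12.0 can be applied to a Windows computer with the built-in EFS tool. The following PowerShell script is an added example and is not part of the original policy. It assumes the folder list below (the user's INetCache and TEMP folders), a Windows edition that supports EFS (Home editions do not), and that it runs as the user who owns the profile; `cipher.exe` is the standard Windows command-line interface to EFS.

```powershell
# Added example (not part of the original policy): bring browser cache and temporary folders
# under EFS, the current equivalent of the Windows XP "Encrypt offline files" checkbox in 8.0.3.4,
# then clear the session's temporary files as 12.0 requires. Assumptions: the folder list below,
# a Windows edition that supports EFS (Home editions do not), and that the script runs as the
# user who owns the profile. cipher.exe is the built-in EFS tool.

param(
    [string[]]$CacheFolders = @("$env:LOCALAPPDATA\Microsoft\Windows\INetCache", $env:TEMP),
    [switch]$WipeFreeSpace
)

function Test-EfsEncrypted {
    # True when the file or folder carries the NTFS Encrypted attribute
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Protect-FolderWithEfs {
    # Encrypt the folder and everything below it; files created later inherit the attribute
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    & cipher.exe /e /s:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed on $Path (exit code $LASTEXITCODE)" }
    # Verify rather than trust: files held open by another process are skipped by cipher
    $plain = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
             Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) }
    return [pscustomobject]@{
        Path             = $Path
        FolderEncrypted  = Test-EfsEncrypted -Path $Path
        UnencryptedFiles = @($plain | ForEach-Object { $_.FullName })
    }
}

function Clear-SessionTempFiles {
    # Delete the session's temporary files; return the ones still held open so the user can retry
    param([Parameter(Mandatory)][string]$Path)
    $locked = @()
    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue) {
        try   { Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop }
        catch { $locked += $file.FullName }
    }
    return $locked
}

foreach ($folder in $CacheFolders) {
    $state = Protect-FolderWithEfs -Path $folder
    Write-Output ("{0}: folder encrypted={1}, files still in plaintext={2}" -f $state.Path, $state.FolderEncrypted, $state.UnencryptedFiles.Count)
    $inUse = @(Clear-SessionTempFiles -Path $folder)
    if ($inUse.Count -gt 0) {
        Write-Output ("  {0} file(s) in use were not deleted; close the browser and rerun" -f $inUse.Count)
    }
}

if ($WipeFreeSpace) {
    # Overwrite free space on the volume so previously deleted plaintext cannot be recovered (slow)
    & cipher.exe /w:"$($CacheFolders[0])"
}
```

Two caveats belong with this approach. EFS keys are protected by the user's logon credentials, so the authentication requirement in 8.0.2.3 is what actually protects the encrypted cache: anyone who can log on as the user reads the files in the clear. And a plain delete only unlinks the file; the `-WipeFreeSpace` switch runs `cipher /w` to overwrite the volume's unallocated space, which is what 8.0.3.3 means by removing data so it cannot be read later. Back up the user's EFS certificate with `cipher /x` before relying on EFS, or the data is lost with the profile.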

13.0 Enforcement

Improper use of mobile computers or mobile memory devices can compromise data or introduce hostile software that destroys the integrity of network resources and systems, and preventing these events is critical to the security of the organization and of all individuals. Employees who do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of a violation of this policy is required to report it to their supervisor or another authorized representative.

14.0 Additional Policies

  • Wireless Communication Policy
  • Virus Protection Policy
  • Patch Management Policy
  • System Lockdown Policy
  • Workstation Configuration Policy

15.0 Additional Requirements

  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Procedure for scanning mobile computers for malware.
  • Procedure used to secure mobile computers including patching, hardening, installing anti-virus with updates, and installing a software firewall.
  • Procedure for configuring computers to encrypt cache information.
  • Procedure for configuring computers to delete temporary information when the session ends.
  • Procedure for encrypting and decrypting sensitive data which is associated with the Encryption Policy.
  • Memory Device agreement form indicating users agree to abide by the policy to use these devices.
  • If the device has wireless capability it must comply with the Wireless Communication Policy.
  • Appropriate procedures must be created to be followed when a mobile device or memory storage device is lost or stolen. The procedures must take into account the type of data on the device, whether that data was encrypted, and how it was encrypted.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________