(NOTE: This policy is for reference only. You are strongly encouraged to work with your HR, tech support/security staff, device administrators, data owners, and your legal counsel to expand this template to meet your firm’s needs and business objectives. Once the policy is final, it should be communicated to your staff, future new hires and/or other authorized users. Your final draft may be used to help develop user education, supporting processes for device activation, technical support, and remediation of non-compliant devices. As with all Firm policies, strict enforcement and frequent review are required, as modifications may be necessary.)
This policy is intended to protect the security and integrity of <Firm Name>’s (“Firm”) data and technology infrastructure. <Firm Name> seeks to protect its data and network including, without limitation, mobile devices and the data stored on such devices, from unauthorized access, use, disclosure, alteration, modification, deletion, destruction and/or removal.
Using non-Firm-owned/controlled mobile devices to access, use, or store sensitive Firm-related information, including sensitive or confidential personal information, is strictly prohibited. <NOTE: This template is a non-Bring-Your-Own-Device (BYOD) policy.>
Purpose and Scope
The purpose of this policy is to provide minimum security guidelines for mobile devices (see Glossary of Terms) used and operated by <Firm Name>’s employees or other authorized users as part of their duties and responsibilities.
This policy describes the acceptable use and minimum security policy for mobile devices used to connect to the Firm’s network resources or otherwise used to store or transport Firm-related information. Such mobile devices must be appropriately secured to:
- Prevent sensitive or confidential data from being lost or compromised
- Reduce the risk of spreading viruses
- Mitigate other forms of abuse of the Firm’s computing and information infrastructure
- The Firm defines acceptable business use as activities that directly or indirectly support the Firm’s business activities.
- The Firm defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading or game playing.
- Devices may not be used at any time to:
- Store or transmit illicit or pornographic materials
- Store or transmit proprietary information such as materials developed by the Firm to facilitate its services to clients
- Harass others
- Engage in outside business activities
- Any mobile device that stores any data owned by the Firm must have the following security measures in place:
- All mobile devices must be password protected. Staff members must not use the default passwords provided by their phone or voicemail service, but must create new ones. <Optional: this section should address the frequency of password changes and password strength. Current password standards can be found in our Firm security policy.>
- A screen lock (may be known by other names on different devices) must be implemented to require a password or a code to be entered after the mobile device is idle for <for example, 2 minutes> or more.
- The physical security of these devices is the responsibility of the user to whom the device has been assigned.
- Mobile devices shall be kept with the user whenever possible.
- Whenever a device is being stored, it shall be stored in a secure place, preferably out of sight.
- If a mobile device is lost or stolen, promptly report the incident (not more than 24 hours after the discovery) to your supervisor or other person pursuant to Firm security policy. This report should include the serial number if the device has one. If your mobile device has a serial number, it should be recorded upon receipt and kept in a safe place.
- If a user suspects that unauthorized access to the Firm’s data has occurred via their assigned mobile device, the user must immediately report the incident to their supervisor or other person pursuant to our Firm security policy.
- All employees consent to having the data on the mobile device assigned to them completely wiped in the event of loss or theft, to protect any data stored on the device.
- If sensitive or confidential documents must be stored on the device, the information must be:
- Encrypted according to the Firm’s compliance standards, and
- Completely and securely removed from the mobile device before it is returned, exchanged, or disposed of.
- Mobile device options and applications that are not in use should be uninstalled or disabled.
- Mobile devices must be presented to <specify IT, etc.> for proper configuration of standard applications such as browsers, office productivity software and security tools before being permitted to access the Firm’s network.
- Other applications must only be installed from official platform or Firm-approved sources. Installation of code from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact our Firm’s IT staff.
- <Alternative: Other applications installed on the Firm’s device must be “white-listed” by the Firm’s security staff. Note: this may be an added burden on the security staff, and if approval takes too long, employees may circumvent the policy.>
- Users must never load pirated software or illegal content onto the Firm’s devices.
- Devices must not be “jailbroken” (see Glossary of Terms) or have installed any software/firmware that is designed to gain entry to functionality not intended to be accessed by the user.
- Devices must be kept up-to-date with manufacturer and/or network-provided patches. At a minimum, users should check weekly for available patches and apply them as soon as they become available.
- Devices must not be connected to another device, such as a PC, that does not have up-to-date and enabled anti-malware protection or that does not comply with the Firm’s policies, procedures and standards.
- No sensitive personal or business information shall be stored on mobile devices unless the data is encrypted.
- Before a mobile device is connected to the Firm’s IT systems, it shall be scanned for viruses and malware. If either a virus or malware is detected, the Firm reserves the right to delete any files, including personal files, on the device that contain the suspected virus or malware.
- If the mobile device is used for transitional storage (for example, copying data between systems), the data shall be completely and securely removed from the mobile device immediately upon completion of the transitional task.
- All mobile device users are responsible for following this policy.
- Anyone observing what appears to be a breach of security, violation of this policy, violation of state or federal law, theft, damage, or any action that might place the Firm’s resources at risk must immediately report the incident to an appropriate-level supervisor, manager, or security officer.
- Managers and supervisors are responsible for ensuring that all mobile device users under their supervision are aware of and understand this policy and all related procedures.
- In addition to the Security Policy stated above, the Firm reserves the right to monitor all Firm mobile device usage and settings in order to enforce policy compliance.
- Non-compliance with this policy and/or its resulting procedures may be cause for disciplinary action up to and including termination. Depending on the circumstances, federal or state law may impose civil or criminal litigation and/or restitution, fines, and/or penalties upon individuals for actions that would violate this policy.
Glossary of Terms
- Mobile Devices: These include, but are not limited to, notebook computers, tablets, mobile phones, MP3 players, compact discs, DVD discs, memory sticks, USB drives, floppy or hard disks and other similar devices.
- User: Anyone with authorized access to the Firm’s information systems. This includes permanent and temporary employees, third-party personnel such as contractors or consultants, and other parties with valid Firm access accounts.
- Screen Lock: A password-protected mechanism used to hide data on a visual display while the device continues to operate. Screen locks (which may be known by other names on different devices) can be activated manually or in response to rules.
- Screen Timeout: A mechanism that turns off a device display after the device has not been used for a specified time period.
- Personal Information: Information that can be used to identify an individual and/or an individual’s financial account(s), credit history, or credit cards, as well as individual medical record and health plan information. This includes an individual’s social security number, first name (or initial) plus last name, along with his/her driver’s license number or state identification card number, financial account numbers, and/or credit card numbers.
- “Jailbreak” or “jailbroken”: To “jailbreak,” “root” or “unlock” a mobile device is to remove the limitations imposed by the manufacturer that protect against accessing protected or hidden files or permissions. “Jailbreaking” gives full access to the operating system, thereby unlocking all of its features and enabling the installation of unauthorized software. “Jailbreaking” not only voids the warranty, but makes the device less secure.