Implementation Guidance
(This section must be removed from final version of the document)
Purpose of this document
This document describes how information security will be managed within and
outside the company whenever employees use their own digital devices to carry out
Company-related work.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard (Annex A) are addressed by this document:
A.6 Organization of Information Security
A.6.1 Internal organization
A.6.2 Mobile devices and teleworking
General Guidance
This document provides rules on aspects and areas that should be considered for
managing information security within and outside iFour Consultancy.
Review Frequency
We recommend that this document is reviewed quarterly and upon any
significant change to iFour Consultancy.
Version Number
V.1.0 Draft
Disclaimer
Please note: this document is intended only for iFour Consultancy use. If it is
used for any other purpose, a responsible person within iFour Consultancy should be
contacted immediately.
BYOD Policy
Document Name:
Document Authors:
Document owner:
Security classification:
Responsible person:
Date:
Revision History
Version   Date        Changed by   Summary of changes
V 1.0     5/5/2014
V 1.1     6/5/2014
Document Review
Date of next scheduled review: 1/11/2014

Distribution
Name                 Title
Bharat Parmar (HR)   Director

Approval
Name            Position   Signature   Date
Bharat Parmar   Director               5/5/2014

Table of Contents
1. Introduction .................................................. 5
   1.1 Risk addressed ............................................ 5
   1.2 Scope ..................................................... 5
   1.3 Related Documents ......................................... 5
   1.4 Purpose ................................................... 5
2. Policy detail ................................................. 6
   2.1 Applicability ............................................. 6
   2.2 Background ................................................ 6
   2.3
3.
4.
1. Introduction
Employees who prefer to use their personally-owned IT equipment for work
purposes must be explicitly authorized to do so. Care must be taken to
secure corporate data to the same extent as on corporate IT equipment, and
personal devices must not introduce unacceptable risks (such as malware)
onto the corporate networks through failure to secure that equipment.
1.2 Scope
This policy applies to all systems, people and processes that constitute the
organization's information systems, including board members, directors, employees,
suppliers and other third parties who have access to iFour Consultancy's systems.
1.3 Related Documents
ISMS12002
ISMS12003
ISMS15001
ISMS15002
ISMS15003
ISMS15004
ISMS16001
1.4 Purpose
The purpose of this policy is to set out the controls that must be in place when using
mobile devices that are not owned or provided by the organization. It is intended to
mitigate the following risks:
It is important that the controls set out in this policy are observed at all times in
the use and transport of BYOD mobile devices. It is a joint decision between the
organization and the owner of the device concerning whether any particular
device will be used for business purposes. Such use is not compulsory and the
employee has the right to decide whether the additional controls placed on the
device by the organization are acceptable and therefore whether they choose to
use the device for business purposes.
2. Policy detail
2.1 Applicability
This policy forms part of the corporate governance framework. It is particularly
relevant to employees who wish to use personally owned devices (PODs) for work
purposes. This policy also applies to third parties acting in a similar capacity to
our employees, whether they are explicitly bound (e.g. by contractual terms and
conditions) or implicitly bound (e.g. by generally held standards of ethics and
acceptable behavior) to comply with our information security policies.
2.2 Background
In contrast to Information and Communications Technology (ICT) devices owned by
the organization, PODs are ICT devices owned by employees or by third parties
(such as clients, consultancies and maintenance contractors). Authorized
employees and third parties may wish to use their PODs for work purposes, for
example making and receiving work phone calls and text messages on their own
personal cellphones, using their own tablet computers to access, read and respond
to work emails, or working in a home-office.
Due to management's concerns about the information security risks associated
with BYOD, individuals who wish to opt in to BYOD must be authorized by
management and must explicitly accept the requirements laid out in this policy
beforehand. Management reserves the right not to authorize individuals, or to
withdraw an authorization, if it deems BYOD not to be appropriate or in the best
interests of the organization.
The organization will continue to provide its choice of fully owned and managed ICT
devices as necessary for work purposes, so there is no compulsion for anyone to
opt in to BYOD if they choose not to participate in the scheme.
2.3
5) Organization Control: The organization has the right to control its
information. This includes the right to backup, retrieve, modify, determine
access and/or delete corporate data without reference to the owner or
user of the POD.
6) Forensic Examination: The organization has the right to seize and
forensically examine any POD believed to contain corporate data where
necessary for investigatory or control purposes.
7) Run mobile antivirus software or scanning tools: Suitable antivirus
software must be properly installed and running on all PODs.
8) Back up device data: POD users must ensure that valuable corporate
data created or modified on PODs are backed up regularly, preferably by
connecting to the corporate network and synchronizing the data between
POD and a network drive, otherwise on removable media stored securely.
9) Corporate data must be encrypted: Any POD used to access, store
or process sensitive information must encrypt data in transit over the
network (e.g. using TLS/SSL or a VPN) and at rest on the POD or on separate
storage media (e.g. using a full-disk or container encryption tool such as
TrueCrypt; note that TrueCrypt's developers ended its development in May 2014,
so a currently maintained equivalent should be used), whatever storage
technology is used (e.g. hard disk, solid-state disk, CD/DVD, USB/flash memory
stick, floppy disk etc.).
10) Limited Tech Support: Since the IT Help/Service Desk does not have the
resources or expertise to support all possible devices and software, PODs
used for BYOD will receive limited support on a best-endeavors basis for
business purposes only.
11) Business data and personal data must be kept separate: While
employees have a reasonable expectation of privacy over their personal
information on their own equipment, the organization's right to control
its data and manage PODs may result in support personnel
unintentionally gaining access to their personal information. To reduce
the possibility of such disclosure, POD users are advised to keep their
personal data separate from business data on the POD, in separate,
clearly named directories (e.g. Private and BYOD).
12) Maintain Individual Privacy: Take care not to infringe other people's
privacy rights; for example, do not use PODs to make audio-visual recordings
at work.
13) Actions Against Non-Compliance: POD owners are responsible for their
devices; in the event of loss of a POD they may be liable for appropriate
compensation for the resulting loss of the Company's data. Employees must
therefore ensure that Company data stored on the POD is secured
(encryption, passwords, etc.) so that it is protected from misuse.
The Company reserves the right to take action against such non-compliance.
14) Maintain POD Security: Once enrolled, POD owners must maintain their
PODs and take the necessary precautions to keep them secure.
15) Jailbroken and rooted devices are not allowed: Most, if not all,
mobile security suites consider jailbroken and rooted devices to be
compromised. Such devices are exposed to security vulnerabilities, malware,
viruses and attacks that unmodified, secured devices are not.
16) Devices must be regularly updated with the latest OS and patches:
To stay ahead of malware, users must keep their devices updated to the
latest operating system version, including the minor updates that fix
security vulnerabilities between major revisions. Update policies can be
enforced, and updates pushed, from some mobile security management suites to
ensure that users' devices maintain the highest available patch level.
17) Require periodic re-authentication: Periodic re-authentication
provides assurance that the current user is genuine. Unlimited access without
re-authentication is a security vulnerability for any device that might be
stolen or compromised while in an authenticated state. Management suites can
enforce re-authentication after a set time period.
18) Prevent offline access: If a very high level of security is required for
particular documents or applications, prevent any offline access to them. Do
not allow documents or data to be downloaded or cached on the local device.
Only allow access to sensitive information while connected to the corporate
network.
19) Beware of free apps: Many free applications have been found to
track users and share user information with advertisers or other third parties.
Enterprise users should review app permissions prior to downloading and
download only from trusted publishers. IT and security teams can assist
employees by providing lists of applications that are approved for download.
5) Internal Audit is authorized to assess compliance with this and other
corporate policies at any time.
Relevance of the related documents (listed in section 1.3)
- Defines the overarching set of information security controls, reflecting
  ISO/IEC 27002, the international standard code of practice for information
  security management.
- Specifies a number of information security controls applicable to the use
  of mobile and portable devices.
- Information Asset Owners are responsible for classifying their assets and
  may determine whether BYOD is or is not appropriate for them.
- Explains the standards of behavior expected of employees, and the
  disciplinary processes if the rules are broken.
- Further security awareness materials are available on this topic.