The purpose of this mobile computing policy is to enable Company to:
- Protect resources by ensuring the appropriate use of personally owned or corporate-owned computing devices for accessing, processing and storing the organization's confidential data;
- Ensure that Company has the ability and authority to take the appropriate measures to prevent the loss of resources that would result in financial and reputation loss; and
- Protect the confidentiality of any data that may be accessed, processed or stored by personally owned or corporate-owned computing devices and to protect Company's network from being infected by any hostile software when mobile devices are used.
This policy applies to all employees and contractors, and all members of the Company workforce, and employees or contractors of any affiliate entities ("Users"). It further applies to any mobile device, be it personally owned or corporate owned, brought into the organization or connected to the organizational network using any connection method.
Mobile Device: Any computing or telephonic device, whether personally owned or company owned, brought into the organization or connected to the organizational network that stores, transmits, receives or is capable of storing, transmitting or receiving Company work product (including Confidential Information), including but not limited to laptops, phones, and tablets.
Mobile Device Management (MDM): This refers to any routine or tool intended to distribute applications, data, and configuration settings to mobile devices. The intent of MDM is to optimize the functionality and security of a mobile communications network.
Confidential Information: Information whose unauthorized disclosure could result in negative impact to the organization, including but not limited to Protected Health Information (PHI), Personally Identifiable Information (PII), trade secrets, proprietary information, intellectual property, attorney-client information, any non-public proprietary information, information otherwise marked as "confidential," and/or any information for which regulatory or legal requirements mandate enhanced protection protocols.
PHI: See P-026 Identifying PHI policy.
PII: See P-026 Identifying PHI policy.
Trade Secrets: A formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers.
Public Information: Information that has been made available to the public domain through authorized company channels and requires no special protection.
User: Any Company employee, contractor or affiliate or member of the Company workforce.
- Mobile Device Management (MDM) software: Only devices that have the company-authorized MDM software installed can be used for corporate purposes. The MDM software provides a comprehensive suite of remote tools that are used to assist users and identify and resolve security and compliance issues.
- Manager Approval: The user must have manager approval to obtain access to corporate information on personally owned devices. The manager should also define specific access parameters according to user business purposes.
- Remote Wiping Capability: Information Technology (IT) Network Operations, along with Service and Support, has the authority to remotely wipe corporate data on personal devices when deemed necessary. Such instances include, but are not limited to, a lost or stolen device, or when the user is separated from the organization. When possible, a partial wipe of only corporate data will be employed; however, if required, all data will be wiped from the device.
- External storage hardware (last alternative): External storage devices such as external hard drives, USB keys, etc. should be considered last alternatives for handling data. All confidential information on these types of devices must be encrypted, and full-device encryption by default, regardless of what is stored on the device, is the recommended option. They are also subject to the information security policy and will be wiped clean if deemed necessary.
- Lost Device Notification: It is the user's responsibility to notify IT Service and Support immediately and file the proper lost/stolen paperwork with the local law enforcement agency or other authority.
- Notification of Sale/Transfer of Device: The user shall notify IT Service and Support prior to selling, transferring, or allowing any other party to use the device.
- Loss of Confidential Data Notification: Any missing confidential information shall be reported to IT Service and Support or Corporate Compliance immediately.
- Security Updates: The user is expected to update the device as new operating system and security patches become available to maintain the security of the device. A device that is not updated with these patches is more vulnerable to attacks and hence will put corporate information at risk. Company may require and enforce through either procedures or management software an approved set of devices, operating systems, and patch levels as deemed appropriate by the CIO/CSO.
Chief Information Officer (CIO)/Information Security Officer (ISO)
The Chief Information Officer (CIO)/Information Security Officer (ISO) ensures appropriate precautionary measures (both technical and process-wise) are established and maintained. The CIO/ISO is actively involved in identifying security loopholes and handling incidents that could result in the loss of Company information. Company will maintain user agreements related to the above.
Maintaining the security, confidentiality, integrity, and availability of information stored in the organization's corporate network or the device is a responsibility shared by all employees and users of the network. Users are expected to read this policy, understand the risks, and abide by the guidelines when using consumer devices. The CIO/ISO is the final authority on device suitability and connectivity.
The user's departmental manager can authorize Information Technology to enable the user's mobile device for specific business purposes, and is responsible for ensuring that the user understands and complies with this and related policies, including, but not limited to:
- Being responsible for ensuring the user reports lost or stolen devices to Information Technology Service and Support immediately.
- Monitoring and managing any financial reimbursements which may be applicable to the user.
The user understands and agrees to protect company data stored on their devices with all commonly available security measures, including but not limited to:
- Installing Company's MDM software on the device,
- Allowing Company inspection of Company-related information,
- Implementing appropriate encryption capabilities on the device,
- Allowing Company to implement measures for automatic removal of such information as required by business operation and policies, including both selective and complete wiping of the device, and
- Keeping the device updated with new OS releases as they become available.
The user understands that Company may distribute the user’s cellular device phone number as required to complete its normal day-to-day business operations. Use of the device in any manner contrary to local, state, or federal laws constitutes misuse and is strictly prohibited. In the event of litigation, the rules of civil procedure may require the employee to save any data about potential litigation that is stored on a personal cellular or mobile device.
Every policy and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or when it was last in effect, whichever is later. Other company requirements may stipulate a longer retention. Log-in audit information and logs relevant to security incidents must be retained for six years.
Failure to comply with this or any other security policy will result in disciplinary actions as per IS-004, Sanction Policy. Legal actions also may be taken for violations of applicable regulations and standards such as HIPAA, HITECH and others.
Company employees are prohibited from cellular or mobile computing device use in any way that is dangerous, has disregard for public welfare, or is contrary to state or federal laws such as HIPAA, HITECH or others, including applicable regulations governing wireless device use while driving. Employees who violate these terms will be subject to disciplinary actions, up to and including employment termination. Additionally, the employee agrees to defend, indemnify and hold harmless Company and its affiliates for any damages, actual or alleged, that occur from the employee's violation of these terms or misuse of a cellular or mobile computing device.
- Employee obtains manager's approval to use the mobile device for work purposes
- Manager ensures that the user understands this policy above, and Company Related Policies noted below
- Manager opens a Service and Support Case Ticket to connect the device to Company resources
- Prior to purchase, check with Service and Support to verify the device is compatible with the Company Mobile Device Management System
- Employee obtains manager’s approval to use device for work purposes
- Manager ensures that the user understands the policy above, and Company Related Policies noted below
- Manager opens a Service and Support Case Ticket to connect the device to Company resources