2.3 Mobile Computer Devices
Contents
1. Executive Summary
2. Scope
3. Details
   3.1 Responsibility
   3.2 Connection Terms
   3.3 Mobile Computer Protection
       3.3.1 Non organisation mobile computer equipment
       3.3.2 USB sticks (flash drives)
       3.3.3 External Hard Disk Drives
4. Enforcement
1. Executive Summary
This policy defines the use of mobile computers in the organisation. It defines:
- The process that mobile computers must follow to leave the corporate network. Both the device and any sensitive data should be password protected.
- How mobile computers and devices will be protected while outside the organisational network.
- The process that mobile computers must follow to enter the corporate network when being brought into a building owned by the organisation.
This policy is designed both to protect the confidentiality of any data that may be stored on the mobile computer and to protect the organisational network from being infected by any hostile software when the mobile computer returns.
2. Scope
This policy covers any computing devices brought into the organisation or connected to the organisational network using any connection method. This includes but is not limited to desktop computers, laptops, and Palm Pilots.
Note:
To write this policy, consider data and the sensitivity of the data stored and viewed on the mobile computer including:
- Data the user is working on that is stored locally.
- Cached data that is stored locally such as cached data from the user's browser.
- Data from the internal network that the user may access while the computer is outside the network.
- Locally stored user names and passwords.
Consider loss due to:
- Theft - should locally stored data be encrypted?
- Hard drive failure
3. Details
3.1 Responsibility
The user of the mobile computer will accept responsibility for taking reasonable safety precautions with the mobile computer and agrees to adhere to this policy. The computer user will not be allowed to have administrative rights unless granted by the network administrator. The user of the computer agrees not to use the mobile computer for personal business and agrees to abide by the Acceptable use of PC and Network Policy. The user is responsible for the physical security of the device and any compromise of this is to be reported immediately to the IT department.
3.2 Connection Terms
- Devices connected to the network must be determined by the IT Manager to be a benefit to the organisation rather than a convenience.
- The device must meet the computer connection standards described in the following section.
- The device operator must be identified by name and contact information to the IT department.
- The user must be familiar with all the organisation's IT Policies.
- Devices not owned by the organisation are subject to a software audit to ensure that no software that could threaten the network security is in operation. All computing devices are subject to a software audit at any time.
- Access rights to the organisational network cannot be transferred to another person even if that person is using an allowed computing device.
3.3 Mobile Computer Protection
Any mobile computer owned by the organisation shall at all times operate the following for its own protection:
- Antivirus program with the latest possible virus updates. The program shall be configured for real time protection, to retrieve updates daily, and to perform an anti-virus scan at least once per week. Users are responsible for checking that the current virus definitions are up to date and that there are no errors with the virus scanner (normally presented as a yellow exclamation on the shield in the bottom right hand corner of the screen or a red slash through the same icon).
- Windows Firewall with the latest possible update. The program shall be operational any time the computer is connected to any untrusted network including the internet to protect the computer from worms and other malware.
- The operating system and application patch levels must be consistent with the current patch levels of our organisation for similar devices and operating systems. If wireless access is used, a specific protocol for wireless encryption shall be designated and configured.
- If at any time the computer shall fail to meet the above requirements, the employee shall report the condition to the IT Security department and a check of the computer shall be performed.
- It shall be ensured that unauthorised persons cannot gain access to the computer without a proper user identification and password. Operating systems that do not safely support this process shall not be used in mobile computers. The IT department will determine and specify the proper tools to be used for authentication and access controls.
- The user is to evaluate the sensitivity and confidentiality of the data to be stored on the device and, if it is deemed confidential or sensitive, it should be password protected or encrypted.
- No additional software is to be installed on the mobile device without the authorisation of the IT department. Regular automated software audits will be carried out by the IT department.
3.3.1 Non organisation mobile computer equipment
Contractors or staff are not permitted to use their own personal computer devices on the network. If internet or external access is required, the I.T. Department will connect the device to its own external segment where it cannot communicate with the internal network. The exception to this rule is IT support contractors, who will need to connect foreign machines to the network but are to ensure that the machine is clean.
3.3.2 USB sticks (flash drives)
Whilst USB sticks pose a risk to the integrity of the network, it is appreciated that, with the limited computer connectivity we have throughout the group, they are a necessity. They can easily introduce viruses, spyware etc. on to the network as they bypass the internet gateway scanner. To minimise the risk to the network the following must be adhered to:
- No personal USB sticks are to be used on any company computer equipment, only those purchased through the company. The exception to this is where the stick is formatted by the IT department, after which it can no longer be used as a personal device whilst it is used with company equipment.
- Do not use the sticks on any untrusted computer device, e.g. your friend’s laptop. Ensure that any device you connect them to does have up to date anti-virus software.
- Do not let anyone else use the sticks; only you are allowed to transfer files on and off the stick.
- Only company documents using Microsoft Office are to be stored on these devices, e.g. Word, Excel, PowerPoint etc.; no executable or other types of files, including MP3, video files or your personal photos.
- Do not store confidential or sensitive information on these devices as they are small and can easily be misplaced or go missing.
3.3.3 External Hard Disk Drives
Due to the allowed use of USB sticks, there should be no requirement for the use of external hard drives. Therefore no external hard drives are permitted to be connected to any company device, or any device that is connected logically or physically to the network. Occasionally the IT department may need to use such devices in order to carry out maintenance etc., but these devices will be company owned and only used on network devices for the storage of legitimate, licensed company data.
4. Enforcement
Since improper use of mobile computers can bring in hostile software which may destroy the integrity of network resources and systems, and the prevention of these events is critical to the security of the organisation and all individuals, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal.
End




