Mobile Computing and Remote Working

Support Home Security ISO27001 Access Control

Mobile Computing and Teleworking

 Mobile Computing

CX Index institutes the following policies to ensure that business information is not compromised by use of such devices as notebooks, laptops, tablets, smartphones, and mobile phones in an unprotected environment and to provide users with controls for and awareness of the potential risks.

A risk assessment will be performed on the potential threats associated with the various forms of mobile computing for new devices (other than those listed above) that become available.

The risk assessment will consider the following issues:

  • Physical protection of the device (i.e.  locking away, carrying on airplanes)
  • Access control,
  • The use of cryptographic techniques,
  • Back-up schedules, procedures and media protection,
  • Protection from viruses and malicious software,
  • Network connections,
  • Use of networking facilities in public places.

Users of mobile computing devices will be required to sign a statement of their understanding and compliance.  This statement should be included in the policy acceptance letter signed during orientation.

Physical Protection of Mobile Devices

Users must reasonably ensure mobile devices are physically secure at all times if they contain CX Index sensitive data.  Examples of physically securing devices include:

  • Mobile devices should never be left visible in a car, and should never be left in the boot or other storage location overnight.
  • Mobile devices should always be carried on-board aircraft and not put in checked luggage
  • Mobile devices should not be left at tables in public places (i.e.   restaurants) if they will be out of sight

Access Control Requirements

If a mobile device contains other than public CX Index data, it must have some form of access control to access this information.  If access to the device is not controllable, access to the data must be controlled.

Use of Encryption

If a mobile device contains sensitive CX Index confidential data, it must be encrypted on the storage drive.  Encryption may be on a file-by-file basis, or on a volume-by-volume basis.

Information Backup

Users are strongly encouraged to back up their CX Index data stored on mobile devices.  Backup may be done when connected to the CX Index network (file shares and other backup facilities), or may be backed up to removable media.  If backed up to removable media, this media must be physically protected or the data must be encrypted.

Protection from Viruses/Malicious Software

If capable, mobile devices must run anti-virus software with current updates/definitions.  All laptops must use CX Index-approved anti-virus software.

Connecting to the CX Index Network

Users may only connect mobile devices that have been authorised by the Senior Management to the CX Index network.  These devices must have current anti-virus software running and the user must be reasonably sure no other malicious software is operating on the laptop.

Users may never connect to an outside network through any form of network interface (modem, wireless, second Ethernet card, etc.) while simultaneously connected to the internal CX Index network through their primary network connection.  If use of a secondary connection is necessary, the user must first disconnect from the CX Index network before connecting to the outside network.  This policy also applies to connections from one security zone within CX Index to another (i.e., connecting to the CX Index corporate network and the DMZ at the same time).

Users are encouraged to   have their mobile device checked before connecting to the CX Index network if they have reason to believe they may have come into contact with any malicious software, whether detected by anti-virus or not.

Connecting to the Internal CX Index Network from Public Places

Remote connections to the CX Index network will be facilitated by the use of s secure Virtual Private Network (VPN). Access to this VPN will be granted by CX Index Senior Management on an as needs basis. Only authorised users are allowed to connect to the CX Index network remotely.

Wireless Connections (Any)

CX Index users must use a personal firewall and anti-virus software (as discussed above) whenever connected to a wireless network, regardless of whether or not they will connect to the CX Index networks.  In addition, the use of WPA or equivalent privacy measures is encouraged where available.

Mobile device users will not enable ad hoc networking, or operate any other access point functionality on their wireless adapters while connected to the CX Index network through another connection (Ethernet, modem, etc.).

General Use and Ownership

While CX Index’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on CX Index’s systems remains the property of CX Index.  Because of the need to protect CX Index’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to CX Index

Employees are responsible for exercising good judgment regarding the reasonableness of personal use and to abide by CX Index’s policies regarding accessing the Internet or any other networks from CX Index’s systems. If there is any uncertainty, employees should consult their supervisor or manager.

Employees shall exercise due diligence to protect sensitive or confidential data or material.   

For security and network maintenance purposes, authorised individuals within CX Index may monitor equipment, systems and network traffic at any time.

Security and Proprietary Information

Employees should take all necessary steps to prevent unauthorised access to this information:

  • Authorised users are responsible for the security of their passwords and accounts.  Users must keep their passwords secure and accounts should not be shared.
  • All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 15 minutes or less, or by logging-off (control-alt-delete for Windows users) when the host will be unattended.
  • Postings by employees from a CX Index email address to newsgroups and/or social media platforms should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CX Index unless posting is in the course of business duties.
  • All applicable hosts used by the employee that are connected to the CX Index network, whether owned by the employee or CX Index, shall continually execute approved virus-scanning software with a current virus database.
  • Employees must use extreme caution when opening e-mail attachments received, especially from unknown senders, as these attachments may contain viruses, e-mail bombs, or Trojan horse code.

Unacceptable Use

The following activities are generally prohibited.  Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).  Under no circumstances is an employee of CX Index authorised to engage in any activity that is illegal under law while utilising CX Index owned resources.

CX Index employees are required to abide by the Computer Use Internet and Email Policy at all times.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.



Was this article helpful?

Related Questions: