Device Acceptable Use Policy
Purpose
The purpose of this policy is to define standards, procedures and restrictions for employees who have legitimate business uses for mobile devices (e.g. Smart Phones, Android, iPads).
The overriding goal of this policy is to protect the integrity of the confidential client and business data that resides within Thompson Holdings Incorporated’s technology infrastructure, including internal and external cloud services. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it could potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications, loss of revenue and damage to the company’s public image. Therefore, all employees utilizing a mobile device for corporate email and data of any type must adhere to company-defined processes.
Scope
This mobile device policy applies, but is not limited to, all devices and accompanying media that fit the following classifications:
- Smartphones
- Android Tablets
- iPads
- E-readers
- Portable media devices
- Laptop/Notebook computers
- Jump/Flash Drives
- Any other mobile devices capable of storing corporate data and connecting to a network.
In order to maintain security and manageability, only devices fitting the following criteria are allowed to access corporate resources:
- Thompson Holdings Incorporated PCs and laptops.
The policy applies to any device that is used to access corporate resources, whether the device is owned by the user or by the organization. It also applies to all Thompson Holdings Incorporated employees, including full and part-time staff, contractors, freelancers and other agents who use a mobile device to access, store, back up or relocate any organization or client-specific data.
Policy Statements
- Connectivity of all devices will be managed by Thompson Holdings Incorporated IT department and will use authentication and strong encryption measures. IT will not directly manage personal devices purchased by employees, as employees are expected to adhere to the same security protocols when connected to non-corporate equipment.
- It is the responsibility of employees of Thompson Holdings Incorporated who use laptops to access corporate resources to ensure that all security protocols are strictly followed.
- It is imperative that any laptop/mobile device used to conduct Thompson Holdings Incorporated business be used appropriately, responsibly and ethically.
Access Control
- Prior to initial use on the corporate network or related infrastructure, all devices must be approved by IT. IT maintains a list of approved devices and related software applications and utilities.
- Employee personal devices such as laptops/desktops should never be brought into the office. These devices should be kept at home.
- Employees should never connect phones to any Thompson Holdings Incorporated system (laptop/desktop).
- Only authorized jump/flash drives (new drives and drives cleared by IT) can connect to Thompson Holdings Incorporated systems. Drives given to a Thompson employee by outside vendors or other third-party individuals must be scanned by IT prior to being used. There are NO exceptions to this policy.
- Cameras that have not connected to a non-Thompson Holdings Incorporated system can connect to a Thompson Engineering System. If the camera or flash drive was connected to a non-Thompson Holdings Incorporated system, IT must scan and clear the device before it can connect to a Thompson system.
- End users who wish to connect their phones, iPads, Android devices and readers can connect to the Thompson Holdings Incorporated TE-Guest network. At no time shall these devices be connected to the internal network.
- All personal mobile devices attempting to connect to the corporate network through the Internet will be inspected using technology centrally managed by Thompson Holdings Incorporated IT department. Devices that are not approved by IT, that are not in compliance with IT’s security policies or that represent any threat to the corporate network or data will not be allowed to connect. Devices may only access the corporate network and data through the Internet using a Secure Sockets Layer (SSL) Virtual Private Network (VPN) connection.
Security
- Mobile devices used by employees must be protected by a strong password or PIN.
- All mobile devices connecting to the Thompson email systems must be running Sophos and Malwarebytes.
- All users of mobile devices must employ reasonable physical security measures. End users are expected to secure all such devices whether or not they are actually in use and/or being carried.
- Passwords and other confidential data, as defined by Thompson Holdings Incorporated IT department, are not to be stored unencrypted on mobile devices.
- IT will manage security policies, network, application and data access centrally using whatever technology solutions it deems suitable. Any attempt to contravene or bypass that security implementation will be deemed an intrusion attempt and will be dealt with in accordance with Thompson Holdings Incorporated’s overarching security policy.
- Employees, contractors and temporary staff will follow all enterprise data removal procedures to permanently erase company-specific data from such devices once its use is no longer required. Thompson Holdings Incorporated will send out a remote wipe command once the employee has resigned or is terminated. The mobile device will be put back to factory default and all data, including pictures, will be deleted.
- In the event of a lost or stolen mobile device, it is incumbent upon the employee to report the incident to IT immediately. The device will be remotely wiped, all data will be deleted and the device will be locked to prevent access by anyone other than IT. If the device is recovered, it can be submitted to IT for re-provisioning. The remote wipe will destroy all data on the device, whether it is related to company business or is personal.
Hardware & Support
- IT reserves the right, through policy enforcement and any other means it deems necessary, to limit the ability of end users to transfer data to and from specific resources on the enterprise network.
- Users will make no modifications to the hardware or software that change the nature of the device in a significant way (e.g. replacing or overriding the operating system, jailbreaking, rooting) without the express approval of Thompson Holdings Incorporated IT department.
Organizational Protocol
- IT can and will establish audit trails, which will be accessed, published and used without notice. Such trails will be able to track the attachment of an external device to the corporate network, and the resulting reports may be used for investigation of possible breaches and/or misuse.
- The end user agrees to and accepts that his or her access and/or connection to Thompson Holdings Incorporated networks may be monitored to record dates, times, duration of access, etc. in order to identify unusual usage patterns or other suspicious activity. This monitoring is necessary in order to identify accounts/computers that may have been compromised by external parties or users who are not complying with Thompson Holdings Incorporated policies.
- The end user agrees to immediately report to his/her manager and Thompson Holdings Incorporated IT department any incident or suspected incidents of unauthorized data access, data loss and/or disclosure of company resources, databases, networks, etc.
Non-Compliance
Violations of this policy will be treated like other allegations of wrongdoing at Thompson Holdings Incorporated. Allegations of misconduct will be adjudicated according to established procedures. Sanctions for non-compliance may include, but are not limited to, one or more of the following:
- Disciplinary action according to applicable Thompson Holdings Incorporated policies;
- Termination of employment; and/or
- Legal action according to applicable laws and contractual agreements.
Agreement
I have read and understand the Device Acceptable Use Policy. I understand that if I violate the rules explained herein, I may face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________ _______________________________________
Employee Signature Date