
Device Management (MDM)

Category: Policies

Applies to: General guidance

Coverage: 0 controls, 0 queries

Asset types: Not specified

Overview

Policy Statement

Mobile computing is an increasing part of everyday life. As devices become smaller and more powerful the number of tasks that can be achieved away from the office grows. However, as the capabilities increase so do the risks. Security controls that have evolved to protect the static desktop environment are easily bypassed when using a mobile device outside of the confines of an office building. Disposal of sensitive data shall be carried out under federal and state law.

Purpose

To set out the controls that must be in place when using mobile devices or removable media. It is intended to mitigate the following risks:

  • Protected data being stored on Mobile Devices;
  • Loss or theft of a mobile device, including the data on it, especially if it contains Confidential Data;
  • Compromise of classified information through observation by the public;
  • Introduction of viruses and malware to the network and cloud environment.

Scope

All devices, systems, people, and processes that constitute your organization's information systems.

Mobile devices include items such as:

  • Laptops
  • Notebooks
  • Tablets
  • Smartphones
  • Smart Watches

Procedures

Procedures and mapped controls

Bring Your Own Device (BYOD)

In most cases, your organization ensures that employees receive laptops/notebooks when they join. However, there are cases when personal or other devices can be used for business functions. This is commonly referred to as "Bring Your Own Device" (BYOD). In some cases, this can provide increased flexibility and remove the need for the employee to carry more than one device regularly. This results in the need for such devices to be subject to additional controls over and above those typically in place for a consumer device.

Common issues and security challenges with BYOD may include:

  • Use of the device by other family members or friends
  • Default storage of data in cloud backup facilities
  • Increased exposure to potential loss in social situations (e.g. on the beach, in a bar)
  • Potential access to websites that do not meet your organization's Acceptable Use Policy
  • Connection to insecure networks (e.g. unsecured wireless hotspots)
  • Anti-virus protection and how often the device is patched
  • Installation of potentially malicious apps onto the device (often without the user being aware that they are malicious)

Requirements for the use of personal devices that store your organization data which is classified as Confidential or Internal:

  • All Bring Your Own Devices (BYOD) must be managed by your organization using Mobile Device Management (MDM) solutions;
  • All Mobile Devices, removable media, and other mobile storage devices are to be added to your organization's asset inventory according to the Asset Management Policy;
  • Owner/Manager must provide a reason for requesting a personal device to be used for business functions;
  • Company-owned devices and Bring Your Own Devices (BYOD) are encrypted;
  • As data is mainly stored in cloud-based systems, a regular backup of the phone is preferred, but not mandatory;
  • Rooted (Android) or Jailbroken (Apple iOS) devices are strictly forbidden from being enrolled as a BYOD;
  • Strong password/passcode must be enforced by the MDM software based on the Password Management Policy;
  • Devices are kept up to date as part of the mobile device management controls;
  • Only pre-approved application stores are allowed (public stores such as the Apple App Store or Google Play, or a company-managed app store);
  • Your organization reserves the right to take appropriate disciplinary action, up to and including termination, for non-compliance with this policy.

The device may be disconnected, remotely locked, or wiped (company-owned data only). This is done only with the approval of both the CISO and the device owner, and after confirmation of one of the following events:

  1. the device is lost (device owner must report this as soon as possible but not later than 24 hours)
  2. the employee terminates his or her employment
  3. IT/Security Team detects a data or policy breach, a virus, or similar threat to the security of your organization's data and IT/Cloud infrastructure

External Media and Storage Devices

Devices

  • USB Flash and External Drives;
  • Optical disks (CD, DVD);
  • SD Cards (secure digital cards);
  • Tapes (infrequently used);
  • Floppy disks (infrequently used).

Roles and Responsibilities

  1. Sender – responsible for ensuring, among other things, that the following requirements are met:
    • Assessing the information to be sent;
    • Ensuring that the identity and authorization of the recipient have been formally confirmed and documented;
    • Obtaining the consent of the Manager (if applicable) for the transfer;
    • Ensuring that the information is sent and tracked properly in compliance with the policy.
  2. IS Auditor – will monitor and audit departments to ensure compliance with all statutory and regulatory obligations as well as internal policies.
  3. Managers – responsible for ensuring that this Policy is communicated and implemented within their area of responsibility.
  4. Employees – responsible for knowing this Policy and ensuring that any information transfer for which they are responsible is done right. They must report any suspected or actual security breaches related to data transfer to their Managers.
  5. Contractor or 3rd Party – responsible for knowing this Policy and ensuring that any information transfer for which they are responsible is done right. They must report any suspected or actual security breaches related to data transfer to their contact within your organization.

Transmission Process

Protected data, as defined in the Data Management Policy, cannot be stored outside your organization's systems or cloud infrastructure.

The other types of data can be transferred on external storage devices only by following these requirements:

  • Confidential and Internal data will only be transferred to external parties if the owner of the data explicitly approves its transfer. For GDPR and most compliance-related data, the owner is the creator of the data;
  • For all transfers of personal information, the owner of the sensitive information must provide his/her consent;
  • Data must be encrypted during transfer. Best practices include a standard of AES 256-bit encryption, although other levels may be appropriate. Most of the time, this can be achieved using encrypted ZIP files;
  • The key or password to the encrypted data must be transferred out of band; that is, it cannot be transferred using the same mechanism as the data. For instance, if the data is sent via e-mail, the key must be exchanged via phone or SMS;
  • The Sender has the responsibility to assess risks in what they are intending to do and ensure that all associated risks are adequately understood and covered, and that the transfer is properly authorized;
  • Your organization's staff shall not assume that because someone asks for information they are authorized or legally entitled to have it. If in doubt, staff shall check with their Manager;
  • For all transfers of personal information, the identity and authorization of the recipient must be appropriately authenticated by the sender;
  • Any unauthorized release of confidential information can leave your organization staff open to legal sanction or litigation;
  • Personal e-mail accounts (e.g. Gmail, Yahoo, Hotmail accounts) must not be used for transferring Confidential and Internal Data;
  • Any removable devices used for information transfer should be scanned for viruses and malware.

Approved Communication and Transmission Channels:

  • E-mail transfers and communications – Outlook/Exchange Online service;
  • Transfers of data on removable media (USB, CD, DVD, HDD, etc.);
  • Remote Desktop Access Software (WebEx, TeamViewer, etc.);
  • Virtual Private Networks (contractors, customers);
  • Instant Messaging or SMS Systems (Teams, Zoom, Google Meet, Skype);
  • Postal / Courier services;
  • Faxes and eFax.

Media Disposal

Due to technological advancements, simple deletion or formatting does not provide enough protection of Protected and Confidential data. Deleted files usually will remain on the media for long periods, and many software tools are now available to recover such data. Many state and federal regulations may also require the removal of information from electronic media to be made securely.

Warning: Once destroyed in the manner described below, files cannot be recovered. Your organization is not responsible for unwanted effects the use of this procedure or software may cause. Do not use the methods described below unless you are certain the data will no longer be needed.

Disposal Methods

  1. Overwriting: as the name implies, overwriting uses a program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located. The number of times the media is overwritten depends on the level of sensitive information. Overwriting can be done for single files/folders, or it can be performed on entire disks or media devices.

  2. Degaussing: magnetically erases data from magnetic media. Two types of degaussing exist: strong magnets and electric degaussers. Note that common magnets (e.g., those used to hang a picture on a wall) are fairly weak and cannot effectively degauss magnetic media.

  3. Destruction (physical): destruction can be as simple as unraveling and cutting up disks, or putting entire drives through a shredder. It is usually a much quicker process than overwriting data, and when done properly just as effective.

  4. Hiring a 3rd Party: due to the time investment required to process the media, it may be advantageous to hire a 3rd Party record management and destruction company to perform the media wipe. If that's the case, the vendor must provide:

    • a written statement explaining the procedure;
    • a time estimate for how long the media will be stored awaiting processing;
    • a statement assuming responsibility for the confidentiality of the data while in their possession.
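Disposal method 1 above, overwriting, is the one an administrator can carry out in software. The following Go program is an added example for this page, not part of the policy or of any Cyscale product; it overwrites a single file in place with random data for a chosen number of passes, forces each pass to disk, and only then unlinks the file, which is the order that matters (deleting first leaves the content on the media, as the Media Disposal text explains). The file name, pass count and sample content are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
)

// Overwrite replaces every byte of the file at path with fresh random data,
// `passes` times, syncing to disk after each pass. It does not delete the file.
func Overwrite(path string, passes int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for done := int64(0); done < size; {
			n := int64(len(buf))
			if size-done < n {
				n = size - done
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			done += n
		}
		// Without Sync the pass may sit in the page cache and never reach the media.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// OverwriteAndRemove runs Overwrite and then unlinks the file, in that order.
func OverwriteAndRemove(path string, passes int) error {
	if err := Overwrite(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample file standing in for a document scheduled for disposal.
	f, err := os.CreateTemp("", "disposal-*.txt")
	if err != nil {
		panic(err)
	}
	f.WriteString("constructed sensitive content")
	f.Close()
	if err := OverwriteAndRemove(f.Name(), 3); err != nil {
		panic(err)
	}
	fmt.Println("overwritten and removed:", f.Name())
}
```

Two caveats a practitioner would add to the policy's description. In-place overwriting is only meaningful where the filesystem writes back to the same physical blocks; on SSDs and other flash media, and on journaling, copy-on-write or snapshotting filesystems, earlier copies of the content can survive an overwrite, so those media need the drive's own sanitize or secure-erase function, whole-device overwriting, or the physical destruction listed above. And the pass count is a policy decision, as the text says: for modern magnetic drives a single full pass is generally accepted as sufficient, so the number chosen should be recorded alongside the disposal certificate rather than left to the operator.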

Query logic

These are the stored checks tied to this policy.

No stored query bodies are attached to this entry.

© 2026 Cyscale Limited