Mobile Device Acceptable Use and Security Policy

This policy applies to all employees and contractors of Commit Works. This policy establishes the criteria governing the authorized use of personal or Commit Works owned smartphone and tablet (mobile) devices where the owner has established access to the Commit Works’ Systems enabling them to send and receive work-related e­mail messages and conduct other Commit Works business.

This document is effective from 10/07/17.

Policy Statement

Employees may use approved personally owned and Commit Works owned mobile devices to access the Commit Works messaging system and the approved Commit Works wireless network as necessary in the course of their normal business routines in support of the Commit Works' published goals and objectives.

User Responsibility

General

User agrees to a general code of conduct that recognizes the need to protect confidential data that is stored on, or accessed using a mobile device. This code of conduct includes but is not limited to:

• Doing what is necessary to ensure the adequate physical security of the device
• Maintaining the software configuration of the device – both the operating system and the applications installed.
• Preventing the storage of sensitive Commit Works data in unapproved applications on the device.
• Ensuring the device’s security controls are not subverted via hacks, jailbreaks, security software changes and/or security setting changes
• Reporting a lost or stolen device immediately

Personally Owned Devices

The personal smartphone and tablet devices are not centrally managed by Commit Works IT Services. For this reason, a support need or issue related to a personally owned device is the responsibility of the device owner. Specifically, the user is responsible for:

• Settling any service or billing disputes with the carrier
• Purchasing any required software not provided by the manufacturer or wireless carrier
• Device registration with the vendor and/or service provider
• Maintaining any necessary warranty information
• Battery replacement due to failure or loss of ability to hold a charge
• Backing up all data, settings, media, and applications
• Installation of software updates/patches
• Device Registration with Commit Works IT Services

Commit Works Owned Devices

Commit Works owned smartphone and tablet devices are centrally managed by Commit Works IT. Specifically, the user is responsible for:

• Installation of software updates
• Reporting lost or stolen device immediately

Commit Works IT Services Support Responsibility

The following services related to the use of a personal smartphone or tablet are provided by Commit Works IT Services:

• Enabling the device to access the web-based interface of the email system. This is a default capability. Personal device registration is not required.
• Enabling the device to access the web-based application system. This is a default capability. Personal device registration is not required.
• Email, Calendar and Contact Sync service configuration. Personal device registration is required.
• Wi-Fi Internet Access configuration. This service is limited to the facility. Personal device registration is required. Personal email will not sync when connected to the Commit Works network.
• Devices not compliant with secure configuration standards will be unsubscribed from Mobile Device services.

Access Registration Requirement

To comply with this policy the mobile device user must agree to:

• Register the device via Commit Works place.
• Device reset and data deletion rules below.
• Device must be encrypted or user must purchase software to ensure data on the device is encrypted.
• Installation of Mobile Device Management solution on the device (provided by Commit Works IT Services).
• Acceptance of Commit Works Mobile Device Acceptable Use and Security Policy (this policy).

Security Policy Requirements

The user is responsible for securing their device to prevent sensitive data from being lost or compromised and to prevent viruses from being spread. Removal of security controls is prohibited.

The user is forbidden from copying sensitive data from email, calendar and contact applications to other applications on the device or to an unregistered personally owned device.

Security and configuration requirements:

• Sensitive data will not be sent from the mobile device. Encrypted email services will be utilized in such cases.
• The device operating system software will be kept current.
• The data on the device will be removed after 10 failed login attempts.
• The device will be configured to encrypt the content.
• The device will be configured to segregate Commit Works data from personal data.
• User agrees to random spot checks of device configuration to ensure compliance with all applicable Commit Works information security policy.

Wi-Fi Access to Commit Works Network

Users who connect to the Commit Works Wi-Fi network with a personally owned device will be allowed access to Commit Works systems and resources available via the Internet.

Loss, Theft or Compromise

If the device is lost or stolen, or if it is believed to have been compromised in some way, the incident must be reported immediately by contacting the Chief Technology Officer.

Commit Works’ Right to Monitor and Protect

Commit Works has the right to, at will:

• Monitor Commit Works messaging systems and data including data residing on the user’s mobile device
• Modify, including remote wipe or reset to factory default, the registered mobile device configuration remotely

Device Reset and Data Deletion

Device user understands and accepts Commit Works data on the device will be removed remotely under the following circumstances:

• Device is lost, stolen or believed to be compromised
• Device is found to be non-compliant with this policy
• Device inspection is not granted in accordance with this policy
• Device belongs to a user that no longer has a working relationship with the Commit Works.
  Note: the "selective" wipe capability is available for IOS-based devices only. BlackBerry OS-based devices will be reset to the factory default.
• User decides to un-enroll from the Mobile Device Policy and Management solution

Enforcement

Any user found to have violated this policy may be subject to disciplinary action, including but not limited to:

• Account suspension
• Revocation of device access to the Commit Works System
• Data removal from the device
• Employee termination

Data Segregation on mobile devices

Commit Works data must be kept separate from personal data

Approved Technology

All wireless LAN access provisioned to the Commit Works Network must use Commit Works-approved vendor products and security configurations. Commit Works owned assets, and those explicitly allowed per the Mobile Device Policy, are the only devices that can be approved and authorized for use on the Commit Works Network.

Home-based wireless networks are not supported by the Commit Works. If a home-based wireless network is encrypted using WPA or later Commit Works equipment may be configured for access to the network.

Secure Configuration Policy

Supported Devices

The following devices are supported by Commit Works:

• Samsung IOS based smartphone and tablet devices.
• Apple IOS based smartphone and tablet and iTouch devices.
• Android-based smartphone and tablet devices

Un-tethered Jailbreak Risk

Risk and Compensating Control: To address the risk of an un-intentional jailbreak resulting in data compromise no version of the IOS known to be susceptible to a non-tethered jailbreak exploitation will be allowed to remain subscribed to the Commit Works Mobile Media services.

Android Risk Information

The Android’s biggest iPhone differentiator is its openness. The Android operating system is more customizable; its application model more open and its app distribution approach is much less restrictive (including a lower approval bar in the Android Market while also allowing apps to be proliferated outside of the market). That freedom opens the door to potential and actual security problems.

Mobile Device Application Development

This policy does NOT address application development or deployment of custom-built applications to a mobile device.

Information Security Controls Policy

The mass-adoption of both consumer and Commit Works owned mobile devices has increased employee productivity but has also exposed the Commit Works to new security risks. Current control technologies may be insufficient to protect the enterprise assets that regularly find their way onto devices. Complicating the security picture is the fact that virtually all of today’s mobile devices operate in an ecosystem, much of it not controlled by the Commit Works. Devices connect and synchronize out-of-the-box with third-party cloud services and computers whose security posture is potentially unknown and outside of Commit Works’ control.

Control Risks

While the decision to allow employees to use mobile and personal devices, to improve productivity and work efficiency, the Commit Works is doing so ever-aware of the risks outlined below:

1. Sensitive Data Exposure
   As employees use more and different mobile devices in various settings, they are more likely to lose those devices or have them stolen.
2. Malware
   Introducing malware to the Commit Works network. It is already difficult to maintain network security with standardized devices via controlled access. For this reason, the Commit Works has screened the multitude of non-standardized devices end-users might wish to connect to the Commit Works network and selected solutions that enable both flexibility and essential controls.
3. Co-Mingling Commit Works and Personal Data
   Greater need to control network access and ensure data privacy. When employees leave an organization, or they lose a mobile device, The Commit Works needs to quickly terminate network access and restrict access to Commit Works data residing on the device.
4. Commit Works Data Segmentation and Encryption
   Commit Works data must be protected and segmented at all times from the employee's personal data stored on the device.

Initial Service Control Features and Policy

Essential Access Controls

The essential basic access controls are supported:

• Password Strength
• Inactive Device Lockout
• Encryption
• Remote Data Removal

Email

Native Email Sync Enabled: Users enjoy the native email application experience. Allowing mobile devices to access Commit Works email systems through the native application is ideal because the native application is designed for the mobile device form factor. Forcing someone to read email using a web-based interface falls short of the user’s expectation. Some security solutions require using web-based access to email or a second non-native email application. The Commit Works policy enables the use of the native email application giving the user the rich functionality they expect.

Risk: Native mobile email applications allow unintentional and malicious movement of email to and from the Commit Works BPOS account and any personal email accounts.

Compensating Control: The problem of data leakage between email accounts on the device is mitigated by the Mobile Device Management (MDM) system. MDM policy will prevent moving email directly between accounts.

The Secure Email feature is not supported on mobile devices. Initial and Annual communications of acceptable use must be communicated to the service user base

Web Filtering – Limited Support

Web filtering services are available on a mobile device at this time only if the device is accessing the Internet via the Commit Works Wi-Fi network.

WiFi Access to Internal Resources - Limited

Qualified personal devices are allowed to leverage the Commit Works network to access Internet-based services

Access to the Commit Works' Wi-Fi network has been configured to enable a mobile device (Commit Works owned or personal) to connect, in a logically segregated and secured way (controlled) way, to the Commit Works Commit Works network. Only Commit Works resources already available via the Internet are accessible.

Personal e-mail access on any Commit Works Wi-Fi network is not supported

Mobile Device Management

Mobile Device Management (MDM) solutions are the foundation of a secure mobile device deployment as MDM makes configuration control possible.

Risk: MDM solutions are not necessarily security-centric and do not typically cover all the security fundamentals. The MDM tools reality is that most Mobile Device Management solutions provide a set of capabilities that address only some of the security problems presented by Mobile Devices.

Compensating Control: The essential MDM use cases such as enforcing a passcode, encryption of stored data and wiping a device if it gets lost—are being fulfilled by the MDM vendor selected by the Commit Works.

Commit Works and personal data separation

Commit Works data will be kept separate from personal data.

User Awareness of Their Responsibilities

All authorized mobile device users will be reminded every six months of their responsibilities.

About Personal Data Access

• Can Commit Works monitor or observe the data?
  NO, we have the ability to monitor encryption, security controls, installed applications, app distribution, MDM profiles, Device Jailbroken, but not data –with exception of Commit Works configured (email, calendar, contacts).
• Is this access limited to deletion only?
  YES, all Commit Works configured data is removed once un-enrolled from MDM or reset to factory default.(this excludes any data manually moved to other applications on the device by the user).

Compliance and Reporting

The security solution must be able to report what controls policy has been deployed, that a device is not "rooted" or "Jailbroken" and that policy controls applied are in still in place.

Thinking of a mobile device as if it were a laptop or a personal computer also requires one to know if the SD card is encrypted, or if any anti-malware controls are current and running or if someone is accessing illicit web content. The selected controls to enforce security policies on mobile devices must meet these requirements if the Commit Works is to maintain the current information security posture.

Detection and Prevention of Data Leaks

Data seeping or leaking from/to personally owned devices remains a realm of control concern. This is true for MDM solutions including the solution selected by the Commit Works. It is possible, even with the selected control software in place, to experience data and malware leakage to and from mobile devices through the native email client. This means email and attachments containing sensitive data (PII, M&A futures, Medical claims dialogue, etc.) can move from a Commit Works managed system to a non-Commit Works system easily and intuitively. This exfiltration/infiltration of data can be unintentional or malicious.

Native email applications make it simple to file an email from a Commit Works email account to a personal Yahoo or Gmail account and vice versa. There are no native controls in place to prevent this. In fact, the email application is designed to enable this to make management of multiple email accounts easier for the mobile device user.

The problem of data leakage between email accounts on the device is mitigated by the Mobile Device Management (MDM) system. MDM policy will prevent moving email directly between accounts.

Patch Management

Security patching is fundamental in the Desktop and Server Management spaces and is required in order to close vulnerabilities as they are discovered and before they are exploited. Some relief comes from the OS vendors who are supposed to keep your device current. The vendor selected by the Commit Works has a way to patch a device, to resolve vulnerability quickly and ensure these devices remain compliant with Commit Works security patch management policy.

Archival of Text Messages - Limited

Commit Works requirements dictate archiving of all emails and SMS messages sent from a device used to conduct Commit Works business. This capability is simply not in place. The deployment team will address the need for users to be educated about the appropriate use of texting apps. It is assumed that mobile device controls will be enhanced to address this problem when the technical means to do so is viable. Update: This capability is simply not in place for SMS messages but is in place for all e-mail through our standard archival system.

Malware Control

Inevitable malware threats remain a concern on all computing platforms. Mobile devices are not alone here. The Apple IOS provides a software quality ecosystem and “application sandboxing” to counter this threat to some extent.

• If an application in the Apple "App Store" is discovered to be malware, Apple has the ability to "kill" the application and remove it from the installed base. This is a significant deterrent to a would-be iPhone/iPad malware writer. What is the point of writing malware if the planet’s population of IOS devices can be cleaned off it in the span of 24 hours once discovered?
• The Apple IOS also employs a concept known as "application sandboxing" which makes it impossible for one application to invade the domain of another.

Policy Management - Limited

Capabilities in the Policy Management realm are lacklustre for mobile devices in general. It is a plus that Apple IOS limits what can be done between applications (as mentioned in the Malware section above). A comparative few (approximately 20) policy control points exist for ActiveSync (among which few are actually considered useful) on mobile devices. Comparatively, there is a myriad of policy attributes and actions that can be applied to a Laptop device or to a BlackBerry device. It is assumed that mobile device controls will be enhanced to address this problem when the technical means to do so is viable.