The objective of this policy is to define standards, procedures, and restrictions for end users who are connecting a personally-owned device to Company’s organizational network for business purposes. This device policy applies to, but is not limited to, all devices and accompanying media (e.g. USB thumb drives and external hard drives) that fit the following classifications:
The policy applies to any hardware and related software that is not organizationally owned or supplied, but could be used to access organizational resources. That is, it covers devices that employees have acquired for personal use but also wish to use in the business environment.
The overriding goal of this policy is to protect the integrity of the confidential client and business data that resides within Company’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a device or carried over an insecure network where it could potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing a personally-owned device connected to Company’s organizational network, and/or capable of backing up, storing, or otherwise accessing organizational data of any type, must adhere to company-defined processes for doing so.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. INTRODUCTION TO POLICY
4. APPROPRIATE USE
5. POLICY STATEMENTS
5.2 SECURITY CONTROLS
6. ACCESS CONTROL
8. ORGANIZATIONAL PROTOCOL
10. FINAL CONSIDERATIONS
10.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
10.2 DOCUMENT REVISION
11. APPENDIX A: FACTORS TO BE CONSIDERED FOR CHOOSING BYOD
12. APPENDIX C: RISK ASSESSMENT
The Clean Desk Procedure was developed by the Company in order to protect classified information, company's goods and employees’ personal goods, as well as to reduce the risk of fire, incidental floods or any other damaging events.
The Company has adopted an Information Risk Management Policy (“Policy”) to describe rules and expectations for both itself and all its direct and indirect subsidiaries countrywide.