Purpose
The purpose of the Centerspace Mobile Device Security Policy is to protect information assets in order to safeguard our intellectual property and reputation. This document outlines a set of practices and requirements for the safe use of all mobile devices when accessing the company network and is intended to protect the security and integrity of Centerspace data and technology infrastructure. Centerspace reserves the right to restrict the use of mobile devices if users do not abide by the policies and procedures outlined below.
Audience
The Centerspace Mobile Device Security Policy applies to all mobile devices, whether owned by Centerspace or owned by team members, which have access to company networks, data and systems, including corporate IT-managed laptops. This includes smartphones and tablet computers. Limited exceptions to the policy may occur where there is a business need; however, a risk assessment must be conducted by management and written approval provided in advance.
To connect mobile devices to the company network, team members must agree to the terms and conditions set forth in this policy and install required software onto their mobile devices.
User Responsibility
User agrees to a general code of conduct that recognizes the need to protect confidential data that is stored on, or accessed using, a mobile device. This code of conduct includes but is not limited to:
Doing what is necessary to ensure the adequate physical security of the device. Appropriate measures include (but are not limited to):
Ensuring devices are not left unattended in public places on or off Centerspace property.
Securing devices that contain sensitive information by using cable locks or locking devices up in drawers or cabinets.
When transported by car, devices should be stowed in the trunk or some other area where they will not be easily seen or attract attention.
When traveling by air or train, the device should never become checked baggage and should always be kept as carry-on luggage.
During hotel stays, devices should not be left unsecured in the room. If the user cannot take the device with them when leaving the hotel, it should be secured with a cable lock or left in the hotel safe.
Doing what is necessary to ensure adequate network security of the device. Appropriate measures include (but are not limited to):
If network connectivity is required during hotel stays, the user should opt for a wired connection if one is available.
When used away from Centerspace facilities, wireless and Bluetooth should be turned off whenever possible to reduce the likelihood of unauthorized access.
Public Wi-Fi hotspots should be avoided if possible. Great caution should be used when connecting to non-Centerspace operated networks.
Maintaining the software configuration of the device – both the operating system and the applications installed.
Preventing the storage of sensitive company data in unapproved applications on the device.
Ensuring the device’s security controls are not subverted via hacks, jailbreaks, security software changes and/or security setting changes.
Following guidelines laid out in the Centerspace Acceptable Use Policy.
Reporting a lost or stolen device immediately.
Personally-Owned Devices
Personal smartphones and tablet devices are not centrally managed by the IT Department. For this reason, a support need or issue related to a personally owned device is the responsibility of the device owner. Specifically, the user is responsible for:
Settling any service or billing disputes with the carrier.
Purchasing any required software not provided by the manufacturer or wireless carrier.
Device registration with the vendor and/or service provider.
Maintaining any necessary warranty information.
Battery replacement due to failure or loss of ability to hold a charge.
Backing up all data, settings, media, and applications.
Installation of software updates/patches.
Device Registration with Centerspace IT Services.
Loss of or damage to the device.
Company-Owned Devices
Company-owned smartphone and tablet devices are centrally managed by Centerspace IT Services. Specifically, the user is responsible for:
Installation of software updates.
Reporting a lost or stolen device immediately.
Centerspace IT Services Support Responsibility
The following services related to the use of a personal smartphone or tablet are provided by Centerspace IT:
Enabling the device to access the web-based interface of the email system. This is a default capability. Personal device registration is not required.
Enabling the device to access the web-based application system. This is a default capability. Personal device registration is not required.
Email, Calendar and Contact Sync service configuration. Personal device registration is required.
Devices not compliant with secure configuration standards will be unsubscribed from Mobile Device services.
Access Registration Requirement
To comply with this policy the mobile device user must agree to:
Device reset and data deletion rules as defined below.
Installation of a Mobile Device Management solution on the device (provided by Centerspace IT).
Acceptance of Centerspace Mobile Device Security Policy (this policy).
Security Policy Requirements
The user is responsible for securing their device to prevent sensitive data from being lost or compromised and to prevent viruses from being spread. Removal of security controls is prohibited.
The user is forbidden from copying sensitive data from email, calendar, and contact applications to other applications on the device or to an unregistered personally owned device.
Security and configuration requirements:
Employ an active form of access protection such as a passcode, passphrase, facial recognition, or fingerprint.
Sensitive data will not be sent from the mobile device.
The device operating system software will be kept current.
The data on the device will be removed after 10 failed logon attempts.
The device will be configured to segregate company data from personal data.
User agrees to random spot checks of device configuration to ensure compliance with all applicable corporate information security policies.
Loss, Theft, or Compromise
If the device is lost or stolen, or if it is believed to have been compromised in some way, the incident must be reported immediately by contacting the IT Department or a member of the user’s management team.
Company’s Right to Monitor and Protect
The Company has the right to, at will:
Monitor company messaging systems and data including data residing on the user’s mobile device.
Remotely modify the registered mobile device configuration, including remote wipe or reset to factory default.
Device Reset and Data Deletion
Device user understands and accepts that the Company data on the device will be removed remotely under the following circumstances:
Device is lost, stolen or believed to be compromised.
Device is found to be non-compliant with this policy.
Device inspection is not granted in accordance with this policy.
Device belongs to a user that no longer has a working relationship with Centerspace.
User decides to un-enroll from the Mobile Device Policy and Management solution.
Enforcement
Team members found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
Also found in the Centerspace Team Member Handbook & Policy Manual.