The purpose of this document is to define how Resolver will retain control over its information assets while they are being accessed through devices that are not owned by the organization.
This document applies to all personally owned devices that can store, transfer, or process any sensitive information from the Information Security Management System (ISMS) scope. These devices include laptops, smartphones, tablets, USB memory sticks, digital cameras, etc. Such devices will be referred to as BYOD in this Policy.
Users of this document are all Resolver employees.
The rules in this Policy apply to all BYOD, whether they are used for work or for private use, and whether they are used within or outside of the organization’s premises.
Resolver supports the widespread use of BYOD for work use – i.e. using such devices for performing work for the company.
The company data that is stored, transferred, or processed on BYOD remains under the company’s ownership, and the company retains the right to control such data even though it is not the owner of the device.
Resolver’s IT department will manage and enforce the minimum requirements for BYOD through Office 365 Mobile Device Management Security Policy (smartphones).
The minimum requirements are subject to change at any time depending on organizational needs and an evolving security landscape.
All BYOD devices are allowed to connect to the Resolver Guest networks ONLY.
All Resolver employees are permitted to use their own devices for e-mail, Slack, Asana, Salesforce, Concur, Zoom, Box, and Bamboo.
BYOD owners are prohibited from installing applications from non-trusted sources (sources outside of the App Store, Google Play, or the Microsoft Store).
Rooted or Jailbroken devices are not allowed to be used as BYODs hosting Resolver content.
For each BYOD, the following conditions are mandatory:
The following actions are prohibited with BYOD:
Resolver has the right to view, edit, and delete all company data that is stored, transferred, or processed on BYOD.
Resolver has the right to perform full deletion of all data on BYOD without the consent of the device owner if it is deemed necessary for the protection of company information.
All security breaches and lost or stolen BYOD must be reported immediately to the IT department and Information Security Department by phone, Slack, and e-mail: email@example.com. Further, all weaknesses that have not yet become incidents must be reported through the same channels within 1 business day.
The Information Security Analyst will oversee training new and existing employees on the appropriate use of BYOD, as well as raising awareness about the most common threats.
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Any exceptions to this policy can only be granted in accordance with the company CISO’s or Resolver’s Information Security Department’s written approval.
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: At least annually and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.