A.6.1 Resolver Bring Your Own Device (BYOD) Policy

1. Purpose, scope, and users

The purpose of this document is to define how Resolver will retain control over its information assets while they are being accessed through devices that are not owned by the organization.

This document applies to all personally owned devices that can store, transfer, or process any sensitive information from the Information Security Management System (ISMS) scope. These devices include laptops, smartphones, tablets, USB memory sticks, digital cameras, etc. Such devices will be referred to as BYOD in this Policy.

Users of this document are all Resolver employees.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.6.2.1, A.6.2.2, A.13.2.1

3. Security rules for using BYOD

The rules in this Policy apply to all BYOD, whether they are used for work, or for private use, or whether they are used within or outside of the organization’s premises.

3.1. Company policy

Resolver supports the widespread use of BYOD for work, i.e. using such devices to perform work for the company.

The company data that is stored, transferred, or processed on BYOD remains under the company’s ownership, and the company retains the right to control such data even though it is not the owner of the device.

3.2. Minimum requirements

Resolver’s IT department will manage and enforce the minimum requirements for BYOD through the Office 365 Mobile Device Management security policy (for smartphones).

The minimum requirements are subject to change at any time depending on organizational needs and an evolving security landscape.

3.3. BYOD connection to Resolver networks

All BYOD devices are permitted to connect to the Resolver Guest networks ONLY.

3.4. BYOD apps and information types

All Resolver employees are permitted to use their own devices for e-mail, Slack, Asana, Salesforce, Concur, Zoom, Box, and Bamboo.

BYOD owners are prohibited from installing applications from non-trusted sources (sources outside of the App Store, Google Play, or the Microsoft Store).

3.5. BYOD types

Rooted or Jailbroken devices are not allowed to be used as BYODs hosting Resolver content.

3.6. Acceptable BYOD use

For each BYOD, the following conditions are mandatory:

  • Anti-virus software must be installed on the device; Resolver recommends Sophos, Avast, or McAfee.
  • Full device encryption must be enabled.
  • A screen lock must be enabled and the password should be at least 6 characters.
  • When using a BYOD outside of the company premises, it must not be left unattended and, if possible, should be physically locked away.
  • When using BYOD in public places, the owner must take care that data cannot be read by unauthorized persons.
  • Patches and updates must be installed regularly.
  • Confidential information must be additionally protected according to the [Information Classification Policy].
  • Users must notify the IT and Information Security department before a BYOD is disposed of, sold, or given to a third party for servicing and maintenance activities.

The following actions are prohibited with BYOD:

  • Giving access to anyone except the employee who is the owner of the device.
  • Installing applications from non-trusted sources.
  • Storing illegal materials on the device.
  • Installing unlicensed software on the device.
  • Locally storing passwords, except when using the following applications: 1Password, OnePass.
  • Locally storing information classified as Confidential or Customer Confidential; for more information, refer to “A.8.2 Resolver Corporate Data Handling Policy.”
  • Transferring company data to other devices that are not allowed.

3.7. Special rights

Resolver has the right to view, edit, and delete all company data that is stored, transferred, or processed on BYOD.

Resolver has the right to perform full deletion of all data on BYOD without the consent of the device owner if it is deemed necessary for the protection of company information.

3.8. Security breaches and incident reporting

All security breaches and lost or stolen BYOD must be reported immediately to the IT department and the Information Security Department by phone, Slack, and e-mail (infosec@resolver.com). Further, all weaknesses that have not yet become incidents must be reported through the same channels within 1 business day.

3.9. Training and awareness

The Information Security Analyst will oversee the training of new and existing employees on the appropriate use of BYOD, as well as raising awareness of the most common threats.

4. Non-Conformance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5. Exceptions

Any exceptions to this policy can only be granted with the written approval of the company CISO or Resolver’s Information Security Department.

6. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.
  • The number of corrective actions taken due to an inadequately defined ISMS scope.
  • Time put in by employees implementing the ISMS to resolve dilemmas concerning the unclear scope.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.