Bring your own device (BYOD) usage policy
PURPOSE
The purpose of this document is to define the procedures that the IT department has adopted to ensure that BYOD devices are compliant with company security policies.
PROCEDURE
Concepta Diagnostics grants its employees the right to use their own IT equipment with written approval by senior management. Concepta Diagnostics reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below.
This policy is intended to protect the security and integrity of Company data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.
Employees must agree to the terms and conditions set forth in this policy in order to connect their devices to the company network. Failure to agree may result in the employee's device being restricted from Concepta resources.
Acceptable Use
- The company defines acceptable business use as activities that directly or indirectly support the business.
- The company defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading or game playing.
- Employees are blocked from accessing certain websites during work hours/while connected to the corporate network at the discretion of the company.
- Devices’ camera and/or video capabilities are/are not disabled while on-site.
Devices may not be used at any time to:
- Store or transmit illicit materials
- Store or transmit proprietary information belonging to another company
- Harass others
- Engage in outside business activities not agreed with the company
- Any activity that breaches any other company policy
- The following apps are allowed: Microsoft Office application suite (including Word, Excel, PowerPoint, Outlook, Skype, Internet Explorer, Teams, Visio, Project)
- The following apps are not allowed: unlicensed products, or end-of-life products that no longer receive vendor support.
Devices and Support
- Desktops, laptops, smartphones and tablets running Windows, macOS, iOS or Android are allowed, provided the operating system is still officially supported by the vendor and current security updates are available and applied
- Connectivity issues are supported by IT; for operating system or hardware-related issues on employee-owned hardware, employees should contact the device manufacturer or their carrier
- Company IT will only give limited support for privately owned devices, restricted to company-provided software and applications.
Security
- In order to prevent unauthorised access, devices must be password protected using the features of the device, and a strong password is required to access the company network
- Passwords must be at least eight (8) characters and a combination of upper- and lower-case letters, numbers and symbols. A password of twelve (12) characters is recommended. Passwords will be rotated every 90 days and the new password must not be one of the five (5) previous passwords
- The device must lock itself with a password or PIN if it is idle for 10 minutes
- After five failed login attempts, the device will automatically lock out for a minimum of 30 minutes or until a password reset. Contact IT for additional support
- Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network
- Unlicensed software is strictly prohibited
- Employees are prevented from using any app that does not appear on the company’s list of approved apps for accessing organisational data
- Employees’ access to company data is limited based on user profiles defined by IT and automatically enforced.
Risks/Liabilities/Disclaimers
- The company reserves the right to disconnect devices or disable services without notification
- Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device
- The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy
- The employee is personally liable for all costs associated with his or her device
- The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable
- The Company reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy.
Responsibilities of the owner of the BYOD device
- The device is kept up to date with supported operating system security updates, applied within 14 days of release
- All applications are licensed, currently supported, up to date and continue to receive security updates. Application updates are to be applied within 14 days of release
- The device is secured with a password that meets the company's password policy
- The device has an up-to-date anti-virus package and its updates are applied
- The device is running a software firewall (this can be part of the anti-virus package)
- The device is encrypted.
Onboarding procedure
Privately owned devices meeting the following requirements can access organisational data including E-Mails. If devices do not meet these requirements then they cannot be used to access organisational data.
Windows Desktop or Laptop / Apple Mac Laptop or Desktop
- The device is using a supported operating system (version, patch level and license). At the time of writing this is: Windows 10 version 21H2 (build 19044) or above, Windows 11, or macOS 12 (Monterey)
- All updates are being automatically applied within 14 days
- The device requires a password to log on
- The device has a screensaver enabled, with a timeout of no more than 10 minutes
- The device has hard-drive encryption enabled
- The device is running active and current Anti-virus
- The device has a software firewall installed.
Evidence for Onboarding procedure for Desktops and Laptops
Screenshot of Windows or Mac system info page showing OS version
Screenshot showing all Windows Updates or Mac updates have been applied
Screenshot of user logon screen requesting password
Screenshot of enabled screen saver and time out period settings
Screenshot of hard-drive encryption enabled
Screenshot of antivirus product showing updates are current
Screenshot of enabled firewall settings.
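As an added illustration that is not part of the policy document, the following PowerShell script checks a Windows device against the desktop/laptop requirements above and prints a pass/fail table that can accompany the screenshots. It assumes Microsoft Defender is the anti-virus and BitLocker provides the disk encryption (a third-party product needs its own check), that the logon account is a local account, and it should be run from an elevated prompt because the BitLocker and Windows Update queries need administrator rights. The 7-day signature-age limit is an assumption for the example; the policy itself only requires that anti-virus updates are applied.

```powershell
# Added example: self-check of the Windows onboarding requirements.
# Not part of the policy; run as Administrator. Assumes Microsoft Defender
# and BitLocker; third-party products need their own checks.
$MinBuild       = 19044   # Windows 10 21H2 (Windows 11 builds are 22000+)
$MaxIdleSeconds = 600     # 10-minute screensaver timeout
$MaxSigAgeDays  = 7       # assumption for the example, not a policy value

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Supported OS version, from the build number in the registry
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
Add-Result 'OS version' ($build -ge $MinBuild) "$($cv.ProductName) $($cv.DisplayVersion) build $build"

# 2. Updates applied: no software updates pending in Windows Update
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count
    $lastFix  = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    Add-Result 'Updates applied' ($pending -eq 0) "pending=$pending, last hotfix installed $lastFix"
} catch {
    Add-Result 'Updates applied' $false "Windows Update query failed: $($_.Exception.Message)"
}

# 3. Password required for the current local account (domain and Microsoft
#    accounts are governed centrally and show as a fail here)
$acct = Get-CimInstance Win32_UserAccount -Filter "Name='$env:USERNAME' AND LocalAccount=TRUE"
Add-Result 'Password required' ([bool]$acct.PasswordRequired) "PasswordRequired=$($acct.PasswordRequired)"

# 4. Screensaver enabled, password-protected, timeout no more than 10 minutes
#    (a Group Policy value under HKCU:\Software\Policies would override these)
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$ssOk = $desk.ScreenSaveActive -eq '1' -and $desk.ScreenSaverIsSecure -eq '1' -and
        $desk.ScreenSaveTimeOut -and [int]$desk.ScreenSaveTimeOut -le $MaxIdleSeconds
Add-Result 'Screensaver lock' $ssOk "active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeout=$($desk.ScreenSaveTimeOut)s"

# 5. Disk encryption on the system drive (BitLocker)
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Result 'Disk encryption' ($bl.ProtectionStatus -eq 'On') "BitLocker ProtectionStatus=$($bl.ProtectionStatus) VolumeStatus=$($bl.VolumeStatus)"
} catch {
    Add-Result 'Disk encryption' $false "BitLocker query failed: $($_.Exception.Message)"
}

# 6. Anti-virus active with recent signatures (Microsoft Defender)
$mp   = Get-MpComputerStatus
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
        ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days -le $MaxSigAgeDays
Add-Result 'Anti-virus' $avOk "enabled=$($mp.AntivirusEnabled) realtime=$($mp.RealTimeProtectionEnabled) signatures=$($mp.AntivirusSignatureLastUpdated)"

# 7. Software firewall enabled on every profile (Domain, Private, Public)
$fw   = Get-NetFirewallProfile
$fwOk = ($fw | Where-Object { $_.Enabled -ne 'True' } | Measure-Object).Count -eq 0
Add-Result 'Firewall' $fwOk (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Device does NOT meet the onboarding requirements'
    exit 1
}
'Device meets the onboarding requirements'
```

The script exits with a non-zero code when any check fails, so it can be used as a gate in a scripted onboarding flow; the Detail column carries the same values the screenshots are meant to evidence, so the table and the screenshots can be compared against each other.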
Mobile Phones and Tablets (Android or Apple)
- Running a supported OS on its latest released version; where a new version has been released, it must be installed within 14 days of release. For Apple devices only the latest iOS version is acceptable (iOS 15.2 at the time of writing). Android 9 and above
- The device itself needs to be supported by the vendor
- The device needs a PIN or password of at least 6 characters
- The device is not jailbroken (iOS) or rooted (Android) and must be restricted from installing unsigned applications
- Only approved applications are used for accessing organisational data
- Current Approved list: Microsoft Outlook and Microsoft OneDrive.
Evidence for Onboarding procedure for mobiles
- Screenshots of Operating System level
- Screenshots of password lock screen
- Screenshots from the Apple App Store or Google Play Store showing all application updates applied.
Offboarding procedure
If the employee wishes to stop using their own device to access company data, the offboarding procedure needs to be completed. It is the employee's responsibility to contact the company IT team to complete this procedure.
- Removal of company-owned software (e.g. Microsoft Office 365 licenses)
- Removal of any company data from local storage on the desktop, laptop, mobile phone or tablet
- Removal of any company data from removable storage such as USB sticks or external hard drives.