Personal Computing Device Policy Template

Personal Computing Device Policy
This Personal Computing Device Policy is designed to protect the confidentiality of any data stored on employee-owned mobile computing devices that are permitted to connect to {{company_name}}’s network, and to protect that network from being infected by any hostile software. It covers any employee-owned computing device brought into the organisation or connected to the organisation’s network using remote connection methods. This includes but is not limited to:
  • Laptop / Tablet Computer
  • Desktop Computer
  • Handheld / PDA / BlackBerry / Mobile Phone
  • Portable printer / scanner
  • Media – including floppy disks / CDs / DVDs / Memory sticks
The purpose of this Personal Computing Device Policy is to establish the operational parameters for using an employee-owned device on the {{company_name}} network and on {{company_name}}’s Clients’ networks.
The scope of this Personal Computing Device Policy includes all personnel who have or are responsible for any system that resides at any {{company_name}} and/or {{company_name}}’s Clients’ facility, has access to the {{company_name}} and/or {{company_name}}’s Clients’ network, or stores any non-public information.
Service Or Product Description
Users’ Responsibilities
Users must be aware that:
  • They must seek authority from the appropriate IT Director before using their personal computing devices for work-related activity and register the details with the Information Security Office (ISO) via their line manager.
  • They have personal responsibility for the equipment and all data/ information stored.
  • They must read and understand this policy and be aware of the requirements of the Acceptable Use Policy and Password Policy.
  • The loss of equipment, even personally owned computing devices, that may contain corporate information may lead to a breach of security and must be reported immediately to the Information Security Officer or the IT Service Desk.
  • The reporting of security breaches is an important task; no one is to consider a breach of security too small to be significant.
  • Should an item of equipment be lost, stolen or otherwise accessed by an unauthorised individual, a ‘Computer Loss Form’ from the Information Security Portal must be completed and submitted to the ISO.
  • They will be required to hand over their system to have corporate data wiped when they leave the Company.
Line Managers’ Responsibilities
Line Managers are to:
  • Validate the need for the user to use their personal computing device for work related activity.
  • Confirm and certify that each authorised computing device meets the Company’s computer security requirements, including software requirements, and that the user has read other related policy documents.
  • Obtain agreement from the user that the IS team are required to be an administrator on their machine.
Physical security
Many personal computing devices are prone to receiving rougher treatment than a desktop computer and are therefore more likely to be damaged or fail. Users must ensure that they take appropriate and responsible measures to safeguard equipment in their care. All personal computing devices must have a form of maintenance and/or warranty in place such that, should a device fail or be stolen, the individual will be able to return to productivity in short order.

Purpose-made carry cases must be used when transporting equipment. These must be checked regularly to ensure that breakage to straps etc. does not occur. Manufacturer’s instructions for protecting equipment must be observed at all times (e.g. protection against exposure to strong electromagnetic fields or extreme temperatures).

Personal computing devices must not be left unattended, particularly in public places, open offices or in an unattended car.

If your personal computing device includes removable disks that can hold data/information it is best practice to detach the two and transport them separately (e.g. equipment in carry case and disk in inside pocket of coat).
Software / Data Security
If you use a personal computing device in a public place, meeting room or other unprotected area, care must be taken to avoid unauthorised access or disclosure of information. Press Ctrl-Alt-Delete to lock the computing device.

Users must not keep passwords with their personal computing devices and all passwords on that device must comply with the password policy.

It should be noted that if any password is forgotten, the IT Department cannot provide any help or support.

Software running on personal computing devices will not be supported by the IT department except MS Office.

All USB devices and system drives used with a personal computing device must be fully encrypted. It is strongly recommended that all staff use only officially issued ‘Iron Keys’.

All staff using a personal computing device are required to fully patch and apply updates to their device (see table below) and to ensure that antivirus and anti-malware software are fully up to date and running. A personal firewall on the device is mandatory.
Software: Mandatory Interval For Patching
  • Operating systems: Within 5 days of patches being released
  • Applications: Within 10 days of patches being released
All personal computing devices must be logged with the Service Desk / Information Security Office and will be routinely checked for compliance against this policy. Any device found to be contravening this policy on 2 or more occasions will be permanently barred from the corporate network.
Remote Access
All remote access must be over a secure connection or through a secure Virtual Private Network (VPN). See the Remote Access and Remote Access Tools policies.
Compliance Measurement
The {{company_name}} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to the policy must be approved by the CEO in advance.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.