Unmanaged Device Policy
Ported from policies/Core 12 Security Policy - Unmanaged Device Management.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Device Requirements
- Devices must be protected with a password required at the time the device is powered on.
- All data stored on devices must be encrypted.
- Devices will NOT ever be connected to unsecured network connections without an approved VPN connection being used.
- Unattended computing devices must be physically secured.
- Devices must have location services enabled and the ability to be locked and wiped, so they are unusable until recovered or destroyed. Note: All managed devices must have approved MDM software installed. Unmanaged devices can use the Core 12, LLC provided MDM, or services offered by their device manufacturer.
- Operating system and application patches should be installed within 30 days of release, unless the ISO has issued an exception.
- Devices must not be "rooted" or have unauthorized software/firmware installed.
- Devices must be wiped / erased before changing ownership or being discarded.
User Guidelines
- Users must immediately report any lost or stolen devices.
- Unauthorized access to a device or Core 12, LLC information assets must be immediately reported.
- Users must not load illegal content or pirated software onto any device.
- Users must use Core 12, LLC approved systems and software when sending, storing, or receiving Core 12, LLC data.
Core 12, LLC Responsibility
- Annual security training is provided to users of unmanaged devices. The content and form of that training will be decided by Core 12, LLC. Periodic security reminders may be used to reinforce unmanaged device security procedures.
Audit Controls and Management
- Security policies regarding unmanaged devices are reviewed annually and when updated.
- Processes and procedures for staff use of unmanaged devices are readily available.