Mobile Device Usage Policy

Capital District Transportation Authority

CDTA IT Agreement 2016-002

V1.1 -- March 1, 2016

Purpose

The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business requirements to access CDTA corporate data from a mobile device. The context of the policy is based on the following statement: “For approved employees, the Enterprise purchases a device and service plan the employee wants. The employee can use the device any way they want but the organization controls the totality of rights to what it needs to do.” This philosophy promotes employee benefits:

·  The employee is allowed to choose the device that fits their productivity needs.

·  The employee has the choice to customize their device within legal and ethical limits

·  The device will be supported by the Information Technology Department

And company benefits:

·  There is a lower cost per device and data plan, resulting in a manageable budget

·  There is increased productivity of its employees

·  There is control of carrier, device preference and device management capabilities

Background

The overriding goal of this policy is to protect the integrity of the private and confidential employee and business data that resides within CDTA’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it can potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing a mobile device connected to an unmanaged network outside of CDTA’s direct control to backup, store, and otherwise access corporate data of any type must adhere to company-defined processes for doing so.

Policy

Applicability

This policy applies to all CDTA employees issued a mobile device who utilize it to access, store, back up, or relocate any organization or employee data. Such access to this confidential data is a privilege, not a right, and forms the basis of the trust CDTA has built with its customers, employees, vendors, and other third parties. Consequently, employment at CDTA does not automatically guarantee the initial and/or ongoing ability to use these devices to gain access to corporate networks and information.

Addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of CDTA’s Information Technology (IT) Department. Non-sanctioned use of mobile devices to back up, store, and otherwise access any enterprise-related data is strictly forbidden. Use of personal mobile devices to access corporate data or infrastructure is also forbidden.

Responsibilities

The Vice President of Technology and Facilities at CDTA has the overall responsibility for the confidentiality, integrity, and availability of corporate data. Under the direction of the Vice President of Technology and Facilities, other IT staff are responsible for following the procedures and policies within Information Technology and Information Systems.

The Information Technology Department determines, at its sole discretion, who shall be issued a CDTA-owned mobile device, and what device that will be. This decision is based on operating and capital costs, the nature of the work being done by the person making the request, and the recommendation of the Senior Staff member the requestor reports to.

All CDTA employees are responsible for acting in accordance with company policies and procedures. Employees learning of any violations of this policy shall notify the appropriate Department Head. CDTA-issued devices shall remain the property of CDTA, and shall be returned (with accessories) upon the conclusion of the user’s affiliation (employment, consultancy, or otherwise) with CDTA.

Affected Technology

This mobile device policy applies to, but is not limited to, devices running BlackBerry, Android and iOS operating systems. Connectivity of all mobile devices will be centrally managed by CDTA’s IT department and may utilize authentication measures.

Available models are at the discretion of the Information Technology Department staff, and will be based on carrier, pricing, and current generation technologies. Supported platforms are currently limited to (and are subject to change):

·  iPhone, iPad iOS

·  Android OS

Appropriate Use

It is the responsibility of any employee who uses a company-issued mobile device to access corporate resources to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here. It is imperative that any mobile device that is used to conduct CDTA business be utilized appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user’s account. Based on this, the following rules must be observed:

Access Control

1.  IT reserves the right to refuse the ability to connect mobile devices to corporate and corporate-connected infrastructure. IT will engage in such action if it feels such equipment is being used in such a way that puts the company’s systems, data, users, and/or clients at risk.

2.  Prior to initial use on the corporate network or related infrastructure, CDTA-issued devices will be registered with IT. CDTA will maintain a list of approved mobile devices and related software applications and utilities.

3.  All mobile devices attempting to connect to the corporate network through an unmanaged network (i.e. the Internet) may be inspected using technology centrally managed by CDTA’s IT department. Devices that have not been previously approved by IT, are not in compliance with IT’s security policies, or represent any threat to the corporate network or data may not be allowed to connect.

Security

4.  CDTA IT staff will make modifications and add software to any CDTA-issued mobile device including but not limited to: security software, whole device encryption, and remote erase capabilities. The following settings will be enforced on all mobile devices:

1.  Passcode to access device

2.  Device will lock out after 5 minutes of inactivity and enforce passcode

3.  Device will lock after 10 failed login attempts. After 10 failed attempts, activation of the lock feature will result in a complete erase of the device.

5.  Users of mobile devices must employ reasonable physical security measures. Users are expected to secure all mobile devices whether or not they are actually in use and/or being carried. This includes, but is not limited to, passcodes, encryption, and physical control of such devices whenever they contain enterprise data. Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home. Any non-corporate computers used to synchronize with these devices will have installed anti-virus and anti-malware software deemed necessary by CDTA’s IT department.

6.  Users will not modify the operating system of any CDTA-issued mobile device in any way that allows them to bypass limitations and protections CDTA imposes as a condition of connecting to its systems.

7.  Users will surrender any CDTA-issued mobile device to CDTA in the event a security or privacy breach has or is suspected to have occurred in connection with the device. In the event of a lost or stolen mobile device it is incumbent on the user to report this to IT immediately. The device will be remotely wiped of all data and locked to prevent access by anyone other than IT. If the device is recovered, it can be submitted to IT for re-provisioning.

8.  Users will not attempt to use mobile devices to circumvent or alter security implementations, other Information Technology policies or directives.

Help & Support

9.  CDTA’s IT department will support its sanctioned hardware and software, but is not accountable for conflicts or problems caused by the use of unsanctioned media, hardware, or software.

10.  IT reserves the right, through policy enforcement and any other means it deems necessary, to limit the ability of end users to transfer data to and from specific resources on the enterprise network.

11.  Users will sync their CDTA-issued mobile device with updated device policies when requested by IT.

12.  The installation of iTunes on equipment connected to the CDTA network is prohibited.

Organizational Protocol

13.  The end user agrees to immediately report to CDTA’s IT department any incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of company resources, databases, networks, etc.

14.  CDTA IT staff reserves the right to completely erase any CDTA-issued mobile device if the device is lost or stolen, if the mobile device is returned to IT, or if the user is no longer an employee or agent of CDTA.

15.  CDTA will not reimburse employees if they choose to purchase their own mobile devices. Users will not be allowed to expense mobile network usage costs.

16.  In the event of repeated occurrences of loss, theft, or damage, or in the case of negligence, the user will be responsible for replacement cost of the device.

17.  CDTA staff who need to travel internationally, for work-related or personal reasons, and who need access to CDTA resources such as email via their CDTA mobile phone while traveling must request, and have approved, a change to their phone plan to avoid excess charges.

Policy Non-Compliance


18.  Failure to comply with this Policy may, at the full discretion of the organization, result in the suspension of any or all technology use and connectivity privileges, the revocation of the privileges described in this Policy, and the discipline and/or termination of the employee.

19.  The Vice President of Technology and Facilities and the Chief Executive Officer will be advised of breaches of this policy and will be responsible for and authorized to take appropriate action.

User Declaration

I, ______, have read and understand the above CDTA Mobile Device Usage Policy, and consent to adhere to the rules outlined therein.

______

User Signature Date

______

Vice President of Planning and Infrastructure Signature Date
