DOCUMENT VERSION & CHANGE CONTROL

Version History

Issue Date	Version	Description	Prepared By	Approved By
June 12,2020	1.0	Corporate Mobile Device Policy	Mrs. Sudha Jacob ITIL Administrator	Mr. Winston Ellison Group CIO

Change History

Issue Date	Version	Description	Prepared By	Approved By

1.0 Policy

This Policy aims to ensure that best practices for mobile computing are followed, without affecting the Babtain business.

2.0 Purpose

Wireless communications and mobile computing offers organizations and users many benefits such as portability and flexibility. The use of these devices outside the offices poses risks to the devices and the information they contain. The purpose of this policy is to assist in prevention of risks presented by mobile computing.

3.0 Overview

Portable computers allow personnel to be more productive while "on the road". They offer flexibility as to where one can access information. From the security point of view they can create risks of information disclosure, theft and perhaps offer an unauthorized point of access to the corporate network. The computing population is on the increase, so a special policy is necessary. When using mobile computing the risks of working in an unprotected environment should be considered and appropriate protection applied.

4.0 Major Policy Elements

· All Babtain supplied mobile devices and their contents remain the property of Babtain.

Babtain’s management authorizes the issue of mobile computing devices. Usage is restricted to business purposes, and users are aware of, and accept the terms and conditions of use, especially responsibility for the security of information held on such devices.
Persons who have been issued with mobile computing facilities like notebooks, palmtops, laptops, mobile phones/communicator/organizer, and any other portable media like portable hard drive, DVD/CD, tapes, etc. on which data/information can be stored, do not leave them unattended while traveling. Care is taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the organization’s premises. The security provided is equivalent to that for on-site equipment used for the same purpose, taking into account the risks of working outside the organization’s premises.
Users are trained and educated about the risk of computing device usage.
Persons, who have been issued with Laptops and other portable media devices, ensure the protection of the contents. In order to achieve this, the users:

1. Are responsible for backing up of Babtain business data that is stored on the mobile computer on a regular basis.

2. Use antivirus and personal firewall software when connected to any network other than Babtain.

3. Ensure that unauthorized or unlicensed software is not installed

4. Review distribution lists of authorized recipients at regular intervals.

5. The Group IT department configures software/hardware security measures on all Babtain mobile devices. Security measures as put in place by Group IT are not altered or removed

Persons other than the equipment custodian, including friends and members of the user's family, do not have any access to the equipment.
Loss of any mobile device containing sensitive data, or any other security breach, shall be reported immediately to Group IT.
Mobile devices are used in accordance with manufacturers’ recommendations.
Remote access to business information across public network like internet, Mobile network using mobile computing facilities takes place after successful identification and authentication
Information owners and mobile users must take account of the risks associated with using wireless networks and non-Babtain networks.

· If the laptop is running Windows operating systems, the automatic update options shall be activated within Windows update, to ensure that the system is kept current with available security patches

· The operating system and application patch levels must be consistent with the current patch levels of our organization for similar devices and operating systems

Automatic screen locking mechanisms are used where possible.
Computers are switched off when not in use.
Passwords are not stored on the Laptop which allows access to corporate network systems.
Communication:

1. Classified data is not transmitted across insecure networks (such as Internet, Mobile-GSM, Infrared, etc.) unless encrypted.

2. Dial-in or VPN access to the Babtain network is authorized by the Group IT.

Modems are turned off when not in use.
Adequate insurance cover is in place to protect equipment off site.
When disposing laptops, PDA's or portable media devices like Hard Disk, DVD/CDs, Tapes, etc, that are no longer in use by Babtain, it is ensured that any sensitive data and licensed software has been removed or overwritten prior to disposal. Configuration settings are cleared to prevent the disclosure of sensitive network information.
Users of laptops/handheld computers and PDA’s always login to the Babtain network with their domain account (\\domainname\username) only.
Admin privilege is not provided to the user and is authorized by the Group CIO..
Users contact IT support personnel before travel to confirm the necessary access on their notebook and network accessibility from outside network, if required.
Users are responsible for ensuring that any mobile computing resources they own are being used in accordance with Babtain’s mobile computing policy. Should a theft occur, and the employee responsible for the piece of hardware has neglected the above guidelines, the employee may be held liable for the replacement cost of the device.
Bluetooth connections must be accepted from other devices with care. Ensure the recipient is known and agree connection security criteria in advance.

· Please ensure that your devices are configured as below:

Approved Device	Security Requirement
Mobile Phone	PIN, locked whilst not in use.
Laptop	Password Protected, AV Installed

· Mobile computers entering the network shall meet the following requirements.

1. If the computer is owned by Babtain then the following checks shall be performed.

a) Determine whether the anti-virus program is up to date, has the latest virus definitions, is configured properly, and is running properly. If it fails one of these conditions or has not been scanned for a virus within the last week, a full virus scan must be done before the computer can be used on the network.

b) Test the computer and scan for additional malware such as adware or spyware test to determine whether the computer has a worm.

c) Quarantine & Remove any malware on the computer if any was detected. Log information about any malware found.

2. If the computer is owned by an outside organization the following must be done.

a) A full virus scan must be done.

b) Test the computer and scan for additional malware such as adware or spyware test to determine whether the computer has a worm.

c) If a mobile device is detected as non- compliant, the system shall be quarantined to prevent any potential threat source from harming neighbouring systems independent of any other access control method that may be in place.

· Any use of peer to peer/content sharing network software to transmit or access material into/out of Babtain's network is prohibited.

· Ensure that when staying in hotels, that the safety deposit boxes (if available) are used to store unattended equipment

· And ensure that equipment is not left unattended at anytime

The Babtain IT department maintains a comprehensive, detailed inventory of all computer hardware and software. The accuracy of this inventory is critical in the event of a theft issue. No users add, remove, or change the location or contents of any hardware without consulting the Group IT department.

5.0 Scope

The Mobile Computing policy applies to all laptops and mobile computing devices that are used to store or process Babtain’s data.

6.0 Personnel with Responsibility

Mr. Burhanuddin Ali Sr. System Administrator

Mr. Winston Ellison Group CIO

7.0 Terms and Definitions

PDA:

PDA (Personal Digital Assistant) are basically enhanced organizers or toned-down laptops.

Mobile Computing:

Any easily portable device that is capable of storage/processing information and also receiving and/or transmitting data to and from information resources. These include, but are not limited to, laptops, handheld computers, PDA’s and cell phones.

Password:

It’s a sequence of characters that one must input to gain access to a file, application, or computer system. Also called “passkey”

Custodian:

Representative of the owner who is a guardian or caretaker; the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information.

8.0 Actions and Methods

1.1 6.1 Process and Procedure

Terms and Condition of usage of mobile devices:

The mobile device will remain the legal property of Babtain for the duration the user stays and works for Babtain.
Certain Babtain licensed software will be installed on the device. Users may use only software provided for the purpose by Group IT and must not alter, amend or delete any of the programs or settings already resident on the mobile device.
Babtain will not be liable for any lost data or damage (including direct, indirect, consequential, and incidental) to the mobile device for any reason. Should the device be lost, damaged stolen or in any other way disposed of or rendered un-usable, it will only be replaced upon the approval of Group CIO.
Users warrant that the usage of the Babtain mobile devices does not breach any law or the right of any person. Group IT will not be held liable for any misconduct by a user of a device.
Intellectual Property on the Babtain mobile devices may not be modified, copied, displayed, performed, reproduced, republished, uploaded, posted, transmitted or distributed in any way without the express permission of Babtain Group CIO.
Should a user resign or be terminated or transfer to another department, the user shall return the device.
Babtain Group IT reserve the right to revise these Terms and Conditions at any time
Users are not permitted to distribute, circulate, read or look at any obscene or pornographic material or any material that is grossly offensive or of an indecent or menacing character.
Users must not infringe copyright regulations when downloading, copying or printing.

1.2 6.2 Enforcement

This policy is approved by the Group CIO (Chief Information Officer). Request for clarifications on this policy can be sent to the Group CIO (winston.ellison@babtain.com.kw)

Violations to this policy are formally intimated by the Group CIO to the HR department for subsequent disciplinary action.

Auditing periodically for compliance with the policy is the responsibility of all Managers.

1.3 6.3 Revision

This policy document is reviewed by Group IT once in a year; updated with modifications and updates are carried out if required and the policy is then approved.

P.S. The mentioned procedures are built on standard practice and can be changed upon business and technology environment. And/or IT new frameworks, new roles & responsibilities across IT resources and business owners demand.

END OF DOCUMENT