This standard outlines the security requirements required to protect your organisational data and financial assets

osodevops/byod-enterprise-security-standard


BYOD Enterprise Security Standard

About OSO DevOps

We are a DevOps and Amazon Web Services (AWS) Professional Services Consultancy based in London. We build secure, bespoke, automated big data platforms on AWS using open source tooling, helping businesses to extract value from their data in the most cost-effective and agile way. We provide self-service tooling to enable business workflows to make data-driven decisions.

OSO DevOps is committed to maintaining the security of client data and financial assets, protecting them against unauthorised access or modification, malicious or accidental disclosure and/or destruction in order to maintain its confidentiality, integrity, and availability.

BYOD Objective

This standard outlines the security requirements needed to protect your organisational data and financial assets (including systems, applications and infrastructure) against improper or unauthorised access that could result in a compromise of the confidentiality, integrity or availability of your data through the use of bring-your-own devices (BYOD).

The BYOD Security Standard addresses the minimum set of controls required to ensure that all BYOD devices are adequately protected, to reduce the risk arising from weaknesses in hardware and software, and to protect against information disclosure in case of loss or theft.

Scope of Standard

This standard applies to all employees in all geographical locations, and to all subsidiaries and joint ventures in which your organisation has a controlling interest (except where local laws and/or regulatory requirements explicitly preclude specific activities defined herein). It applies to all instances where your organisational data is accessed, processed or stored whether or not this use takes place in an office or in a cloud environment.

This standard does not supersede any local or regional laws, government regulations, or other legislative or contractual requirements.

Definitions of Standard

Throughout this Security Standard, controls are written using MUST, SHOULD and MAY. Where these are present, they are defined as follows:

  • Controls that use MUST require mandatory compliance.
  • Controls that use SHOULD are considered recommendations that will further enhance security.
  • Controls that use MAY give permission to perform a specific action.

BYOD System Controls

To ensure the protection of information in networks and systems and the protection of the supporting infrastructure, the minimum set of control requirements is defined as:

  1. Connectivity of all personal mobile devices is centrally managed by a Corporate Facilities team, who must approve a device before it can be connected to our systems. Devices are not permitted to connect to corporate infrastructure without documented consent from the Corporate Facilities team.
  2. No one is required to use their personal mobile device for business purposes. It is a matter entirely for each person’s discretion.
  3. The use of a personal device in connection with organisational data is a privilege granted to employees through approval from their line manager and from the Corporate Facilities team.
  4. The organisation has no obligation to modify systems to assist staff in connecting to our systems. The organisation is not responsible for technical support of a personal device.
  5. The organisation reserves the right to revoke these privileges in the event that staff do not abide by the policies and procedures set out herein, or otherwise where, in our reasonable opinion, a device is being or could be used in a way that puts, or could put, the organisation, its staff, its business connections, the organisation’s systems or its company data at risk.
  6. Staff connecting personal mobile devices to the organisation's systems must not loan their device out to anyone.
  7. Corporate Facilities reserves the right to disable or disconnect some or all services without prior notification.
  8. Users of personal mobile devices are personally liable for the device and carrier service costs, e.g. voice/data, purchase/repairs, see liability disclaimer in 10.
  9. Users of personal mobile devices are not eligible for expense reimbursement for any hardware or carrier services from the organisation.
  10. Corporate Facilities require security software to be installed on personal mobile devices to enable connectivity to the organisation's infrastructure.
  11. The security software will enforce the following settings on a personal mobile device; these must not be disabled:
    • The device will be wiped after 20 failed login attempts.
    • The device will force a password change every 60 days.
    • The device will lock the screen every 15 minutes, requiring password re-entry.
    • The password must be a minimum of 8 characters.
    • The password must contain at least one letter or number.
    • The password must not be one of your previous 6 passwords.
  12. Users of personal mobile devices must inform their local IT helpdesk as soon as the device is lost.
  13. Using your personal mobile device in ways not designed or intended by the manufacturer is not allowed. This includes mechanisms to circumvent digital locks, removing limitations applied by the manufacturer and hardware modifications.
  14. All users are expected to use their personal mobile device in an ethical manner.
  15. You must not use a personal mobile device to:
    • Breach our obligations with respect to the rules of relevant regulatory bodies;
    • Breach any obligations that relevant regulatory bodies may have in relation to confidentiality and privacy;
    • Defame or criticise the organisation, its group companies, customers, clients, business partners, suppliers or other stakeholders;
    • Unlawfully discriminate against other staff or third parties;
    • Harass or bully other staff in any way;
    • Breach our Data Protection Policy;
    • Breach any other laws or regulations, e.g. by breaching copyright or licensing restrictions by unlawfully downloading software onto a device.
  16. Personal mobile devices will be remotely wiped if:
    • The device is reported as lost;
    • A user's employment with the organisation is terminated; or
    • The organisation detects a breach of confidentiality, improper or illegal use of company data or access to our systems, an introduction of a virus from a device to our systems or any other breach of this policy.
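As an added example (not part of the OSO DevOps standard or its repository), the following Python check encodes the six settings from control 11 as a policy and evaluates, on the one hand, the settings an MDM agent reports for a device and, on the other, a candidate password against the password rules. The report field names, the sample device reports and the function names are assumptions made for the example; the thresholds are the ones stated in control 11.

```python
"""Compliance check for the BYOD security-software settings in control 11.

Added example, not code from the OSO DevOps standard. The shape of the
MDM report (a dict of setting name -> integer) and all function names are
assumptions; the thresholds come from control 11 of the standard.
"""
from typing import Dict, List

# Thresholds from control 11. "max" means the device value must not exceed
# the requirement (a stricter device may wipe sooner or lock faster);
# "min" means the device value must be at least the requirement.
REQUIRED_POLICY = {
    "wipe_after_failed_logins": (20, "max"),  # wipe after 20 failed attempts
    "password_max_age_days":    (60, "max"),  # force a change every 60 days
    "screen_lock_minutes":      (15, "max"),  # lock the screen every 15 minutes
    "password_min_length":      (8, "min"),   # at least 8 characters
    "password_history_count":   (6, "min"),   # not one of the previous 6
}


def evaluate_device(reported: Dict[str, int]) -> List[str]:
    """Return the control-11 findings for one device; an empty list is compliant.

    A missing setting or a value of 0 means the enforcement is switched off,
    which control 11 forbids, so it is always reported as a finding rather
    than silently passing.
    """
    findings = []
    for name, (required, direction) in REQUIRED_POLICY.items():
        value = reported.get(name)
        if not value:  # None or 0: enforcement disabled
            findings.append(f"{name}: not enforced (required {direction} {required})")
            continue
        if direction == "max" and value > required:
            findings.append(f"{name}: {value} exceeds maximum {required}")
        elif direction == "min" and value < required:
            findings.append(f"{name}: {value} below minimum {required}")
    return findings


def check_password(candidate: str, previous: List[str]) -> List[str]:
    """Apply the three password rules of control 11 to a candidate password.

    Returns the rules it breaks (empty list = acceptable). Only the six most
    recent previous passwords count for the history rule, as the standard
    states. A real agent would keep the history as salted hashes; plaintext
    is used here only to keep the example self-contained.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    # Control 11 says "at least one letter or number" and is applied literally.
    if not any(c.isalnum() for c in candidate):
        problems.append("contains no letter or number")
    if candidate in previous[-6:]:
        problems.append("matches one of the previous 6 passwords")
    return problems


def fleet_report(reports: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
    """Evaluate every device report and map device id -> findings."""
    return {device: evaluate_device(settings) for device, settings in reports.items()}


# Constructed sample reports: device-A is fully compliant, device-B has the
# wipe disabled plus two drifted values, device-C never reported the wipe
# setting and has the lock window set too long.
SAMPLE_REPORTS = {
    "device-A": {"wipe_after_failed_logins": 10, "password_max_age_days": 60,
                 "screen_lock_minutes": 5, "password_min_length": 12,
                 "password_history_count": 6},
    "device-B": {"wipe_after_failed_logins": 0, "password_max_age_days": 90,
                 "screen_lock_minutes": 15, "password_min_length": 8,
                 "password_history_count": 3},
    "device-C": {"password_max_age_days": 30, "screen_lock_minutes": 30,
                 "password_min_length": 8, "password_history_count": 6},
}

if __name__ == "__main__":
    for device, findings in fleet_report(SAMPLE_REPORTS).items():
        print(f"{device}: {'COMPLIANT' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

The point of treating a missing or zero setting as a finding is the standard's "must not be disabled" clause: a check that only compares numbers would pass a device whose wipe-on-failure has been turned off entirely.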

Liability and Disclaimer to Users of Personal Mobile Devices

  1. You acknowledge that the use of a personal mobile device in connection with the organisation carries specific risks for which you, as the user, assume full liability. These risks include, but are not limited to, the partial or complete loss of data as a result of a crash of the operating system, errors, bugs, viruses, and/or other software or hardware failures, or programming errors which could render a device inoperable.
  2. The organisation hereby disclaims liability for the loss of any such data and/or for service interruptions.
  3. The organisation expressly reserves the right to wipe the entire device at any time as deemed necessary for purposes of protecting or maintaining the service or company data.
  4. The organisation software may increase applicable data rates and charges. You are responsible for confirming any impact on rates as a result of the use of the organisation supplied applications as you will not be reimbursed by the organisation.
  5. The organisation reserves the right, at its own discretion, to remove any supplied applications from your device as a result of an actual or deemed violation of the organisation's policies.

BYOD Exceptions

It is vital that the business requirements for agility and change are balanced with the need for security. Exceptions, both temporary and permanent, to security controls, standards, processes or policies must be managed in a controlled and transparent process to reduce risk while maintaining flexibility. The objectives of this section are defined as:

  • To minimise the risk that an exception to one of the controls stated within this security standard adversely impacts the organisation’s execution of business processes.
  • To minimise the risk that an exception to one of the controls stated within this security standard adversely impacts the organisation’s cyber and security risk profile.
  • To ensure complete oversight of all exceptions through an adequate and documented process (including logging and monitoring of exceptions).

Exceptions to this standard require:

  1. A formal request MUST be raised with the organisation’s security team when the business has reason to believe an exception to a control stated within this BYOD security standard is required.
  2. The organisation’s security team MUST acknowledge receipt of the request and advise the requestor of the timescale for review and approval.
  3. The organisation’s security team, with the assistance of any SME as required, MUST assess the security risks related to the exception and advise the requestor on plausible mitigating factors.

BYOD Roles & Responsibilities

The organisation’s commitment to security is reflected in the roles and responsibilities defined and assigned in relation to the protection of critical and sensitive information, business applications, information systems and networks.

  1. Chief Information Security Officer
    • Record and monitor any security risks and agreed mitigation plans related to the exception process.
    • Liaise with relevant SMEs to assist the business with security risks raised and with any recommended mitigation plans.
    • Advise the requestor on plausible mitigation factors.
    • Identify and assess the security risks related to any exception to the requirements stated within this policy.
    • Receive and acknowledge any formal request for exception to the security requirements stated within this security standard.
    • Secure devices for remote work.
    • Monitor compliance with this security standard.
    • Keep up-to-date on developments from regulatory and non-regulatory entities.
    • Define and monitor the performance of controls through the development and monitoring of key risk indicators (KRIs) to ensure effectiveness and compliance with this standard and related policies.
    • Own and update this security standard.
  2. Internal Audit Officer
    • Provide independent assurance as to the effectiveness of the design, implementation and embedding of the risk management frameworks, as well as the management of the risks and controls by the Risk Owners and Control Owners.
  3. Business System Owners
    • Report the loss or theft of a device to the Corporate Facilities team.

Have any questions about implementing BYOD? Email us at enquiries@osodevops.io or schedule a call.
