1. Purpose
Establish requirements for managing and securing mobile devices that access [ORGANIZATION]'s data, applications, or network resources.
2. Scope
This policy applies to all mobile devices (smartphones, tablets, and portable computing devices) that access [ORGANIZATION]'s information systems, whether organization-owned or personally owned (BYOD).
3. Policy
3.1 Mobile Device Enrollment
All mobile devices accessing [ORGANIZATION]'s email, applications, or data shall be enrolled in [ORGANIZATION]'s Mobile Device Management (MDM) solution.
Personal devices (BYOD) must meet minimum security requirements and be enrolled in MDM before accessing [ORGANIZATION]'s resources. Users shall acknowledge [ORGANIZATION]'s right to manage and, if necessary, wipe corporate data from enrolled devices.
Lost or stolen devices shall be reported to [CUSTOMIZE: IT Help Desk/Security Team] within [CUSTOMIZE: 4/8/24] hours of discovery.
3.2 Mobile Security Requirements
Enrolled mobile devices shall have the following minimum security controls enforced via MDM: device encryption enabled, screen lock with [CUSTOMIZE: 6-digit PIN/biometric] authentication, automatic screen lock after [CUSTOMIZE: 2/5] minutes of inactivity, remote wipe capability, and current operating system version (within [CUSTOMIZE: one/two] major version(s) of current release).
Jailbroken or rooted devices are prohibited from accessing [ORGANIZATION]'s resources.
Mobile applications shall only be installed from approved app stores (Apple App Store, Google Play Store) or [ORGANIZATION]'s enterprise app catalog.
Corporate data on mobile devices shall be stored in managed containers that can be independently wiped without affecting personal data.
3.3 Separation and Offboarding
Upon employee separation, [ORGANIZATION]'s data shall be removed from personal devices within [CUSTOMIZE: 24/48] hours via MDM corporate wipe.
Organization-owned devices shall be collected and wiped during the offboarding process.
MDM enrollment shall be revoked immediately upon separation.
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
Approved By
Title
Date
Document Control