[ORGANIZATION] recognizes the importance of modern technology and access to information in providing citizens the best and most efficient services. Therefore, [ORGANIZATION] has provided some employees mobile devices, or access to [ORGANIZATION]’s network and resources with personal mobile devices.

{navigation}

  • 1.0 APPLICABILITY
  • 2.0 DEFINITIONS
  • 3.0 POLICY
  • 4.0 ROLES AND RESPONSIBILITIES
  • 5.0 RELATED INFORMATION
  • 6.0 SUPPORT CONTACT
  • 7.0 RETENTION
  • 8.0 REVISION HISTORY
  • 9.0 APPROVAL LIST

This policy outlines the acceptable use of smart phones, tablets, and other devices (i.e. “Mobile Devices”) used for [ORGANIZATION] business, with the following goals:

  • To protect the confidentiality and integrity of dat and applications, and the availability of services;
  • To protect the confidentiality and integrity of data and applications, and the availability of services.
  • To protect the Mobile Devices and the data residing on them, as well as maintain continuity of the services that the [ORGANIZATION] provides.
  • protect the employees and [ORGANIZATION]. Inappropriate use of Mobile Devices exposes [ORGANIZATION] to liability and risks, including, loss of data, virus attacks, compromise of network systems and services, and potential litigation.

Note: If printed, content is valid only for the day it was printed. Always refer to [ORGANIZATION] DOCUMENT LIBRARY for the current version. If the user elects to maintain copies of this policy or procedure, it is their responsibility to verify the currency of the document by checking it against the online version. This document must be promptly removed from use when obsolete. Questions? Contact: TECHNOLOGY & INNOVATION.

1.0 Applicability

1.1. This policy applies to all employees and affiliates including contractors, consultants, vendors, etc. at [ORGANIZATION] who are granted access to mobile devices that are owned, leased, and/or operated/maintained by the [ORGANIZATION]. These individuals will be known and referred to as “User(s).”

1.2. Access and/or use of Mobile Devices constitutes the user’s acknowledgement and consent to this policy as well as his/her consent to the [ORGANIZATION]’s recording and monitoring of his/her use (whether for personal or business purposes) of Mobile Devices.

1.3. This policy is not intended to list all forms of acceptable and unacceptable use. Employees have the responsibility to use Mobile Devices in an efficient, effective and lawful manner. The [ORGANIZATION] may supplement or modify this policy for employees in certain roles.

2.0 Definitions

2.1 AUTOMATED SECURITY POLICY  – A standard set of security settings that are automatically applied to Mobile Devices that connect to the [ORGANIZATION] email system.

2.2 BLUETOOTH, NEAR FIELD COMMUNICATION, AND INFRARED – Wireless technologies that enable communication between compatible devices. These technologies are used for short-range connections between desktop and laptop computers, Mobile Devices, digital cameras, scanners, wireless headsets, printers and other devices.

2.3 COMPUTER SYSTEM – Includes a network system or any other system that is not publicly accessible which requires [ORGANIZATION] authentication, interconnected computer equipment, software package, or other Information Technology Resources.

2.4 EMAIL – A method of composing, storing, sending, and receiving messages, memoranda, and attached documents form a sender to one or more recipients using a telecommunications network.

2.5 COMPROMISED – An event that has the potential to expose confidential or protected data or sensitive information to unauthorized individuals.

2.6 MOBILE DEVICES – [ORGANIZATION] smartphones, tablets, and other devices that are [ORGANIZATION]-owned or personally-owned and used for [ORGANIZATION] business, and have access to email or other data and applications over the Intranet or Internet via wired or wireless connection.

2.7 [ORGANIZATION] NET – The [ORGANIZATION]’s internal network (Intranet) and technical infrastructure.

2.8 SMARTPHONE – A wireless device with the capability to access email and [ORGANIZATION] applications over the Internet via a carrier’s wireless network or via Wi-Fi. Smartphones can access network resources via Web browsers or over synchronization technologies.

2.9 TABLET – A wireless, portable, personal device, usually with a touch screen interface and a form factor larger than a smartphone but smaller than a laptop.

2.10 EMPLOYEE – Any individual employed by the [ORGANIZATION] or its affiliated agencies or departments in any capacity, whether full or part-time, active or inactive, including interns, contractors, consultants and vendors.

2.11 USER(S) – Individual(s) whether full or part-time, active or inactive, including interns, contractors, consultants, vendors, etc. who have been given access to and granted permission(s) to use Information Technology Resources.

2.12 NETWORK – Any and all network and telecommunications equipment, whether wired or wireless, controlled or owned by the [ORGANIZATION] which facilitate connecting to the Internet.

2.13 INSTANT MESSAGING – A type of communications service that enables the creation of a kind of private chat room with another individual in order to communicate in real time over the Internet.

2.14 ENCRYPTION – The translation of data into a secret code to achieve data security.

2.15 WI-FI – A protocol for connecting electronic devices wirelessly.

2.16 CLOUD HOSTED – A(n) [ORGANIZATION] system where data is stored off site at a vendor or other location and accessed via the Internet.

3.0 Policy

3.1 Mobile Devices Accessing [ORGANIZATION] Systems, Whether Internal or Cloud Hosted.

3.1.1 Mobile Devices accessing [ORGANIZATION] resources must adhere to [ORGANIZATION] security policies as described in the Information Technology Resource Use Policy.

3.1.2 The [ORGANIZATION] reserves the right to disable or deactivate access to the [ORGANIZATION] network and cloud hosted data to protect the integrity of the [ORGANIZATION]’s services. Reasons may include unauthorized user; unauthorized Mobile Device; Mobile Device does not comply with security policies; Mobile Device poses a security threat to [ORGANIZATION] services; or Mobile Device is having a negative impact on the confidentiality, integrity, or availability of the [ORGANIZATION] network or services.

3.1.3 The act of connecting any [ORGANIZATION]-owned or personally-owned Mobile Device to [ORGANIZATION] technical infrastructure assumes the User’s consent to [ORGANIZATION] security policies. This includes the authorization to wipe any [ORGANIZATION] data (i.e. remove data from) the Mobile Device in the event that it is lost, stolen, or Compromised. When possible, the [ORGANIZATION]’s Director of Information Technology & Innovation, or a member of his or her cyber security team, will inform users prior to wiping any device.

a. In the event a personally-owned Mobile Device is lost, stolen or Compromised, Users are required to take all necessary actions and work with the [ [ORGANIZATION] security team, which may include working with Users’ Mobile Device wireless provider (e.g. AT&T, Verizon Wireless, Sprint, etc.) to ensure [ORGANIZATION] data has been wiped from User’s Mobile Device. These actions may include wiping all user data from the Mobile Device. The impacted User will complete a statement of compliance confirming the data has been wiped from their Mobile Device.

3.1.4 Users accessing [ORGANIZATION] systems from Mobile Devices must adhere to acceptable use guidelines as outlined in the Information Technology Resource Use Policy.

3.1.5 All services on Mobile Devices must be configured in compliance with [ORGANIZATION] security policies.

3.1.6 Users may install [ORGANIZATION]-approved software on [ORGANIZATION]-owned or personally-owned Mobile Devices. Installing other software on [ORGANIZATION]-owned Mobile Devices requires written approval from the IT Steering Committee. Failure to comply with this administrative regulation may result in discipline that may lead to termination. (This last sentence seems a bit heavy-handed, but if there has been previous issues it may be needed.)

3.17 Installation and download of applications for Mobile Devices must be done from the official mobile application store for that device. Unless otherwise approved in writing by the Information Security Team, the Mobile Device configuration shall prohibit installation from untrusted or third-party sources.

3.2 Mobile Devices Containing [ORGANIZATION] Data

3.2.1 Users should refer to the [ORGANIZATION] policy, “Protection of Sensitive Information and Data,” for procedures regarding handling sensitive information. Users should be aware that [ORGANIZATION] information on [ORGANIZATION]-owned or personally-owned Mobile Devices is subject to the California Public Records Act (California Government Code sections 6250 et seq.). The [ORGANIZATION] must comply with the California Public Records Act and respond appropriately to any request by a member of the public for a public record.

a. Text messages and Mobile Devices are not intended to be a permanent storage medium for public records or a medium for transmitting public records.

b. Text messages and Mobile Devices determined to be public records, whether transmitted on a(n) [ORGANIZATION]-owned or personally-owned Mobile Device, must be saved in accordance with “General Records Retention Policy.” Users must transfer and save the messages to their permanent storage location as outlined by the employee’s respective Department Records Disposition Schedule. (Each department should create this document, as different departments have varying legal requirements for retention and disposition.

3.2.2 Users must change their [ORGANIZATION] password immediately if their [ORGANIZATION]-owned or personally-owned Mobile Device used for [ORGANIZATION] business is lost or stolen. Changing the password ensures that Mobile Devices can no longer access [ORGANIZATION] resources. Passwords can be changed from the password reset portal or by calling the Service Desk.

4.0 Roles and Responsibilities

4.1 Innovation and Information Technology Department

4.1.1 Establish Mobile Device policy, review the policy annually, and update as appropriate.

4.1.2 Develop, deploy, manage, and audit Mobile Device security policy to to ensure approved devices have appropriate security controls in place.

4.1.3 Develop and maintain an list of Mobile Devices operating systems that support deployment of automated security settings.

4.1.4 Director of Information Technology and Innovation or authorized designee is responsible for monitoring compliance with this policy.

4.2 [ORGANIZATION] Departments

4.2.1 [ORGANIZATION] departments, through their designated Mobile Device Coordinator(s), are responsible for billing, activation, de-activation, inventory management, and audit of the department’s use of Wireless Communication Services, including Mobile Devices that are for [ORGANIZATION] business, whether [ORGANIZATION]-owned or personally-owned.

4.3 Users

4.3.1 Users: are responsible for their own use of Mobile Devices and are advised to exercise common sense and follow this policy (i.e. “Mobile Device Use Policy”) in regards to what constitutes appropriate use of Mobile Devices in the absence of specific guidance.

4.3.2 Call Service Desk and ensure the Security Team is informed within 2 hours if Mobile Device is lost, stolen, or Compromised.

4.3.3 Notify department’s Mobile Device Coordinator or supervisor within 24 hours if Mobile Device is lost or stolen.

4.3.4 Ensure destruction of [ORGANIZATION] data and settings on a [ORGANIZATION]-owned or personally-owned Mobile Device prior to recycling, disposing, or returning of the Mobile Device to the vendor. Contact the Service Desk if assistance is required.

4.3.5 Non-exempt employees must not access any [ORGANIZATION] applications via a Mobile Device to perform [ORGANIZATION] work, including but not limited to payroll time entry and approvals, and preparation of leave requests and approval outside of their normal working schedules. In addition, supervisors must not direct employees to access any electronic or mobile [ORGANIZATION] applications outside of their normal work schedules. (Reference to overtime policy here. This section may not be needed, depending on the needs of the organization.)

5.0 Related Information

5.1 Information Technology Resource Use Policy

5.2 Password Policy

5.3 General Records Retention Policy (City Clerk?)

5.4 Email Management and Retention Policy (City Clerk?)

5.5 Protection of Sensitive Information and Data (City Clerk?)

6.0 Support Contact

DoTI Service Desk: 888-888-7777, or servicedesk@organization.gov.

7.0 Retention

[ORGANIZATION] Department ofInnovation & Technology will retain this policy and review it on an annual basis to ensure that it remains effective, complies with internal operational parameters, meets identified [ORGANIZATION] business goals and industry best practices.

8.0 Revisions

DateRevisionChangeReference SectionsPerson Responsible
7/1/20201.0First VersionAllDirector of IIT


9.0 Approval List

TitleNameDate
Document OwnerIT Steering Committee7/1/2020
Preliminary ApproverDoIT – IT DIRECTOR7/1/2020
Final ApproverCity Manager7/1/2020