Purpose and Scope
The purpose of this policy is to define requirements for connecting to Obvious systems and networks from remote hosts, including personally-owned devices, in order to minimize data loss/exposure.
This policy applies to all users of information systems within OVPL. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by Userflow (hereinafter referred to as “users”). This policy must be made readily accessible to all users.
Background
The intent of this policy is to minimize Userflow’s exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to Userflow’s public image; damage to Userflow’s internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
Within this policy, the following definitions apply:
- Mobile computing equipment: includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
- Remote host: is defined as an information system, node or network that is not under direct control of Userflow.
- Telework: the act of using mobile computing equipment and remote hosts to perform work outside Userflow’s physical premises. Teleworking does not include the use of mobile phones.
Policy
- Security Requirements for Remote Hosts and Mobile Computing Equipment
- Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside Userflow’s premises.
- When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to Userflow’s systems or work with Userflow’s data.
- Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
- Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
- Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the device.
- Access to Userflow’s systems must be done through an encrypted and authenticated connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with Google Cloud Platform credentials from Userflow’s information technology team.
- Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.
- Security Requirements for Telework
- Employees must be specifically authorized for telework in writing from their hiring manager .
- Only device’s assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
- Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
- Users performing telework must protect Userflow’s intellectual property rights, either for software or other materials that are present on remote nodes and mobile computing equipment.