Bring Your Own Device Policy
1. Background and purpose
Mobile devices, such as smartphones, laptops and tablet computers, are important tools for Melbourne Racing Club, its subsidiaries, and related entities (“MRC”) and their use is supported to achieve business goals.
However, mobile devices also represent a significant risk to information security and data security if the appropriate security applications and procedures are not applied. They can be a conduit for unauthorised access to MRC’s data and IT infrastructure. This can subsequently lead to data leakage and system infection.
MRC shall protect its information assets in order to safeguard its customers, intellectual property and reputation. This policy outlines a set of practices and requirements for the safe use of mobile devices and outlines fundamental controls to secure them.
2. Scope
Bring Your Own Device (“BYOD”) refers to use of any electronic device not owned or leased by MRC, and which is capable of storing data and connecting to a network (e.g. wireless, 4G, physical connection), to access or connect to MRC’s IT services, data and networks (“Device”).
This policy applies to mobile devices, including, but not limited to, mobile phones, laptops, notebooks, smart phones, tablets, and USB drives. This policy also applies to all personal mobile devices used by employees, contractors, consultants, and temporary staff (collectively “Users”) who work at MRC using Devices that access MRC’s IT systems.
3. Policy
3.1. User Responsibilities
Access to MRC’s IT resources (physical, network and application systems) is strictly provided to users authorised by the IT Department only. Users with Devices that have remote access to systems enabled must do the following:
3.1.1. Device Security
- Users must always maintain physical control of the Device, or have it stored in a secure space, to ensure it is secure.
- Devices used outside the office must be carried in a secured state (i.e. encryption is active when they are not in use) to avoid accidental or deliberate compromise of information.
- Users must employ security solutions where available, including but not limited to, anti-virus and firewall.
- Users must notify the IT department immediately upon determining a Device has been lost.
3.1.2. Mobile Device Management (MDM)
- The MRC IT department must use a Mobile Device Management Solution (Microsoft Endpoint Manager) to secure Devices and enforce Device management policies remotely.
- MRC users must install the Microsoft Endpoint Manager application on their Devices connecting to MRC IT systems. The application can be installed by contacting the MRC IT department.
3.1.3. Data Backup
- Users must not store corporate data on Devices or services such as personal computers, personal web servers and internet-based Cloud Storage solutions such as Apple iCloud, Google Drive, Microsoft OneDrive, Amazon Drive etc.
3.1.4. Enable user authentication
- Users must not automatically store credentials on their Device and must ensure that passwords and security pins are kept confidential.
3.1.5. Reduce data exposure
- Users must avoid keeping sensitive information on the Device.
3.1.6. Reduce wireless interfaces
- Users must not connect to untrusted and unsafe Wi-Fi networks.
3.1.7. System Updates
- Users must ensure that the operating system, firmware and installed software are obtained from an authorised source and are up to date.
- Necessary security patches must be applied to the Devices to protect against known vulnerabilities.
3.1.8. Mobile Phones SIM PIN
- Users must ensure a PIN or biometric lock is assigned to mobile phone Devices, requiring the PIN to be entered upon unlocking.
3.1.9. Find My Phone
- Users must enable the relevant Device Locating Application on their Mobile Phones / Smartphones, to enable tracking of stolen or lost devices. Examples of such applications include, but are not limited to, Find My iPhone for iPhone Users and Find My Device for Android Phone users.
3.1.10. Decommissioned Device
- Users must remove or transfer all MRC data from the Device or associated storage when no longer required or when the Device is decommissioned.
3.1.11. Installation of Applications
- Users must not install inappropriate applications that conflict with MRC policies. User discretion is advised when deploying applications to personal devices used to access corporate systems.
3.1.12. Jail Broken Devices
- Users must not connect BYOD Devices running an unofficial operating system to the corporate environment.
- Access to corporate applications and systems will be revoked for Users who deploy unofficial operating systems to personal mobile devices.
3.1.13. Using Mobile Devices in Public Spaces
- Caution must be exercised when using mobile devices to view or communicate sensitive or classified information, especially in public areas such as public transport, transit lounges and coffee shops.
- In such locations it is important to ensure information is not observed to maintain the confidentiality of MRC’s information. In some cases, privacy filters can be applied to the screen of a mobile device to prevent onlookers from reading content off its screen.
3.1.14. Loss of Device
In the event your Device is lost or stolen, Users must:
- Notify the MRC IT Team immediately;
- In conjunction with MRC IT Team, attempt to track the phone using Device Locating Applications; and
- If the Device cannot be retrieved, the MRC IT branch will perform a remote wipe of the device. The remote wipe shall erase all MRC-related data on the device such as email and OneDrive for Business. Note this will not erase any personal information such as personal photos, music, personal email accounts, personal documents and applications installed on the device.
3.2. Device Policy Settings
The following security settings must be followed by all BYOD Device Users accessing MRC’s IT systems:

| Security Feature | Setting | Description |
| --- | --- | --- |
| Passcode Lock | Enabled | Enforce a screen lock password/fingerprint lock on devices |
| Auto-Lock Timeout | 5 minutes | Time delay after which the screen lock will automatically activate |
| Password / PIN Length | Minimum 4 letters and/or numbers or fingerprint for Mobile Phones / Smart Phones | Enforce minimum password length or fingerprint for screen lock. For all Laptops, Notebooks, Tablets, configure passwords as per guidelines listed within the Information Security Policy. |
| Device Level Encryption | Enabled | Enable device/hard disk level encryption to protect MRC data. |
4. Applicability of Other Policies
- MRC Privacy Policy;
- Information Security Policy;
- Access Control Policy;
- Back-up Management Policy;
- Email Management Policy;
- Patch Management Policy;
- Physical and Environmental Security Policy.
5. Key Legislation, Acts & Standards
- ISO/IEC 27002:2013 standards – Information Technology security techniques – Code of practice for information security controls - https://www.iso.org/standard/54533.html
- Privacy and Data Protection Act 2014 (NO. 60 OF 2014) (VIC). Retrieved April 17, 2019 from http://www6.austlii.edu.au/cgi-bin/viewdb/au/legis/vic/num_act/padpa201460o2014317/
6. Review[1]
This Policy is recommended to be reviewed biennially.
7. Further assistance
For advice and assistance on policy matters please direct your enquiries to MRC’s IT Department via itsupport@mrc.net.au.
8. Glossary of terms/definitions
| Term | Definition |
| --- | --- |
| Amazon Drive | Amazon Drive is a cloud storage application managed by Amazon. The service offers secure cloud storage, file backup, file sharing, and photo printing. |
| Cloud Storage | Computer data storage in which the digital data is stored in logical pools, said to be on "the cloud". The physical storage spans multiple servers, and the physical environment is typically owned and managed by a hosting company. |
| Encryption | The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored. |
| Firewall | A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet. |
| Firmware | Permanent software programmed into a read-only memory that provides control, monitoring and data manipulation within the device. |
| Google Drive | Google Drive is a cloud storage and synchronization service that allows users to store files on their servers, synchronize files across devices, and share files. |
| iCloud | iCloud is a cloud storage and cloud computing service from Apple. |
| Malware | Malicious software used to gain unauthorised access to IT systems. |
| Microsoft Endpoint Manager | Microsoft Endpoint Manager solution helps to keep data secure, in cloud and on-premises. It includes the services and tools used to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers. |
| Microsoft OneDrive | Microsoft OneDrive is a cloud storage, file hosting and synchronization service operated by Microsoft. |
| Mobile Devices | A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones. |
| MDM | Mobile Device Management solution is a type of management or security technology that enables IT administrators to monitor, manage and secure corporate or personally-owned mobile devices that run across multiple operating systems. |
| Mobile Storage Media | A data storage device that utilizes flash memory to store data. Often called a USB drive, flash drive, or thumb drive. |
| Password | A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode. |
| PDA | Stands for Personal Digital Assistant. A portable device that stores and organizes personal information, such as contact information, calendar, and notes. |
| Portable Media Player | A mobile entertainment device used to play audio and video files. Examples are mp3 players and video players. |
| Security Patch | Software designed to update a computer program, or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bug fixes, and improving the usability or performance of a device. |
| Smartphone | A mobile telephone that offers additional applications, such as PDA functions and email. |
| Spam | Unsolicited bulk email messages. |
[1] Review date is recommended only. Should this Policy not have been reviewed or updated by its review date, this Policy shall still remain in force and does not expire.