Removable Media, Cloud Storage and BYOD Policy

Removable Media, Cloud Storage and BYOD Policy

Netspective Unified Process
 

The Netspective Communications LLC governs the use of removable media, cloud storage, and personally-owned devices for storing Netspective Communications LLCal data, regardless of the data’s classification level. The policy applies to all users of the Netspective Communications LLC’s information systems, including employees, contractors, and external parties. The Netspective Communications LLC must ensure that all users can easily access the policy. [FII-SCF-009-DCH-12]

Removable Media

  • All users of removable media containing data pertinent to the Netspective Communications LLC must register the media in the Netspective Communications LLC’s Asset Inventory (reference (b)).

  • The Netspective Communications LLC must re-inventory all removable media listed in reference (b) on a quarterly basis to ensure that it is still under the control of the organization.

    a. To re-inventory a removable media item, the owner must check it in with the Information Security Manager (ISM).

    b. The ISM must report any missing removable media as lost, and a security incident report must be logged according to the Security Incident Response Policy.

  • The owner of the removable media must perform all necessary maintenance on the item at intervals suitable for the type of media, such as cleaning, formatting, labeling, etc.

  • The owner of the removable media must, where possible, ensure that an alternate or backup copy of the information on the device exists.

  • Removable media must be stored in a safe place with a reduced risk of fire or flood damage.

  • If the storage item contains sensitive information, removable media must:

    a. Be kept in a locked cabinet or drawer.

    b. Store only encrypted data that is securely enciphered according to the Encryption Policy.

  • All data on removable media devices must be erased, or the device must be destroyed before it is reused or disposed of.

  • When disposing of removable media devices, the device owner must inform the ISM.

Cloud Storage

  • The Netspective Communications LLC must register all cloud storage systems in active use and containing data pertinent to it in reference (b) through manual or automated means.

  • The organization must re-inventory all cloud storage systems listed on a ?nqspCloudStoragePeriod? to ensure it remains under the control of the Netspective Communications LLC. The owner of the cloud storage system must check it in with the Information Security Manager (ISM) of the Netspective Communications LLC to re-inventory, which may be accomplished by manual or automated means.

  • The owner of the cloud storage system must conduct regular maintenance, including system configuration, access control, performance monitoring, etc.

  • All data on cloud storage systems must be replicated to at least one other physical location, which may be automatically configured by the cloud storage provider.

  • The organization must use only cloud storage providers that can demonstrate through security accreditation, demonstration, tour, or other means that their facilities are secured, both physically and electronically, using best practices.

  • If the cloud storage system contains sensitive information, the information must be encrypted.

  • Data on cloud storage systems must be erased using technology and processes approved by the ISM.

  • The system owner must inform the ISM when the use of a cloud storage system is discontinued.

Personally-owned Devices

  • The Netspective Communications LLC retains ownership of all personally-owned devices on which company data is stored, transferred or processed, and maintains the right to control such data.

  • The ISM is responsible for managing personally-owned devices, which includes:

    a. Supervising the use of removable media.

    b. Maintaining a list of authorized job titles and/or persons who may use personally-owned devices for company business, as well as the applications and databases that may be accessed from such devices.

    c. Maintaining a list of prohibited applications for use on personally-owned devices, and ensuring that device users are aware of these restrictions.

  • Personally-identifiable information (PII) may not be stored, processed, or accessed on personally-owned devices at any time.

  • Users of personally-owned devices must observe the following acceptable use requirements:

    a. Back up all Netspective Communications LLCal data at regular intervals.

    b. Install MDM and endpoint protection software on the device at all times.

    c. Encrypt sensitive information stored on the device in accordance with reference (d).

    d. Secure the device using a password, pin, unlock pattern, fingerprint, or equivalent security mechanism.

    e. Connect the device only to secure and encrypted wireless networks.

    f. When using the device outside the Netspective Communications LLC’s premises, do not leave it unattended and, if possible, physically secure it.

    g. When using the device in public areas, take measures to ensure that the data cannot be read or accessed by unauthorized persons.

    h. Install patches and updates regularly.

    i. Protect classified information in accordance with reference (a).

    j. Install the ISM before disposing of, selling, or providing the device to a third party for services.

    k. Prohibit the following actions:

    i. Allowing device access for anyone except the owner.

    ii. Storing illegal materials on the device.

    iii. Installing unlicensed software.

    iv. Locally storing passwords.

    v. Transferring Netspective Communications LLCal data to other devices that have not been approved by the Netspective Communications LLC.

  • The Netspective Communications LLC reserves the right to view, edit, and/or delete any Netspective Communications LLCal information that is stored, processed, or transferred on the device.

  • The Netspective Communications LLC reserves the right to perform a full deletion of all of its data on the device without the consent of the device owner if it considers it necessary for the protection of company-related data.

  • The Netspective Communications LLC does not pay employees (the owners of BYOD) any fee for using the device for work purposes.

  • The Netspective Communications LLC pays for any new software that needs to be installed for company use.

  • Employees must report all security breaches related to personally-owned devices immediately to the ISM (contact@medigy.com).

Approved by
Ajay Kumaran Nair on June 13, 2023 |
Last Updated by
Sreejith K on June 13, 2023