As introduced, this policy assumes that employees don't use their own iPhone 4 for business. I decided to follow this thought because we need to separate the purpose of a business mobile phone from a personal mobile phone. Providing a device to our employees makes sure that the configuration of the phone actually corresponds to the security policy and allows us to be more restrictive from a certain point of view. For instance, it is difficult to block cameras or prohibit Apple App Store purchases if the phone belongs to an employee.
Behind the following policy there should be another security policy that denies the use of video and audio recording and regulates the use of smartphones in general. The following policy is meant to be a policy for the iPhone, but a similar one could have been written for smartphones in general.
Instead of writing a standard document to accompany the policy (it is not the purpose of this coursework), within the square brackets I will write some features the standard should follow in order to ensure good security for the data and for the device itself. In real-world policies we don't need to write advice on standards within the policy; we would write complete standards, guidelines and procedures instead.
The sources for writing the policy have been [u] [y] [w].
1.0.0 Apple iPhone 4 Security Policy
1.1.0 Overview
The intention of this policy is to protect Pharma Solutions employees, partners and the company from illegal actions by either knowing or unknowing individuals.
This policy is applicable to all iPhone 4 devices purchased by Pharma Solutions. For iPhones or other smartphones purchased by employees for personal use, please refer to the policy "1.0.0 Smartphone Security Policy".
The Apple iPhone 4, hereinafter referred to as "the device", its software and operating system, network accounts and storage media are the property of Pharma Solutions and are to be used for the company's business, in the interest of the company and of the company's customers, in the course of the individual's job.
It is the responsibility of every device user to know the guidelines on how to contribute to the effort of achieving effective security, and to conduct their activities accordingly.
1.2.0 Purpose
The aim of this policy is to set out the acceptable use of the iPhone 4 at Pharma Solutions in order to protect the confidentiality, availability and integrity of data stored, transmitted or processed. These rules serve to protect the employees and Pharma Solutions; improper use exposes Pharma Solutions to risks including virus infiltration, compromise of network systems and services, disclosure of data and legal issues.
1.3.0 Scope
This policy applies to temporary staff, employees, contractors, consultants and other people who operate within the premises, including all personnel connected to third parties. This policy applies to all devices that are owned or leased by Pharma Solutions. This policy will not replace any other existing policies developed by Pharma Solutions, but it may introduce more rigorous requirements than current policies dictate.
1.4.0 Policy
1.4.1 General Use and Ownership
Data created on the company systems remains the property of Pharma Solutions. Because of the need to protect the Pharma Solutions network, the company cannot guarantee the confidentiality of information stored on iPhone 4 devices belonging to Pharma Solutions.
Each department is responsible for the creation of guidelines concerning the use of the device by an authorized individual. Where such guidelines do not yet exist, departmental policies will guide employees on the use of the device, and in case of doubt employees are welcome to consult their supervisor or manager.
For network maintenance and security purposes, authorized personnel within Pharma Solutions may monitor the device and its network traffic at any time.
Amendments to the security policy: this policy may be replaced by new versions released by Pharma Solutions. The new version will contain the caption "This policy replaces the old policy entitled iPhone 4 Security Policy v.1.0.0".
1.4.2 Security and Proprietary Information
The Apple iPhone 4 will be configured, or otherwise the user will agree, to:
where possible, run the most recent Apple iPhone operating system [standard: at the time of writing, iOS 4];
install security mechanisms and operating system updates from the operating system vendor if required;
hand over the iPhone 4 when security incidents occur, follow all required security procedures and install required software in order to protect the Pharma Solutions network;
prevent unauthorized access to confidential information such as competitor-sensitive information, trade secrets, customer lists and research data;
keep the device passwords and passcode secure and do not share them; users should change their device password every six months;
choose a strong device passcode; for more information on how to write a strong password see the standard [the standard: an eight-character, or longer, alphanumeric password, ...];
be secured with an auto-lock that activates after an inactivity timeout [standard: for NIST 800-63 level 3, the inactivity time should be less than 5 minutes];
use the encryption feature provided by the operating system to encrypt data wherever the installed applications support it;
have the hardware encryption option activated, due to the sensitivity of the information stored on the iPhone 4;
be automatically wiped after a set number of wrong passcode entries [standard: four attempts];
configure the mail applications running on the iPhone 4 in "encrypted" mode;
protect the device configuration with a profile password known only to the system administrator;
have software installed that enforces future modifications of the policy as soon as the device connects to the server [standard: ActiveSync];
periodically run approved, up-to-date virus scanning;
be aware of the risk of running malware when downloading email attachments;
notify the system administrator if the device has been lost or stolen, or if the employee no longer needs to connect to company resources;
keep weekly backups of the device using the designated software, iTunes;
be responsible for break/fix support for the device;
use the Internet only for downloading and sending emails or software updates;
access the Internet only through either the SIM-based Internet connection installed by the Pharma Solutions system administrator or the Pharma Solutions wireless Internet connection provided within the company building;
preserve the good condition of the Pharma Solutions seals installed on the external screws of the device; the purpose of the seals is to prevent alteration of or tampering with the device itself;
participate in security awareness and training programmes whenever requested.
The Pharma Solutions system administrator, who is responsible for configuring the device correctly and protecting the configuration with a personal password, will also restrict the use of games and entertainment software.
1.4.3 Unacceptable Use
The following activities are, in general, forbidden. Under no circumstances is an employee of Pharma Solutions authorized to use the device in violation of local or international law.
System and Network Activities
Although not exhaustive, the list below reports the activities that fall into the category of unacceptable use.
Installing or using software products that are not licensed for use by Pharma Solutions.
Exporting software or Pharma Solutions intellectual property without authorization is illegal; consult the appropriate management prior to exporting any material.
Installing or using malicious programs on the device.
Disclosing the device passwords or passcode to others, or allowing the use of one's own device by others, including family and other household members.
Using the device to send material that violates sexual harassment laws in the user's local jurisdiction.
Using the device to make fraudulent offers of products or services.
Using the device to intercept data destined for other users.
Disclosing information about Pharma Solutions employees to parties outside Pharma Solutions.
Using or accessing newsgroups or mailing lists.
Using the device's browser to surf the Internet.
Accessing the App Store, installing apps, or both.
Using the device's camera (neither for taking photos nor for making videos).
Using Bluetooth; use encrypted wireless transmission rather than Bluetooth-based earphones.
Using wireless connections that don't belong to Pharma Solutions.
Altering or tampering with the seals put on the device.
Using the device as a cellular modem.
Attempting to tamper with the Pharma Solutions seals installed on the screws of the device.
Using location-based services within the corporate premises or at customer sites. [L]
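The bracketed standards in 1.4.2 (eight-character alphanumeric passcode, auto-lock under 5 minutes, wipe after four wrong entries, six-monthly rotation, administrator-only configuration password, encrypted backups) and the bans in 1.4.3 on the camera, the App Store and the browser can be expressed as one iOS configuration profile of the kind the iPhone Configuration Utility of the iOS 4 era produced. The profile below is an added example, not part of the original policy: the identifiers, UUIDs and the removal password are placeholders, and six months is taken as 180 days.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.pharmasolutions.iphone4</string>  <!-- placeholder -->
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>        <!-- placeholder -->
  <key>PayloadDisplayName</key><string>Pharma Solutions iPhone 4 Security Policy v.1.0.0</string>
  <key>PayloadContent</key>
  <array>
    <!-- Passcode payload: 1.4.2 passcode, auto-lock, wipe and rotation rules -->
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.pharmasolutions.iphone4.passcode</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>forcePIN</key><true/>                          <!-- a passcode is mandatory -->
      <key>allowSimple</key><false/>                      <!-- no repeated or sequential characters -->
      <key>requireAlphanumeric</key><true/>               <!-- standard: alphanumeric -->
      <key>minLength</key><integer>8</integer>            <!-- standard: eight characters or longer -->
      <key>maxInactivity</key><integer>4</integer>        <!-- minutes; standard: less than 5 minutes -->
      <key>maxFailedAttempts</key><integer>4</integer>    <!-- standard: wipe after four wrong entries -->
      <key>maxPINAgeInDays</key><integer>180</integer>    <!-- six months, taken here as 180 days -->
    </dict>
    <!-- Restrictions payload: 1.4.3 bans on camera, App Store and browser; 1.4.2 encrypted backups -->
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.pharmasolutions.iphone4.restrictions</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>allowCamera</key><false/>
      <key>allowAppInstallation</key><false/>
      <key>allowSafari</key><false/>
      <key>allowYouTube</key><false/>
      <key>forceEncryptedBackup</key><true/>              <!-- iTunes backups must be encrypted -->
    </dict>
    <!-- Removal password payload: 1.4.2 configuration protected by an administrator-only password -->
    <dict>
      <key>PayloadType</key><string>com.apple.profileRemovalPassword</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.pharmasolutions.iphone4.removal</string>
      <key>PayloadUUID</key><string>44444444-4444-4444-4444-444444444444</string>
      <key>RemovalPassword</key><string>REPLACE-WITH-ADMIN-ONLY-SECRET</string>  <!-- placeholder -->
    </dict>
  </array>
</dict>
</plist>
```

The ActiveSync policy named in 1.4.2 can push the passcode rules but not the restrictions or the removal password, so a profile like this one is what makes the camera, App Store and browser bans enforceable rather than merely stated. Bluetooth, wireless network choice and location services have no equivalent switch here and remain rules the user must follow.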
Email and Communications Activities
This paragraph regulates the use of the email account belonging to the device. It is strictly forbidden:
Sending unsolicited emails, such as "junk mail" or other advertising material, to individuals who did not specifically request them (email spam).
Misusing the company email header by sending email that does not belong to the business of the company.
Writing or forwarding "pyramid" schemes of any type.
1.5.0 Enforcement
Every individual found to have violated this policy will be subject to possible disciplinary action, such as the restriction of their privileges or the termination of their employment at Pharma Solutions. Resources will be periodically audited to make sure software and configuration comply with the present policy. In extreme cases the company may use evidence gathered from malicious use of the device by the employee in court for legal proceedings.
1.6.0 Definitions
Term: Definition
Spam: Unauthorized and/or unrequested bulk electronic mailings.
iPhone 4: Smartphone created by Apple, successor to the iPhone 3GS.
Smartphone: Mobile phone that has advanced computing and connectivity features similar to a computer.
iOS: Operating system made by Apple for its devices such as the iPhone.
iTunes: Application created by Apple to play and organize digital music and video files.
iTunes Store: Online shop owned by Apple where it is possible to purchase digital music, video and films.
Apps: Stands for applications, usually referring to Apple's applications.
App Store: A service provided by Apple that allows users to browse and download free or paid apps (applications) from the iTunes Store.
1.7.0 Revision History
This version, named 1.0.0, is the first version of this document.