Device management and monitoring
All devices must be enrolled in the relevant MDM system before they are granted access to company or client data and services.
The MDM system's responsibilities include managing:
- auto-update policies and manual update deployments
- password strength and brute-force protection (lockout after repeated failed attempts)
- disabling auto-run/play
- screen timeouts and auto-locking
- permitted self-service software library
- malware protection (scanning and keeping detection signatures up to date)
- ownership tracking
- monitoring, auditing and wiping
Users must not attempt to circumvent the controls deployed by the MDM, and the company reserves the right to take such action as it deems appropriate against users who breach this policy.
Permitted software and operating systems
All software and operating systems must:
- be supported by the vendor, or covered by a support agreement with a supplier
- be licensed in accordance with the publisher's requirements
- be approved for use on company devices
Software must not be installed without prior approval, except from the MDM self-service library. Requests for other software must be submitted to the Helpdesk for review.
Updates and patching
All software, including operating systems, must be kept up to date. Unpatched software is one of the most common routes to compromise, so this is a key component of security.
Automatic updates must be enabled wherever possible, unless there is an exception approved by the Technical Director. Exceptions will only be approved if using auto-updates would lead to a significant risk of disruption to the business. When exceptions are granted a manual process must be in place to ensure they remain up to date, and comply with the guidance below on security patches.
Current exceptions apply to the LAN router and the IaaS web servers. These are monitored by the MSP and the systems administrator respectively, under the oversight of the Technical Director. Updates are tested first and then deployed at a time chosen to minimise disruption to business operations.
Security updates and patches
Any update that addresses a high or critical security issue (a vulnerability with a CVSS base score of 7.0 or higher) must be installed as soon as possible, whether automatically or manually, and within a maximum of 14 days of the update becoming available.
Users are responsible for actioning update prompts from the operating system, individual applications, or the MDM at the first opportunity; acting promptly lets them choose a convenient moment rather than having one imposed. Failure to take proactive action will lead to enforced deployment, which could interrupt work in progress.
Devices that are not kept up to date will be blocked from company resources.