
Project Report of DISA 2.0 Course
Table of Contents

- Project Report
  - Project Problem
  - Project Report (solution)
  - Auditee Environment
  - Assessment of Company’s Existing Policies & Practices
  - Evaluation of Technology Infrastructure of the Company
  - Evaluation of HR Policy, Access Policy, Security Requirements and Customer Deliverables
- Background
- Situation
- Terms and Scope of assignment
- Auditee team
- Logistic Arrangements Required
- Methodology and Strategy adapted for execution of assignment
- Documents review for assessment
- Introduction to Mobile Computing
- How to work with Mobile Computing Technology
- Requirements of Mobile Computing Technology
- Benefits of Mobile Computing Technology
- Threats, Vulnerabilities and Risks associated with Mobile Computing
- Risk Control Matrix
- Risk Assessment Table with respect to mobile computing
- Policy of mobile computing for Radisson ltd
- Summary/Conclusion
Project Report

PROJECT REPORT ON ASSESSING RISK AND FORMULATING POLICY FOR MOBILE COMPUTING

A. Project Problem

Radisson Ltd is a global Indian IT solutions provider with development centres in India and marketing offices across the USA, Asia and Europe. It has more than 15,000 employees. It offers both standard and customised products and services to its customers. The company has highly skilled professionals who are in great demand in the highly competitive market. The HR department has recently enforced a strict attendance policy which requires mandatory physical presence at the office premises for a specified number of hours. This has resulted in increasing discontent among the employees.

There has been an increase in employee turnover, and HR has identified that one of the reasons for this is the strict office timings implemented by the company. A meeting of the business unit heads was held where it was pointed out that the increased turnover of employees is impacting deliverables to the customers and is leading to loss of reputation and business. As the productivity of the highly skilled workers can be assessed based on the project plan and deliverables, it was suggested that management has to implement flexible working hours and allow employees to work off-site.

B. Project Report (solution)

The report will describe the use of Mobile Computing Devices in the organisation along with the benefits that the organisation will achieve, the risks that the organisation will experience and the change in its working style, which is discussed later in the report. It also includes guidance and recommendations based on the actions and best practices which can be implemented by the organisation to achieve the best results.

(It is assumed that Radisson Ltd has a full IT infrastructure but, for some reason, does not yet use mobile computing.)

Auditee Environment

We are going to conduct an assessment of Radisson Ltd’s working practices, technology infrastructure, HR policies, access policy, security requirements and customer deliverables. The following assessment was done in a simulated environment using a Windows 7 computer connected to the company’s server. The assessment covers the period up to 31st March 2017.

Assessment of Company’s Existing Policies & Practices:

Policy is the backbone of any organisation. It describes how the organisation will work and be governed. A successfully implemented policy allows top management to take the right decisions at the right time and in the right manner, and also to assess the performance of the employees of the organisation.

The organisation has bifurcated its employees into two parts:

1. Employees working in India for development of products
2. Employees working outside India for marketing

The HR department of the organisation has enforced a strict attendance policy which requires mandatory physical presence of the employees at the office premises for a specified number of hours. The employees who are developing the products may be strictly adhering to the policies defined by the HR department, as they are local people who can be easily tracked and monitored. But the question arises for the employees who are working outside India for marketing: how do they adhere to the policy laid down by the HR department? The strict enforcement of the HR department’s policy has resulted in increased employee turnover, which has caused the organisation loss of reputation and business. The policies should be defined in such a way that every employee of the organisation can work in a smooth and easy environment. The company is following sound policies for smooth functioning:

1. Acceptable Usage Policy
2. Confidential Data Policy
3. Email Policy
4. Incident Response Policy
5. Network Security Policy
6. Password Policy
7. Physical Security Policy
8. Wireless Network and Guest Access Policy

(source: https://www.annese.com/blog/how-to-create-your-it-security-policy)

Evaluation of Technology Infrastructure of the Company:

Infrastructure is the foundation or framework that supports a system or organisation. In computing, information technology infrastructure is composed of the physical and virtual resources that support the flow, storage, processing and analysis of data.

The organisation is fully equipped with Information Technology infrastructure and has a centralised data centre. The data in the data centre is available to the employees, vendors, customers and others who need the organisation’s information, as per the policies and procedures designed and implemented by the organisation. The infrastructure components installed and monitored by the organisation are listed below and shown in the figure:

1. Computer hardware platforms
2. Operating system platforms
3. Enterprise and other software applications
4. Data management and storage
5. Networking and telecommunication platforms
6. Internet platforms
7. Consulting and system integration services

[Figure: IT infrastructure ecosystem showing computer hardware platforms, operating system platforms, enterprise software applications, data management and storage, networking and telecommunications, internet platforms, and consultants and system integrators]

(Source: https://paginas.fe.up.pt/~als/mis10e/ch5/chpt5-bullettext.htm)

To integrate the organisational goals with the IT resources of the organisation, such as hardware and virtual resources, the organisation has implemented ISO 38500, which includes the COBIT 5 framework, to fulfil its IT governance responsibilities while delivering value to the business.

The resources of the organisation are fully controlled through various controls such as physical access controls, logical access controls and environmental controls, and control checkpoints have been installed as and when needed and required.

Evaluation of HR Policy, Access Policy, Security Requirements and Customer Deliverables

Policies define the actions adopted or proposed by the organisation for smooth functioning. The policy reflects the various capacities in which the organisation operates, the nature of the information that it receives and prepares in connection with those diverse activities, and the level of disclosure applicable to different types of information. To achieve its vision or mission, the organisation has established various strategic objectives, and to achieve those objectives the organisation has to function as per the policies, procedures and rules it has framed.

The Human Resource department is the function which focuses on the recruitment, management and direction of the people within the organisation. It focuses on the various issues related to the employees of the organisation.

With respect to the HR department the following policies are in place:

1. Employee Recruitment Policy
2. Benefit Options Policy
3. Leave and Absenteeism Policy
4. Candidate Evaluation Policy
5. Access to Information Policy
6. Job Rotation Policy
7. Usage Policy

While evaluating the policies it has been observed that the organisation has made an attempt to achieve transparency about its activities and has established accountability, so that a person can be made responsible for any cause that adversely affects the organisation.

With respect to the Access Policy, the organisation’s policy describes whether any particular information is to be made available as a routine matter or upon request. The organisation considers the priority of the information and first considers whether the information requested falls within the ambit of the Access Policy. The purpose of the policy is to maintain an adequate level of security to protect the organisation’s data and information systems from unauthorised access. This policy defines the rules necessary to achieve this protection and to ensure secure and reliable operation of the organisation’s information systems.

The policy states that only authorised users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. For this purpose, the organisation grants limited rights as per the user level, which is achieved via user IDs that are unique to each individual user so as to provide individual accountability.

This policy affects all employees of the organisation, all contractors, vendors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

This policy applies to all computer and communication systems owned or operated by the organisation. It applies to all software, including operating systems.

Any user (remote or internal) accessing the networks and systems of the organisation must be authenticated. The levels of authentication implemented by the organisation include, but are not limited to:
- Automatic log off
- Unique user identifier
- And also, installed wherever required:
  - Biometric authentication
  - Password
  - Personal identification number
  - Telephonic call-back procedure
  - Token

The employees of the organisation are provided with workstations to work on. All workstations used by the employees of the organisation use the access control system approved by the organisation. Users are given unique IDs and passwords, with a time-out after inactivity, and a power-on password for the CPU and BIOS. They are instructed not to leave active workstations unattended for prolonged periods of time. A workstation must be properly logged off from all applications and networks; otherwise the user will be held responsible for all actions taken under their sign-on. Inactive workstations are automatically logged out after the duration the organisation has set out in the policy, and the user is required to log in again to continue usage, to minimise the opportunity for unauthorised access to organisation resources. The organisation has installed a dual sign-on concept on the system, which requires the user of the workstation to obtain the approval of the senior or head of department while signing in. For employees who have left the organisation, the access privileges given to them have been terminated.

The organisation has implemented system access controls based on data classification to ensure that data is not improperly disclosed, modified, deleted or rendered unavailable. The organisation has put in place limiting user access controls wherein user logon scripts, menus, session managers and other access controls limit the user to only those applications and functions for which they have been authorised. Users are granted information on a need-to-know basis.

Individuals who are not employees, contractors, vendors, consultants or business partners are not granted any access or privileges to use the organisation’s computers or information systems unless the written approval of the department head has first been obtained. After approval is obtained they have to abide by the rules and regulations, which they are required to sign before being given access to the resources of the organisation.

Deliverables are the outcome or result of an activity involving mental or physical effort of the organisation. Deliverables are the products, services and results that a project produces. The deliverables of IT companies are their software and the source code they make. This organisation develops both customised and non-customised software. It has developed a policy as to how the customers are to be kept satisfied, and develops the products according to their requirements and within the time limit specified by them. Some of the products of the organisation are complex, and therefore the organisation also imparts training to the customers’ employees and gives them an idea of how to work with the products. The organisation also gives 24 x 7 support services to its customers for the problems they face while working with the product.

Background

Radisson Ltd is a global IT solution provider with marketing offices across the USA, Asia and Europe, because of which the company has a large employee base working from outside India. Due to the strict attendance policy of the HR department, the employees of the organisation are unable to give their best, and therefore the customer deliverables are impacted. In order to provide good deliverables and regular support for its products and services, the company has decided to explore the option of mobile computing.

Situation

There has been an increase in employee turnover, and HR has identified that one of the reasons for this is the strict office timings implemented by the company. As the productivity of the highly skilled workers can be assessed based on the project plan and deliverables, the management has decided to explore the option of using mobile computing to increase employee productivity and offer employees the convenience of working from any location.

Terms and Scope of Assignment

Based on an understanding of Radisson Ltd’s need for implementing mobile computing, it was decided to assess the company’s working practices, technology infrastructure, HR policies, access policy, security requirements and customer deliverables as per the project plan, and to provide recommendations on the policies and procedures required for mobile computing to meet business needs and compliance and regulatory requirements.

Auditee team

IS CONSULTING COMPANY (ISCC) is a 10-year-old firm of chartered accountants specialising in information systems assurance, training and consulting, including management consulting services. ISCC is led by Mr Lal, who is a chartered accountant and holds the Diploma in Information Systems Audit of ICAI. The firm has qualified and trained IS audit personnel.

Logistic Arrangements Required

Infrastructure Required

It will be necessary for Radisson Ltd to appoint one coordinator who will be part of the discussion on the work plan initially and continue to work with the ARA team till the assignment is complete. Radisson Ltd will make available the necessary computer time, software resources and support facilities necessary for completing the assignment within the agreed timeframe. The conduct of the assignment should be adequately communicated to the required personnel so as to facilitate extensive co-operation from the respective personnel. During the course of the assignment, we will require the following infrastructure:

- Three nodes with read-only access to SAP
- One laptop with Windows 8 / Microsoft Office 2013
- Access to a laser printer for printing reports as required
- Adequate seating and storage space for the audit team
- Facilities for discussions amongst our team and your designated staff

Documentation Required

- User manuals and technical manuals relating to system software and SAP
- Organisation chart outlining the organisation hierarchy and job responsibilities
- Access to circulars/guidelines issued to employees
- Access to user manuals and documentation relating to the SAP implementation by Radisson Ltd
- Any other documentation identified by us as required for the assignment

Methodology and Strategy adapted for execution of assignment

Audit Approach

Our approach to the assignment would be as follows:

(i) We propose to deploy a core team of 2 to 4 IS audit personnel for this assignment under the personal direction and leadership of the Principal, Mr Lal.

(ii) Radisson Ltd should designate a person at a senior level to coordinate between us. Radisson Ltd should also depute one person each from the systems and audit groups to form part of the audit team.

(iii) Detailed systematic assessment procedures would be finalised after completing the review of the documentation and discussion with the systems staff and the users. In tune with the terms and scope of reference of the assignment, we will adapt the methodology from COBIT®. Specific Control Objectives/Management Guidelines of the relevant IT process of Logical Access Controls shall be assessed for this assignment after obtaining an understanding of the organisation structure, Information Technology deployment and available documented policies and procedures.

Structured Methodology

The above-mentioned objectives shall be achieved through the following structured methodology:

- Obtain an understanding of IT resource deployment at Radisson Ltd
- Obtain an understanding of the IT strategy and internal control system at Radisson Ltd
- Identification and documentation of IT-related circulars issued by Radisson Ltd
- Identification and documentation of organisation structure and information architecture
- Identification and documentation of existing policies, procedures and practices
- Application of COBIT® for formulating IT best practices for the policies and procedures of Radisson Ltd
- Formulation of a draft report on our findings covering our assessment and benchmarking
- Presentation of the final report with an agreed action plan based on feedback from the IT management and Internal Audit team of Radisson Ltd

Radisson Ltd shall make available all the required resources on time and provide one coordinator for interaction and clarifications as required.

Audit plan

The audit plan would cover the following activities:

- Discussions with the
  - Internal Audit Team
  - Systems/Implementation Team
  - Users and user management
- Review of Operating Systems (OS) documentation
- Examination of OS access rights
- Review of SAP manuals
- Examination of selected modules’ access profiles
- Observation of the users and the systems in operation
- Review of access controls over computers as relevant
- Examination of computerised processing controls incorporated within the selected modules

Assessment Program/procedures

Our audit team would perform the following tasks based on the assessment methodologies, which include the following programs/procedures:

1. Undertake an in-depth study and analysis of all aspects of SAP as implemented at Radisson Ltd. We will take steps to identify the way in which the system currently operates. In doing so, the following objectives would be kept in mind while setting the overall goals:
   - Accurate and complete processing of data
   - Error messages in case of incomplete/aborted processing of data
   - Optimised data handling and storage
   - Better management of information

2. Review the software in operation; understand how the various modules interact within the overall system.

3. Review how each module in the system has been tested, including the documentation prepared in respect of each.

4. Review the methods employed for implementation of the system, including post-implementation review procedures undertaken to ensure that the objectives set out were actually achieved.

5. Understand the business processes and review how these have been mapped in the information systems by tracing the modules with a top-down approach.

6. Review the modules by performing detailed documented tests of all the menu options and their related effects.

7. Review the controls established over the continuity of stored data, necessary to ensure that once data is updated to a file, the data remains correct and current on the file.

8. Review the in-built controls for stored data so as to ensure that only authorised persons have access to data on computer files.

9. Review the controls established which ensure that all transactions are input and accepted for further processing and that transactions are not processed twice.

10. Review the controls established so as to ensure that only valid transactions are processed.

11. Review the procedures established for back-up and recovery of files in the package.

12. Review controls established for the development, documentation and amendment of programs so as to ensure that they go live as intended.

Documents review for assessment

Review of the information security policy of Radisson Ltd:

- User manuals and technical manuals relating to system software and SAP
- Organisation chart outlining the organisation hierarchy and job responsibilities
- Access to circulars/guidelines issued to employees
- Access to user manuals and documentation relating to the SAP implementation by Radisson Ltd
- Any other documentation identified by us as required for the assignment

Introduction to Mobile Computing

Mobile computing is the use of a variety of devices that allow people to access the data and information of the organisation from any place. Mobile computing transfers data, voice and video over a network via mobile devices.

Mobile device refers to a wide range of devices that allow people to access data and information from anywhere at any time, from those that fit into a pocket to laptops that help people stay connected. Mobile devices include cell phones and other portable devices. The devices that can be used in mobile computing include:
- Laptops
- Smartphones
- Tablets
- Wearable computers

Mobile devices can be connected to a Local Area Network (LAN), or they can take advantage of Wireless Fidelity (WiFi) by connecting via a wireless local area network (WLAN), which offers benefits such as:

Connectivity: stay connected to all sources at all times
Social Engagement: interact with a variety of users via the internet
Personalization: tailoring the devices to one’s needs
Portability: facilitates movement of devices

How to work with Mobile Computing Technology

With a smartphone in our pockets and access to thousands of apps, a person can perform a wide range of information-intensive activities on a phone. The use of smartphones and other portable devices has brought the world to our fingertips. A smartphone holds thousands of apps. The organisation can develop its own app which includes all the features an employee accesses when working at his original workplace through a workstation. The customers of the organisation can place and track orders from the app itself. Vendors can be managed by using the app. This app allows the employees to perform activities such as:

- View upcoming tasks and scheduled activities, so the employees can always keep track of the work to be done.
- Recording of attendance of the employees.
- Get alerts on specific events such as deviations from approved discounts, prices, credit limits or targeted gross profits.
- View and complete approval requests, or ask for additional information or provide comments to requesters in the approval and rejection process. These include PO requisition approvals, invoice approvals, discount approvals etc.
- Access real-time operational reports from the system to have up-to-date dashboards and key performance indicators at the fingertips.
- Access and manage customer and partner information, including contact details, historical activities and past orders.
- Monitor inventory levels, and access detailed information about products, including purchasing and sales price, availability, manufacturer, shipping type, product specification etc.

(source - http://www.industryweek.com/companies-amp-executives/five-reasons-why-mobile-computing-accelerating-organizations)

Use of mobile technology during customer interactions not only allows organizations to become more responsive to their customers (a great competitive advantage over other companies) but, more importantly, it enables them to appear bigger in size and richer in resources than they actually are (a huge coup in perception management for mid-sized companies). They can also get access to the latest operational scorecards on their mobile phone to know where they are (by the minute) in terms of meeting their metrics. Since ERP and BI vendors are offering pre-built mobile apps at no additional cost, even small organizations can afford to mobile-enable their workforce and increase their business. These reasons suggest that mobile computing in business is not only here to stay, it will become the very fabric of how we will work. Organizations that do not deploy the mobile apps from their enterprise vendors (or build their own apps on top of their applications and data) will become less competitive.

Requirements of Mobile Computing Technology

The organisation has to develop a policy for the use of mobile computing technology in its business environment. The purpose of the policy is to provide guidance for the appropriate purchase and usage of mobile computing devices: the type of device to be purchased and who is to use the device. The risks associated with the use of mobile computing devices and other regulatory requirements are to be kept in mind.

Benefits of Mobile Computing Technology

The following are the benefits of using mobile computing:

1. Increase in productivity:
Mobile devices can be used out in the field by various companies, therefore reducing time and cost. Due to the increase in productivity, the revenues of the organisation may increase.

2. Portability:
This is the main advantage of mobile computing, as there is no restriction to one location in order to have access to the organisation’s data and information, and this can lead to higher revenues.

3. Storage:
Smartphones and tablets contain inbuilt storage and can help in storing various files.

Disadvantages associated with mobile computing are:

1. Connectivity Issues:
Mobile devices require either network connectivity or wireless connectivity. If these networks are not available, access to the database of the organisation will be broken.

2. Security Concerns:
The security of wireless communications is more easily compromised than that of wired communication. This is further complicated if users are allowed to cross security domains.

3. Low Bandwidth and Bandwidth Variability:
Wireless networks deliver lower bandwidth than wired networks, hence mobile computing designs need to be very concerned about bandwidth consumption. The deliverable bandwidth per user depends on the number of users sharing a cell. The network’s capacity can be measured by its bandwidth per cubic meter.

4. Small User Interface:
For smaller and more portable devices, current windowing techniques are inadequate. It is impractical to have several windows open at the same time on a small screen, even at high resolutions.

Applications driving the use of mobile devices:

- Email and collaborative applications
- Office productivity applications
- Sales force automation applications

Threats, Vulnerabilities and Risks associated with Mobile Computing

Mobile computing device threats are:

- Newly purchased mobile devices can be configured insecurely. Devices can contain the original vulnerable operating system (OS) that has not been updated to eliminate known vulnerabilities.
- If a device does not require some type of access control, such as a personal identification number (PIN) or fingerprint, it is ripe for unauthorised use by anyone who has access to it.
- There are many types of malware that can give people with malicious intent the ability to obtain sensitive data stored on a device. Protecting data becomes more of a problem if one makes the mistake of loading sensitive organisational information onto it. Users need to be aware that they are responsible for protecting the device, preventing physical tampering, setting security-specific features, and avoiding supply chains that provide compromised or unsecure mobile devices.
- App-based threats include malware, spyware, vulnerable apps, compromised apps and data/information leakage due to poor programming practices.
- User-based threats include social engineering, inadvertently (or intentionally) releasing classified information, theft and/or misuse of device and app services, and malicious insiders who steal devices for their own purposes or for someone else.

Mobile computing vulnerabilities are as follows:

- Mobile computing device vulnerabilities exist in the device itself, the wireless connection, a user’s personal practices, the organisation’s infrastructure and wireless peripherals (e.g., printers, keyboard, mouse), which contain software, an OS and a data storage device.
- If not secured by encryption, wireless networks often pass sensitive information in the clear, which can do harm to individuals and/or organisations.
- Unencrypted organisation, customer and employee information stored on the computing device can inadvertently be made available to others if someone intercepts it while in transit, or if the device is stolen (and no access controls are in place).
- If the organisation does not have a wireless encryption program (i.e., a virtual private network [VPN]) in place, then mobile devices may interact with personal devices’ email and obtain sensitive correspondence.
- Other vulnerable components of the mobile computing device environment are the apps loaded on it. Each application can contain a vulnerability that is susceptible to exploitation.

The most common risk factors applying to the use of mobile devices are:
a) lack of physical security controls
b) use of untrusted mobile devices
c) use of untrusted networks
d) use of untrusted applications
e) interaction with other systems
f) use of untrusted content
g) use of location services

Controls used to manage risks:

Controls are used in business to assist with the execution of business strategy, to manage business outcomes and to manage risk. In the case of managing risks related to the use of mobile devices to access information and applications, the controls required to be implemented are:

1. Use of antivirus and anti-malware programs
2. User access policy for mobile computing
3. Protect sensitive information on devices with encryption
4. Prevent unauthorised devices and people from accessing information or applications
5. Patch system software on devices wherever possible
6. Testing of configuration settings on devices

Radisson Ltd wants to implement strict timing functions to manage the attendance of the employees of the company. The following risk matrix is prepared for using mobile computing for the HR department’s attendance policy.

RISK CONTROL MATRIX

Probability (rows) against Severity (columns); each cell is the resulting risk level.

| PROBABILITY | SEVERITY: LOW | SEVERITY: MEDIUM | SEVERITY: HIGH |
|---|---|---|---|
| LOW: this risk has rarely been a problem and never occurred | LOW | MEDIUM | MEDIUM |
| MEDIUM: this risk will MOST LIKELY occur at this event | LOW | MEDIUM | HIGH |
| HIGH: this risk WILL occur at this event, possibly multiple times, and has occurred in the past | MEDIUM | HIGH | HIGH |

Risk Assessment Table with respect to mobile computing

Column meanings:
  Activities                   - the name of the activity
  Associated Risk(s)           - the risk(s) associated with the activity
  Severity                     - level of impact
  Probability                  - the chance of that risk happening
  Risk Score                   - found by combining impact and probability on the risk matrix
  Method(s) to Manage the Risk - the methods used to minimise the chance of the risk happening
                                 and/or the resulting damage

Activity: Use of mobile devices in the workplace (or BYOD)

No. | Associated Risk(s)                                         | Severity | Probability | Risk Score | Method(s) to Manage the Risk
----+------------------------------------------------------------+----------+-------------+------------+-----------------------------------------------------------------
1   | Loss or theft of sensitive data                            | High     | High        | High       | Prevention of unauthorised devices and people from accessing critical information and applications
2   | Viruses, worms or malware                                  | Medium   | High        | High       | Use of antivirus software and anti-malware programs
3   | Exposure of critical information via wireless sniffers     | Medium   | High        | High       | Protection of sensitive data or information with encryption on devices
4   | Malformed SMS                                              | Medium   | High        | High       | Training and awareness programs to be held
5   | Spam causing disruption                                    | Medium   | Medium      | Medium     | Automatic wiping of data in case of a stolen or lost device
6   | Capturing of emails and data attached to emails            | Medium   | High        | High       | Protection of sensitive data or information with encryption on devices
7   | Use of device as a proxy to establish a virtual connection | Medium   | High        | High       | Testing of configuration settings on devices
8   | Data loss/leakage                                          | High     | High        | High       | Allowing only authorised employees to use their own devices
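The scoring rule of the risk control matrix and the eight rows of the assessment table can be checked mechanically, which is what an auditor would do before relying on the register. The following Python is an added example for this report, not part of the original project work or of any Radisson Ltd system; the matrix and the register rows are copied from the two tables above, and the function and variable names are the example's own. It recomputes every stated risk score from the matrix, reports any row that disagrees, and confirms that the matrix itself is monotone (a higher probability or severity never yields a lower score).

```python
"""Recompute and audit the mobile-computing risk register against the risk matrix.

Added example for the report above (not the project's own code). The matrix
and register values are those stated in the report; names are assumptions.
"""
from typing import Dict, List, Tuple

LEVELS = ("LOW", "MEDIUM", "HIGH")

# Rows = probability, columns = severity, exactly as in the report's matrix.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "LOW":    {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "HIGH"},
}

# (risk, severity, probability, stated score, control) copied from the assessment table.
REGISTER: List[Tuple[str, str, str, str, str]] = [
    ("Loss or theft of sensitive data", "HIGH", "HIGH", "HIGH",
     "Prevention of unauthorised devices and people from accessing critical information"),
    ("Viruses, worms or malware", "MEDIUM", "HIGH", "HIGH",
     "Use of antivirus software and anti-malware programs"),
    ("Exposure of critical information via wireless sniffers", "MEDIUM", "HIGH", "HIGH",
     "Protection of sensitive data with encryption on devices"),
    ("Malformed SMS", "MEDIUM", "HIGH", "HIGH",
     "Training and awareness programs"),
    ("Spam causing disruption", "MEDIUM", "MEDIUM", "MEDIUM",
     "Automatic wiping of data in case of a stolen or lost device"),
    ("Capturing of emails and data attached to emails", "MEDIUM", "HIGH", "HIGH",
     "Protection of sensitive data with encryption on devices"),
    ("Use of device as a proxy to establish a virtual connection", "MEDIUM", "HIGH", "HIGH",
     "Testing of configuration settings on devices"),
    ("Data loss/leakage", "HIGH", "HIGH", "HIGH",
     "Allowing only authorised employees to use their own devices"),
]


def score(probability: str, severity: str) -> str:
    """Read the risk score at the intersection of the probability row and severity column."""
    return RISK_MATRIX[probability.upper()][severity.upper()]


def matrix_is_monotone(matrix: Dict[str, Dict[str, str]] = RISK_MATRIX) -> bool:
    """A sane matrix never gives a lower score when probability or severity rises."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    last = len(LEVELS) - 1
    for p in LEVELS:
        for s in LEVELS:
            here = rank[matrix[p][s]]
            # Step one level up in probability (next row) and in severity (next column).
            if rank[p] < last and rank[matrix[LEVELS[rank[p] + 1]][s]] < here:
                return False
            if rank[s] < last and rank[matrix[p][LEVELS[rank[s] + 1]]] < here:
                return False
    return True


def audit_register(register: List[Tuple[str, str, str, str, str]] = REGISTER) -> List[str]:
    """Return the names of risks whose stated score disagrees with the matrix."""
    return [name for name, sev, prob, stated, _ in register if score(prob, sev) != stated]


def high_risks(register: List[Tuple[str, str, str, str, str]] = REGISTER) -> List[str]:
    """Risks the matrix rates HIGH; these are the ones the policy's controls must address."""
    return [name for name, sev, prob, _, _ in register if score(prob, sev) == "HIGH"]


if __name__ == "__main__":
    print("matrix monotone:", matrix_is_monotone())
    print("rows disagreeing with the matrix:", audit_register() or "none")
    for risk in high_risks():
        print("HIGH:", risk)
```

Run as a script it prints whether the matrix is monotone, lists any register row whose stated score the matrix does not reproduce (none for the table as written), and enumerates the seven HIGH-scored risks that the policy's mandatory controls have to cover.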
RADISSON LTD

Mobile Computing Device

Draft Policy

Purpose

The purpose of this policy is to provide guidance for the appropriate
purchase and usage of Mobile Computing Devices [laptops, cell phones,
netbooks, tablet PCs and PDA/smartphones (phones with data/network
connectivity capabilities)].

Scope

The policy sets standards for the purchase, operation, and support of Mobile
Computing Devices for Radisson Ltd employees. This includes any type of
portable or handheld computing device capable of transmitting packet data
either directly or via connection to another network service (e.g. Wi-Fi
hotspot or cellular service).

Overview

The Information Technology (IT) department strives to provide the best
possible service to all members of the organisation. However, some services
are not always a necessity for certain job descriptions and/or duties. IT has
responsibility for specifying requirements for mobile computing devices. It
is IT's responsibility to provide stewardship guidelines, manage risk and
assess the impact these devices can have on the operation of the
infrastructure or the information stored therein. This also allows IT to
properly support and maintain these devices.

Company Policy

Department Cell Phones

The use, purchase and replacement of cell phones are governed by the "Voice
Communications Devices" policy and the Cell Phone Allowance Policy.

Services

 All services used are to be for business purposes only. If there is a
need or request to use the services for personal use, the organisation is to
be reimbursed by the employee.

Policy related to Selection and Purchase of mobile computing devices

 Standards for Mobile Computing Devices will be set by IT and reviewed
each year with attention given to cost, business functionality, service
availability, software compatibility, software licensing, supportability
and security. These standards will specify the models, vendors, related
service providers and software packages approved for use with these devices.
 Mobile devices are to be regularly scanned with anti-virus and
anti-malware software.

Policy related to usage of Cellular Carrier Data / Service Plans

 Many Mobile Computing Devices are able to connect to the internet through
Local Area Networks (LANs), Wi-Fi hot-spots or a cellular carrier's network
(advertised as "3G" or "4G" service). Connectivity through a cellular
carrier's network requires a separate data/service plan for each device. It
is the employee's responsibility to pay for the data/service plan unless
otherwise agreed with the department's budget manager through the approval
process of the Cell Phone Allowance Policy. IT will not support tethering
devices together for shared internet access; support for tethering is
provided by the cellular carrier.

Policy related to Software usage on mobile computing devices

 Users must not install any software on mobile IT equipment without prior
authorisation from the IT service desk.

 Software/apps purchased for cell phones, PDA/smartphones and tablets are
not reimbursable, as the licences cannot be transferred. In addition, if a
particular application is found to be causing problems for the network for
whatever reason, IT reserves the right to require that the software not be
used or be removed from the device. If the software is not removed from the
device, the organisation has the right to revoke the device's access to
organisation resources.

Policy related to Security of Data

 Data stored on mobile devices is often at greater risk than data stored on
desktop computers or network shares, because of the public environments in
which the devices are used and their risk of being lost or stolen. Hence,
confidential organisation data must not be stored on mobile computing
devices. In addition, all data stored on mobile computing devices should be
backed up regularly. Due to the diversity of devices available, security and
backups are the responsibility of the employee.

 Given that Mobile Computing Devices may store and transfer critical data
while connected to the internet, all policies (Acceptable Use, Email, Data
Security, etc.) apply and will be enforced. Mobile device users are strongly
recommended to password-protect access to stored information and to take
precautions to ensure the device is not lost or stolen.

Policy related to access control rights for Network Access and Support

 Because they are accessible from any internet connection, personal e-mail
accounts (such as Hotmail) are not authorised for work purposes.

 Authorised Mobile Computing Device users will be allowed to access the
organisation's network directly through the Wi-Fi network, which requires
authentication through a web browser. To ensure the security of the
organisation's networks, users must not leave ad-hoc network detection or
connection capability enabled on their Mobile Computing Device.

Department Responsibility for access control rights related to mobile
computing

 Once an employee's employment with the organisation has been terminated,
the manager/supervisor is to notify the IT Support Desk immediately so that
the service can be suspended if necessary. It is also the
manager/supervisor's responsibility to recover all Mobile Computing Devices
that are the property of the organisation before the employee physically
leaves the organisation. If another employee (a replacement) will take over
the device/service, it is the supervisor's responsibility to ensure that all
data is removed from the device before it is transitioned to the other
employee. Most units have a factory reset option that removes all data and
resets the device to manufacturer defaults.

 It is the department's responsibility to withdraw equipment from users who
tamper with the hardware or software configuration of mobile IT equipment.

 The department must deliver security awareness training and measure its
effectiveness with employees.

Physical access policy related to mobile computing

 Users must take due care of mobile IT equipment to prevent accidental
damage, e.g. from rough handling or spilt drinks.

 Use of smartphones and tablets in the workplace should be limited
specifically to authorised employees of the organisation.

Policy in case of loss / theft of a mobile computing device

 A team is to be assembled that is responsible for security concerns
arising in any circumstances, to ensure that the concerns of both the
company and the employee are best met. These individuals will also provide
core support throughout the implementation and enforcement of the policy.

 Upon the loss or theft of an organisation-owned mobile computing device,
the employee must file a report with the organisation's safety department,
and a copy of the report is to be forwarded to the IT Desk.

 Upon receipt of the loss/theft report, IT will activate a process to wipe
the data and user profile from the device, for any device that supports
remote data wiping. This helps ensure that private and confidential data
that might be stored on the device is not accessed and used inappropriately.
The information will not be recoverable after this process is completed. It
is therefore recommended that all devices are backed up frequently, as per
the Security of Data section above.

 If an employee loses or damages a Mobile Computing Device that is out of
warranty or not covered by insurance, and/or if the department fails to
collect the device from the employee upon separation from the organisation,
the department will be responsible for the full cost of repairing or
replacing the device.

Policy related to Support services of the IT Department

 The IT Service Desk will not visit a member of staff's home to fix faulty
organisation-issued equipment. Following a call to the IT Service Desk, any
mobile IT equipment requiring repair should be delivered to one of the HQ
buildings.

 The IT Support Desk will provide, to the best of its ability, connectivity
support to the organisation's network for all Mobile Computing Devices that
meet the organisation's network standards. Instructions and assistance will
be provided for access to organisation email on the device. Access to
organisation software and services cannot be guaranteed; however, selecting
devices with a full web browser experience will increase the likelihood of
future service availability.

Policy for audit

 Information security audits of mobile computing should be conducted
quarterly.

Summary/Conclusion

Mobile Computing is a versatile and strategic technology that, on the one
hand, increases information quality and accessibility, enhances operational
efficiency and improves management effectiveness, while on the other hand
it brings risks such as data compromise, unauthorised access and
viruses/malware.

By adopting the above-mentioned policies and procedures, implementing Mobile
Computing by the methodology stated above, and reviewing both periodically,
Radisson Ltd can achieve the best possible outcome.
