No using computers at work
2/27/2023

I'm keeping an eye on this, as I want to be ahead of the questions when they come from my managers. At any rate, we find it particularly hard to identify what we're really trying to solve with these policies and thus end up with no real policy. I've only ever had to do that once and it was due to a lost phone. This is fine, but once again, we make them acknowledge in writing that we have the ability to remotely wipe the phones if our company data is at risk. As far as software, all of our users have OWA access via browser, but there are plenty of folks who have asked for their email to be set up on their phones. While we do not have a policy we have in writing their acknowledgement of the risks of doing so and the lack of support that entails in using anything other than a company machine. However, we have provided them with a company machine. We do have a couple of users who prefer to use their sleeker, consumer electronics grade machines. However, as we all know, the world is not perfect. We do not have users using personal devices as their work machines officially. We've tried to develop an MDM policy before but it seems like every time we go for another round because of the most in our case it goes hand in hand with BYOD policies, which we don't have in place.

Over the years I've learned it's best practice to follow industry standards (do what everyone else is doing) and above all to keep it simple! In this case all you need is a simple one liner that reads something like 'Company e-mail will only be used for official business related correspondence'. The point is this policy would be based off of factors that you can't control, can't continually monitor (at least not from an automated standpoint), and frankly cannot enforce. Are you going to follow up with me in April when my Norton 360 subscription ends to make sure I renewed it?
What if I start dating some girl named Candy and while I'm at her house I decide to use her laptop real quick to check my e-mail, how will you know? Let me ask you this, how do you plan to monitor for violations of or enforce such a policy? Let's say I'm your employee, and I sign off on your policy and since I'm a standard user (not in IT) I ignorantly allow you to verify that my home computer is running Norton 360, and in return you grant me OWA access. You don't need a policy like this, and frankly even if you had a policy like this it wouldn't matter. How do you ensure personal systems that access OWA have these securities implemented? No, we are ensuring that home computers have active antivirus protection, working Windows updates, firewall, etc, without recording user activity (No invasion of privacy). We do not want them accessing intranet resources from personal devices, as previously stated. This would only be for cloud accessed resources. Our company's secure information is stored elsewhere. That way all of your regulated data stays on company owned and managed equipment. I think you would be better served by only allowing access to your online environment from your workplace and then set up an MDM sandbox environment so the users can get their email in a sandbox application on whatever device they desire, and then set up an RDS server so remote users can have access to company resources to an RDP session. You also have to consider how will this impact any regulatory laws on either data privacy or HIPAA in that your regulated data could now exist on unregulated or managed equipment.

To extend what Dustin posted (which I agree with 100%) you will also lose control of your company's intellectual property, unless that isn't important to you, if you offer this service.