Version: 3.0
Valid until: 2025-04-12
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Added a link (under A.6.2.1) on how to enroll a device now that non-developer anDREa employees in the Netherlands have received a managed anDREa device. Added the security@andrea-cloud.com email address for reporting on devices. Added suggestions for Chromebook equivalent of Windows Defender and Chromebook encryption. Added andrea-cloud.com accounts where appropriate under A.6.2.2. Added number matching, our new Google Workspace and collection of evidence under 'Centrally managed'. |
anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2017, the international standard for information security.
The purpose of this document is to describe anDREa’s Mobile Devices and Teleworking Policy. This document also addresses the fact that anDREa is a remote first organisation. anDREa personnel and hirees work from environments not managed nor controlled by anDREa.
This document will be updated at least annually and when significant change happens.
The objective of this control is:
To ensure the security of teleworking and use of mobile devices.
All the work done for or on behalf of anDREa by employees or contractors of anDREa.
anDREa assumes:
The use of Bring Your Own Device (BYOD).
The use of anDREa-issued devices.
Breach and loss of devices.
Devices are not up-to-date.
Unauthorised access to devices.
Centrally managed workplace can create a false sense of security
Centrally managed devices are currently an extra risk/false sense of security, for:
anDREa B.V. does not have the capacity nor the expertise to effectively 24/7/365 manage devices.
Users may assume incorrectly that certain aspects will be taken care of centrally.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
“The policy and supporting security measures that are adopted to manage the risks introduced by using mobile devices.”
General:
When in doubt, consult the Security Officer.
The Security Officer documents the consult and advise.
The Security Officer will randomly check and document compliance with the measures below, each year:
When possible by visiting the employee or contractor physically.
Every person at least every 3 years.
Device:
If you BYOD, create a work account for anDREa on your device.
Keep non-work related applications and information separate.
Restrict anDREa-related applications and information to the anDREa work account.
If you have received a device issued by anDREa, please follow these instructions ([For anDREa employees] Enrolling a device) to enroll your device.
Keep the time that devices are unattended to a minimum.
If going to be left unattended, the device must be locked. If possible, preferably lock the device with biometric authentication or PIN.
When a device is misplaced or stolen, that is used for or with anDREa-related work, directly report it via:
https://support.mydre.org/portal/en/kb/articles/contact#Security__Privacy_related_incidents or by emailing to security@andrea-cloud.com.
All devices used for or with anDREa-related work must have:
Industry-accepted unlocking of mobile devices.
Especially the ones containing the Multifactor Authentication (MFA) app.
Preferably Windows Defender or equivalent running.
The same functionalities are included in the MacOS, however additional software such as Windows Defender for Mac or CleanMyMac X are preferred.
Chromebooks include security layers, however you can install additional software such as Bitdefender.
All security patches/updates available are applied as soon as possible.
Preferably have bitlocker or other device encryption in place.
MacOS has a built-in feature called FileVault for encryption. This needs to be switched on manually.
Chromebooks already have full disk encryption.
Preferably VPN enabled when connecting to public networks or networks which are not equipped with minimal WPA2 protection.
When you change devices, change harddisks or other media carriers, please report to the Security Officer:
You changed devices / harddisks / media carriers.
You have deleted all work-related material and documents, and minimally emptied the bin with deleted work.
You have removed the Work account.
You have wiped the harddisk/media carrier and if applicable physically damaged the harddisk/media carrier.
The Security Officer documents all of the above.
“The policy and supporting security measures that are implemented to protect information accessed, processed or stored at teleworking sites.”
General:
Always consult the Security Officer when you take/do work abroad.
The Security Officer documents the consult and advice, and verifies compliance.
Work environment:
Verify if the environment is safe to work in; both physical and security-wise.
Clear desk and clear screen when leaving your workplace.
Accounts:
myDRE.org or andrea-cloud.com accounts should not be used for non-anDREa-related work.
Data and data carriers:
Delete/destroy local data that is no longer needed. Preferably work in the provided cloud environments.
All data carriers, including non-digital, should not be left unattended and only be used when cloud storage is not suitable.
Don’t use USB-sticks except for personal use only and preferably encrypted, and only if cloud transfer is not an option.
Don’t put USB-sticks that are used on another person’s device in your device.
All data not classified as low must be encrypted on media carriers.
All data not classified as low must exist in the cloud before being added to a media carrier.
All data created offline and not classified as low must be uploaded to the appropriate place in the cloud at the earliest possibility.
All anDREa relevant data should be kept on systems provided by anDREa, if not in real-time, then a copy.
All data stored locally must pass the test of:
Not affecting anDREa or its services in case of loss, destruction, or obtained by non-authorized people.
Being able to get up-and-running on vanilla devices without transfer of local data within a week.
Do not send data classified as high via e-mail. Always provide a link to Sharepoint/Google Drive with RBAC in place and explicit invite using the email address.
Follow the Retention & Destruction Policy.
Role Based Access Control (RBAC) based on the least-privileged principle.
Access to the myDRE platform:
Requires:
myDRE account or an account added as a guest to anDREa Azure Active Directory (AAD).
MFA with number matching.
For Research Support Teams: Azure Privileged Identity Management (PIM).
Do not allow:
Connecting apps to mydre.org or andrea-cloud.com accounts unless strictly necessary and approved by the CTO.
When required, anDREa will:
Block a user (account).
Immediately revoke access to all anDREa-managed environments.
Reset passwords.
Reset MFA.
Collect all evidence/logging, potentially needed for A.7.2.3 Disciplinary procedure.
Train people and periodically validate if what is required is also acted upon.
Invite people to log impractical policies and requirements.
Ensure all organisational assets are returned to anDREa at termination of employment, contract, and agreement.
Compliance checks, controls and documentation.
Compliance with the measurements described above in anDREa People - Mobile Devices & Teleworking Check.
Relevant Zoho tickets regarding:
device/media carrier/harddisk changes.
taking working abroad requests.
misplaced or lost devices.