YKK AP Mobile Device Acceptable Use and Company Electronic Certificate Policy Statement
POLICY
The purpose of this YKK AP Mobile Device Acceptable Use and Company Electronic Certificate Policy Statement (“policy”) is to define standards, procedures, and restrictions for end users who have legitimate business requirements to use a mobile device issued to them by YKK AP America Inc. (“Company”) that can access the Company’s electronic resources. This mobile device policy applies to, but is not limited to, all devices and accompanying media that fit the following device classifications (collectively referred to in this policy as “mobile device”):
- Laptop/notebook
- Tablet computers such as iPads
- Mobile/cellular phones
- Smartphones
- Any mobile device capable of storing Company data and connecting to an unmanaged network (this type of device is listed because it is the type of device that this policy specifically prohibits employees from using to access Company data)
APPLICABILITY
The goal of this policy is to protect the integrity and confidential data that resides within the Company’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it can potentially be compromised. A breach of this type could result in loss of information, damage to critical applications, financial loss, and damage to the Company’s reputation. Therefore, all employees are prohibited from utilizing a personal mobile device to store, back-up, or otherwise access Company data or networks.
This policy applies to all Company employees who utilize Company-owned mobile devices to access, store, back up, relocate or who have access to any Company resources/information. Such access to the Company’s resources/information is a privilege, not a right. Consequently, employment at the Company does not automatically guarantee the initial and ongoing ability to use these devices to gain access to Company networks and information.
This policy addresses a range of threats:
Loss: Devices used to transfer or transport work files could be lost or stolen.
Theft: Sensitive Company data is deliberately stolen or sold by an employee.
Copyright: Software copied onto a mobile device could violate licensing.
Malware: Viruses, trojans, worms, spyware and other threats could be introduced via a mobile device.
Compliance: Loss or theft of financial and/or personal and confidential information or data could expose the Company to risk the of non-compliance with various identity theft and privacy laws.
The introduction of new information technology hardware, software, and/or related components will be managed at the sole discretion of the Technology Business Services Department (“TBS”). One example of such software is the Company’s upcoming transition to using Google’s G Suite instead of Lotus Notes for the Company e-mail platform. In connection with that transition, employees with Company issued mobile devices will receive instructions on how to install the Company’s Electronic Certificate (“EC”) onto employees’ Company issued mobile devices. The EC will facilitate installing G Suite onto employees’ Company issued mobile device. Employees are prohibited from installing the EC onto personal mobile devices or any other personal electronic devices.
Use of personal mobile devices to back up, store, and otherwise access any Company related information/data is strictly forbidden. This policy is complementary to any previously implemented policies dealing specifically with data access, data storage, data movement, use of mobile devices, use of electronic devices, and connectivity of mobile devices to any element of the Company network.
POLICY AND APPROPRIATE USE
It is the responsibility of any employee of the Company who uses a Company issued mobile device to access Company resources to ensure that all security protocols normally used in the management of data are followed. It is imperative that any mobile device that is used to conduct Company business be utilized appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user’s account.
Based on this, the following rules must be observed:
Access Control
1. TBS reserves the right to refuse the ability to connect mobile devices to Company and Company-connected infrastructure. TBS will engage in such action if it feels such equipment is being used in a way that puts the Company’s systems and data at risk.
2. Prior to initial use on the Company network or related infrastructure, all mobile devices must be registered with TBS. TBS will maintain a list of approved mobile devices and related software applications and utilities. Devices that are not on this list are precluded from being connected to Company network infrastructure. TBS reserves the right to update the list of devices authorized to be connected to Company network infrastructure.
3. Employees are prohibited from installing the EC on personal mobile devices or any other personal electronic devices. Employees are prohibited from using personal mobile devices to connect to the Company network infrastructure.
4. TBS can and will establish audit trails and these will be accessed and used without notice. Such trails will be able to track the use of non-Company issued mobile devices to access or connect to Company networks. Such audit trails will be able to determine whether an EC is installed on a personal mobile device. The end user agrees to and accepts that his or her access and/or connection to Company’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. This is done in order to identify devices that may have been compromised by external parties. In all cases, data protection remains the Company’s highest priority.
POLICY NON-COMPLIANCE
Failure to comply with this policy may result in the suspension of any or all technology use and connectivity privileges, disciplinary action, and possibly termination of employment. Employees will be held monetarily responsible for any loss or damage caused by using personal mobile devices to access or connect to Company networks or for installing the EC onto a personal mobile device or any other personal electronic device.