PROCEDURE FOR MOBILE DEVICE & TELEWORKING POLICY

Classification: Internal
Document No: OIL-IS-PRO-MDTP
Document Title: Procedure for Mobile Device & Teleworking Policy
Version No: 1.0
Release Date: 28/02/2015
Last Review Date: 31.03.2017

Prepared by: Information Security Manager
Reviewed by: CISO
Owner: CISO

Document Control

Document Owner: CISO
Classification: Internal
Publication Date: 23/03/2015

Revision History

Version: 1.0
Date: 28/02/2015
Summary of Changes: Initial Release
Contents

1. Objective
2. Scope
3. Responsibilities
4. Procedure Statement
1. Objective

The objective of this procedure is to ensure that the security of information and systems accessed through teleworking and mobile working is given due importance. It is essential that employees know that security procedures and policies exist, and that these are understood and adhered to.

2. Scope

The scope of these procedures includes all persons/parties who have access to information and information systems belonging to or under the control of.

Processing devices that can be used as part of teleworking or mobile working include: PCs (home based, touchdown centres etc.), laptops and notebooks, tablet PCs, smart phones, personal digital assistants (PDAs), digital cameras, mobile phones and any other mobile device that records and/or processes information.

Removable media is anything onto which data can be copied, saved and/or written and which can then be taken away and restored onto another computer (e.g. CD, DVD, flash drives, USB data sticks, portable hard drives).

3. Responsibilities

ISC is responsible for ensuring that all employees and managers are aware of security policies and that they are observed. Managers need to be aware that they have a responsibility to ensure employees have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of the information systems and information, need to ensure that staff are aware of their responsibilities towards security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.

4. Procedure Statement

1. For teleworking and mobile working, access to IT information, networks and applications (including email) can be obtained via the ADSL link provided to selected people in OIL or by secure VPN (Virtual Private Network) connection, on the desktop of IT commissioned devices, wherever the OIL network is not or cannot be provided.

2. It is possible to access OIL email from a remote location (such as home) using non-wireless or wireless technology. This should only be attempted using a web browser via https://oilmail.oilindia.in/owa/. Employees should ensure they select the tick box stating whether they are using a private or shared computer, according to the rules given on the entry web page. When using this service, employees must ensure that https is displayed at the start of the address line and that the padlock symbol is displayed in the browser window. When they have finished using this email service, employees must log off OIL webmail and close the browser window. Failure to do so can leave the account accessible to hackers.

3. Connection to the OIL network through VPN, for accessing SAP and other applications, should only be attempted using the domain logon and password credentials which employees are issued with.
4. Extra care should be taken to properly close all applications, network connections and web browsers when using PCs, mobile devices and software not officially provided by OIL. Passwords, logon credentials and sensitive files can be left behind on untrusted devices, making them readily available to subsequent users.

5. A Wi-Fi connection to the OIL network should not be attempted unless the connection can be assured through the known OIL user ID/password based authentication. Free Wi-Fi provided in malls, airports or hotels should not be used to connect to the OIL network to access OIL information resources.

6. Users conducting teleworking/mobile working should not allow or give permission for unauthorised users (including family and friends) to use that PC/mobile device.

7. Any information concerning passwords, usernames, network credentials or requirements/ability used to access OIL's information and systems by teleworking/mobile working must not be shared with other staff, unauthorised users, third party vendors, family, friends or members of the public.

8. Teleworking and/or mobile devices provided by OIL should only be used by authorized parties for authorized OIL business or purposes in accordance with OIL's Acceptable Use Policy and associated security policies.

9. A password should be set up and used on all mobile equipment that can be locked by use of a password. For example, Android devices can be locked using a password, and this facility should not be disabled by the user.

10. In the event that a user becomes aware of an information or data breach or accidental disclosure, this matter must be reported immediately via OIL's Incident Reporting Procedures. In such an event, the password for the user ID of the affected user will be reset immediately to minimise the risk.