NOTE: This internal policy is provided for our customers to understand our commitment to security. It does not apply to customer devices using our service. Please refer to your own internal IT department for information regarding your use of personal or corporate devices when using Leading2Lean services.

As a remote-first company with employees working virtually, employees may transact L2L business at times on personal devices. To maintain the security of corporate and customer data, this “Bring your own device” (BYOD) policy governs the use of these devices for business purposes. Leading2Lean reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below.

This policy is intended to protect the security and integrity of Leading2Lean’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.

Leading2Lean employees must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the company or customer networks.

 

Registration and Audit

Employees who choose to use personal devices for business purposes are required to register their devices with the company and be subject to the company security requirements and audit procedures. This is done through the installation of company-approved software agents and device management utilities. This allows L2L to audit devices for adherence to our security requirements and perform actions to secure corporate and customer data from unauthorized access or loss.

Internet Access

Employees are responsible to supply adequate internet access as defined above for these devices.

Device Hardware

Employees using personal devices are responsible for the cost and maintenance of their device(s) and any other equipment required to perform their function. 

Company Software

L2L will provide necessary software solutions for employees to perform their designated functions. Your manager can work with you to ensure you have access to the required software.

BYOD Allowance

As of Feb 28th, the company no longer provides a BYOD allowance.

Termination

For employees who received a previous BYOD allowance, should the employee or the Company terminate the employee’s employment within the first 270 days of their employment start date, the employee shall promptly repay, to the Company, the full amount of the BYOD allowance that they received.

 

If an employee or the Company terminates the employee’s employment at any time following the first 270 days of full-time employment, the employee is required to return to the Company a pro-rata monthly share of the BYOD allowance payment paid in the previous 12 months.

BYOD Security Requirements

All hardware and software you use as part of your employment must comply with the L2L Device Security Policy below.

 

Additionally, we have a security requirement that each computer must have an encrypted hard drive and must enforce complex passwords. Note for Windows users: Windows Home versions do not support these two features, only Windows Pro versions can be used to satisfy the company’s security requirements. For Apple users, the recent versions of MacOS support hard drive encryption.

 

L2L Device Security Policy

 

Acceptable Use

• The company defines acceptable business use as activities that directly or indirectly support the business of Leading2Lean.
• The company defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading or game playing.
• Employees will not access websites that may be offensive, illegal, pornographic, not in good taste, or that may be considered unprofessional in any way, that would damage the image, reputation, or good standing of the company, its employees, or customers.
• Devices’ camera and/or video capabilities should only be used with permission while at customer sites.
• Devices may not be used at any time to:
  • Store or transmit illicit materials
  • Store or transmit proprietary information belonging to another company
  • Harass others
  • Engage in outside business activities
  • Etc.
• Employees may use their mobile device to access the company-owned resources: email, calendars, contacts, documents, Hubspot, and Google docs.
• Acceptable applications include (but are not limited to): email/Gmail, google calendar, chrome, mobile safari, google docs, ssh/terminal applications, Microsoft Office (Word, Excel, PowerPoint, Teams, Outlook, etc.), Apple iWork (Pages, Numbers, Keynote), etc.
• Leading2Lean strongly discourages texting or emailing while driving and only hands-free talking while driving is permitted.
• Employees may only access corporate systems from mobile devices for which they have the proper user role access.

Acceptable / Approved Application Stores

• Apps should only be used from the following application stores:
  • Apple iTunes
  • Google Play
  • Amazon App Store

Devices and Support

• Smartphones including iPhone, Android, Blackberry, and Windows phones are allowed.
• Tablets including iPad, Android, and Windows Tablets are allowed.
• Phone or Tablet devices must be within 3 years of their manufacture date and maintain the latest operating system to be allowed and supported.
• Connectivity issues may be supported by IT, but employees should contact the device manufacturer or their carrier for support of the operating system, data connectivity, service plans, and hardware-related issues.

Devices and Application Validation Process

• Devices and/or Applications not on the approved list may be submitted to IT for testing and validation to identify any application compatibility issues.
• To submit a device or application for validation, please create a support ticket by sending an email to support@leading2lean.com with the appropriate information detailing the device or application in question and any concerns or problems identified.
• The support ticket will be routed to the appropriate team for review and response.

Reimbursement

• The company will not reimburse the employee for the cost of personal devices.
• The company will not pay for the phone/data plan, etc.
• The company may reimburse the employee for the following charges: International roaming and/or plan overages, due to business-related travel outside of the United States.

Security

• In order to prevent unauthorized access, devices must be password protected using the features of the device, and a strong password is required to access the company network.
• The company’s strong password policy is: Passwords must be at least eight characters and a combination of upper- and lower-case letters, numbers, and symbols. Passwords will be rotated every 90 days and the new password can’t be one of 15 previous passwords. Installing and using a password manager for company accounts is required.
• The device must lock itself with a password or PIN if it’s idle for five minutes.
• After five failed login attempts, the device will lock.
• Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.
• Smartphones and tablets that are not on the company’s list of supported devices are/are not allowed to connect to the network.
• Smartphones and tablets belonging to employees that are for personal use only are not allowed to connect to the network.
• Employees’ access to company data is limited based on user profiles defined by IT and automatically enforced.
• The employee’s device may be remotely wiped if 1) the device is lost, 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus, or a similar threat to the security of the company’s data and technology infrastructure.
• Devices must use anti-malware software (where supported).

Risks/Liabilities/Disclaimers

• While IT will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.
• The company reserves the right to disconnect devices or disable services without notification.
• Lost or stolen devices must be reported to the company within 24 hours.
• Employees are responsible for notifying their mobile carrier immediately upon the loss of a device.
• The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.
• The employee is personally liable for all costs associated with his or her personal devices.
• The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
• Leading2Lean reserves the right to take appropriate disciplinary action up to and including termination for non-compliance with this policy.

Privacy, Litigation, E-Discovery, and Legal Holds

• Employees should understand that devices used in Leading2Lean business activities may be subject to search, review, or legal hold if required by a court of law. 
• Employees may not expect private data on devices used for Leading2Lean business purposes to remain private if those devices are involved in any legal action.

Anti-Malware Training

• Malware training is provided on a regular basis. Employees are expected to review training material and implement best practices to keep their own and company devices safe.
• Malware on mobile devices can compromise our company's security. Please review the following training items to introduce you to malware concepts and to protect you and your device from malware
  • Mobile Device Security
  • https://www.udemy.com/mobile-security-awareness-training/
  • https://www.udemy.com/security-awareness/

Annual Security Training

• Each employee is required to complete an annual security training. This may be conducted by the department or on an individual basis. Completion of the annual security training is tracked internally and reported annually.
  
  

Decommissioning a Device

• Company devices will be returned to the for decommissioning and cleaning.
• Employee-owned hardware must follow the existing procedure below unless running the L2L-approved software agents and device management utilities.
  • Before an employee discards or repurposes a computer, data on the computer must be completely removed. If an employee leaves the company, all of the employee's devices must be reset.
  • Instructions to perform a factory reset can be found on Windows's support website (follow "Reset your PC" instructions) and Apple's support website.
  • Alternatively, the employee may demonstrate they have deleted all L2L content and used an industry-standard secure delete tool (such as Cipher on Windows, Permanent Eraser on Mac) that complies with current DOD standards, to overwrite the free disk space to ensure the files cannot be recovered.
  • The employee must then review the device with the Security officer or his delegate.