Bring Your Own Device Policy

Bring Your Own Device (BYOD) Policy

Applies To: All employees, contractors, and affiliates of City 1st Mortgage Services LLC and its subsidiaries and DBAs, including but not limited to Clear Mortgage, Hancock Mortgage, and City 1st Insurance LLC.

  1. Purpose
    This policy outlines the requirements and responsibilities for employees who choose to use personal devices for work-related activities. It aims to protect company data, ensure compliance with regulatory standards, and maintain the integrity of our IT infrastructure.

  2. Scope
    This policy applies to all personal computing devices, including laptops, desktops, tablets, and smartphones, used to access company resources, systems, or data.

  3. Minimum Device Requirements
    To ensure security and compatibility, personal devices must meet the following minimum specifications:

  • Operating System: Windows 11 Professional Edition (Home, S, and other editions are not permitted).

  • Memory (RAM): Minimum of 16 GB.

  • Processor: A compatible 64-bit processor with at least 2 GHz clock rate and at least 4 cores. Specifically:

    • Intel: 8th Generation Intel Core processors or newer.

    • AMD: AMD Ryzen 2000 series or newer.

  • Storage: Solid State Drive (SSD) with a minimum of 256 GB available space.

  • Security Features: Trusted Platform Module (TPM) version 2.0 enabled.

  • Firmware: UEFI firmware with Secure Boot capability.

  • Network Capability: Wi-Fi 6 support recommended for optimal connectivity.

  4. Security and Management Requirements
    Employees must consent to the following security measures on their personal devices:

  • Mobile Device Management (MDM): Installation of company-approved MDM software to enforce security policies, manage configurations, and monitor compliance.

  • Remote Wipe Capability: In the event of device loss, theft, termination of employment, or non-compliance, the company reserves the right to remotely wipe all corporate data from the device.

  • Endpoint Protection: Installation of company-approved antivirus and anti-malware solutions.

  • Azure Active Directory (AAD) Join: Devices must be joined to the company's Azure Active Directory to facilitate secure access to resources.

  • Encryption: Full-disk encryption must be enabled to protect data at rest.

  • Application Control: Employees may be required to install and keep updated specific company-sanctioned productivity or security applications. Use of unauthorized applications that interfere with corporate systems is prohibited.

  5. User Responsibilities
    Employees opting to use personal devices agree to:

  • Compliance: Adhere to all company policies, including the IT Acceptable Use Policy and Data Protection Policy.

  • Updates: Ensure the device's operating system and security software are regularly updated.

  • Reporting: Immediately report any security incidents, such as loss or theft of the device, to the IT department.

  • Separation of Data: Use a separate user account for personal activities. Corporate activities must be restricted to a designated user profile configured and secured by IT.

  • Backup: Back up personal data regularly. The company is not liable for loss of personal data during remote wipes or reconfiguration.

  6. Limitations and Restrictions

  • Access Control: The company reserves the right to restrict or revoke access to corporate resources on personal devices that do not comply with this policy.

  • Data Ownership: All corporate data on personal devices remains the property of the company.

  • Monitoring: While respecting user privacy, the company may monitor device compliance with security policies and may audit company-designated profiles.

  • Support Scope: IT support is limited to connectivity to corporate resources, MDM software, and company application support. All other hardware or OS-level issues are the responsibility of the user.

  • Legal Hold and Discovery: In the event of a legal hold or internal investigation, employees may be required to provide access to BYOD devices for discovery of corporate data.

  7. MDM Removal Process
    Employees wishing to remove MDM software must submit a formal request to IT. Upon approval, access to all corporate resources will be revoked, and all company data will be securely wiped from the device.

  8. Opt-Out Provision
    Employees may choose not to use personal devices for work purposes. In such cases, the company will provide a corporate device that complies with internal standards and policies.

  9. Policy Violations
    Non-compliance with this policy may result in disciplinary action, up to and including termination of employment, and potential legal action if company data is compromised.

  10. Grace Period for Compliance
    Employees will have a 30-day grace period from the effective date of this policy to bring personal devices into compliance or request a corporate-issued device.

  11. Acknowledgment
    Employees must sign the BYOD Agreement Form, acknowledging understanding and acceptance of this policy before using personal devices for work purposes.

Note: This policy is subject to periodic review and may be updated to reflect changes in technology, regulatory requirements, or company operations.