COPE (Company-Owned Personally Enabled) Policy

Document ID: COPE-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Company-Owned, Personally Enabled (COPE) Policy is to establish requirements for the secure use of organization-owned devices that are authorized for limited personal use.

This policy helps protect organizational information while allowing employees to use company-owned devices for approved personal activities in a secure, controlled, and responsible manner.


2. Scope

This policy applies to:

  • Employees
  • Contractors (where authorized)
  • Consultants (where authorized)
  • Temporary workers (where authorized)
  • Interns
  • Any individual assigned a company-owned device for business use

This policy applies to organization-owned devices, including:

  • Laptop computers
  • Desktop computers
  • Smartphones
  • Tablets
  • Mobile hotspots
  • Wearable devices (where approved)
  • Other organization-owned endpoint devices

This policy applies whether devices are used:

  • On-site
  • Remotely
  • At home
  • While traveling
  • At customer locations

3. Policy Statement

Company-owned devices are provided primarily for authorized business purposes. Limited personal use may be permitted provided such use does not interfere with business operations, create security risks, violate applicable laws, or conflict with organizational policies.

Because devices are owned by the organization, they remain subject to organizational management, monitoring, and security controls at all times.


4. Guiding Principles

The organization follows these principles:

  • Security by Default
  • Business First
  • Least Privilege
  • Zero Trust
  • Protection of Organizational Data
  • Responsible Personal Use
  • Transparency
  • Individual Accountability

5. Device Ownership

All COPE devices:

  • Remain the property of the organization.
  • Shall be inventoried.
  • Shall be managed by the IT Department.
  • Shall follow organizational security standards.
  • May be reassigned or reclaimed at any time for legitimate business purposes.

Assignment of a device does not transfer ownership to the user.


6. Authorized Personal Use

Limited personal use is permitted provided it:

  • Does not interfere with work responsibilities
  • Does not negatively affect device performance
  • Does not consume excessive organizational resources
  • Does not violate organizational policies
  • Does not create security risks
  • Does not violate applicable laws

Personal use is a privilege and may be limited or revoked at the organization’s discretion.


7. Device Security Requirements

COPE devices shall, where technically feasible:

  • Use supported operating systems
  • Receive security updates
  • Use approved endpoint protection
  • Enable full-disk encryption
  • Require secure authentication
  • Automatically lock after inactivity
  • Support remote management
  • Support remote wipe where appropriate
  • Use approved security configurations

Users shall not disable required security controls.


8. Authentication

Users shall authenticate using approved methods before accessing organizational resources.

Authentication may include:

  • Passwords
  • Passphrases
  • Multi-Factor Authentication (MFA)
  • Biometrics
  • Passkeys
  • Smart cards
  • Hardware security keys

Authentication shall comply with the Authentication Policy.


9. Device Management

COPE devices shall be centrally managed using approved management solutions.

Management capabilities may include:

  • Security configuration management
  • Software deployment
  • Security updates
  • Endpoint protection
  • Compliance verification
  • Device inventory
  • Remote support
  • Remote lock
  • Remote wipe

Users shall not remove or disable device management software.


10. Protection of Organizational Data

Organizational information shall:

  • Be stored in approved locations
  • Be protected using approved encryption
  • Be handled according to the Data Classification Policy
  • Remain under organizational control
  • Be removed when devices are retired or reassigned

Users shall not intentionally bypass organizational data protection controls.


11. Approved Software

Only approved software may be installed on COPE devices.

Users shall not:

  • Install unauthorized software
  • Disable endpoint protection
  • Root or jailbreak managed mobile devices
  • Circumvent software restrictions
  • Modify security configurations without authorization

Software installations shall comply with the Software Installation Policy.


12. Privacy

The organization respects users’ personal privacy while recognizing that COPE devices are organization-owned.

Users should understand that:

  • Device activity may be monitored for legitimate business purposes.
  • Security logs may be collected.
  • Installed software may be inventoried.
  • Organizational data may be accessed during incident investigations.
  • Remote administrative actions may be performed when necessary.

To the extent permitted by applicable law, users should have no expectation of absolute privacy when using organization-owned devices.


13. Monitoring

The organization may monitor COPE devices for:

  • Security events
  • Device compliance
  • Endpoint health
  • Malware detection
  • Software inventory
  • Authentication events
  • Network activity
  • Incident investigations

Monitoring shall be conducted in accordance with applicable laws and organizational policies.


14. Lost or Stolen Devices

Users shall immediately report:

  • Lost devices
  • Stolen devices
  • Unauthorized access
  • Device compromise
  • Credential compromise

The organization may:

  • Lock the device
  • Revoke access
  • Perform remote wipe
  • Reset credentials
  • Initiate incident response procedures

15. Separation from Employment

Upon termination of employment, contract completion, or reassignment:

  • Devices shall be returned promptly.
  • Organizational accounts shall be disabled.
  • Credentials shall be revoked.
  • Devices shall be inspected.
  • Organizational data shall remain with the organization.
  • Devices shall be securely reconfigured before reassignment.

Failure to return organizational devices may result in disciplinary or legal action.


16. Artificial Intelligence (AI) Applications

Only approved AI applications may be used to process organizational information on COPE devices.

Users shall not:

  • Upload confidential or regulated information to unapproved AI services
  • Install unauthorized AI software
  • Circumvent AI governance requirements

AI usage shall comply with the AI Acceptable Use Policy.


17. Security Incident Reporting

Users shall immediately report:

  • Malware infections
  • Device compromise
  • Unauthorized software
  • Lost or stolen devices
  • Credential compromise
  • Data loss
  • Security alerts
  • Policy violations

Incident handling shall follow the Incident Response Policy.


18. Exceptions

Exceptions require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Periodic review

19. Responsibilities

Executive Management

  • Support secure COPE practices
  • Allocate appropriate resources
  • Promote policy compliance

Managers

  • Approve device assignments where applicable
  • Ensure employees understand this policy
  • Support compliance

IT Department

  • Manage COPE devices
  • Deploy security updates
  • Maintain endpoint protection
  • Provide technical support
  • Perform device lifecycle management
  • Reclaim devices when necessary

Information Security

  • Define endpoint security standards
  • Monitor device compliance
  • Investigate security incidents
  • Assess policy compliance
  • Conduct security awareness training

Users

  • Protect assigned devices
  • Use devices responsibly
  • Follow organizational security requirements
  • Report security incidents promptly
  • Return devices upon request or separation

20. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Revocation of device privileges
  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

21. Policy Review

This policy shall be reviewed at least annually or following:

  • Significant technology changes
  • Security incidents
  • Regulatory updates
  • Organizational restructuring
  • Audit findings

22. Related Policies

  • Information Security Policy
  • Endpoint Security Policy
  • Mobile Device Policy
  • Computer Use Policy
  • Acceptable Use Policy
  • Authentication Policy
  • Access Control Policy
  • Least Privilege Policy
  • Software Installation Policy
  • Data Classification Policy
  • Data Protection Policy
  • Encryption Policy
  • Asset Management Policy
  • Artificial Intelligence (AI) Acceptable Use Policy
  • Incident Response Policy

Document Objective

This Company-Owned, Personally Enabled (COPE) Policy establishes the organization’s requirements for the secure management and use of organization-owned devices that are authorized for limited personal use. It provides a vendor-neutral framework for protecting organizational information through centralized device management, endpoint security, authentication, encryption, monitoring, and lifecycle controls while allowing appropriate personal use. This policy supports secure operations across on-premises, cloud, remote, and hybrid work environments and aligns with recognized security frameworks and standards, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.