Incident Response - Lost or Stolen Devices

Organization: Behavioral Framework

Owner: IT Department

Reporting Email: itsupport@behavioralframework.com

1. Purpose

To ensure immediate action is taken to secure company data when a device is reported lost or stolen, and to define the recovery, replacement, and remediation process.

2. Scope

Applies to all company-owned devices including:

  • MacBooks
  • iPads
  • iPhones
  • Any device enrolled in Mosyle MDM

3. User Responsibilities

If a device is lost or stolen, the user must:

  1. Immediately report the incident to:

    itsupport@behavioralframework.com

    Include:

    • Device type (MacBook, iPad, etc.)
    • Last known location
    • Date/time last seen
    • Whether device is believed to be lost or stolen
    • Police report number (if stolen, when applicable)

Failure to report immediately may result in disciplinary action due to security risk exposure.

4. IT Response Procedure

Step 1: Acknowledge & Document

  • Create an IT support ticket.

    Document:

    • User name
    • Device serial number
    • Asset tag
    • Reported circumstances
    • Date/time of report

Step 2: Secure the Device in Mosyle

  1. Log into Mosyle
  2. Navigate to Management
  3. Search for the device by Serial Number or User
  4. Click on the device
  5. Click More
  6. Click Activation Lock

  7. In the message field, enter:

    “Please return property of Behavioral Framework to 2000 Tower Oaks Blvd 5th Floor, Rockville, MD 20852”

  8. Click Confirm

This ensures the device cannot be reactivated without company authorization.

Step 3: Additional Security Measures (If Applicable)

Depending on risk level:

  • Force password reset on user account
  • Revoke active sessions
  • Remove Google/M365 tokens
  • Review recent login activity
  • Disable account temporarily if suspicious activity is detected

Step 4: Determine Incident Classification

Ask the user:

  • Was the device stolen?
  • Was it misplaced?
  • Was it left in a public location?
  • Was sensitive data potentially exposed?

If confirmed stolen:

  • Advise user to file a police report
  • Record report number in ticket

5. Replacement Device Process

If device is not immediately recoverable:

  1. Provision a replacement device
  2. Enroll in ABM + Mosyle
  3. Assign to user
  4. Restore necessary access and software
  5. Document replacement serial number in ticket

Replacement timeline should prioritize business continuity.

6. If Device Is Recovered

When the device is returned:

Step 1: Physical Inspection

  • Inspect for damage
  • Document condition

Step 2: Security Remediation

  • Remove Activation Lock (if applied)
  • Fully wipe device
  • Reinstall OS
  • Re-enroll in Mosyle
  • Verify compliance

Step 3: Determine Disposition

If device is usable:

  • Refurbish for reassignment

If device is damaged or compromised:

  • Send to approved eWaste vendor

Update asset inventory accordingly.

7. Documentation Requirements

Each incident must include:

  • User name
  • Device serial number
  • Date reported
  • Classification (Lost / Stolen)
  • Actions taken in Mosyle
  • Whether replacement was issued
  • Final disposition of original device
  • IT staff handling incident

8. Security Considerations

  • Immediate reporting reduces risk of PHI or confidential data exposure.
  • Activation Lock must be applied as soon as possible.
  • Devices must never be reissued without full wipe.
  • Maintain records for audit/compliance purposes.

Quick Reference Checklist (Technician Use)

☐ Ticket created

☐ Device located in Mosyle

☐ Activation Lock applied

☐ Security review completed

☐ Replacement device issued (if needed)

☐ Inventory updated

☐ Final disposition documented

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us