Embed Size (px)
DESCRIPTION
An emerging risk is the increased use of portable devices in the enterprise. How are you allowing mobile device secure access your sensitive information resources? Use our template to help get started.
Citation preview
Mobile Device Security Policy
1.0 IntroductionThe goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to be securely used to access [organization name] information resources. While the focus of this policy is mitigating the risks to [organization name] associated with the use of smartphones, part or all of this policy can be applied to traditional mobile devices, including laptops, USB drives, CD/DVD, etc.
2.0 PurposeThis policy was created to mitigate known risks associated with:
A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A breach of integrity due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A loss of availability to critical systems as a result of using a mobile device.
3.0 ScopeThis policy applies to any mobile device and its user, including those issued by [organization name] as well as personal devices that are used for business purposes and/or store [organization name] information.
4.0 PolicyThe effectiveness of this policy is dependent on how it is tailored for [organization name] 's environment. Whether by informal process or formal risk assessment, [organization name] should enumerate 1) all mobile devices in use (type, owner, connections enabled, criticality, data accessed/stored, etc.), 2) current threat-sources, and 3) known vulnerabilities. Each of these factors should help formulate an understanding and prioritization of current risks such that the policy is tailored to [organization name]’s specific environment and ensuring resources are focused only on implementation of those necessary policies.
4.1 Access Control4.1.1 The use of mobile devices for both business and personal use is prohibited unless permissions are enforceable to restrict application access to the minimum necessary resources and connections.4.1.2 Only approved applications can be installed and used on mobile devices. A list of approved applications will be maintained and require applications to be signed and/or provide sufficient sandboxing capabilities.4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls including increased authentication, decrease power use, limit services available, stronger encryption, avoid use of security mode 1, etc.4.1.4 Access to [organization name] information resources using a mobile device must be approved, documented, and logged.
4.2 Authentication4.2.1 Mobile device access must require a PIN.4.2.2 SIM access must require a PIN.
Mobile Device Security Policy Page 1
4.2.3 Strong passwords are required for applications that access or store sensitive information. Password policies should enforce length, complexity, lockout, forbid weak words, etc.4.2.4 Mobile device must require PIN to unlock after a period of inactivity.
4.3 Encryption4.3.1 The use of encryption is required for all mobile devices that must store or access sensitive information. While full disk encryption is preferable, application or file encryption solutions are acceptable at this time.4.3.2 The use of encryption is required for the transmission of sensitive information to/from
mobile devices.
4.4 Incident Detection and Response4.4.1 Develop, document, and implement procedure to quickly respond to lost or stolen mobile
devices.4.4.2 Every mobile device will have the capability to remotely wipe and/or track its location on
demand.
4.5 User Training and Awareness4.5.1 Users that use personal mobile devices for business use will notify IT and provide system
details. 4.5.2 Users will review all links and URLs prior to clicking to prevent a successful phishing
attempt.4.5.3 Users will limit storage of sensitive data on mobile devices. However, critical data that is stored will be backed up to [organization name] 's file server on a regular basis.4.5.4 Users will only install approved applications and forward suspicious permission requests to IT prior to granting access to the application.4.5.5 Users will physically secure the mobile device when left unattended. When left in a car, mobile device will be hidden from view.4.5.6 Users will not allow unattended access to mobile device by another user.4.5.7 Users will notify IT immediately if mobile device is lost or stolen.4.5.8 Users will return mobile device at the end of employment. At which time, device will be wiped and reissued.4.5.9 Users critical to [organization name] will not use mobile device while operating a motor
vehicle.
4.6 Vulnerability Management4.6.1 All mobile device system and application software in use must be identified and
documented.4.6.2 Critical security updates for in-use software must be deployed to all mobile devices.4.6.3 Anti-virus software should be used on devices with known malicious software when
available.
5.0 Definitions
Bluetooth A technology used to transmit data wirelessly.Information Resource Includes data, application, system, network, and/or people.Full Disk Encryption A process that encrypts the entire hard drive/partition.Mobile Device A portable electronic device, including smartphones, PDAs, laptops, USB
drives, DVD/CD, etc
PIN Personal Identification NumberRemote Wipe Use of software to destroy data on mobile device remotely.
Mobile Device Security Policy Page 2
Sandboxing The ability to restrict an application's access to specific device resources.Sensitive Information Types of sensitive information that may be stored on a mobile device include: authentication credentials, downloaded sensitive data (email and attachments), call logs, business contact info, location/positional info.Signing A process to determine authenticity and accountability for an application.SIM Subscriber Identity Module
Mobile Device Security Policy Page 3
