An emerging risk is the increased use of portable devices in the enterprise. How are you allowing mobile device secure access your sensitive information resources? Use our template to help get started.
Mobile Device Security Policy1.0 IntroductionThe goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to besecurely used to access [organization name] information resources. While the focus of this policy is mitigating therisks to [organization name] associated with the use of smartphones, part or all of this policy can be applied totraditional mobile devices, including laptops, USB drives, CD/DVD, etc. 2.0 PurposeThis policy was created to mitigate known risks associated with: • A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive information using a mobile device. • A breach of integrity due to the access, transmission, storage, and disposal of sensitive information using a mobile device. • A loss of availability to critical systems as a result of using a mobile device. 3.0 ScopeThis policy applies to any mobile device and its user, including those issued by [organization name] as well aspersonal devices that are used for business purposes and/or store [organization name] information. 4.0 PolicyThe effectiveness of this policy is dependent on how it is tailored for [organization name] s environment. Whetherby informal process or formal risk assessment, [organization name] should enumerate 1) all mobile devices in use(type, owner, connections enabled, criticality, data accessed/stored, etc.), 2) current threat-sources, and 3) knownvulnerabilities. Each of these factors should help formulate an understanding and prioritization of current risks suchthat the policy is tailored to [organization name]’s specific environment and ensuring resources are focused only onimplementation of those necessary policies.4.1 Access Control 4.1.1 The use of mobile devices for both business and personal use is prohibited unless permissions are enforceable to restrict application access to the minimum necessary resources and connections. 4.1.2 Only approved applications can be installed and used on mobile devices. A list of approved applications will be maintained and require applications to be signed and/or provide sufficient sandboxing capabilities. 4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls including increased authentication, decrease power use, limit services available, stronger encryption, avoid use of security mode 1, etc. 4.1.4 Access to [organization name] information resources using a mobile device must be approved, documented, and logged.4.2 Authentication 4.2.1 Mobile device access must require a PIN. 4.2.2 SIM access must require a PIN. 4.2.3 Strong passwords are required for applications that access or store sensitive information. Password policies should enforce length, complexity, lockout, forbid weak words, etc. 4.2.4 Mobile device must require PIN to unlock after a period of inactivity.Mobile Device Security Policy Page 1
4.3 Encryption 4.3.1 The use of encryption is required for all mobile devices that must store or access sensitive information. While full disk encryption is preferable, application or file encryption solutions are acceptable at this time. 4.3.2 The use of encryption is required for the transmission of sensitive information to/from mobile devices.4.4 Incident Detection and Response 4.4.1 Develop, document, and implement procedure to quickly respond to lost or stolen mobile devices. 4.4.2 Every mobile device will have the capability to remotely wipe and/or track its location on demand.4.5 User Training and Awareness 4.5.1 Users that use personal mobile devices for business use will notify IT and provide system details. 4.5.2 Users will review all links and URLs prior to clicking to prevent a successful phishing attempt. 4.5.3 Users will limit storage of sensitive data on mobile devices. However, critical data that is stored will be backed up to [organization name] s file server on a regular basis. 4.5.4 Users will only install approved applications and forward suspicious permission requests to IT prior to granting access to the application. 4.5.5 Users will physically secure the mobile device when left unattended. When left in a car, mobile device will be hidden from view. 4.5.6 Users will not allow unattended access to mobile device by another user. 4.5.7 Users will notify IT immediately if mobile device is lost or stolen. 4.5.8 Users will return mobile device at the end of employment. At which time, device will be wiped and reissued. 4.5.9 Users critical to [organization name] will not use mobile device while operating a motor vehicle.4.6 Vulnerability Management 4.6.1 All mobile device system and application software in use must be identified and documented. 4.6.2 Critical security updates for in-use software must be deployed to all mobile devices. 4.6.3 Anti-virus software should be used on devices with known malicious software when available.5.0 DefinitionsBluetooth A technology used to transmit data wirelessly.Information Resource Includes data, application, system, network, and/or people.Full Disk Encryption A process that encrypts the entire hard drive/partition.Mobile Device A portable electronic device, including smartphones, PDAs, laptops, USB drives, DVD/CD, etcPIN Personal Identification NumberRemote Wipe Use of software to destroy data on mobile device remotely.Sandboxing The ability to restrict an applications access to specific device resources.Sensitive Information Types of sensitive information that may be stored on a mobile device include: authentication credentials, downloaded sensitive data (email and attachments), call logs, business contact info, location/positional info.Signing A process to determine authenticity and accountability for an application.SIM Subscriber Identity ModuleMobile Device Security Policy Page 2