Mobile Device Security Policy

The goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to be securely used to access [organization name] information resources. While the focus of this policy is mitigating the risks to [organization name] associated with the use of smartphones, part or all of this policy can be applied to traditional mobile devices, including laptops, USB drives, CD/DVD, etc.

Published by: Redspin, Inc. on May 12, 2011
Copyright: Attribution Non-commercial

05/03/2013

1.0 Introduction
The goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to be securely used to access [organization name] information resources. While the focus of this policy is mitigating the risks to [organization name] associated with the use of smartphones, part or all of this policy can be applied to traditional mobile devices, including laptops, USB drives, CD/DVD, etc.
2.0 Purpose
 This policy was created to mitigate known risks associated with:
A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A breach of integrity due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A loss of availability to critical systems as a result of using a mobile device.
3.0 Scope
This policy applies to any mobile device and its user, including those issued by [organization name] as well as personal devices that are used for business purposes and/or store [organization name] information.
4.0 Policy
The effectiveness of this policy is dependent on how it is tailored for [organization name]'s environment. Whether by informal process or formal risk assessment, [organization name] should enumerate 1) all mobile devices in use (type, owner, connections enabled, criticality, data accessed/stored, etc.), 2) current threat-sources, and 3) known vulnerabilities. Each of these factors should help formulate an understanding and prioritization of current risks such that the policy is tailored to [organization name]'s specific environment and ensuring resources are focused only on implementation of those necessary policies.
4.1 Access Control
4.1.1 The use of mobile devices for both business and personal use is prohibited unless permissions are enforceable to restrict application access to the minimum necessary resources and connections.
4.1.2 Only approved applications can be installed and used on mobile devices. A list of approved applications will be maintained and require applications to be signed and/or provide sufficient sandboxing capabilities.
4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls including increased authentication, decrease power use, limit services available, stronger encryption, avoid use of security mode 1, etc.
4.1.4 Access to [organization name] information resources using a mobile device must be approved, documented, and logged.
4.2 Authentication
4.2.1 Mobile device access must require a PIN.
4.2.2 SIM access must require a PIN.
4.2.3 Strong passwords are required for applications that access or store sensitive information. Password policies should enforce length, complexity, lockout, forbid weak words, etc.
4.2.4 Mobile device must require PIN to unlock after a period of inactivity.
4.3 Encryption
4.3.1 The use of encryption is required for all mobile devices that must store or access sensitive information. While full disk encryption is preferable, application or file encryption solutions are acceptable at this time.
4.3.2 The use of encryption is required for the transmission of sensitive information to/from mobile devices.
4.4 Incident Detection and Response
4.4.1 Develop, document, and implement procedure to quickly respond to lost or stolen mobile devices.
4.4.2 Every mobile device will have the capability to remotely wipe and/or track its location on demand.
4.5 User Training and Awareness
4.5.1 Users that use personal mobile devices for business use will notify IT and provide system details.
4.5.2 Users will review all links and URLs prior to clicking to prevent a successful phishing attempt.
4.5.3 Users will limit storage of sensitive data on mobile devices. However, critical data that is stored will be backed up to [organization name]'s file server on a regular basis.
4.5.4 Users will only install approved applications and forward suspicious permission requests to IT prior to granting access to the application.
4.5.5 Users will physically secure the mobile device when left unattended. When left in a car, mobile device will be hidden from view.
4.5.6 Users will not allow unattended access to mobile device by another user.
4.5.7 Users will notify IT immediately if mobile device is lost or stolen.
4.5.8 Users will return mobile device at the end of employment. At which time, device will be wiped and reissued.
4.5.9 Users critical to [organization name] will not use mobile device while operating a motor vehicle.
4.6 Vulnerability Management
4.6.1 All mobile device system and application software in use must be identified and documented.
4.6.2 Critical security updates for in-use software must be deployed to all mobile devices.
4.6.3 Anti-virus software should be used on devices with known malicious software when available.
5.0 Definitions
Bluetooth: A technology used to transmit data wirelessly.
Information Resource: Includes data, application, system, network, and/or people.
Full Disk Encryption: A process that encrypts the entire hard drive/partition.
Mobile Device: A portable electronic device, including smartphones, PDAs, laptops, USB drives, DVD/CD, etc.
PIN: Personal Identification Number
Remote Wipe: Use of software to destroy data on mobile device remotely.