Mobile Device Security Policy
The goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to be securely used to access [organization name] information resources. While the focus of this policy is mitigating the risks to [organization name] associated with the use of smartphones, part or all of this policy can be applied to traditional mobile devices, including laptops, USB drives, CD/DVD, etc.
This policy was created to mitigate known risks associated with:
A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A breach of integrity due to the access, transmission, storage, and disposal of sensitive information using a mobile device.
A loss of availability to critical systems as a result of using a mobile device.
This policy applies to any mobile device and its user, including those issued by [organization name] as well as personal devices that are used for business purposes and/or store [organization name] information.
The effectiveness of this policy is dependent on how it is tailored for [organization name]'s environment. Whether by informal process or formal risk assessment, [organization name] should enumerate 1) all mobile devices in use (type, owner, connections enabled, criticality, data accessed/stored, etc.), 2) current threat sources, and 3) known vulnerabilities. Each of these factors should help formulate an understanding and prioritization of current risks, such that the policy is tailored to [organization name]'s specific environment and resources are focused only on implementing the policies that are necessary.
4.1 Access Control
4.1.1 The use of mobile devices for both business and personal use is prohibited unless permissions are enforceable to restrict application access to the minimum necessary resources and connections.
4.1.2 Only approved applications can be installed and used on mobile devices. A list of approved applications will be maintained; approved applications must be signed and/or provide sufficient sandboxing capabilities.
4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls, including increased authentication, decreased power use, limiting the services available, stronger encryption, avoiding the use of security mode 1, etc.
4.1.4 Access to [organization name] information resources using a mobile device must be approved, documented, and logged.
4.2 Authentication
4.2.1 Mobile device access must require a PIN.
4.2.2 SIM access must require a PIN.