An emerging risk is the increased use of portable devices in the enterprise. How are you allowing mobile device secure access your sensitive information resources? Use our template to help get started.
1. Mobile Device Security Policy
1.0 Introduction
The goal of this policy is to allow any type of mobile device (whether issued by [organization name] or not) to be
securely used to access [organization name] information resources. While the focus of this policy is mitigating the
risks to [organization name] associated with the use of smartphones, part or all of this policy can be applied to
traditional mobile devices, including laptops, USB drives, CD/DVD, etc.
2.0 Purpose
This policy was created to mitigate known risks associated with:
• A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive information
using a mobile device.
• A breach of integrity due to the access, transmission, storage, and disposal of sensitive information using a
mobile device.
• A loss of availability to critical systems as a result of using a mobile device.
3.0 Scope
This policy applies to any mobile device and its user, including those issued by [organization name] as well as
personal devices that are used for business purposes and/or store [organization name] information.
4.0 Policy
The effectiveness of this policy is dependent on how it is tailored for [organization name] 's environment. Whether
by informal process or formal risk assessment, [organization name] should enumerate 1) all mobile devices in use
(type, owner, connections enabled, criticality, data accessed/stored, etc.), 2) current threat-sources, and 3) known
vulnerabilities. Each of these factors should help formulate an understanding and prioritization of current risks such
that the policy is tailored to [organization name]’s specific environment and ensuring resources are focused only on
implementation of those necessary policies.
4.1 Access Control
4.1.1 The use of mobile devices for both business and personal use is prohibited unless permissions are
enforceable to restrict application access to the minimum necessary resources and connections.
4.1.2 Only approved applications can be installed and used on mobile devices. A list of approved applications
will be maintained and require applications to be signed and/or provide sufficient sandboxing capabilities.
4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls including
increased authentication, decrease power use, limit services available, stronger encryption, avoid use of
security mode 1, etc.
4.1.4 Access to [organization name] information resources using a mobile device must be approved,
documented, and logged.
4.2 Authentication
4.2.1 Mobile device access must require a PIN.
4.2.2 SIM access must require a PIN.
4.2.3 Strong passwords are required for applications that access or store sensitive information. Password
policies should enforce length, complexity, lockout, forbid weak words, etc.
4.2.4 Mobile device must require PIN to unlock after a period of inactivity.
Mobile Device Security Policy Page 1
2. 4.3 Encryption
4.3.1 The use of encryption is required for all mobile devices that must store or access sensitive information.
While full disk encryption is preferable, application or file encryption solutions are acceptable at this time.
4.3.2 The use of encryption is required for the transmission of sensitive information to/from mobile devices.
4.4 Incident Detection and Response
4.4.1 Develop, document, and implement procedure to quickly respond to lost or stolen mobile devices.
4.4.2 Every mobile device will have the capability to remotely wipe and/or track its location on demand.
4.5 User Training and Awareness
4.5.1 Users that use personal mobile devices for business use will notify IT and provide system details.
4.5.2 Users will review all links and URLs prior to clicking to prevent a successful phishing attempt.
4.5.3 Users will limit storage of sensitive data on mobile devices. However, critical data that is stored will be
backed up to [organization name] 's file server on a regular basis.
4.5.4 Users will only install approved applications and forward suspicious permission requests to IT prior to
granting access to the application.
4.5.5 Users will physically secure the mobile device when left unattended. When left in a car, mobile device
will be hidden from view.
4.5.6 Users will not allow unattended access to mobile device by another user.
4.5.7 Users will notify IT immediately if mobile device is lost or stolen.
4.5.8 Users will return mobile device at the end of employment. At which time, device will be wiped and
reissued.
4.5.9 Users critical to [organization name] will not use mobile device while operating a motor vehicle.
4.6 Vulnerability Management
4.6.1 All mobile device system and application software in use must be identified and documented.
4.6.2 Critical security updates for in-use software must be deployed to all mobile devices.
4.6.3 Anti-virus software should be used on devices with known malicious software when available.
5.0 Definitions
Bluetooth A technology used to transmit data wirelessly.
Information Resource Includes data, application, system, network, and/or people.
Full Disk Encryption A process that encrypts the entire hard drive/partition.
Mobile Device A portable electronic device, including smartphones, PDAs, laptops, USB drives,
DVD/CD, etc
PIN Personal Identification Number
Remote Wipe Use of software to destroy data on mobile device remotely.
Sandboxing The ability to restrict an application's access to specific device resources.
Sensitive Information Types of sensitive information that may be stored on a mobile device include:
authentication credentials, downloaded sensitive data (email and attachments),
call logs, business contact info, location/positional info.
Signing A process to determine authenticity and accountability for an application.
SIM Subscriber Identity Module
Mobile Device Security Policy Page 2