UCF ID: 04723 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain physical security of distributed IT assets. [UCF Control ID 00718]
This control has the following supporting controls:
- Protect information that resides on portable and mobile devices with cryptography. [UCF Control ID 01422]
Authority documents complied with:
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 9.1.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-19, App F § AC-19(1), App F § AC-19(2), App F § AC-19(3), App F § AC-19(4a), App F § AC-19(4b), App F § AC-20(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-19, AC-19.4; The Standard of Good Practice for Information Security, SM6.4.6, CB3.3.4, CI2.4.4, UE4.1.3, UE6.4.2(c); DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 3.3, § 6.3; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, § 3.2 (WIR0167), § 3.3 (WIR0190), § 5 (WIR0410); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.7.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.7.1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 9.1.3; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 30; Australian Government ICT Security Manual (ACSI 33), § 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.6.1.D
Banking and Finance Guidance
Computers used for remote access should meet the security and configuration requirements of the organization. [Pg 30, FFIEC IT Examination Handbook – E-Banking, August 2003]
Payment Card Guidance
The organization must restrict physical access to handheld devices. Verify physical access to handheld devices is restricted. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
The organization must restrict physical access to handheld devices. [§ 9.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
§ 4.6.1.D An organization must require that wireless devices be labeled with owner, contact information and purpose. [§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
NIST Guidance
App F § AC-19 The organization must establish and maintain access control policies and procedures for mobile devices; restrict usage and provide guidance; monitor for unauthorized access; require prior authorization; enforce the policies; disable automatic code execution; issue configured devices for travel; and manage returning devices.
App F § AC-19(1) The organization must develop and implement policies to restrict the use of writable, removable media in information systems.
App F § AC-19(2) The organization must develop and implement policies to prohibit the use of personally owned, removable media in information systems.
App F § AC-19(3) The organization must develop and implement policies to prohibit the use of removable media in information systems when the media owner is not identifiable.
App F § AC-19(4a) The organization must develop and implement policies to prohibit the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s).
App F § AC-19(4b) The organization must develop and implement policies to restrict individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information; connection of unclassified mobile devices to classified information systems is prohibited; authorization is required to connect an unclassified mobile device to an unclassified information system; use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and mobile devices and information stored on them are subject to random inspection by security officials, and incident handling policy is implemented if classified information is found.
App F § AC-20(2) The organization must develop and implement policies to limit the use of organization-controlled portable storage media by authorized individuals on external information systems. [App F § AC-19, App F § AC-19(1), App F § AC-19(2), App F § AC-19(3), App F § AC-19(4a), App F § AC-19(4b), App F § AC-20(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the implementation of the portable or mobile device access control. Any problems discovered during the implementation of the portable or mobile device access control should be documented and used to improve the controls.
Test the system by connecting unauthorized portable and mobile devices to the system and ensure the unauthorized devices are detected and identified by the organization's personnel.
Interviews should be conducted with personnel involved in the implementation of access controls for portable or mobile devices. [AC-19, AC-19.4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Other Configuration Guidance
Laptops and PDAs must never be checked as baggage; they must be hand carried. A Type 1 media encryptor must be used to protect hard drives. [§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
Laptops that contain a WLAN card should have the WLAN card radio set to OFF by default. Computers with an embedded WLAN that process, receive, transfer, or store classified information should have a wireless NIC that can be removed. PDAs and smart phones must not be connected to any computer that transmits, processes, or stores classified information.
Examine the WLAN NIC management utility to ensure the configuration of the WLAN card is set to OFF by default. Examine user training materials and user agreements to verify users have been made aware of the fact that they should not attach a PDA or Smart phone to any computer containing classified information.
Inspect 10% of the laptops to verify that the WLAN card is set to OFF on boot up. Inspect laptops that process classified information to verify that the wireless NIC can be physically removed from the laptop.
Interview a sampling of laptop users to verify they are able to enable and disable the NIC in accordance with the organizational policy. Interview the Information Assurance Officer (IAO) to determine if any laptops are used to process classified information and have an embedded wireless NIC. [§ 3.2 (WIR0167), § 3.3 (WIR0190), § 5 (WIR0410), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2]
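The WLAN-radio-OFF check and the 10% laptop inspection above are stated as manual assessment steps. The following script is an added example, not part of the DISA checklist or the UCF control text, showing how an assessor could automate the per-laptop check on Linux hosts. It assumes the laptops expose radio state through the standard `rfkill list` utility; the sample output embedded below is constructed for illustration, not captured from a real fleet. The `inspection_sample_size` helper only computes how many laptops a fractional sample such as the page's 10% requires; which laptops are chosen is left to the assessor.

```python
import math
import re

# Constructed sample of `rfkill list` output (not captured from a real host):
# one laptop with two WLAN PHYs and a Bluetooth controller. phy0 is soft-blocked
# (radio OFF, the expected default); phy1 is neither soft- nor hard-blocked (radio ON).
SAMPLE_RFKILL_OUTPUT = """\
0: phy0: Wireless LAN
\tSoft blocked: yes
\tHard blocked: no
1: hci0: Bluetooth
\tSoft blocked: no
\tHard blocked: no
2: phy1: Wireless LAN
\tSoft blocked: no
\tHard blocked: no
"""

_DEVICE_RE = re.compile(r"^(\d+): (\S+): (.+)$")
_STATE_RE = re.compile(r"^\s*(Soft|Hard) blocked: (yes|no)\s*$")


def parse_rfkill(text):
    """Parse `rfkill list` output into a list of device dicts."""
    devices = []
    for line in text.splitlines():
        m = _DEVICE_RE.match(line)
        if m:
            devices.append({
                "index": int(m.group(1)),
                "name": m.group(2),
                "type": m.group(3).strip(),
                "soft_blocked": None,   # None until a state line is seen
                "hard_blocked": None,
            })
            continue
        m = _STATE_RE.match(line)
        if m and devices:
            key = "soft_blocked" if m.group(1) == "Soft" else "hard_blocked"
            devices[-1][key] = (m.group(2) == "yes")
    return devices


def wlan_radio_violations(devices):
    """Names of WLAN devices whose radio is enabled (neither soft- nor hard-blocked).

    A device whose state could not be parsed (None) is treated as enabled, so an
    unreadable state is reported rather than silently passed.
    """
    return [
        d["name"]
        for d in devices
        if d["type"] == "Wireless LAN"
        and not d["soft_blocked"]
        and not d["hard_blocked"]
    ]


def inspection_sample_size(fleet_size, fraction=0.10):
    """Laptops to inspect for a fractional sample, rounded up (at least 1 if the fleet is non-empty)."""
    if fleet_size <= 0:
        return 0
    return max(1, math.ceil(fleet_size * fraction))


def check_host(rfkill_output):
    """Evaluate one host: (compliant, offending_radios). Compliant means every WLAN radio is blocked."""
    violations = wlan_radio_violations(parse_rfkill(rfkill_output))
    return (len(violations) == 0, violations)


if __name__ == "__main__":
    compliant, bad = check_host(SAMPLE_RFKILL_OUTPUT)
    print("compliant" if compliant else f"non-compliant: WLAN radio ON for {bad}")
    print("laptops to inspect from a fleet of 37:", inspection_sample_size(37))
```

Because `rfkill` reports the current state rather than the boot default, run the check immediately after boot and before any user logs in; a radio that is blocked at that moment reflects the configured default, while a radio found ON later in a session may simply have been enabled by the user, which the checklist permits as long as policy allows it.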
ISO Guidance
A formal policy should be developed to protect mobile devices. The policy should contain requirements for physical protection, access controls, cryptographic techniques, backups, virus protection, how to connect to networks securely, and guidance on using the systems in public places. [§ 11.7.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
A formal policy should be developed to protect mobile devices. The policy should contain requirements for physical protection, access controls, cryptographic techniques, backups, virus protection, how to connect to networks securely, and guidance on using the systems in public places. [§ 11.7.1, ISO/IEC 27002 Code of practice for information security management, 2005]
General Guidance
Portable computers should be protected against theft by providing locks to all mobile users, attaching labels to the devices, and marking the devices with indelible markings. All equipment should have some form of protection to prevent theft from occurring. [SM6.4.6, CB3.3.4, CI2.4.4, UE4.1.3, UE6.4.2(c), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Any workstation storing official information during non-working hours should be stored and protected according to the classification of the information. Portable computers and personal electronic devices should be protected according to the classification of the information stored on them. Portable computers and personal electronic devices containing classified material should be operated in physically protected areas, under direct supervision when in use, and stored appropriately when not in use. [§ 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
