Establish, implement, and maintain mobile device security guidelines.

CONTROL ID: 04723
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain physical security controls for distributed assets., CC ID: 00718

This Control has the following implementation support Control(s):
  • Require users to refrain from leaving mobile devices unattended., CC ID: 16446
  • Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines., CC ID: 12292
  • Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts., CC ID: 14242
  • Include legal requirements in the mobile device security guidelines., CC ID: 12291
  • Include the use of privacy filters in the mobile device security guidelines., CC ID: 16452
  • Include prohibiting the usage of unapproved application stores in the mobile device security guidelines., CC ID: 12290
  • Include requiring users to create data backups in the mobile device security guidelines., CC ID: 12289
  • Include the definition of mobile devices in the mobile device security guidelines., CC ID: 12288
  • Refrain from responding to unsolicited Personal Identification Number requests., CC ID: 12430
  • Refrain from pairing Bluetooth devices in unsecured areas., CC ID: 12429
  • Encrypt information stored on mobile devices., CC ID: 01422


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In principle, AIs should require staff members to use only the computing devices provided by AIs for storing or accessing AIs' customer data. Alternatively, AIs should fully comply with the standard of stringent minimum controls developed by the Hong Kong Association of Banks (HKAB) on Bring-Your-Ow… (Annex F. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Controls over mobile computing are required to manage the risks of working in an unprotected environment. In protecting AIs’ information, AIs should establish control procedures covering: - an approval process for user requests for mobile computing; - authentication controls for remote access to n… (3.5.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • O50.7: To protect against computer viruses, unauthorized access, data leakage, and other incidents, the organization should ensure that internal network access and remote access are in accordance with the specified procedures. T28.3: The organization should use tamperproof measures to protect IC car… (O50.7, T28.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O50.2: Handheld terminals should be individually identified by the organization using an ID and owner. O50.3: The organization shall store handheld terminals in specified places based on defined methods for storage. O50.4: The organization should appoint handheld terminal administrators and regular… (O50.2, O50.3, O50.4, T39, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For precautions against theft and loss of handheld terminals, encryption should be adopted in cases where critical data are stored in personal terminals. For storage of personal data, encryption, password setting, and other proper security control measures should be implemented. (P3.5. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Mobile computing (Critical components of information security 1) 2) q. vii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should implement controls to prevent unauthorised access to IoT devices (§ 11.5.4, Technology Risk Management Guidelines, January 2021)
  • Rooted or jailbroken mobile devices, which are more susceptible to malware and may have more security vulnerabilities, should be disallowed from accessing the FI's mobile applications to perform financial transactions unless the application has been secured within a sandbox or container that insulat… (§ 14.1.7, Technology Risk Management Guidelines, January 2021)
  • avoid storing or caching data in the mobile application to mitigate the risk of data compromise on the device. Data should be stored in a protected and trusted area of the mobile device; (Annex C.1(a), Technology Risk Management Guidelines, January 2021)
  • An FI offering online financial services access via a mobile device should be aware of the risks unique to mobile applications. Specific measures aimed at addressing the risks of mobile applications should be put in place. Refer to Annex C for guidance on Mobile Application Security. (§ 14.1.4, Technology Risk Management Guidelines, January 2021)
  • implement a secure in-app keypad to mitigate against malware that captures keystrokes; and (Annex C.1(f), Technology Risk Management Guidelines, January 2021)
  • implement device binding to protect the software token from being cloned. (Annex C.1(g), Technology Risk Management Guidelines, January 2021)
  • Assess the applications that users can install and establish a policy for the use and tracking of the organisation's portable computing devices and removable storage media. (Annex A1: Portable Computing & Removable Storage Media Security 46, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so. (Security Control: 0687; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance. (Security Control: 1482; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Web browsing from mobile devices is conducted through an organisation's internet gateway rather than via a direct connection to the internet. (Security Control: 0874; Revision: 4, Australian Government Information Security Manual, March 2021)
  • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people (Security Control: 1299; Revision: 2; Bullet 5, Australian Government Information Security Manual, March 2021)
  • Privacy filters are applied to the screens of highly classified mobile devices. (Security Control: 1145; Revision: 3, Australian Government Information Security Manual, March 2021)
  • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people (Control: ISM-1299; Revision: 3; Bullet 5, Australian Government Information Security Manual, June 2023)
  • Personnel accessing systems or data using an organisation-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data. (Control: ISM-1482; Revision: 6, Australian Government Information Security Manual, June 2023)
  • avoiding connecting mobile devices to open or untrusted Wi-Fi networks (Control: ISM-1299; Revision: 3; Bullet 6, Australian Government Information Security Manual, June 2023)
  • never store credentials with mobile devices that they grant access to, such as in laptop computer bags (Control: ISM-1299; Revision: 4; Bullet 2, Australian Government Information Security Manual, September 2023)
  • never connect mobile devices to designated charging stations or wall outlet charging ports (Control: ISM-1299; Revision: 4; Bullet 5, Australian Government Information Security Manual, September 2023)
  • avoid connecting mobile devices to open or untrusted Wi-Fi networks (Control: ISM-1299; Revision: 4; Bullet 9, Australian Government Information Security Manual, September 2023)
  • Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.2 or later, and are operated in accordance with the latest version of their assoc… (Control: ISM-1867; Revision: 0, Australian Government Information Security Manual, September 2023)
  • SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD. (Control: ISM-1868; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction. (Control: ISM-0687; Revision: 10, Australian Government Information Security Manual, September 2023)
  • The organization must ensure information and communications technology equipment and media that contains sensitive information or classified information is secured in accordance with the requirements from the Australian Government Physical Security Management Protocol. (Control: 0161, Australian Government Information Security Manual: Controls)
  • The organization must develop a mobile device usage policy. (Control: 1082, Australian Government Information Security Manual: Controls)
  • The organization should use a mobile device management solution to ensure all mobile devices are applying the mobile device policy. (Control: 1195, Australian Government Information Security Manual: Controls)
  • The organization must not allow mobile devices to store or process top secret information, unless it is explicitly approved by the Defence Signals Directorate. (Control: 0687, Australian Government Information Security Manual: Controls)
  • Non-agency owned personal devices that access sensitive systems should use a trusted operating environment that prevents sensitive information from being stored on the mobile device. (Control: 1047, Australian Government Information Security Manual: Controls)
  • Non-agency owned personal devices that access classified systems must use a trusted operating environment that prevents classified information from being stored on the mobile device. (Control: 0693, Australian Government Information Security Manual: Controls)
  • The organization must not allow classified systems to be accessed by non-agency owned mobile devices. (Control: 0694, Australian Government Information Security Manual: Controls)
  • The organization must seek legal advice before it allows non-agency owned mobile devices to connect to an organizational system. (Control: 1297, Australian Government Information Security Manual: Controls)
  • The organization should ensure web browsing from a mobile device is accomplished through the Internet gateway instead of a direct Internet connection. (Control: 0874, Australian Government Information Security Manual: Controls)
  • Mobile devices should not be used for personal use or by people who are not specifically authorized. (Control: 1086, Australian Government Information Security Manual: Controls)
  • The organization must ensure all mobile devices are carried in a secured state when they are not being actively used. (Control: 0870, Australian Government Information Security Manual: Controls)
  • Mobile devices must be kept under continual direct supervision when they are in use. (Control: 0871, Australian Government Information Security Manual: Controls)
  • The organization should implement technical controls on mobile devices before personnel are going to travel overseas with it. (Control: 1298, Australian Government Information Security Manual: Controls)
  • Personnel must keep control over mobile devices and media at all times while traveling, including not putting them in checked-in luggage or leaving them unattended for any time period. (Control: 1087, Australian Government Information Security Manual: Controls)
  • Personnel should avoid connecting the mobile device to open WiFi networks, when traveling overseas. (Control: 1299 Bullet 2, Australian Government Information Security Manual: Controls)
  • Personnel should clear the web browser history, cache, cookies, Uniform Resource Locator files, and temporary files on mobile devices after each session, when traveling overseas. (Control: 1299 Bullet 3, Australian Government Information Security Manual: Controls)
  • Personnel should ensure the login pages on mobile devices are encrypted before entering the passphrases, when traveling overseas. (Control: 1299 Bullet 5, Australian Government Information Security Manual: Controls)
  • Personnel should avoid connecting to untrusted computers or inserting removable media into mobile devices, when traveling overseas. (Control: 1299 Bullet 6, Australian Government Information Security Manual: Controls)
  • Personnel should avoid storing authentication details or tokens and passphrases with the mobile device, when traveling overseas. (Control: 1299 Bullet 1, Australian Government Information Security Manual: Controls)
  • Personnel should encrypt e-mails on mobile devices where possible, when traveling overseas. (Control: 1299 Bullet 4, Australian Government Information Security Manual: Controls)
  • Personnel should change all passphrases for a mobile device after they return from overseas travel. (Control: 1300, Australian Government Information Security Manual: Controls)
  • Any workstation storing official information during non-working hours should be stored and protected according to the classification of the information. Portable computers and personal electronic devices should be protected according to the classification of the information stored on them. Portable … (§ 3.1.27, § 3.1.28, § 3.4.59, § 3.4.61, Australian Government ICT Security Manual (ACSI 33))
  • Are all applications which execute on devices approved by the business and restricted by code signing or other protection mechanisms? (Malware protection Question 41, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Is a Mobile Device Management solution in place for hardening and controlling all mobile platforms in use within the organisation? (Secure configuration Question 25, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Guaranteeing security when using mobile terminal devices in the cloud provider's area of responsibility for the access to it systems in order to develop and operate the cloud service. (Section 5.17 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for the proper use of mobile terminal devices in the cloud provider's area of responsibility, which allow access to IT systems for the development and operation of the cloud service, are documented, communicated and provided acco… (Section 5.17 MDM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Increased access protection (Section 5.17 MDM-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The requirements for mobile IT devices and mobile data storage devices are determined and fulfilled. The following aspects are considered: (3.1.4 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Users are informed of missing data protection on mobile devices. (3.1.4 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • The organization should avoid using mobile media when handling personal data. (Security Policy No. 4 ¶ 10, HMG Security Policy Framework, Version 6.0 May 2011)
  • App 2 ¶ 16: The organization must not use unencrypted laptops that are not on a secure site and must store them in an appropriately secure location until a full encryption program is installed. If this encryption policy cannot be met, the organization must develop a business case fully explaining… (App 2 ¶ 16, App 2 ¶ 17, App 2 ¶ 19, App 6 ¶ 17, App 6 ¶ 18, App 6 ¶ 20, The Contractual process, Version 5.0 October 2010)
  • You have protected data important to the operation of the essential function on mobile devices. (B3.d ¶ 1, NCSC CAF guidance, 3.1)
  • Processes are in place to protect endpoint and mobile computing and personal productivity devices (such as laptop and desktop computers, servers, networking and data storage devices, smart phones and tablets) that are used in computing, networking, data storage and processing of the entity's informa… (S7.3 Protects end point and mobile devices, Privacy Management Framework, Updated March 1, 2020)
  • Secure handheld devices with strong passwords and always encrypt PSKs if cached locally. (4.1.1 D, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Verify physical access to Wireless Access Points, handheld devices, telecommunications lines, gateways, networking hardware, and communications hardware is restricted. (Testing Procedures § 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must restrict physical access to handheld devices. (§ 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Physical access to Wireless Access Points, handheld devices, telecommunications lines, gateways, networking hardware, and communications hardware must be restricted. (PCI DSS Requirements § 9.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • § 4.6.1.D An organization must require that wireless devices be labeled with owner, contact information and purpose. (§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Is physical access to wireless access points, gateways, handheld devices, networking hardware, communications hardware, and telecommunication lines restricted? (PCI DSS Question 9.1.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is physical access to wireless access points, gateways, handheld devices, networking hardware, communications hardware, and telecommunication lines restricted? (PCI DSS Question 9.1.3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A process should exist for the timely detection and reporting of the theft or loss of the mobile device. Inherent to such a process should be a means for testing and for confirming that it remains active. Examples include the use of GPS or other location technology with the ability to set geographic… (¶ 5.6.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Mobile device management should be reviewed by the IT auditor and he/she should, at a minimum, consider the processes to procure devices; standardizing devices; the policies and procedures for defining the security baselines; the process to control data transmission; the process to control access in… (App A.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The security profile shall contain important details about the technology used in the local environment, including consumer devices (e.g., tablets and smartphones). (CF.12.01.05c, The Standard of Good Practice for Information Security)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by avoiding the use of unknown equipment (e.g., equipment provided by unknown individuals or available in Internet cafes or kiosks) for communicating or processing sensitive information. (CF.14.01.07d, The Standard of Good Practice for Information Security)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by limiting the amount of business information stored on mobile devices (e.g., by using a new build or securely deleting all previous information stored on the device before traveling). (CF.14.01.07b, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover software configuration (e.g., securing the firmware and employing standard builds). (CF.14.02.01a, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover provision of software to protect them (e.g., system management tools, access control mechanisms, malware protection s… (CF.14.02.01b, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover using a mobile device management system. (CF.14.02.01c, The Standard of Good Practice for Information Security)
  • Mobile devices should be provided with standard firmware configurations that include pre-configured BIOS settings (e.g., disabling the boot menu, Universal serial bus facility, and Digital Video Disk boot option). (CF.14.02.02a, The Standard of Good Practice for Information Security)
  • Mobile devices should be provided with standard firmware configurations that include restricting access to the BIOS functions (e.g., password protection) to authorized administrators. (CF.14.02.02b, The Standard of Good Practice for Information Security)
  • Mobile devices should be provided with standard technical build configurations that include preventing access to the workstation by unauthorized remote control software. (CF.14.02.04c, The Standard of Good Practice for Information Security)
  • Mobile devices should be protected by the use of a comprehensive set of system management tools (e.g., maintenance utilities, remote support, patch management, enterprise management tools, and back-up software). (CF.14.02.05a, The Standard of Good Practice for Information Security)
  • Mobile devices should be protected in the event of loss or theft using centralised mobile device management software that provides remote lockout (to prevent unauthorized access to the device). (CF.14.02.08a, The Standard of Good Practice for Information Security)
  • Mobile devices should be protected in the event of loss or theft using centralised mobile device management software that provides remote device tracking (e.g., software that will attempt to locate the equipment using Global Positioning System, or automatically contact a designated location if the e… (CF.14.02.08b, The Standard of Good Practice for Information Security)
  • Mobile devices used to access business applications should protect sensitive information against unauthorized access (e.g., from unauthorized or rogue applications) by protecting application information when it is stored on the device (e.g., by deploying business applications using a 'sandbox' or vi… (CF.14.02.09b, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers using portable storage devices. (CF.14.03.01a, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers protecting wireless access. (CF.14.03.01b, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers protecting against untrusted networks. (CF.14.03.01c, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers establishing a Virtual Private Network. (CF.14.03.01d, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers configuring web browsers. (CF.14.03.01e, The Standard of Good Practice for Information Security)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers using web proxy servers. (CF.14.03.01f, The Standard of Good Practice for Information Security)
  • Mobile devices should be configured to detect and record details about the use of / connection to unauthorized portable storage devices (e.g., cameras, smartphones, e-book readers, and audio / video media players). (CF.14.03.02b, The Standard of Good Practice for Information Security)
  • Mobile devices should be protected from connecting to unauthorized networks and computing devices by restricting wireless connectivity, such as wi-fi, 3g / 4g, Bluetooth, and infrared. (CF.14.03.03, The Standard of Good Practice for Information Security)
  • Mobile devices that access the corporate network from remote environments should be configured to establish a Virtual Private Network between the device and the corporate network. (CF.14.03.04a, The Standard of Good Practice for Information Security)
  • Mobile devices that access the corporate network from remote environments should be configured to prevent access to unprotected networks while the device is connected to the corporate network (i.e., to avoid bypassing the Virtual Private Network). (CF.14.03.04b, The Standard of Good Practice for Information Security)
  • Mobile devices that access the corporate network from remote environments should be configured to prevent network bridging / routing (e.g., by using a second Network Interface Card). (CF.14.03.04c, The Standard of Good Practice for Information Security)
  • Mobile web browser software should be configured to prevent users from disabling or modifying security options in the software settings. (CF.14.03.07a, The Standard of Good Practice for Information Security)
  • Standards / procedures should include the rights of the organization regarding ownership of information stored on portable storage devices (e.g., all information stored on a portable storage device remains the property of the organization). (CF.14.04.02e, The Standard of Good Practice for Information Security)
  • Standards / procedures should include the right of the organization to recover information held on portable storage devices. (CF.14.04.02f, The Standard of Good Practice for Information Security)
  • Users of portable storage devices should be prohibited from sharing the device with unauthorized individuals. (CF.14.04.05a, The Standard of Good Practice for Information Security)
  • Where an organization allows the use of consumer devices for business purposes, this should be supported by documented standards / procedures, which covers providing secure deployment of business applications (e.g., using a web browser or a 'sandbox'). (CF.14.05.01c, The Standard of Good Practice for Information Security)
  • The organization should reserve the right to access, recover, or delete information stored on consumer devices. (CF.14.05.07b, The Standard of Good Practice for Information Security)
  • The organization should reserve the right to remotely manage the device (e.g., from a central management console). (CF.14.05.07c, The Standard of Good Practice for Information Security)
  • The organization should reserve the right to enforce technical security controls, such as Access Control, malware protection software, and encryption. (CF.14.05.07d, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about individuals in the local environment (e.g., staff and contractors), including use of consumer devices, such as tablets and smartphones (and other gadgets including media players, e-book readers, cameras). (CF.12.01.03d, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about the technology used in the local environment, including consumer devices (e.g., tablets and smartphones). (CF.12.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover software configuration (e.g., securing the firmware and employing standard builds). (CF.14.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover provision of software to protect them (e.g., system management tools, access control mechanisms, malware protection s… (CF.14.02.01b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be supported by documented standards / procedures, which cover protection of the memory of computing devices against misuse and attack. (CF.14.02.01c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard firmware configurations that include pre-configured BIOS settings (e.g., disabling the boot menu, Universal serial bus facility, and Digital Video Disk boot option). (CF.14.02.02a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard firmware configurations that include restricting access to the BIOS functions (e.g., password protection) to authorized administrators. (CF.14.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be subject to standard security management practices, which include keeping them up-to-date (e.g., by applying approved change management and patch management processes). (CF.14.02.05a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices used to access business applications should protect sensitive information against unauthorized access (e.g., from unauthorized or rogue applications) by protecting application information when it is stored on the device (e.g., by deploying business applications using a 'sandbox' or vi… (CF.14.02.08b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers using portable storage devices. (CF.14.03.01a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers protecting wireless access. (CF.14.03.01b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers protecting against untrusted networks. (CF.14.03.01c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers establishing a Virtual Private Network. (CF.14.03.01d, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers configuring web browsers. (CF.14.03.01e, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops, netbooks, and consumer devices, such as ultrabooks, tablets, and smartphones) should be subject to documented standards / procedures for connectivity, which covers using web proxy servers. (CF.14.03.01f, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be configured to detect and record details about the use of / connection to unauthorized portable storage devices (e.g., cameras, smartphones, e-book readers, and audio / video media players). (CF.14.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be protected from connecting to unauthorized networks and computing devices by restricting wireless connectivity, such as Wi-Fi, 3G / 4G, Bluetooth, and infrared. (CF.14.03.03, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices that access the corporate network from remote environments should be configured to establish a Virtual Private Network between the device and the corporate network. (CF.14.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices that access the corporate network from remote environments should be configured to prevent access to unprotected networks while the device is connected to the corporate network (i.e., to avoid bypassing the Virtual Private Network). (CF.14.03.04b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices that access the corporate network from remote environments should be configured to prevent network bridging / routing (e.g., by using a second Network Interface Card). (CF.14.03.04c, The Standard of Good Practice for Information Security, 2013)
  • Mobile web browser software should be configured to prevent users from disabling or modifying security options in the software settings. (CF.14.03.07a, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should include the right of the organization to recover information held on portable storage devices. (CF.14.04.02e, The Standard of Good Practice for Information Security, 2013)
  • The organization should reserve the right to access, recover, or delete information stored on consumer devices. (CF.14.05.07b, The Standard of Good Practice for Information Security, 2013)
  • The organization should reserve the right to remotely manage the device (e.g., from a central management console). (CF.14.05.07c, The Standard of Good Practice for Information Security, 2013)
  • The organization should reserve the right to enforce technical security controls, such as Access Control, malware protection software, and encryption. (CF.14.05.07d, The Standard of Good Practice for Information Security, 2013)
  • The security profile shall contain important details about individuals in the local environment (e.g., staff and contractors), including use of consumer devices, such as tablets and smartphones (and other gadgets including media players, e-book readers, cameras). (CF.12.01.03d, The Standard of Good Practice for Information Security, 2013)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by avoiding the use of unknown equipment (e.g., equipment provided by unknown individuals or available in Internet cafes or kiosks) for communicating or processing sensitive information. (CF.14.01.05d, The Standard of Good Practice for Information Security, 2013)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by limiting the amount of business information stored on mobile devices (e.g., by using a new build or securely deleting all previous information stored on the device before traveling). (CF.14.01.05b, The Standard of Good Practice for Information Security, 2013)
  • Users of portable storage devices should be prohibited from sharing the device with unauthorized individuals. (CF.14.04.06a, The Standard of Good Practice for Information Security, 2013)
  • Where an organization allows the use of consumer devices for business purposes, this should be supported by documented standards / procedures, which covers providing secure deployment of business applications (e.g., using a web browser or a 'sandbox'). (CF.14.05.01e, The Standard of Good Practice for Information Security, 2013)
  • Computing devices and information should be protected against loss and theft by providing users with security screen filters (often referred to as privacy filters) to protect against the threat of shoulder surfing. (CF.14.01.03f, The Standard of Good Practice for Information Security, 2013)
  • The organization should reserve the right to confiscate, audit or inspect portable storage devices. (CF.14.04.07a, The Standard of Good Practice for Information Security, 2013)
  • The organization should reserve the right to access, recover or delete information stored on portable storage devices. (CF.14.04.07b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops and consumer devices) should be supported by documented standards / procedures, which cover configuration of event logging. (CF.14.02.01e, The Standard of Good Practice for Information Security, 2013)
  • Where an organization allows the use of consumer devices for business purposes, this should be supported by documented standards / procedures, which cover implementing technical controls to manage applications and device hardware. (CF.14.05.01d, The Standard of Good Practice for Information Security, 2013)
  • Consumer devices should be untrusted by default (i.e., each device should be considered hostile and running a hostile operating system), particularly when introduced to the organization as part of a Bring Your Own Device program. (CF.14.05.02c, The Standard of Good Practice for Information Security, 2013)
  • Access to the organisation's networks and business applications should be restricted to only approved consumer devices that meet a predetermined minimum security configuration (e.g., the device has not been tampered with ('jailbroken'), is running an approved version of the operating system, has Mob… (CF.14.05.08, The Standard of Good Practice for Information Security, 2013)
  • Technical controls should be implemented to help protect business information held on consumer devices (throughout the complete lifecycle of each device), which include maintaining a register (or equivalent) of approved consumer devices. (CF.14.05.09b, The Standard of Good Practice for Information Security, 2013)
  • Technical controls should be implemented to help protect business information held on consumer devices (throughout the complete lifecycle of each device), which include protecting business information in the event of loss or theft of consumer devices (e.g., by deploying Mobile Device Management soft… (CF.14.05.09d, The Standard of Good Practice for Information Security, 2013)
  • Technical controls should be implemented to help protect business information held on consumer devices (throughout the complete lifecycle of each device), which include building and maintaining application and device management configuration settings (e.g., automatic updates to the operating system … (CF.14.05.09e, The Standard of Good Practice for Information Security, 2013)
  • Technical controls should be implemented to help protect business information held on consumer devices (throughout the complete lifecycle of each device), which include configuring consumer devices to log important events (e.g., when sensitive information is copied to another device). (CF.14.05.09f, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard technical build configurations that include implementing access control mechanisms (e.g., passwords, tokens, or biometrics) to restrict access to a limited number of users and administrators to the device. (CF.14.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be protected by the use of a comprehensive set of system management tools (e.g., maintenance utilities, remote support, patch management, enterprise management tools, and back-up software). (CF.14.02.05c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be protected in the event of loss or theft using centralised mobile device management software that provides remote lockout (to prevent unauthorized access to the device). (CF.14.01.04a, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be protected in the event of loss or theft using centralised mobile device management software that provides remote device tracking (e.g., software that will attempt to locate the equipment using Global Positioning System, or automatically contact a designated location if the e… (CF.14.01.04b, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should include the rights of the organization regarding ownership of information stored on portable storage devices (e.g., all information stored on a portable storage device remains the property of the organization). (CF.14.04.02d, The Standard of Good Practice for Information Security, 2013)
  • Users of portable storage devices should be informed of the types of portable storage device permitted for storing business information (e.g., portable storage devices that are issued or approved by the organization). (CF.14.04.03a, The Standard of Good Practice for Information Security, 2013)
  • Users of portable storage devices should be informed of the types of information that can be transferred to and from portable storage devices (e.g., restricted to non-classified information or encrypted files). (CF.14.04.03b, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard technical configurations that include preventing access to the device by unauthorised remote control software. (CF.14.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices should be provided with standard technical configurations that include running a standard operating system, trusted and approved applications, common communications software and security software. (CF.14.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Where an organization allows the use of consumer devices for business purposes, this should be supported by documented standards / procedures, which cover meeting an agreed specification of device allowed. (CF.14.05.01a, The Standard of Good Practice for Information Security, 2013)
  • Enterprise software should be used to allow only specific Universal serial bus devices to be accessed and the data to be automatically encrypted, if portable devices are required. (Critical Control 17.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The application whitelist and the software inventory should be deployed on the mobile devices used by the organization. (Critical Control 2.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization must register mobile devices and personnel devices before connecting them to the wireless network. (Critical Control 7.15, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The company shall have a centralized, mobile device management solution deployed to all mobile devices permitted to store, transmit, or process company data. (MOS-10, Cloud Controls Matrix, v3.0)
  • The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and traini… (MOS-05, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and accepta… (HRS-06, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and Personal Digital Assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers … (IS-32, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network… (CIS Control 1: Safeguard 1.1 Establish and Maintain Detailed Enterprise Asset Inventory, CIS Controls, V8)
  • A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. (A.6.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A formal policy should be developed to protect mobile devices. The policy should contain requirements for physical protection, access controls, cryptographic techniques, backups, virus protection, how to connect to networks securely, and guidance on using the systems in public places. (§ 11.7.1, ISO 27002 Code of practice for information security management, 2005)
  • A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. (§ 6.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • When formulating its information security risk treatment plan (6.1.3 e)), the organization should then include actions to implement mobile device policy and MDM and assign responsibilities and timeframes. (§ 6.1.3 Guidance ¶ 27, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources. (PR.IP-1.2, CRI Profile, v1.2)
  • The organization's removable media and mobile devices are protected and use is restricted according to policy. (PR.PT-2.1, CRI Profile, v1.2)
  • The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.). (DE.CM-5.1, CRI Profile, v1.2)
  • The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources. (PR.IP-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's removable media and mobile devices are protected and use is restricted according to policy. (PR.PT-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.). (DE.CM-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • In the event that a host device utilizes mobile code technologies, that host device shall provide the capability to enforce a security policy for the usage of mobile code technologies. The security policy shall allow, at a minimum, the following actions for each mobile code technology used on the ho… (14.2.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • In the event that a network device utilizes mobile code technologies, the network device shall provide the capability to enforce a security policy for the usage of mobile code technologies. The security policy shall allow, at a minimum, the following actions for each mobile code technology used on t… (15.4.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • In the event that a software application utilizes mobile code technologies, that application shall provide the capability to enforce a security policy for the usage of mobile code technologies. The security policy shall allow, at a minimum, the following actions for each mobile code technology used … (12.2.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Personal information that is stored on portable devices or portable media is protected from unauthorized access. (Generally Accepted Privacy Principles and Criteria § 8.2.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should develop policies and procedures to prohibit personal information from being stored on portable devices and portable media, unless a business need exists and management has approved the storage. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should implement systems, policies, and procedures to protect accessed or stored personal information on laptop computers, smart phones, and portable media. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should password protect personal information that is accessed or stored on mobile devices or portable media. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should physically protect personal information that is stored or accessed on mobile devices or portable media. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Does the information security policy cover mobile computing? (§ B.1.22, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • When desktop computers are used to transmit scoped systems and data, are mobile devices used with those computers? (§ G.22.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, are mobile devices used with those computers? (§ G.22.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, are mobile devices used with those computers? (§ G.22.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to transmit scoped systems and data, are users permitted to execute mobile code? (§ G.22.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, are users permitted to execute mobile code? (§ G.22.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, are users permitted to execute mobile code? (§ G.22.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 1.3.13: The organization must protect removable storage devices and media that contain sensitive information and other data as if it were entirely sensitive information. CSR 1.13.2: The organization must prohibit employees from bringing personally-owned computer software and equipment into the w… (CSR 1.3.13, CSR 1.13.2, CSR 1.13.5, CSR 2.2.20, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Laptops and PDAs must never be checked as baggage; they must be hand carried. A Type 1 media encryptor must be used to protect hard drives. (§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Laptops that contain a WLAN card should have the default setting of the WLAN card radio set to OFF. Computers with an embedded WLAN that processes, receives, transfers, or stores classified information should have a wireless NIC that can be removed. PDAs and Smart phones should not be allowed to be … (§ 3.2 (WIR0167), § 3.3 (WIR0190), § 5 (WIR0410), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • Control connection of mobile devices. (AC.3.020, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Control connection of mobile devices. (AC.3.020, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Control connection of mobile devices. (AC.3.020, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Control connection of mobile devices. (AC.L2-3.1.18 Mobile Device Connection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • An agency shall implement mobile device management with centralized administration that is capable of remote locking when criminal justice information is allowed to be accessed from cell phones, smartphones, and tablet devices. (§ 5.5.7.3.3 ¶ 2(2)(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall implement mobile device management with centralized administration that is capable of remote wiping when criminal justice information is allowed to be accessed from cell phones, smartphones, and tablet devices. (§ 5.5.7.3.3 ¶ 2(2)(ii), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall implement mobile device management with centralized administration that is capable of setting and locking the device configuration when criminal justice information is allowed to be accessed from cell phones, smartphones, and tablet devices. (§ 5.5.7.3.3 ¶ 2(2)(iii), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall implement mobile device management with centralized administration that is capable of detecting "rooted" and "jailbroken" devices when criminal justice information is allowed to be accessed from cell phones, smartphones, and tablet devices. (§ 5.5.7.3.3 ¶ 2(2)(iv), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall implement mobile device management with centralized administration that is capable of enforcing folder level encryption or disk level encryption, when criminal justice information is allowed to be accessed from cell phones, smartphones, and tablet devices. (§ 5.5.7.3.3 ¶ 2(2)(v), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall: (i) establish usage restrictions and implementation guidance for mobile devices; and (ii) authorize, monitor, control wireless access to the information system. Wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections—wi… (§ 5.13 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Devices that have had any unauthorized changes made to them (including but not limited to being rooted or jailbroken) shall not be used to process, store, or transmit CJI data at any time. Agencies shall implement the following controls when allowing CJI access from devices running a limited-feature … (§ 5.13.2 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • CSO approved compensating controls to meet the AA requirement on agency-issued smartphones and tablets with limited feature operating systems are permitted. Compensating controls are temporary control measures that are implemented in lieu of the required AA control measures when an agency cannot mee… (§ 5.13.7.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Remote locking of device (§ 5.13.2 ¶ 3(2)(a), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Devices that have had any unauthorized changes made to them (including but not limited to being rooted or jailbroken) shall not be used to process, store, or transmit CJI data at any time. User agencies shall implement the following controls when directly accessing CJI from devices running a limited… (§ 5.13.2 ¶ 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The agency shall: (i) establish usage restrictions and implementation guidance for mobile devices; and (ii) authorize, monitor, control wireless access to the information system. Wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections—wi… (§ 5.13 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Any cellular device used to transmit CJI via voice is exempt from the encryption and authentication requirements. (§ 5.13.1.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Secure entity-owned telework client devices. (App A Objective 9:1c Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Computers used for remote access should meet the security and configuration requirements of the organization. (Pg 30, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Mobile devices. (AppE.7 Objective 3:4 d., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Mobile-enabled Web sites. (AppE.7 Objective 5:4 b. Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Mobile-enabled Web sites: Include vulnerabilities with Internet banking (hardware, operating system, and security limitations); malicious messages through Web-based attack vectors; limitations on anti-phishing and anti-XSS capabilities; malicious attacks through unvalidated redirects and forwards; u… (AppE.7 Objective 3:5 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Mobile application: Include application vulnerabilities (e.g., unpatched and outdated applications); malware; ability to jailbreak or root devices; use of unapproved application stores; weak storage controls over confidential information on devices; and inappropriate access to back-end databases. (AppE.7 Objective 3:5 c., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider must define all inspection measures and preventative measures for mobile devices. (Column F: AC-19g, FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the service provider's inspection and preventative measures for mobile devices. (Column F: AC-19g, FedRAMP Baseline Security Controls)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls Low Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the implementation of the portable or mobile device access control. Any problems discovered during the implementation of the portable or mobile device access control should be docu… (AC-19, AC-19.4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization may choose to strictly limit or prohibit Access to Personally Identifiable Information from mobile devices and portable devices. (§ 4.3 Bullet Access Control for Mobile Devices (AC-19), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization may ensure that portable devices and mobile devices are properly secured and regularly scanned to verify their security status, if they are allowed to Access Personally Identifiable Information. (§ 4.3 Bullet Access Control for Mobile Devices (AC-19), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must establish Implementation Guidance and usage restrictions for mobile devices, including personally owned removable media and writeable, removable media. (SG.AC-17 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must enforce the connection requirements for mobile devices to the smart grid Information System. (SG.AC-17 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must conduct specific measures on all mobile devices when they return from locations of significant risk. (SG.AC-17 Requirement Enhancements 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Control connection of mobile devices. (3.1.18, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Control connection of mobile devices. (3.1.18, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Control connection of mobile devices. (3.1.18, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Individuals who are permitted to use mobile devices in facilities that contain Information Systems which are processing, storing, or transmitting classified information should be prohibited from connecting unclassified mobile devices to classified information systems. (App F § AC-19(4)(b) Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish Implementation Guidance and usage restrictions for organizationally-controlled mobile devices. (App F § AC-19.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop and implement policies to prohibit the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s). (App F § AC-19(4a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop and implement policies to restrict individuals permitted to use mobile devices in facilities containing Information Systems processing, storing, or transmitting classified information; connection of unclassified mobile devices to classified information systems is prohib… (App F § AC-19(4b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must enforce the mobile device connection requirements. (App F § AC-19.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must inspect mobile devices that are returning from locations that are at significant risk. (App F § AC-19.g, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Individuals who are permitted to use mobile devices in facilities that contain Information Systems which are processing, storing, or transmitting classified information should be subject to random reviews or inspections of the mobile devices and the information stored on them by security officials, … (App F § AC-19(4)(b) Bullet 4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot implement any or all of the mobile device access control components. (App I § AC-19, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices. (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes the connection of mobile devices to organizational information systems. (AC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices. (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes the connection of mobile devices to organizational information systems. (AC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices. (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes the connection of mobile devices to organizational information systems. (AC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices. (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes the connection of mobile devices to organizational information systems. (AC-19b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and (AC-19a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., TX-RAMP Security Controls Baseline Level 1)
  • Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and (AC-19a., TX-RAMP Security Controls Baseline Level 2)
  • Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (SC-18b., TX-RAMP Security Controls Baseline Level 2)