Include prohibiting the usage of unapproved application stores in the mobile device security guidelines.


CONTROL ID
12290
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain mobile device security guidelines., CC ID: 04723

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The FI should only make available mobile applications or software to customers through official mobile application stores, or other secure delivery channels. (§ 14.1.5, Technology Risk Management Guidelines, January 2021)
  • Installation only of approved applications from "App Stores" classified as trusted (Section 5.17 MDM-01 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported). (MOS-17, Cloud Controls Matrix, v3.0)
  • Mobile application: Include application vulnerabilities (e.g., unpatched and outdated applications); malware; ability to jailbreak or root devices; use of unapproved application stores; weak storage controls over confidential information on devices; and inappropriate access to back-end databases. (AppE.7 Objective 3:5 c., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)