Mobile Device Security Policy

1.0 Introduction
The goal of this policy is to allow any type of mobile device (whether issued by [organization name] or
not) to be securely used to access [organization name] information resources. While the focus of this
policy is mitigating the risks to [organization name] associated with the use of smartphones, part or
all of this policy can be applied to traditional mobile devices, including laptops, USB drives, CD/DVD,
etc.

2.0 Purpose
This policy was created to mitigate known risks associated with:

• A breach of confidentiality due to the access, transmission, storage, and disposal of sensitive
information using a mobile device.
• A breach of integrity due to the access, transmission, storage, and disposal of sensitive
information using a mobile device.
• A loss of availability to critical systems as a result of using a mobile device.

3.0 Scope
This policy applies to any mobile device and its user, including those issued by [organization name] as
well as personal devices that are used for business purposes and/or store [organization name]
information.

4.0 Policy
The effectiveness of this policy is dependent on how it is tailored for [organization name] 's
environment. Whether by informal process or formal risk assessment, [organization name] should
enumerate 1) all mobile devices in use (type, owner, connections enabled, criticality, data
accessed/stored, etc.), 2) current threat-sources, and 3) known vulnerabilities. Each of these factors
should help formulate an understanding and prioritization of current risks such that the policy is
tailored to [organization name]’s specific environment and ensuring resources are focused only on
implementation of those necessary policies.

4.1 Access Control

4.1.1 The use of mobile devices for both business and personal use is prohibited unless
permissions are enforceable to restrict application access to the minimum necessary resources
and connections.
4.1.2 Only approved applications can be installed and used on mobile devices. A list of
approved applications will be maintained and require applications to be signed and/or provide
sufficient sandboxing capabilities.
4.1.3 Disable Bluetooth capabilities unless necessary. If necessary, consider additional controls
including increased authentication, decrease power use, limit services available, stronger
encryption, avoid use of security mode 1, etc.
4.1.4 Access to [organization name] information resources using a mobile device must be
approved, documented, and logged.

4.2 Authentication
4.2.1 Mobile device access must require a PIN.
4.2.2 SIM access must require a PIN.

Mobile Device Security Policy Page 1

 4.2.3 Strong passwords are required for applications that access or store sensitive information.
Password policies should enforce length, complexity, lockout, forbid weak words, etc.
4.2.4 Mobile device must require PIN to unlock after a period of inactivity.

4.3 Encryption
4.3.1 The use of encryption is required for all mobile devices that must store or access sensitive
information. While full disk encryption is preferable, application or file encryption solutions are
acceptable at this time.
4.3.2 The use of encryption is required for the transmission of sensitive information to/from
mobile devices.

4.4 Incident Detection and Response

4.4.1 Develop, document, and implement procedure to quickly respond to lost or stolen mobile
devices.
4.4.2 Every mobile device will have the capability to remotely wipe and/or track its location on
demand.

4.5 User Training and Awareness

4.5.1 Users that use personal mobile devices for business use will notify IT and provide system
details.
4.5.2 Users will review all links and URLs prior to clicking to prevent a successful phishing
attempt.
4.5.3 Users will limit storage of sensitive data on mobile devices. However, critical data that is
stored will be backed up to [organization name] 's file server on a regular basis.
4.5.4 Users will only install approved applications and forward suspicious permission requests
to IT prior to granting access to the application.
4.5.5 Users will physically secure the mobile device when left unattended. When left in a car,
mobile device will be hidden from view.
4.5.6 Users will not allow unattended access to mobile device by another user.
4.5.7 Users will notify IT immediately if mobile device is lost or stolen.
4.5.8 Users will return mobile device at the end of employment. At which time, device will be
wiped and reissued.
4.5.9 Users critical to [organization name] will not use mobile device while operating a motor
vehicle.

4.6 Vulnerability Management

4.6.1 All mobile device system and application software in use must be identified and
documented.
4.6.2 Critical security updates for in-use software must be deployed to all mobile devices.
4.6.3 Anti-virus software should be used on devices with known malicious software when
available.

5.0 Definitions

Bluetooth A technology used to transmit data wirelessly.

Information Resource Includes data, application, system, network, and/or people.
Full Disk Encryption A process that encrypts the entire hard drive/partition.
Mobile Device A portable electronic device, including smartphones, PDAs, laptops, USB
drives,
DVD/CD, etc
PIN Personal Identification Number
Remote Wipe Use of software to destroy data on mobile device remotely.

Mobile Device Security Policy Page 2

Sandboxing The ability to restrict an application's access to specific device resources.
Sensitive Information Types of sensitive information that may be stored on a mobile device
include: authentication credentials, downloaded sensitive data (email
and attachments), call logs, business contact info, location/positional info.
Signing A process to determine authenticity and accountability for an
application.
SIM Subscriber Identity Module

Mobile Device Security Policy Page 3