MOBILE DEVICE POLICY
Present-day use of mobile technology is becoming more and more complicated: devices are accessible to everyone, and they are less effective to control. Several factors contribute to this, including the increased use of “functionality” and “storage capacity”, growing connectivity needs and low prices (Mallery and Kelly). A mobile device is, however, part of computer technology, and with every passing year there has been significant development in its use and flexibility. In these terms the use of mobile devices is increasingly gaining ground in all business organizations and corporate firms, so developing a mobile device security policy should be the first thing to be done. The first aspect to be examined is determining whether mobile devices are authorized at all. With the significant developments taking place in this mobile era, stopping the use of mobile devices would not be the right idea. However, the perception that mobile devices can hold a vast amount of information about the organization, which would be difficult to keep pace with, together with consideration of security policies, could force a business organization to stop the use of mobile devices within the organization. Yet no device has been found that could stop users from copying corporate data onto their mobile phones. If a business organization feels there is a need to synchronize mobile devices, it is crucial that the executive staff be notified of the risks associated with it. In many situations mobile devices are driven by availability rather than by security, so the security issue ends up at the very lowest priority in the organization. The next step the executive staff need to take, therefore, is to define a parameter for what can and cannot be synchronized. Examples of a security policy for mobile devices are highlighted below (Taylor, 2004-2005).
Ensure that the cell phone, PDA or smart phone is protected by a password.
A secure-access VPN should be used for corporate access in order to check e-mail.
Use a firewall and an anti-virus client with an up-to-date anti-virus system when connecting to other corporate networks.
Use the security policies on the firewall that are suggested by the corporate security team.
The collision between the Internet and the mobile Internet has raised several questions about the security of mobile devices. Spam e-mail, “virus attacks”, “content privacy” and “malicious attacks” have been a growing problem area in the wireless arena, so new types of system need to be designed to protect wireless networks and handsets (Sundaresan, 2003). With the increased use of mobile devices and improved technological innovation, attacks can become more complicated. As a preventive measure, information security officers and administrators with proven control over the network systems should conduct a risk assessment before actually introducing mobile devices into the organization's computing networks. Business organizations should try to provide more information to enable users to handle mobile devices. In addition, network administrators should investigate and document security policies that match their use and their users' capabilities (Barley, Mouratidis and Unruh, 2009). The documentation should include information about which users have the right to authenticate, the types of information the device would hold, the software programs users would be able to install, the use of a proper password tool, and how to report issues in case of a lost or stolen PDA.
1. Mobile Devices: These include, but are not limited to, Portable Digital Assistants (PDAs), Notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs, RIM Blackberrys, MP3 Players, text pagers, smart phones, compact discs, DVD discs, memory sticks, USB drives, Floppy discs and other similar devices.
2. User - Anyone with authorized access to State business information systems, including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants and other parties with valid State access accounts.
3. Screen Lock - Mechanism to hide data on a visual display while the computer continues to operate. A screen lock requires authentication to access the data. Screen locks can be activated manually or in response to rules.
4. Screen Timeout - Mechanism to turn off a device or end a session when the device has not been used for a specified time period.
Noncompliance with this policy and/or its resulting procedures may be cause for disciplinary action up to and including discharge, may involve civil or criminal litigation, and may involve restitution, fines, and/or penalties.
1. Each user of a State mobile device is responsible for following this policy and any related policy or procedure promulgated by their Agency head.
2. Each Agency may also establish policies and procedures and assign responsibility to specific agency personnel to achieve compliance with this policy.
3. Anyone observing what appears to be a breach of security, violation of this policy, violation of state or federal law, theft, damage, or any action placing State resources at risk must report the incident to an appropriate level supervisor, manager, or security officer within their organization. Those reporting alleged incidents will be protected from retaliation by existing whistleblower protection laws.
4. Managers and supervisors are responsible for ensuring that users are aware of and understand this policy and all related procedures.
1. Whenever possible, all mobile devices must be password protected. Choose and implement a strong password – at least eight (8) characters in length.
2. The physical security of these devices is the responsibility of the employee to whom the device has been assigned. Devices shall be kept in the employee's physical presence whenever possible. Whenever a device is being stored, it shall be stored in a secure place, preferably out of sight.
3. If a mobile device is lost or stolen, promptly report the incident to the CMS/BCCS Help Desk and proper authorities. Also, be sure to document the serial number of your device now, for reporting purposes, in the event that it is lost or stolen.
4. Sensitive or confidential documents, if stored on the device, should be encrypted if possible.
5. Mobile device options and applications that are not in use should be disabled.
6. Sensitive and confidential information should be removed from the mobile device before it is returned, exchanged or disposed.
7. Whenever possible all mobile devices should enable screen locking and screen timeout functions.
8. No personal information (as defined by the personal information protection act – 815 ILCS 530) shall be stored on mobile devices unless it is encrypted and permission is granted from the data owner.
9. Before a mobile device is connected to State IT systems, it shall be scanned for viruses (the user risks having files on the device deleted if any viruses are detected). If a mobile device or its media is used for transitional storage (for example, copying data between systems), the data shall be securely deleted from the mobile device immediately upon completion.
BENEFITS OF MOBILE DEVICES
Mobile devices have increased in functionality, storage capacity and their general utility. The benefits of mobile devices are visible at all organizational levels of enterprises, as they provide greater mobility, accessibility and convenience. In simple terms, mobile devices are a critical enabler of the ‘mobile office’ concept—potentially reducing overheads and increasing work productivity in a range of enterprise settings.
Mobile devices therefore represent an increasingly attractive way for enterprises to optimize their operational business outcomes, whilst simultaneously increasing workplace flexibility and decreasing infrastructure costs. In particular, to reduce costs, businesses may allow individuals to privately own mobile devices which interface with business systems, though this practice will involve the acceptance of a degree of risk by the organization.
RISKS TO MOBILE DEVICES
Mobile devices are subject to the same sorts of threats as traditional desktop computers, with additional threats arising out of two sources—the size and portability of mobile devices, and available wireless interfaces and their associated services.
Additionally, due to their generally limited processing power (as compared to desktop computers), mobile devices typically lack a range of integrated security features commonly found on desktop computers. Given this, mobile devices have become increasingly attractive as the target of malicious attack. Also, because their adoption often takes place informally and piecemeal, organizations may not recognize mobile devices as part of an organization's infrastructure nor treat them accordingly.
Inappropriate controls on mobile devices raise the potential for any information on the corporate system to become vulnerable to loss, interception or capture. Collectively, these issues mean that the threat space faced by mobile devices is larger and more complex than that posed to desktop computers. This is illustrated in Figure 1 below.
Key risks posed specifically to mobile devices are as follows:
• Loss and theft. The small size of mobile devices means that they have a tendency to be lost or misplaced, and are an easy target for theft. If the device does not have appropriate security measures in place or activated, then gaining access to the device can be easy, thereby exposing sensitive data on the device or accessible by it. Where a mobile device has an active telecommunications service, then unauthorized calls or other expenses can continue to be charged to the legitimate user. Additionally, the mobile device unit itself may be of considerable value, and be able to be reset and reused—even if user data is wiped in the process.
• Disposal. When a mobile device is disposed of (for being surplus to requirements), the risk of sensitive data being accessed remains, as information may still be present on the mobile device. Manually resetting a device, whilst deleting data in a logical sense, may leave data still physically residing on the device until it is overwritten by new data. Software and hardware products that can recover erased data from a mobile device are readily available.
• Malware. Mobile devices are subject to attack by a wide variety of malware (malicious software). Such malware ranges from that which is common to desktop computers, to that which specifically targets mobile devices. Malware can be introduced to mobile devices via communications services, synchronisation with a desktop computer or network, via email or web browsing, or via infected storage media. Generally, malware writers employ social engineering techniques to prompt users to carry out the necessary actions, enabling them to download malware on the mobile device. Malware installation may lead to the compromise of sensitive information on—or accessed by— the device, or a denial of service.
• Spam. Mobile devices, as the result of their connection to communication services, are increasingly subject to spamming. In addition to the annoyance of receiving undesirable and unsolicited material, spam can cause users to unwittingly accept charges on their communication service. Further, spam can be used as an adjunct to social engineering, as a pathway for the introduction of malware, and to conduct denial-of-service attacks on a mobile device.
• Private ownership. Allowing privately owned mobile devices to be used for business purposes may seem to be a cost-effective approach for an organization. But the ability to control and manage privately-owned devices is difficult to achieve, increasing the security risks generally associated with mobile devices.
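The Disposal risk above, and rule 9's requirement to securely delete data after transitional storage, both rest on the difference between logical deletion and overwriting. The following Python example is added here and is not part of the original document: it overwrites a file's contents and flushes them to the medium before unlinking, and its comments state the wear-levelled-flash caveat that motivates the policy's fallback to physical destruction. The file name and the marker content are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so big files need not fit in RAM

def _fill(fh, size, make_bytes):
    """Write `size` bytes from make_bytes(n) over the start of the file, then fsync."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        fh.write(make_bytes(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # force the overwrite out of the OS cache onto the medium

def overwrite_file(path, passes=2):
    """Overwrite a file in place: `passes` passes of random bytes, then zeros.
    'r+b' reuses the existing file, so on plain block storage the new bytes land
    where the old ones were. Caveat: wear-levelled flash (the norm in phones) may
    remap the writes to fresh cells and leave the old copy recoverable with
    low-level tools, which is why the policy falls back to physical destruction.
    Returns the file size in bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, secrets.token_bytes)
        _fill(fh, size, lambda n: b"\x00" * n)
    return size

def secure_delete(path, passes=2):
    """Overwrite the contents, then unlink. Returns bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size

def demo():
    """Constructed sample: a transfer file holding a marker, overwritten then deleted."""
    path = os.path.join(tempfile.mkdtemp(), "transfer.csv")
    with open(path, "wb") as fh:
        fh.write(b"CONFIDENTIAL,client list\n" * 200)
    size = overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()  # inspect before unlinking: the marker must be gone
    secure_delete(path)
    return {"size": size, "marker_gone": b"CONFIDENTIAL" not in after,
            "zeroed": after == b"\x00" * size, "deleted": not os.path.exists(path)}
```

Calling `demo()` returns the checks as a dictionary; on encrypted storage the simpler and more reliable route is to destroy the key rather than rely on overwriting.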
PROTECTING THE ORGANIZATION:
In order to manage the level of risk associated with the use of mobile devices within your organization, you should consider the following dimensions of security practice:
• People. Applying security controls to counter people-related risks, such as insecure behaviours and the inadvertent installation of malware, is critical for protecting an organization's information and systems from threats that might arise via mobile devices. The awareness and training of staff is a critical factor in ensuring that technological and procedural security controls are implemented.
• Technology. Whilst technical solutions cannot substitute for an integrated mobile device security policy, a range of technical actions can reduce the risk exposure of mobile devices, and mitigate the effects of security incidents when they do occur.
• Policies and procedures. Policies and procedures need to be developed that outline clear roles and responsibilities with respect to the employment and management of mobile devices across their entire life-cycle (acquisition, deployment, use and disposal).
People
• Identify key roles and responsibilities with respect to mobile device security, and identify mobile device user groups and their scope of usage for risk assessment.
• Educate users and administrators of mobile devices regarding risks, physical control, acceptable use, permissible sensitive data storage, and response and reporting actions in the event of security incidents or loss of the mobile device.
Technology
• Enable authentication processes on mobile devices, particularly where they interface with wireless networks, communication services, and corporate information and networks.
• Encrypt data resident on mobile devices and their associated removable media.
• Minimise or eliminate unnecessary functionality on mobile devices—this includes controlling or restricting access to wireless communications and communications services.
• Install protection and detection software on mobile devices.
• Where possible, conduct centralised configuration control and management of mobile devices and associated software.
• Where possible, enable remote deactivation and erasure of mobile devices.
• Where data cannot be reliably erased from mobile devices, consider the secure physical destruction of memory modules prior to disposing of the device.
Policies and Procedures
• Develop a plan for the acquisition, deployment and operation of mobile devices in the organisation; risk assessments and security controls are easier to conduct and implement when the organisation approaches mobile devices in a systematic fashion.
• Limit or prohibit access to corporate information and networks for privately owned mobile devices.
• Establish a mobile device security policy, which encompasses both organisation issued and privately owned mobile devices.
• Integrate mobile device security issues into the organisation's overall IT security policy.
• Review mobile device security policy, particularly after the acquisition of new mobile devices, configuration changes, and in the wake of security incidents involving mobile devices.
It is essential that organisations have suitable protective measures in place to secure mobile devices. This paper provides the basic knowledge for managing and mitigating the risks associated with the integration of mobile devices into corporate networks. Mobile device security policies should ensure that new devices cannot be introduced into corporate networks without the knowledge of IT management. In addition, remove the ability to make changes to configurations or settings which have the capability to adversely impact on the risk profile of the organisation.
Finally, implement a secure infrastructure which aligns with good practice advice, and control, manage and update the configuration and settings of mobile devices as necessary. Constant adjustments will be required in response to evolving technologies, changing risk exposure, and patterns of user behaviour. The security of mobile devices should be an integral, routine and ongoing element of an organisation's approach to securing its IT infrastructure.
1. Australian Government Information Management Office, Better Practice Guidance for CIOs – Security Considerations for the Use of Personal Electronic Devices (PEDs): www.finance.gov.au/e-government/security-andauthentication/ docs/Guidance_Use_of_Personal_Electronic_Devices_CIO_Advice_v1.0.pdf
2. CIO Magazine, Mobile Security 101: http://www.cio.com.au/article/268162/mobile_security_101_an_executive_guide_mobile_security?fp=4&fpid=23.
4. Taylor, L. (2004-2005), “Handheld security, part I-V”, retrieved September 25, 2007, available online [www.pdastreet.com/articles /2004/12/ 2004-12-6-Handheld security-Part.html].
5. Sundaresan, H. (2003), “OMAP Platform security features”, white paper retrieved July 1, 2005, available online [http//focus.ti.com/pdfs/ wtbu/omappletformsecurity wp.pdf].
9. US National Institute of Standards and Technology, Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124: http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf