Mobile Device Policy
Introduction
Mobile computing is an increasing part of everyday life; as devices become smaller and more powerful, the number of tasks that can be achieved away from the office grows. However, as the capabilities increase, so do the risks. Security controls that have evolved to protect the static desktop environment are easily bypassed when a mobile device is used outside the confines of an office building.
Mobile devices (also commonly referred to as “user endpoint devices”) include items such as:
Laptops
Notebooks
Tablet devices
Smartphones
Smart watches
The purpose of this policy is to set out the controls that must be in place to secure each step in the lifecycle of a mobile device, including when employees are using mobile devices provided by Vertic Pty Ltd. It is intended to mitigate the following risks:
Loss or theft of mobile devices, including the data on them
Compromise of classified information held or accessed via a mobile device
Introduction of viruses and malware to the network
Loss of reputation caused by incidents relating to a mobile device
It is important that the controls set out in this policy are always observed in the provision, use and transport of mobile devices. The use of personally owned mobile devices to access corporate data is addressed separately in the BYOD Policy.
This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Vertic Pty Ltd systems.
The following policies and procedures are relevant to this document:
Access Control Policy
User Access Management Process
Mobile device policy
Selection and sourcing of mobile devices
Mobile devices must remain within support from the vendor so that security updates are made available on a regular basis. Devices that are out of support must not be used and must be replaced as soon as possible.
Expected or published support periods must be considered when choosing a mobile device model to be purchased and deployed.
The requirements for mobile devices must be clearly defined, including the form factor, software that the device must run and classification of information that it will store or access.
Security must be considered when selecting a mobile device to be used within the organisation, including the following factors:
Whether a device is available in a more secure version for use within enterprises, rather than by consumers, or is part of a security certification program
Frequency and mechanism by which updates are released by the vendor, including firmware updates if applicable
Availability of hardware-based security tools such as TPM (Trusted Platform Module) and hardware-backed key-stores
Vendor software tools available for the management of mobile devices
Compatibility with mobile device management (MDM) software either in current or planned use by the organisation
The security reputation of the hardware vendor, if separate from the software vendor (for example in the case of many Android devices)
Security features available on the device, such as biometrics
Mobile devices must only be sourced from reputable vendors that have been the subject of a due diligence exercise within Vertic Pty Ltd.
Mobile device provisioning
Where possible, a zero-touch approach should be taken to the enrolment of mobile devices (Vertic Pty Ltd uses Google Administration for this), to reduce the administrative setup involved and to increase the security of the delivered devices.
Where zero-touch enrolment is not possible (for example if firmware settings need to be configured), setup tasks should only be performed by appropriately qualified administrators.
Only in exceptional circumstances should device enrolment be carried out by the end user.
Procedures for device provision and enrolment must be tested to ensure that security requirements are met.
Where enrolment credentials need to be distributed to users, this must be achieved via an appropriately secure channel.
Time limits must be set within which device enrolment should have taken place, and all failures investigated.
Mobile device management
A mobile device management (MDM) service will be used to provide the capability to implement policies on device configuration, define permitted software installation, monitor device status and take remote actions such as device wiping, among other features.
Access to the MDM service will be controlled according to Vertic Pty Ltd policies, including the use of multi-factor authentication where possible.
The MDM service will ideally allow the management of all types of mobile devices in use within the organisation. Any exceptions will be subject to technical and security review and management approval.
Compliance of mobile devices with the defined policies must be monitored regularly, and cases of non-compliance investigated promptly.
User applications will be provided from a defined store and provision made to ensure that these apps are regularly updated from an appropriate source (for example the app vendor or an external update service).
Mobile device security
The configuration of mobile devices will be controlled from a central point using the MDM service.
Device compliance
Compliance policies will be defined for each type of device (for example Windows, iOS) under management to include the following:
Device health, such as use of encryption
Device properties, such as OS version
System security, including password rules and use of security features including firewall and antivirus
Compliance of mobile devices against these policies will be monitored, and instances of non-compliance investigated with the intention of bringing devices back into the required state.
Where available, conditional access capabilities within the MDM service should be used to further reduce risk to the organisation.
Device configuration
One or more device configuration profiles will be created for each type of mobile device to enforce the security policies of Vertic Pty Ltd. Due consideration will be given to available template profiles (such as security baselines) recommended by best practice bodies such as device and software vendors, government security agencies and industry bodies.
The specifics of the configuration required will vary by device type, but will typically include:
Use of encryption (for example full disk encryption)
Browser settings
Use of biometrics (for example fingerprint and face recognition)
Network settings (for example Wi-Fi and VPN)
Device lock
Firewall settings
Access to applications
Use of cloud services
Power
Threat protection
Software updates
Connection of peripherals (for example USB storage devices)
Success in synchronising devices with their required configuration profiles must be monitored and failures investigated and resolved as soon as possible.
Deprovisioning mobile devices
A mobile device may need to be deprovisioned for a number of reasons, including loss or theft, reaching the end of its supported life, or needing to be returned to the manufacturer.
In most cases this will be achieved using the remote wipe capability of the MDM service. This should be carried out as soon as possible after the requirement is identified (for example the device being reported as lost).
If appropriate, a backup of the device should be taken before it is wiped.
Devices that are no longer required must be destroyed in accordance with documented procedures for the secure disposal of media.
User responsibilities
The following guidance must be observed by users of mobile devices provided by Vertic Pty Ltd.
Unless specifically authorised, only mobile devices provided by Vertic Pty Ltd may be used to hold or process classified information on behalf of the organisation.
If you are required to make use of mobile equipment, you will be provided with an appropriate device or devices, configured to comply with the organisation's policies. Support will be provided by the IT Support Desk, who may at times need access to your device for problem resolution and maintenance purposes.
You must ensure that the device is transported in a protective case when possible and is not exposed to situations in which it may become damaged. Do not leave the device unattended in public view, such as in the back of a car or in a meeting room or hotel lobby.
Do not remove any identifying marks on the device such as a company asset tag or serial number. Ensure that the device is locked away when being stored and that the key is not easily accessible.
Do not add peripheral hardware to the device without the approval of the IT Support Desk. The IT Support Desk must be consulted before the device is taken out of the country. This is to ensure that it will work and to consider any insurance implications.
You will not hold classified information on the device unless this has been authorised and appropriate controls (e.g. encryption) put in place. Do not keep access tokens, Personal Identification Numbers, or other security items with the device.
Ensure that the device screen locks after a short period of not being used and requires an access code or password to unlock it. Passwords used must be strong and difficult to guess. No unsecured logons (i.e. those that do not require a password) may be set up on the device.
The organisation-provided device is for your business use only; it must not be shared with family or friends or used for personal activities. You may be asked to return the device to the IT Support Desk at any time for inspection and audit. You must not install any unauthorised software or change the configuration or setup of the device without consulting the IT Support Desk first.
Where possible, the device will be secured so that all of the data on it is encrypted and so is only accessible if the password is known. If the device is supplied with encryption, do not disable it.
Changes to files held on the device may not be backed up on a regular basis if it is not connected to the corporate network for a period of time. Try to schedule time to connect to the corporate network on a regular basis so that backups can run. Do not take your own unencrypted backups of classified information.
Where applicable, virus protection will be installed on the device by the organisation. Ensure that the device is connected to the corporate network on a regular basis to allow the anti-virus software to be updated. Do not disable virus protection on the device.
The device must not be connected to non-corporate networks such as wireless or the Internet unless a VPN (Virtual Private Network) is used. When in public places, ensure that you site the device such that unauthorised people cannot view (or take photographs or video of) the screen.