Mobile Device or BYOD Security Best Practices
Posted by Superadmin on September 16 2022 06:42:16

Published date: January 12, 2019
BYOD Security Best Practices

This article provides guidance and best practices for the use and security of remote access and mobile device technology (e.g. BYOD) that accesses critical information systems and sensitive or confidential information assets.

Keywords you should know

All federal, state, and local laws should be followed. Among their requirements is that information security policies and procedures be reviewed, and modified where necessary, on a regular basis. Particular attention should be paid to remote access to information systems and information assets, including protected health information, that are accessed through portable devices (BYOD), external systems, or hardware that is not owned or managed by the organization.

Acceptance of mobile device (BYOD) policies and procedures

Access to and continued use of network services should be granted on condition that each employee reads, signs, respects, and follows the policies concerning the use of these devices and services. Management should identify mobile computing requirements specific to bring-your-own-device (BYOD) usage, including approved applications, eligibility requirements, privacy expectations, data wipe conditions, and acceptable usage.

Who should authorize the device?

The CISO or compliance officer should authorize the connection of mobile devices to organizational information systems. A documented list of applications approved for mobile devices that access or store organizational data should be maintained. The use of unapproved applications should be prohibited on both company-owned and BYOD mobile devices, as should approved applications that were not obtained through the official application store.

Tools to protect the device

Mobile devices should be protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, secure configuration, and physical protections.

Password policies applicable to mobile devices should be documented and enforced through technical controls on all devices approved for use. Password/PIN length and other authentication requirements should not be changeable by the user without appropriate authorization.

Controls Specific to Mobile Devices

Personnel travelling to high-risk locations should be issued dedicated mobile devices for the trip. Upon return, these devices should be checked for tampering and/or malware before they are reconnected to organizational systems.

All personnel should be trained in the appropriate use of mobile computing devices, the risks inherent in using these devices, and their responsibilities to protect them. All other security controls specified in policies and procedures should apply to mobile devices where applicable.

Mobile Device Use Restrictions

All personnel should be prohibited from using company-owned mobile devices while driving, whether the use is personal or company-related. Likewise, all personnel should be prohibited from using non-company-owned mobile devices while driving if the use is for business. This prohibition includes receiving or placing calls, sending or reading text messages, browsing the Internet, receiving or responding to e-mails, and checking voice messages.

A mobile device may be used to receive or place calls with a hands-free device (for example, a speakerphone, earpiece, wired headset, or Bluetooth), so long as such use complies with the laws of the state in which the activity takes place. Despite the hands-free exception, all personnel are strongly discouraged from using any mobile device for any purpose while driving. If use of a mobile device is necessary, they should pull over to a safe place before conducting the activity.

All messages and information communicated using company-owned mobile devices, or using company systems accessed through personally owned mobile devices, should be the property of the company. All personnel should be aware that the organization may monitor, inspect, or access its mobile devices, electronic systems, and/or any messages sent using company-owned mobile devices or systems at any time, with or without notice. This includes, without limitation, monitoring of Internet sites visited by employees, screensavers, software, file downloads, newsgroups, and e-mail communications. There should be no expectation of privacy in any matter created, accessed, received, stored, or sent using company-owned mobile devices or systems.

Additionally, careful consideration should be given to the confidentiality and security of information. Any mobile or BYOD device used for business purposes should follow the requirements contained in the applicable policy and procedures.