Mobile Device or BYOD Security Best Practices

This article will provide some guidance and best practices for the use of, and security for, remote access and mobile device technology (e.g. BYOD) that access critical information systems and sensitive or confidential information assets.

Keywords you should know

• Mobile Devices or Portable Electronic Devices – means those electronic devices that are portable or mobile in nature. The term “mobile devices” specifically applies to any handheld device that makes or receives phone calls, leaves messages, sends text messages, browses the Internet, or downloads and allows for the reading of and responding to e-mails, regardless of whether the device is supplied and/or owned by the organization.
• Information Assets – means all information, data, and communications created, received, or stored on or passed through the network, including all user files and e-mail.
• Information Systems – means the entire computer and telecommunications network, including, but not limited to, the following: fax machines, host computers, file servers, application servers, communication servers, mail servers, scanners, fax servers, Web servers, workstations, stand-alone computers, laptops, portable/handheld telecommunications devices (e.g., cellular telephones, pagers, and radios), cameras (both digital and analog), software, applications, data files, removable media, and all internal and external computer and communications networks (e.g., intranets, extranets, internet, commercial online services, value added networks, e-mail systems) accessed directly or indirectly from the computer network.
• Company-owned – means any devices owned by the organization. Employees being assigned a company-owned device do not have the right, nor should an employee have the expectation, of privacy while using company owned equipment or services.
• Personally-owned – means any device that is owned by an employee or receives a stipend based on the employee’s job roles.

All federal, state, and local laws should be followed, which includes, among its requirements, reviewing and modifying, where necessary, information security policies and procedures on a regular basis. Emphasis is also placed on allowing remote access to information systems and information assets including protected health information that is access through portable devices (BYOD), external systems, or hardware owned/managed or not owned/managed by the organization.

Acceptance of mobile device (BYOD) policies and procedures

Access to and continued use of network services should be granted on condition that each employee reads, signs, respects, and follows policies concerning the use of these devices and services. Management should identify mobile computing requirements specific to bring-your-own-device (BYOD) usage including identifying approved applications, eligibility requirements, privacy expectations, data wipe, and usage.

Who should authorize the device?

The CISO or compliance officer should authorize the connection of mobile devices to organizational information systems. A documented list of approved applications should be defined as acceptable for mobile devices accessing or storing data. The use of unapproved applications should be prohibited for company-owned and BYOD mobile devices. Non-approved applications or approved applications not obtained through the application store should prohibited.

Tools to protect the device

Mobile devices should be protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, secure configuration, and physical protections.

Password policies applicable to mobile devices should be documented and enforced through technical controls for all devices approved for use. Password/PIN lengths and authentication requirements should be prohibited from being changed without appropriate authorization.

Controls Specific to Mobile Devices

• A centralized, mobile device management solution should be deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls.
• Mobile devices should never be left unattended in public areas such as cars, hotel rooms, conference rooms, or airports.
• Personnel should not download or transfer sensitive business related data or sensitive information to a personally owned device. Sensitive business related data or sensitive information should allowed to be downloaded or transferred to a company owned device only if encryption capabilities are enabled on that device. This excludes e-mail that is protected through other various security controls.
• All mobile computing devices utilized for business purposes should be encrypted.
• All personnel agree to delete any business related data or sensitive information that may be inadvertently downloaded and stored on the device through the process of viewing e-mail attachments. IT staff should provide instructions for identifying and removing these unintended file downloads.
• Devices, by policy, should be required to employ an unlock passcode as implemented by the device vendor.
• All personnel should enable session timeouts of ten (10) minutes that require PIN or password to re-use.
• All personnel agree to maintain personally owned devices or company owned devices that are assigned with the original device operating system and keep the device current with security patches/updates as released by the manufacturer. In addition, all personnel agree to allow for remote software version/patch validation. The personnel should not ‘Jail Break’ the device (installing software that allows them to bypass standard built-in security features and controls).
• All mobile devices utilized for business purposes should be installed with anti-virus/malware software that should be kept up to date.
• All personnel agree that the device should not be shared with other individuals or family members, due to the business use of the device and potential access to business related or sensitivity of information.
• All personnel agree that applications that cache data should be minimized and all temporary files should be automatically deleted on the mobile device.
• When accessing any business information over open or public networks, identification and authentication should be required to be in place for mobile devices. In addition, devices should have host-based firewalls installed when connecting to open or public networks.
• All personnel understand that if both a company or personally owned device is lost or stolen, they must notify IT staff within one (1) hour, or as soon as practical after noticing the device is missing. The device should be wiped to protect the integrity of the company data that may be on it.
• When a mobile device is no longer in use, the device should be properly disposed by wiping all information and restoring it back to factory settings.
• Monitoring should be performed to identify any unauthorized mobile devices that connect to the network.

All personnel travelling to high risk locations should be issued specific mobile devices when travelling to these locations. Upon return, these devices should be checked for tampering and/or malware.

All personnel should be trained in the appropriate use of mobile computing devices, the risks inherit to utilizing these devices, and their responsibilities to protect these devices. All other security controls specified in policies and procedures should apply to mobile devices, where applicable.

Mobile Device Use Restrictions

All personnel should be prohibited from using devices while driving, whether the purpose of the use is personal or company-related. Likewise, all personnel should be prohibited from using non-company owned mobile devices while driving if the purpose of use is for business. This prohibition includes receiving or placing calls, text messages, browsing the Internet, receiving or responding to e-mails and checking for voice messages.

A mobile device may be used to receive or place calls by using a hands-free device, which includes, for example, speaker phones, earpieces, wired headsets, and Bluetooth, so long as the use of a hands-free device complies with the laws of the state in which the activity is being conducted. Despite the hand-free exception, all personnel are strongly discouraged from using any mobile device for any purpose while driving. If use of a mobile device is necessary when driving, it is recommended they pull their vehicle aside in a safe place to conduct the activity.

All messages and information communicated using company owned mobile devices and/or systems accessed through personally owned mobile devices should be the property of the company. All personnel should be aware that the organization may monitor, inspect, or access its mobile devices, electronic systems, and/or any messages sent using either company owned mobile devices or systems, at any time with or without notice. This includes, without limitation, monitoring: Internet sites visited by employees, screensavers, software, file downloads, news groups, and e-mail communications. There should be no expectation of privacy in any matter created, accessed, received, stored, or sent using either company owned mobile devices or systems.

Additionally, critical considerations should be taken over the confidentiality and security of information. Any mobile device and BYOD used for business purposes should follow the requirements contained within the policy/procedure.