Policy Name: 2.7 Mobile security policy
1 PURPOSE
The purpose of this policy is to ensure that the Organization's sensitive and critical data that is
accessible to employees on their mobile devices is protected against unauthorized access, and to
prevent unauthorized information disclosure.
2 SCOPE
This policy applies to:
- Employees' personal mobile devices, such as smartphones and tablet computers, that can access
  the Organization's networks, data and systems.
- Applications used by employees on devices, whether owned by the Organization or by the employee,
  which store or access the company's data.
- Portable devices such as flash drives, external hard disks, CDs, etc.
3 POLICY
Access to business information shall be provided only after users have signed an end user agreement
acknowledging their duties (physical protection, software updating, etc.), waiving ownership of
business data, allowing remote wiping of data by the organization in case of theft or loss of the device
or when no longer authorized to use the service. This policy shall take account of privacy legislation.
The policy also covers separation of private and business use of the devices, including using software
to support such separation and protect business data on a private device.
3.1 Mobile Device Management
1. Mobile Device Registration – All mobile devices shall be registered and authenticated before being
allowed to connect to and access the Organization's infrastructure and applications.
2. Device Physical Protection – The user shall be responsible for physical protection of the mobile
device. Refer to the BYOD security policy for BYOD security requirements.
3. Centralized Mobile Device Management – System administrators shall use a centralized mobile
device management (MDM) solution for the management of all registered mobile devices.
4. User Access Profiles – Access to Organization’s resources shall be granted based on business need.
5. Lost / Stolen Devices – When Mobile Devices or Removable Media containing Sensitive Data or
Organization’s connection information is lost or stolen, a report shall be filed immediately. Refer to
section ‘Incident Management’ in this policy for details.
6. MDM Software Features – The MDM solution shall, at minimum, have the following features:
   - Deletion (often known as remote wipe) to securely destroy all information stored on the device
     and any attached storage.
   - Data Encryption – Mobile devices shall use hardware encryption and deploy file-based encryption
     software.
Training shall be arranged for personnel using mobile devices to raise their awareness of the
additional risks resulting from this way of working and the controls that should be implemented.
3.2 Incident reporting
1. MDM users shall report immediately to the system administrator for data wiping if their
device is misplaced or stolen.
2. If an owner's device is hacked to manipulate or delete stored data, the device owner shall
take action and report to the system administrator.
3.3 Log management
Detailed logs shall be recorded and managed for MDM.