Mobile devices such as smartphones and tablets have enabled major productivity gains in the field and in the office and are becoming an integral part of the business lifestyle. Although their intelligence allows greater productivity, it also makes them vulnerable to attack. A network is only as secure as its weakest link.
Personal Communication Devices and Voicemail Policy
This document describes Information Security’s requirements for Personal Communication Devices and Voicemail for Richman.
This policy applies to any use of Personal Communication Devices and Richman Voicemail issued by Richman or used for Richman business.
3.1 Issuing Policy
Personal Communication Devices (PCDs) will be issued only to Richman personnel with duties that require them to be in immediate and frequent contact when they are away from their normal work locations. For the purpose of this policy, PCDs are defined to include handheld wireless devices, cellular telephones, laptop wireless cards and pagers. Effective distribution of the various technological devices must be limited to persons for whom the productivity gained is appropriate in relation to the costs incurred.
Handheld wireless devices may be issued, for operational efficiency, to Richman personnel who need to conduct immediate, critical Richman business. These individuals generally are at the executive and management level. In addition to verbal contact, it is necessary that they have the capability to review and have documented responses to critical issues.
Hands-free enabling devices, such as Bluetooth, may be issued to authorized Richman personnel who have received approval. Care must be taken to avoid being recorded when pairing Bluetooth adapters; Bluetooth 2.0 Class 1 devices have a range of 330 feet.
Voicemail boxes may be issued to Richman personnel who require a method for others to leave messages when they are not available. Voicemail boxes must be protected by a PIN which must never be the same as the last four digits of the telephone number of the voicemail box.
3.4 Loss and Theft
Files containing confidential or sensitive data may not be stored in PCDs unless protected by approved encryption. Confidential or sensitive data shall never be stored on a personal PCD. Charges for repair due to misuse of equipment or misuse of services may be the responsibility of the employee, as determined on a case-by-case basis. The cost of any item beyond the standard authorized equipment is also the responsibility of the employee. Lost or stolen equipment must immediately be reported.
3.5 Personal Use
PCDs and voicemail are issued for Richman business. Personal use should be limited to minimal and incidental use.
3.6 PCD Safety
Conducting telephone calls or utilizing PCDs while driving can be a safety hazard. Drivers should use PCDs while parked or out of the vehicle. If employees must use a PCD while driving, Richman requires the use of hands-free enabling devices.
Any employee found to have violated this policy may be subject to disciplinary action that leads to being ineligible for continued use of PCDs. Extreme cases could lead to additional discipline, up to and including termination of employment.
Bluetooth: Bluetooth is an industrial specification for wireless personal area networks (PANs), also known as IEEE 802.15.1. Bluetooth provides a way to connect and exchange information between devices such as personal digital assistants (PDAs) and mobile phones via a secure, globally unlicensed short-range radio frequency. Source: Wikipedia
Confidential or sensitive data: All data that is not approved for public release shall be considered confidential or sensitive.
6.0 Revision History
© SANS Institute 2006 All Rights Reserved
Mobile Device Encryption Policy
This document describes Information Security’s requirements for encrypting data at rest on Richman mobile devices.
This policy applies to any mobile device issued by Richman or used for Richman business which contains stored data owned by Richman.
All mobile devices containing stored data owned by Richman must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, PDAs, and cell phones.
Users are expressly forbidden from storing Richman data on devices that are not issued by Richman, such as storing Richman email on a personal cell phone or PDA.
Laptops must employ full disk encryption with an approved software encryption package. No Richman data may exist on a laptop in cleartext.
3.2 PDAs and Cell phones
Any Richman data stored on a cell phone or PDA must be saved to an encrypted file system using Richman-approved software. Richman shall also employ remote wipe technology to remotely disable and delete any data stored on a Richman PDA or cell phone which is reported lost or stolen.
All keys used for encryption and decryption must meet complexity requirements described in Richman’s Password Protection Policy.
3.4 Loss and Theft
The loss or theft of any mobile device containing Richman data must be reported immediately.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Full disk encryption: Technique that encrypts an entire hard drive, including operating system and data.
Key: Phrase used to encrypt or decrypt data.
PDA: Personal Data Assistant.
Remote wipe: Software that remotely deletes data stored on a mobile device.
6.0 Revision History
1.0 initial policy version, 2/22/2008
Keeping mobile devices secured on the network, however difficult, can be accomplished. Because of their portability, 100% security of devices cannot be guaranteed; securing the access to resources on the network, however, can. With these policies in place, Richman can rest assured that its network is guarded against both passive and active attacks.