Hand-Held Device use has become common place in today’s business environment to include company owned assets, and personal “Bring Your Own Device” (BYOD)’s. Security of Hand Held Devices normally spans over many of the other standard domains making it practical to treat them as a separate domain..
The SANS Reading Room article; Security Policy for the use of handheld devices in corporate environments, provides a security policy template for Governing the use of hand-held devices in a corporate environment. Standard template elements are as follows:
- Introduction
- Purpose
- Scope of application and obligation
- Roles and Responsibilities
- Target Readership
- How to use the policy template
- Definitions
- References
The actual security policy contains the following elements:
- General policy requirements which discuss a wide range of elements to include roles and responsibilities of users, inventory of mobile devices, authorized and forbidden services, and user awareness training.
- Physical security. This policy includes, physical security as it relates to theft or loss of a mobile device, device safety, password requirements, ownership, remote blocking and wiping, availability and business continuity, and camera use.
- Operating System (OS) security. Items covered include firmware and OS update and patching, hardening, signed and unsigned application use, firewalls and anti-virus, and defining a security model for the device itself.
- Personal Area Network (PAN) security. Items covered here include, the use of Bluetooth, PINS and pairing, Bluetooth device security, file transfer over PAN, audits, and unauthorized use.
- Data security. A few items covered here include, information classification, restrictions, data security as it relates handling information, and encryption.
- Corporate network access security. Some items listed are. Access control to the network, remote access to corporate resources, internal access to resources, and wireless support.
- Over-the-air provisioning security. This policy covers device management, provision security, and communications security
- Internet security. Includes acceptable use, general email security, and attachment restrictions,
- Forbidden services
- Unauthorized actions
Overall, the template generally falls in line with other commonly used policy frameworks. It covers all the general elements with the exception of legal or industry general requirements.
References
Guerin, N., & Wanner, R. (2008, May 29). Security Policy for the use of handheld devices in corporate environments. Retrieved September 19, 2017, from https://www.sans.org/reading-room/whitepapers/pda/security-policy-handheld-devices-corporate-environments-32823.
Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
