Mobile Security Standard

Transcription

1 Mobile Security Standard Title Mobile Security Standard Mobile Device Security Category Version: 18/07/2013 PUBLISHED Author:, IT Services Contact:

2 Mobile Security Standard Contents 1 Introduction Background Purpose Scope and Applicability Compliance 4 2 Responsibilities Controls Information Handling Approved Operating System Lists Authorisation, Granting Access Security of Mobile Devices Passwords Tampering with, modifying or adapting applications and security on mobile devices Change or Termination of Access Rights 6 Glossary... 7 References... 7 Document Control Version Date Author Description /05/13 Code of practice developed for the Mobile Security project /05/13 Reformatted to standard document template and updated with minor changes decided by UEB /07/13 Updated with minor comments from ISSG members and published. Page 2 of 7

3 1 Introduction 1.1 Background The University operates in a highly competitive global market for students, staff and research funding in which information is a valuable asset, a significant amount of which is commercially sensitive. At the same time the University must comply with the law and protect its interests avoiding or mitigating the risk of damage or prejudice resulting from unauthorised or accidental disclosure, modification or destruction of information. Information security, or information assurance, is concerned with maximising the business benefit conferred by information while ensuring that the University also fulfils its legal and contractual obligations through achieving a balance between: 1.2 Purpose Confidentiality preserving authorised restrictions on information access and disclosure, including means of preserving personal privacy and proprietary information. A loss of confidentiality is the unauthorised disclosure of information. Integrity guarding against improper information falsification, modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the falsification, unauthorised modification or destruction of information. Availability ensuring that information is made available as and when required for the University to conduct its business efficiently and without delay. Information that is not available may be secure but delivers no business benefit. The widespread use of mobile devices such as smartphones and tablet computers creates new security vulnerabilities when used by University members to access and store confidential information in the form of messages and files. This Standard defines controls that protect information assets under the ownership or custodianship of the University, based upon the potential impact of unauthorised access, disclosure, modification or destruction of the asset as defined in the Information Classification Standard [2]. This Standard supplements and expands Section 6 the University s Information Security Policy [4]. The main purpose of this document is to state unequivocally the rules that apply when using mobile devices to access University held data. 1.3 Scope and Applicability This Standard applies to mobile devices only smartphones and tablet computers. Laptop computers, USB storage devices and other portable media are excluded from scope. It is part of the University s Information Security Management System (ISMS) and is subservient to the Information Security Policy (ISP) [4] and the General Conditions of Use [1]. This Standard applies to all Members of the University and, as determined by Legal Services and/or IT Services, to partners, third parties, external contractors, contingent workers, and other contributors, having access to the University s information resources. Control requirements in this Standard are defined to avoid breaches of any law, statutory, regulatory or contractual obligations. Where local laws and regulations require controls that are more restrictive than those identified in this Standard, those control requirements must be applied. The terminology used in this document conforms to the Information Security Glossary [3]. The requirements are stated using the MoSCoW prioritisation scheme. Page 3 of 7

4 1.4 Compliance Accountability for ensuring compliance lies with the appropriate Head of School or Director under advice from IT Services. In practice, this means ensuring that all staff that need access to from mobile devices are allocated a licence to the appropriate product and that all exceptions are formally approved by the Head of College or Registrar. 2 Responsibilities Objective: Ensure that ownership, custodianship, responsibility and accountability for information assets are clearly defined. All Staff and others as appropriate 1. Abide by the terms of the Information Security Policy [4] and General Conditions of Use of Computing and Network Facilities [1]. 2. Individuals have specific responsibilities for information and data security. They are responsible for taking reasonable precautions against breaches of confidentiality or integrity of the information they have access to. 3. Ensure that mobile devices used to access University held data are on the approved mobile device operating systems list, which can be found in the IT Services Knowledge Base article KB12006 on the IT Service Desk web site [5]. 4. Not to store University held data on unmanaged or unencrypted mobile devices. 5. To protect any University data held on mobile devices with a strong password as described in the Access Management Standard [6] section 4 and Appendix A. 6. Not to share usernames and passwords. 7. To keep passwords secure. 8. To notify the IT Service Desk within 1 working day of the loss or theft of any mobile device holding University data or applications ( or +44 (121) To notify the IT Service Desk within 1 working day in the event of any suspected instances of virus or malware infection on any mobile device holding University data or applications ( or +44 (121) ). IT Services Staff: 10. Provide and configure technical facilities to authorised staff. 11. Ensure that only mobile devices that are on the approved operating system product list are permitted to connect to University held data. 12. Maintain, update and publicise the approved mobile device operating systems lists. Heads of School and College Directors of Operations 13. Authorise budget centre staff remote access using approved mobile devices. 14. Identify and propose exceptions for individual staff members to be allowed to freely download messages from their University accounts without using approved mobile device management (MDM) or mobile application management (MAM) software. Heads of School are responsible for proposing exceptions for academic staff and College Directors of Operations for administrative staff. The exceptions will be approved by the Head of College. Directors of Professional Services 15. Authorise budget centre staff remote access using approved mobile devices. 16. Identify and propose exceptions for individual staff members to be allowed to freely download messages from their University accounts without using approved Page 4 of 7

5 3 Controls mobile device management (MDM) or mobile application management (MAM) software. The exceptions will be approved by the Registrar. Heads of College and Registrar 17. Approve exceptions from the requirement to access University using approved mobile device management (MDM) or mobile application management (MAM). The exceptions are proposed by the Heads of School for approval by their Heads of College and by corporate services directors to the Registrar. 3.1 Information Handling Objective: Ensure that information assets are handled according to their classification. 1. and data must not be stored on mobile devices unless appropriate measures as defined by IT Services have been taken to ensure the security of the information. 2. Confidential data may only be transferred across networks, or copied to other media, when the confidentiality and integrity of the data can be assured. 3. Confidential data must only be accessed in a secure manner from devices using an approved operating system, using supported delivery methods. 4. Where applicable, IT Services will provide guidance on alternative methods of using mobile devices to securely access data which do not involve storing any such data on the device. All users may access their university accounts via a web browser using Outlook Web Access (OWA) because it does not store messages or attachments locally. 3.2 Approved Operating System Lists 1. A list of approved mobile device operating systems will be published by IT Services and updated as required. 2. Mobile device operating systems not on the approved list will not be supported or permitted to connect to access controlled data held by the University. 3. Operating systems on the approved list which IT Services will supply on behalf of the University will be clearly indicated as such. 3.3 Authorisation, Granting Access Objective: Prevent unauthorised access to information resources by implementing controls that ensure the timely and controlled action relating to requesting, establishing, issuing, suspending and closing User IDs 1. Staff requiring access to University data on mobile devices must have the approval of a senior manager in their budget centre to do so. 2. Senior managers within their budget centre must give due consideration to the risks involved. Factors which will need to be taken into account include protection of confidential information and any legal issues. 3. Approved requests for the use of mobile devices must be submitted from the senior manager within the budget centre to IT Services. 4. Personally owned mobile devices may be used to access University held data, subject to the following conditions: a. The device meets the requirements of the approved devices and operating systems product list. b. Approval from a senior manager within the budget centre has been obtained. Page 5 of 7

6 3.4 Security of Mobile Devices c. Any required licences are purchased. d. The University will not reimburse data or other charges incurred through the use of personally owned mobile devices, which for the avoidance of doubt shall include roaming charges for data use incurred when using a mobile device overseas. Objective: Prevent unauthorised access by implementing controls that ensure the effectiveness of authentication and access mechanisms, and to prevent the fraudulent use of authentication credentials Passwords Passwords are subject to the general controls on authentication credentials defined in the Access Management Standard [6] section Security of Passwords the provisions concerning passwords and management of passwords outlined in section 2. Responsibilities must be observed. 2. Strong Passwords must be used, with at least 8 characters and contain letters and numbers, unless the device is configured to lock itself after no more than five consecutive unsuccessful sign-on attempts in succession and can only be unlocked by a University administrator. 3. Password Lifecycle passwords used to protect University data on mobile devices must be managed as defined in the Access Management Standard [6]. 4. Password Uniqueness passwords used for mobile device security should be different from the user s passwords used to gain access to other University systems and information resources Tampering with, modifying or adapting applications and security on mobile devices 1. Jailbreaking or rooting of any mobile device that holds or connects to University data is forbidden. 2. Tampering with, modifying or adapting any University provided software application installed on any mobile device is forbidden. 3.5 Change or Termination of Access Rights 1. The University reserves the right to withdraw access to and/or wipe remotely any University data whether stored within University owned applications or not which is held on mobile devices whether personally owned or University owned, in particular in the event of: a. Loss or theft of mobile devices. b. Jailbreaking or rooting of mobile devices. c. Tampering with, modifying or adapting any University provided software application installed on any mobile device d. Suspected virus or malware infections on mobile devices. 2. A member of staff s access to University owned data on mobile devices, whether personally owned or University owned, will be terminated immediately upon termination of employment with or engagement by the University and the University will forthwith remotely wipe any University data from such devices. Page 6 of 7

7 Glossary Control Information Asset ISMS Jailbreaking MAM MDM Member Mobile Device Mobile Operating System MoSCoW OWA Rooting Security Mechanism Smartphone Tablet University Held Data An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security incident. Controls may be: Preventative prevents impact upon an asset. Detective detects impact upon an asset. Reactive reacts to impact on an asset, includes: o Corrective actively reduces impact. o Recovery restores an asset after impact. A physical or virtual artefact containing data that realises information. This includes documents, s, databases etc. Information Security Management System the collection of information security documents and resources. A process of removing limitations imposed by mobile device manufacturers, through the use of hardware/software exploits, to gain privileged access. Also called Rooting. Mobile Application Management software that monitors and controls mobile apps. Mobile Device Management software that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises Member of the University as defined in the University Regulations. Smartphone or tablet computer. An operating system (such as Apple ios, Blackberry OS, Windows Phone or Google Android) designed specifically for use on mobile devices. Requirements prioritisation scheme: M must be met. S should be met if possible (high priority). C could be met in future if time and resources permit. W won t be met now, but may be considered in the future. Outlook Web Access a Microsoft web application used to access Exchange hosted accounts. See Jailbreaking. The realisation or implementation of a Control. A high specification mobile phone (such as Apple iphone, Blackberry and HTC phones) that offers advanced computing and internet connectivity features. A tablet sized computer (such as Apple ipad, Samsung Galaxy and Asus Transformer) that has many features of a full sized computer. Data normally held on University systems. This includes , calendar and contacts information. References [1]. General Conditions of Use of Computing and Network Facilities [2]. Information Classification Standard [3]. Information Security Glossary [4]. Information Security Policy [5]. Service Desk Knowledge Base article KB12006 [6]. Access Management Standard Page 7 of 7