Mobile Security Standard




Title: Mobile Security Standard
Category: Mobile Device Security
Version: 18/07/2013 PUBLISHED
Author: , IT Services
Contact: itsecurity@contacts.bham.ac.uk

Contents

1 Introduction ... 3
  1.1 Background ... 3
  1.2 Purpose ... 3
  1.3 Scope and Applicability ... 3
  1.4 Compliance ... 4
2 Responsibilities ... 4
3 Controls ... 5
  3.1 Information Handling ... 5
  3.2 Approved Operating System Lists ... 5
  3.3 Authorisation, Granting Access ... 5
  3.4 Security of Mobile Devices ... 6
    3.4.1 Passwords ... 6
    3.4.2 Tampering with, modifying or adapting applications and security on mobile devices ... 6
  3.5 Change or Termination of Access Rights ... 6
Glossary ... 7
References ... 7

Document Control

Version  Date      Author  Description
0.1      21/05/13          Code of practice developed for the Mobile Security project
0.2      30/05/13          Reformatted to standard document template and updated with minor changes decided by UEB.
1.0      18/07/13          Updated with minor comments from ISSG members and published.

Page 2 of 7

1 Introduction

1.1 Background

The University operates in a highly competitive global market for students, staff and research funding in which information is a valuable asset, a significant amount of which is commercially sensitive. At the same time the University must comply with the law and protect its interests, avoiding or mitigating the risk of damage or prejudice resulting from unauthorised or accidental disclosure, modification or destruction of information. Information security, or information assurance, is concerned with maximising the business benefit conferred by information while ensuring that the University also fulfils its legal and contractual obligations, through achieving a balance between:

Confidentiality: preserving authorised restrictions on information access and disclosure, including means of preserving personal privacy and proprietary information. A loss of confidentiality is the unauthorised disclosure of information.

Integrity: guarding against improper information falsification, modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the falsification, unauthorised modification or destruction of information.

Availability: ensuring that information is made available as and when required for the University to conduct its business efficiently and without delay. Information that is not available may be secure but delivers no business benefit.

1.2 Purpose

The widespread use of mobile devices such as smartphones and tablet computers creates new security vulnerabilities when they are used by University members to access and store confidential information in the form of email messages and files. This Standard defines controls that protect information assets under the ownership or custodianship of the University, based upon the potential impact of unauthorised access, disclosure, modification or destruction of the asset as defined in the Information Classification Standard [2].

This Standard supplements and expands Section 6 of the University's Information Security Policy [4]. The main purpose of this document is to state unequivocally the rules that apply when using mobile devices to access University held data.

1.3 Scope and Applicability

This Standard applies to mobile devices only: smartphones and tablet computers. Laptop computers, USB storage devices and other portable media are excluded from scope. It is part of the University's Information Security Management System (ISMS) and is subservient to the Information Security Policy (ISP) [4] and the General Conditions of Use [1].

This Standard applies to all Members of the University and, as determined by Legal Services and/or IT Services, to partners, third parties, external contractors, contingent workers and other contributors having access to the University's information resources.

Control requirements in this Standard are defined to avoid breaches of any law, statutory, regulatory or contractual obligations. Where local laws and regulations require controls that are more restrictive than those identified in this Standard, those control requirements must be applied.

The terminology used in this document conforms to the Information Security Glossary [3]. The requirements are stated using the MoSCoW prioritisation scheme.

1.4 Compliance

Accountability for ensuring compliance lies with the appropriate Head of School or Director, under advice from IT Services. In practice, this means ensuring that all staff who need access to email from mobile devices are allocated a licence to the appropriate product and that all exceptions are formally approved by the Head of College or Registrar.

2 Responsibilities

Objective: Ensure that ownership, custodianship, responsibility and accountability for information assets are clearly defined.

All Staff and others as appropriate
1. Abide by the terms of the Information Security Policy [4] and General Conditions of Use of Computing and Network Facilities [1].
2. Individuals have specific responsibilities for information and data security. They are responsible for taking reasonable precautions against breaches of confidentiality or integrity of the information they have access to.
3. Ensure that mobile devices used to access University held data are on the approved mobile device operating systems list, which can be found in the IT Services Knowledge Base article KB12006 on the IT Service Desk web site [5].
4. Not to store University held data on unmanaged or unencrypted mobile devices.
5. To protect any University data held on mobile devices with a strong password as described in the Access Management Standard [6] section 4 and Appendix A.
6. Not to share usernames and passwords.
7. To keep passwords secure.
8. To notify the IT Service Desk within 1 working day of the loss or theft of any mobile device holding University data or applications (www.itservicedesk.bham.ac.uk or +44 (121) 414 7171).
9. To notify the IT Service Desk within 1 working day in the event of any suspected instances of virus or malware infection on any mobile device holding University data or applications (www.itservicedesk.bham.ac.uk or +44 (121) 414 7171).

IT Services Staff
10. Provide and configure technical facilities to authorised staff.
11. Ensure that only mobile devices that are on the approved operating system product list are permitted to connect to University held data.
12. Maintain, update and publicise the approved mobile device operating systems lists.

Heads of School and College Directors of Operations
13. Authorise budget centre staff remote access using approved mobile devices.
14. Identify and propose exceptions for individual staff members to be allowed to freely download email messages from their University email accounts without using approved mobile device management (MDM) or mobile application management (MAM) software. Heads of School are responsible for proposing exceptions for academic staff and College Directors of Operations for administrative staff. The exceptions will be approved by the Head of College.

Directors of Professional Services
15. Authorise budget centre staff remote access using approved mobile devices.
16. Identify and propose exceptions for individual staff members to be allowed to freely download email messages from their University email accounts without using approved mobile device management (MDM) or mobile application management (MAM) software. The exceptions will be approved by the Registrar.

Heads of College and Registrar
17. Approve exceptions from the requirement to access University email using approved mobile device management (MDM) or mobile application management (MAM). The exceptions are proposed by the Heads of School for approval by their Heads of College, and by corporate services directors to the Registrar.

3 Controls

3.1 Information Handling

Objective: Ensure that information assets are handled according to their classification.

1. Email and data must not be stored on mobile devices unless appropriate measures, as defined by IT Services, have been taken to ensure the security of the information.
2. Confidential data may only be transferred across networks, or copied to other media, when the confidentiality and integrity of the data can be assured.
3. Confidential data must only be accessed in a secure manner from devices using an approved operating system, using supported delivery methods.
4. Where applicable, IT Services will provide guidance on alternative methods of using mobile devices to securely access data which do not involve storing any such data on the device. All users may access their University email accounts via a web browser using Outlook Web Access (OWA), because it does not store messages or attachments locally.

3.2 Approved Operating System Lists

1. A list of approved mobile device operating systems will be published by IT Services and updated as required.
2. Mobile device operating systems not on the approved list will not be supported or permitted to connect to access controlled data held by the University.
3. Operating systems on the approved list which IT Services will supply on behalf of the University will be clearly indicated as such.
3.3 Authorisation, Granting Access

Objective: Prevent unauthorised access to information resources by implementing controls that ensure timely and controlled action relating to requesting, establishing, issuing, suspending and closing User IDs.

1. Staff requiring access to University data on mobile devices must have the approval of a senior manager in their budget centre to do so.
2. Senior managers within their budget centre must give due consideration to the risks involved. Factors which will need to be taken into account include protection of confidential information and any legal issues.
3. Approved requests for the use of mobile devices must be submitted from the senior manager within the budget centre to IT Services.
4. Personally owned mobile devices may be used to access University held data, subject to the following conditions:
   a. The device meets the requirements of the approved devices and operating systems product list.
   b. Approval from a senior manager within the budget centre has been obtained.
   c. Any required licences are purchased.
   d. The University will not reimburse data or other charges incurred through the use of personally owned mobile devices, which for the avoidance of doubt shall include roaming charges for data use incurred when using a mobile device overseas.

3.4 Security of Mobile Devices

Objective: Prevent unauthorised access by implementing controls that ensure the effectiveness of authentication and access mechanisms, and prevent the fraudulent use of authentication credentials.

3.4.1 Passwords

Passwords are subject to the general controls on authentication credentials defined in the Access Management Standard [6] section 4.1.

1. Security of Passwords: the provisions concerning passwords and management of passwords outlined in section 2, Responsibilities, must be observed.
2. Strong Passwords: strong passwords must be used, with at least 8 characters and containing letters and numbers, unless the device is configured to lock itself after no more than five consecutive unsuccessful sign-on attempts and can only be unlocked by a University administrator.
3. Password Lifecycle: passwords used to protect University data on mobile devices must be managed as defined in the Access Management Standard [6].
4. Password Uniqueness: passwords used for mobile device security should be different from the user's passwords used to gain access to other University systems and information resources.

3.4.2 Tampering with, modifying or adapting applications and security on mobile devices

1. Jailbreaking or rooting of any mobile device that holds or connects to University data is forbidden.
2. Tampering with, modifying or adapting any University provided software application installed on any mobile device is forbidden.

3.5 Change or Termination of Access Rights

1. The University reserves the right to withdraw access to, and/or remotely wipe, any University data held on mobile devices, whether the data is stored within University owned applications or not and whether the device is personally owned or University owned, in particular in the event of:
   a. Loss or theft of mobile devices.
   b. Jailbreaking or rooting of mobile devices.
   c. Tampering with, modifying or adapting any University provided software application installed on any mobile device.
   d. Suspected virus or malware infections on mobile devices.
2. A member of staff's access to University owned data on mobile devices, whether personally owned or University owned, will be terminated immediately upon termination of employment with or engagement by the University, and the University will forthwith remotely wipe any University data from such devices.

Glossary

Control: An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security incident. Controls may be:
   - Preventative: prevents impact upon an asset.
   - Detective: detects impact upon an asset.
   - Reactive: reacts to impact on an asset, and includes:
       - Corrective: actively reduces impact.
       - Recovery: restores an asset after impact.

Information Asset: A physical or virtual artefact containing data that realises information. This includes documents, emails, databases etc.

ISMS: Information Security Management System, the collection of information security documents and resources.

Jailbreaking: A process of removing limitations imposed by mobile device manufacturers, through the use of hardware/software exploits, to gain privileged access. Also called Rooting.

MAM: Mobile Application Management, software that monitors and controls mobile apps.

MDM: Mobile Device Management, software that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

Member: Member of the University as defined in the University Regulations.

Mobile Device: Smartphone or tablet computer.

Mobile Operating System: An operating system (such as Apple iOS, Blackberry OS, Windows Phone or Google Android) designed specifically for use on mobile devices.

MoSCoW: Requirements prioritisation scheme:
   - M: must be met.
   - S: should be met if possible (high priority).
   - C: could be met in future if time and resources permit.
   - W: won't be met now, but may be considered in the future.

OWA: Outlook Web Access, a Microsoft web application used to access Exchange hosted email accounts.

Rooting: See Jailbreaking.

Security Mechanism: The realisation or implementation of a Control.

Smartphone: A high specification mobile phone (such as Apple iPhone, Blackberry and HTC phones) that offers advanced computing and internet connectivity features.

Tablet: A tablet sized computer (such as Apple iPad, Samsung Galaxy and Asus Transformer) that has many features of a full sized computer.

University Held Data: Data normally held on University systems. This includes email, calendar and contacts information.

References

[1] General Conditions of Use of Computing and Network Facilities, http://www.it.bham.ac.uk/policy/
[2] Information Classification Standard, http://www.it.bham.ac.uk/policy/
[3] Information Security Glossary, http://www.it.bham.ac.uk/policy/
[4] Information Security Policy, http://www.it.bham.ac.uk/policy/
[5] Service Desk Knowledge Base article KB12006
[6] Access Management Standard, http://www.it.bham.ac.uk/policy/