T5.7.1 - ACCESS CONTROL FOR MOBILE DEVICES Implementation Guidance
The entity shall adopt the appropriate security measures to protect against the risks of using portable and mobile devices.
Usage restrictions and implementation guidance for mobile devices include, for example: configuration management; device identification and authentication; mandatory protective software (e.g., malicious code detection, a host firewall); scanning devices for malicious code; keeping virus protection software up to date; scanning for critical software updates and patches; integrity checks of the primary operating system (and possibly of other resident software); and disabling unnecessary hardware (e.g., wireless, infrared). Entities are cautioned that providing adequate security for mobile devices goes beyond the requirements of this control. Many relevant safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog; those controls are allocated to the initial control baselines, which serve as starting points for developing security plans and overlays through the tailoring process.
The entity should:
1. Prohibit the use of unclassified mobile devices in facilities containing information systems that process, store, or transmit classified information unless specifically permitted by the authorizing official (see T2.2.5 - WORKING IN SECURE AREAS Implementation Guidance).
2. Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems that process, store, or transmit classified information:
- Connection of unclassified mobile devices to classified information systems is prohibited;
- Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
- Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited;
- Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by the assigned security officials, and if classified information is found, the incident handling policy is followed.
Also see T1.2.4 - ACCEPTABLE BRING YOUR OWN DEVICE (BYOD) ARRANGEMENTS Implementation Guidance for acceptable use of BYOD.