This document describes the security guidelines developed for mobile devices. Like desktop computers, mobile devices (such as iPads, Android tablets, mobile phones, PDAs, and laptop computers) must be appropriately secured to prevent sensitive data from being lost or compromised, to reduce the risk of spreading viruses, and to mitigate other forms of abuse to computing infrastructure. 

User Responsibilities and Procedures 

  • Password-protect your mobile device – Physical security is a major concern for mobile devices, which tend to be small and easily lost or misplaced. If your mobile device is lost or stolen, a device password may be all that stands in the way of someone reading your email and other sensitive data. 
  • Choose a strong password. The security of your system is only as strong as the password you select to protect it. Review ISO guidelines for selecting a secure password. 
  • It may be difficult to type especially complex passwords on the small keypad of some devices, but it is important that you try to choose a strong, effective password that is not easily guessed.  
  • Use an anti-malware app – Mobile devices can be just as susceptible to malware and viruses as desktop computers. This is new terrain for hackers, but industry analysts expect viruses, Trojans, spam, and all manner of scams to grow as the mobile device market grows. Examples encountered to date include malicious versions of well-known apps like “Angry Birds”, bitcoin mining software that consumes the battery and your data plan, and malware that silently installs other apps and backdoors. 
  • Encrypt your device if this is possible – Mobile devices are easier to steal and to lose. Their convenience makes it more likely that they’ll be carried everywhere, put down, and lost. Your mobile device might be configured with important passwords that would enable the thief to access your e-mail, credit card information, or most importantly, CMU’s institutional data. Encryption automatically comes with the iPhone/iPad 3 and later, and Android phones/tablets that run Gingerbread 2.3.4 and later OS versions. 
  • Promptly report a lost or stolen device – In some cases a device can be remotely deactivated, thus preventing email or other sensitive data from being exposed. Understand what options are available to you and exercise them promptly when necessary.  
  • Verify encryption mechanisms – Your accounts and passwords should never travel unencrypted over a wireless network. Wireless network traffic can be easily sniffed. Therefore, any sensitive data, especially login information, should always be encrypted.  
  • Disable options and applications that you don’t use – Reduce security risk by limiting your device to only necessary applications and services. You won’t need to manage security updates for applications you don’t use and you may even conserve device resources like battery life. Bluetooth and IR are two examples of services that can open your device to unwelcome access if improperly configured. 
  • Regularly back up your data – Be sure to have a backup copy of any necessary data in case your mobile device is lost or damaged. Consider using multiple backup mechanisms and, if you travel, have a portable backup device that you can take with you. 
  • Follow safe disposal practices – When you are ready to dispose of your device, be sure to remove all sensitive information first.  
  • Keep your operating system up-to-date – To mitigate security threats, you need to accept updates and patches to your mobile device’s operating software by enabling automatic updates, or accept updates when prompted by the device manufacturer, operating system provider, service provider or application provider. 
  • Avoid jailbreaking – Tampering with your mobile device's factory security settings makes it more susceptible to attacks or makes it more likely that your device will attack other systems. 
  • Verify applications before downloading – Some apps could be harmful to your mobile device, either by carrying malware or by directing you to a malicious website that may collect your sensitive information (e.g. credit card information).  To protect yourself and your device, run a search about the app you plan to download to assess the legitimacy of the app and people’s experience with it. Also, make sure that you download apps from a well-known trusted source. 
  • Turn off WiFi and Bluetooth – When not connected to secure networks, ensure that WiFi and Bluetooth are switched off; otherwise the device will be searching for networks and devices to connect with, which can be a vulnerability.  
  • User Agreement Policy – Establish and communicate a mobile user policy that protects your business and your employees. Implement a User Agreement policy that outlines how and for what the phone is to be used, the user's obligations for duty of care when using the device, responsibility for the condition of the device, chargeback for excessive usage, deletion of user profiles on exiting the business, etc.