Mobile Security Standard
Title: Mobile Security Standard – Mobile Device Security
Category: RESTRICTED
Version: 1.0, 18/07/2013 (Published)
Author: , IT Services
Contents
1 Introduction
1.1 Background
1.2 Purpose
1.3 Scope and Applicability
1.4 Compliance
2 Responsibilities
3 Controls
3.1 Information Handling
3.2 Approved Operating System Lists
3.3 Authorisation, Granting Access
3.4 Security of Mobile Devices
3.4.1 Passwords
3.4.2 Tampering with, modifying or adapting applications and security on mobile devices
3.5 Change or Termination of Access Rights
Glossary
References
Document Control
Version 0.1, 21/05/13: Code of practice developed for the Mobile Security project.
Version 0.2, 30/05/13: Reformatted to standard document template and updated with minor changes decided by UEB.
Version 1.0, 18/07/13: Updated with minor comments from ISSG members and published.
IT Services / Mobile Security Standard 18/07/2013
1 Introduction
1.1 Background
The University operates in a highly competitive global market for students, staff and research funding in which information is a valuable asset, a significant amount of which is commercially sensitive. At the same time the University must comply with the law and protect its interests – avoiding or mitigating the risk of damage or prejudice resulting from unauthorised or accidental disclosure, modification or destruction of information.
Information security, or information assurance, is concerned with maximising the business benefit conferred by information while ensuring that the University also fulfils its legal and contractual obligations through achieving a balance between:
Confidentiality – preserving authorised restrictions on information access and disclosure, including means of preserving personal privacy and proprietary information. A loss of confidentiality is the unauthorised disclosure of information.
Integrity – guarding against improper information falsification, modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the falsification, unauthorised modification or destruction of information.
Availability – ensuring that information is made available as and when required for the University to conduct its business efficiently and without delay. Information that is not available may be secure but delivers no business benefit.
The widespread use of mobile devices such as smartphones and tablet computers introduces new security risks when University members use them to access and store confidential information, such as email messages and files, on devices that are easily lost, stolen or shared.
1.2 Purpose
This Standard defines controls that protect information assets under the ownership or custodianship of the University, based upon the potential impact of unauthorised access, disclosure, modification or destruction of the asset as defined in the Information Classification Standard [2].
This Standard supplements and expands Section 6 of the University’s Information Security Policy [4]. The main purpose of this document is to state unequivocally the rules that apply when using mobile devices to access University held data.
1.3 Scope and Applicability
This Standard applies to mobile devices only – smartphones and tablet computers. Laptop computers, USB storage devices and other portable media are excluded from scope.
It is part of the University’s Information Security Management System (ISMS) and is subservient to the Information Security Policy (ISP) [4] and the General Conditions of Use [1]. This Standard applies to all Members of the University and, as determined by Legal Services and/or IT Services, to partners, third parties, external contractors, contingent workers, and other contributors, having access to the University’s information resources.
Control requirements in this Standard are defined to avoid breaches of any law, statutory, regulatory or contractual obligations. Where local laws and regulations require controls that are more restrictive than those identified in this Standard, those control requirements must be applied.
The terminology used in this document conforms to the Information Security Glossary [3]. The requirements are stated using the MoSCoW prioritisation scheme.
1.4 Compliance
Accountability for ensuring compliance lies with the appropriate Head of School or Director, under advice from IT Services. In practice, this means ensuring that all staff who need access to email from mobile devices are allocated a licence for the appropriate product, and that all exceptions are formally approved by the Head of College or the Registrar.
2 Responsibilities
Objective: Ensure that ownership, custodianship, responsibility and accountability for information assets are clearly defined.
All Staff and others as appropriate
1. Abide by the terms of the Information Security Policy [4] and General Conditions of Use of Computing and Network Facilities [1].
2. Individuals have specific responsibilities for information and data security. They are responsible for taking reasonable precautions against breaches of confidentiality or integrity of the information they have access to.
3. Ensure that mobile devices used to access University held data are on the approved mobile device operating systems list, which can be found in the IT Services Knowledge Base article KB12006 on the IT Service Desk web site [5].
4. Not to store University held data on unmanaged or unencrypted mobile devices.
5. To protect any University data held on mobile devices with a strong password as described in the Access Management Standard [6] section 4 and Appendix A.
6. Not to share usernames and passwords.
7. To keep passwords secure.
8. To notify the IT Service Desk within 1 working day of the loss or theft of any mobile device holding University data or applications (www.itservicedesk.bham.ac.uk or +44 (121) 414 7171).
9. To notify the IT Service Desk within 1 working day in the event of any suspected instances of virus or malware infection on any mobile device holding University data or applications (www.itservicedesk.bham.ac.uk or +44 (121) 414 7171).
IT Services Staff:
10. Provide and configure technical facilities to authorised staff.
11. Ensure that only mobile devices that are on the approved operating system product list are permitted to connect to University held data.
12. Maintain, update and publicise the approved mobile device operating systems lists.
Heads of School and College Directors of Operations
13. Authorise budget centre staff remote access using approved mobile devices.
14. Identify and propose exceptions for individual staff members to be allowed to freely download email messages from their University email accounts without using approved mobile device management (MDM) or mobile application management (MAM) software. Heads of School are responsible for proposing exceptions for academic staff and College Directors of Operations for administrative staff. The exceptions will be approved by the Head of College.
Directors of Professional Services
15. Authorise budget centre staff remote access using approved mobile devices.
16. Identify and propose exceptions for individual staff members to be allowed to freely download email messages from their University email accounts without using approved mobile device management (MDM) or mobile application management (MAM) software. The exceptions will be approved by the Registrar.
Heads of College and Registrar
17. Approve exceptions from the requirement to access University email using approved mobile device management (MDM) or mobile application management (MAM) software. Exceptions are proposed by Heads of School for approval by their Heads of College, and by Directors of Professional Services for approval by the Registrar.
3 Controls
3.1 Information Handling
Objective: Ensure that information assets are handled according to their classification.
1. Email and data must not be stored on mobile devices unless appropriate measures as defined by IT Services have been taken to ensure the security of the information.
2. Confidential data may only be transferred across networks, or copied to other media, when the confidentiality and integrity of the data can be assured.
3. Confidential data must only be accessed in a secure manner from devices using an approved operating system, using supported delivery methods.
4. Where applicable, IT Services will provide guidance on alternative methods of using mobile devices to securely access data which do not involve storing any such data on the device. All users may access their University email accounts via a web browser using Outlook Web Access (OWA), which renders messages in the browser rather than synchronising them to the device. Note that any attachment a user chooses to download from OWA is saved to the device and is then subject to the controls in this Standard.
3.2 Approved Operating System Lists
1. A list of approved mobile device operating systems will be published by IT Services and updated as required.
2. Mobile device operating systems not on the approved list will not be supported or permitted to connect to access controlled data held by the University.
3. Operating systems on the approved list which IT Services will supply on behalf of the University will be clearly indicated as such.
3.3 Authorisation, Granting Access
Objective: Prevent unauthorised access to information resources by implementing controls that ensure timely and controlled action relating to requesting, establishing, issuing, suspending and closing User IDs.
1. Staff requiring access to University data on mobile devices must have the approval of a senior manager in their budget centre to do so.
2. Senior managers within their budget centre must give due consideration to the risks involved. Factors which will need to be taken into account include protection of confidential information and any legal issues.
3. Approved requests for the use of mobile devices must be submitted from the senior manager within the budget centre to IT Services.
4. Personally owned mobile devices may be used to access University held data, subject to the following conditions:
a. The device meets the requirements of the approved devices and operating systems product list.
c. Any required licences are purchased.
d. The University will not reimburse data or other charges incurred through the use of personally owned mobile devices, which for the avoidance of doubt shall include roaming charges for data use incurred when using a mobile device overseas.
3.4 Security of Mobile Devices
Objective: Prevent unauthorised access by implementing controls that ensure the effectiveness of authentication and access mechanisms, and prevent the fraudulent use of authentication credentials.
3.4.1 Passwords
Passwords are subject to the general controls on authentication credentials defined in the Access Management Standard [6] section 4.1.
1. Security of Passwords – the provisions concerning passwords and the management of passwords set out in section 2 (Responsibilities) must be observed.
2. Strong Passwords – must be used: at least 8 characters long and containing both letters and numbers, unless the device is configured to lock itself after no more than five consecutive unsuccessful sign-on attempts and can only be unlocked by a University administrator.
3. Password Lifecycle – passwords used to protect University data on mobile devices must be managed as defined in the Access Management Standard [6].
4. Password Uniqueness – passwords used for mobile device security should be different from the user’s passwords used to gain access to other University systems and information resources.
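The following Python script is an added example, not part of the Standard or of any University tooling. It checks an Apple configuration profile (.mobileconfig) Passcode payload against item 2 above: the payload passes if it either enforces a strong password (minLength of at least 8 with requireAlphanumeric) or locks the device out after at most five failed attempts (maxFailedAttempts). The sample profiles are constructed inline; the PayloadIdentifier and PayloadUUID values are placeholders.

```python
import plistlib

# Thresholds from section 3.4.1 item 2 of the Standard.
MIN_LENGTH = 8            # strong password: at least 8 characters ...
MAX_FAILED_ATTEMPTS = 5   # ... or lock after no more than 5 consecutive failures

# PayloadType of Apple's Passcode payload inside a .mobileconfig profile.
PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_profile(passcode_settings):
    """Wrap one Passcode payload in a minimal configuration profile.

    Used here only to construct sample profiles; the identifiers and UUIDs
    are placeholders, not values from any real deployment.
    """
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Passcode",
    }
    payload.update(passcode_settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadDisplayName": "Mobile Security Standard passcode profile",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def load_passcode_payload(profile_bytes):
    """Parse a .mobileconfig (XML plist) and return its Passcode payload, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return payload
    return None


def check_passcode_policy(payload):
    """Return a list of findings; an empty list means the payload meets 3.4.1 item 2."""
    if payload is None:
        return ["no Passcode payload: the device will not enforce a passcode at all"]
    findings = []
    if not payload.get("forcePIN", False):
        findings.append("forcePIN is false: the user is not required to set a passcode")

    # Route A: a strong password (length >= 8, letters and numbers required).
    min_length = payload.get("minLength", 0)
    alphanumeric = payload.get("requireAlphanumeric", False)
    strong = min_length >= MIN_LENGTH and alphanumeric

    # Route B: lock-out after at most five consecutive failed attempts.
    # Caveat: on iOS, exceeding maxFailedAttempts erases the device, which is
    # more drastic than the administrator-unlock the Standard describes.
    max_failed = payload.get("maxFailedAttempts")
    locks_out = max_failed is not None and 1 <= max_failed <= MAX_FAILED_ATTEMPTS

    if not (strong or locks_out):
        findings.append(
            "neither route satisfied: minLength=%s requireAlphanumeric=%s "
            "maxFailedAttempts=%s" % (min_length, alphanumeric, max_failed)
        )
    return findings


# Constructed sample profiles (not real University profiles).
WEAK_PROFILE = build_profile(
    {"forcePIN": True, "minLength": 4, "requireAlphanumeric": False}
)
STRONG_PASSWORD_PROFILE = build_profile(
    {"forcePIN": True, "minLength": 8, "requireAlphanumeric": True}
)
LOCKOUT_PROFILE = build_profile(
    {"forcePIN": True, "minLength": 6, "maxFailedAttempts": 5}
)


def audit(profile_bytes):
    """Parse a profile and return the findings for its Passcode payload."""
    return check_passcode_policy(load_passcode_payload(profile_bytes))


if __name__ == "__main__":
    for name, profile in [("weak", WEAK_PROFILE),
                          ("strong password", STRONG_PASSWORD_PROFILE),
                          ("lock-out", LOCKOUT_PROFILE)]:
        result = audit(profile)
        print(name, "->", "compliant" if not result else "; ".join(result))
```

The check deliberately mirrors the "unless" in item 2: a six-character passcode is accepted only because the profile also limits failed attempts. To audit a real exported profile, read its bytes from disk and pass them to audit(); the same keys apply whether the profile was built by hand or pushed by an MDM.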
3.4.2 Tampering with, modifying or adapting applications and security on mobile devices
1. ‘Jailbreaking’ or ‘rooting’ of any mobile device that holds or connects to University data is forbidden.
2. Tampering with, modifying or adapting any University provided software application installed on any mobile device is forbidden.
3.5 Change or Termination of Access Rights
1. The University reserves the right to withdraw access to and/or wipe remotely any University data whether stored within University owned applications or not which is held on mobile devices whether personally owned or University owned, in particular in the event of:
a. Loss or theft of mobile devices.
b. Jailbreaking or rooting of mobile devices.
c. Tampering with, modifying or adapting any University provided software application installed on any mobile device
d. Suspected virus or malware infections on mobile devices.
2. A member of staff’s access to University owned data on mobile devices, whether personally owned or University owned, will be terminated immediately upon termination of employment with or engagement by the University and the University will forthwith remotely wipe any University data from such devices.
Glossary
Control – An administrative, procedural, technical, physical or legal means of preventing or managing the impact upon an asset of an information security incident. Controls may be:
  Preventative – prevents impact upon an asset.
  Detective – detects impact upon an asset.
  Reactive – reacts to impact on an asset; includes:
    Corrective – actively reduces impact.
    Recovery – restores an asset after impact.
Information Asset – A physical or virtual artefact containing data that realises information. This includes documents, emails, databases etc.
ISMS – Information Security Management System: the collection of information security documents and resources.
Jailbreaking – A process of removing limitations imposed by mobile device manufacturers, through the use of hardware/software exploits, to gain privileged access. Also called Rooting.
MAM – Mobile Application Management: software that monitors and controls mobile apps.
MDM – Mobile Device Management: software that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
Member – Member of the University as defined in the University Regulations.
Mobile Device – Smartphone or tablet computer.
Mobile Operating System – An operating system (such as Apple iOS, BlackBerry OS, Windows Phone or Google Android) designed specifically for use on mobile devices.
MoSCoW – Requirements prioritisation scheme:
  M – must be met.
  S – should be met if possible (high priority).
  C – could be met in future if time and resources permit.
  W – won’t be met now, but may be considered in the future.
OWA – Outlook Web Access: a Microsoft web application used to access Exchange hosted email accounts.
Rooting – See Jailbreaking.
Security Mechanism – The realisation or implementation of a Control.
Smartphone – A high specification mobile phone (such as Apple iPhone, BlackBerry and HTC phones) that offers advanced computing and internet connectivity features.
Tablet – A tablet sized computer (such as Apple iPad, Samsung Galaxy and Asus Transformer) that has many features of a full sized computer.
University Held Data – Data normally held on University systems. This includes email, calendar and contacts information.
References
[1] General Conditions of Use of Computing and Network Facilities, http://www.it.bham.ac.uk/policy/
[2] Information Classification Standard, http://www.it.bham.ac.uk/policy/
[3] Information Security Glossary, http://www.it.bham.ac.uk/policy/
[4] Information Security Policy, http://www.it.bham.ac.uk/policy/
[5] IT Service Desk Knowledge Base article KB12006