Under Annex A control A.6.2.1, the organisation must be able to demonstrate a policy and supporting security controls to reduce the risk posed by mobile or remote devices.
As a result of this, it is the organisation's responsibility to issue a mobile device policy that covers the registration and de-registration of mobile devices, physical security requirements, technical security requirements including remote connections, software control, access control, and encryption at rest and in transit.
The mobile device policy should include all of the above topics, stating the business's requirements for the use of mobile devices and when they are appropriate. It is in this policy that the company should specify its expectations for topics such as bring your own device (BYOD).
BYOD is a hot topic in information security, with many practitioners agreeing that the risks posed by unmanaged, personally owned devices are too great. However, ISO 27001 does not specify whether BYOD is or is not permitted – it simply requires that the organisation determines this, issues a policy stating its intentions and monitors compliance with this policy through audit or technical controls.
The use of BYOD must be determined by the organisation and documented in the mobile device policy
For example, a mobile device policy may state that “only corporately issued and managed devices can be used to process company data” and that “unauthorized devices must not be used to access, store or process company data”. If this is the policy, the organisation must monitor for the use of unauthorized devices and specify what the consequences of not adhering to the policy may be, e.g. disciplinary procedures.
As well as BYOD, the mobile device policy should address technical subjects such as access control, secure configuration and remote access methods. For example, the organisation may require its employees to utilize secure authentication methods such as two-factor authentication and to connect only over encrypted channels such as VPNs.
If these methods of connection are specified, as above, compliance with the policy should be enforced technically, monitored and reported on. In most cases, if the technical capability is not there to support the policy, users will not adhere to it, so including VPN clients in device builds and reminding users of the need for secure authentication goes a long way.
Mobile security controls should be defined by policy and implemented technically
Other considerations should include physical security of devices in public areas, shoulder surfing and other physical security issues. Employees should be aware of the need to protect their devices from unauthorized access at all times, especially in public places such as on trains and in coffee shops. The policy should include a section addressing these requirements.
Once the policy has been issued, signed off by management and communicated to all employees, the organisation should continue to monitor compliance through auditing and technical controls. For example, mobile device management (MDM) tools may be used to enforce policy and monitor for policy violations. Furthermore, logs may be reviewed periodically to identify unauthorized access attempts.
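As an added example, not taken from the original post, the following Python check implements the monitoring described above: it compares a constructed access log against a hypothetical device registry and reports every event that breaches the policy's registered-device, MDM-managed, VPN and two-factor requirements. The log format, the registry layout and the rule names are assumptions.

```python
"""Added compliance check: flag access events that breach a mobile device
policy (registered, MDM-managed devices only; VPN channel; MFA required)."""
from dataclasses import dataclass

# Constructed device registry (hypothetical): device id -> owner and MDM status.
DEVICE_REGISTRY = {
    "dev-1001": {"owner": "alice", "managed": True},
    "dev-1002": {"owner": "bob", "managed": True},
    "dev-2001": {"owner": "carol", "managed": False},  # registered BYOD, not enrolled
}

# Constructed sample access log in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2024-03-01T08:01:00Z user=alice device=dev-1001 channel=vpn mfa=yes
ts=2024-03-01T08:05:00Z user=bob device=dev-1002 channel=direct mfa=yes
ts=2024-03-01T08:09:00Z user=carol device=dev-2001 channel=vpn mfa=yes
ts=2024-03-01T08:12:00Z user=dave device=dev-9999 channel=vpn mfa=no
ts=2024-03-01T08:15:00Z user=eve device=dev-1001 channel=vpn mfa=yes
"""


@dataclass
class Violation:
    ts: str
    user: str
    device: str
    rule: str


def check_compliance(log_text, registry=DEVICE_REGISTRY):
    """Return one Violation per policy rule breached by each log event."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = dict(kv.split("=", 1) for kv in line.split())  # parse key=value pairs

        def flag(rule):
            violations.append(Violation(e["ts"], e["user"], e["device"], rule))

        entry = registry.get(e["device"])
        if entry is None:
            flag("unregistered-device")  # never registered under the policy
        else:
            if not entry["managed"]:
                flag("unmanaged-device")  # registered but not MDM-enrolled
            if entry["owner"] != e["user"]:
                flag("device-owner-mismatch")  # registered device used by another user
        if e.get("channel") != "vpn":
            flag("no-vpn")  # policy requires encrypted remote access
        if e.get("mfa") != "yes":
            flag("no-mfa")  # policy requires two-factor authentication
    return violations
```

Feeding the output into the periodic compliance report gives the audit trail the policy requires, and the same rules can be tightened or relaxed as the policy changes.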