Mobile Security

Mobile security policies are a key component of the Information Security Program.

MOS Control Domains

MOS-01: Anti-Malware -

  • MOS-01.1: Do you provide anti-malware training specific to mobile devices as part of your information security awareness training?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-02: Application Stores -

  • MOS-02.1: Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-03: Approved Applications -

  • MOS-03.1: Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications, and only those from approved application stores, can be loaded onto a mobile device?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-04: Approved Software for BYOD -

  • MOS-04.1: Do your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-05: Awareness Training -

  • MOS-05.1: Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-06: Cloud Based Services -

  • MOS-06.1: Do you have a documented list of pre-approved cloud-based services that are allowed for the use and storage of company business data via a mobile device?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-07: Compatibility -

  • MOS-07.1: Do you have a documented application validation process for testing device, operating system, and application compatibility issues?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-08: Device Eligibility -

  • MOS-08.1: Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-09: Device Inventory -

  • MOS-09.1: Do you maintain an inventory of all mobile devices storing and accessing company data, including device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-10: Device Management -

  • MOS-10.1: Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-11: Encryption -

  • MOS-11.1: Does your mobile device policy require the use of encryption, either for the entire device or for data identified as sensitive, enforced through technology controls on all mobile devices?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-12: Jailbreaking and Rooting -

  • MOS-12.1: Does your mobile device policy require the use of encryption, either for the entire device or for data identified as sensitive, enforced through technology controls on all mobile devices?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-12.2: Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-13: Legal -

  • MOS-13.1: Does your BYOD policy clearly define the expectation of privacy and the requirements for litigation, e-discovery, and legal holds?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-13.2: Does the BYOD policy clearly state the expectations regarding the loss of non-company data in case a wipe of the device is required?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-14: Lockout Screen -

  • MOS-14.1: Do you require, and enforce via technical controls, an automatic lockout screen for BYOD and company-owned devices?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-15: Operating Systems -

  • MOS-15.1: Do you manage all changes to mobile device operating systems, patch levels, and applications via your company's change management processes?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-16: Passwords -

  • MOS-16.1: Do you have password policies for enterprise-issued mobile devices and/or BYOD mobile devices?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-16.2: Are your password policies enforced through technical controls (e.g., MDM)?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-16.3: Do your password policies prohibit changing the authentication requirements (e.g., password/PIN length) from a mobile device?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-17: Policy -

  • MOS-17.1: Do you have a policy that requires BYOD users to perform backups of specified corporate data?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-17.2: Do you have a policy that prohibits BYOD users from using unapproved application stores?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-17.3: Do you have a policy that requires BYOD users to use anti-malware software (where supported)?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-18: Remote Wipe -

  • MOS-18.1: Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-18.2: Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-19: Security Patches -

  • MOS-19.1: Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-19.2: Do your mobile devices allow company IT personnel to remotely validate that the latest security patches have been downloaded?

Policy to be referenced here is INSERT
*Action item: INSERT

MOS-20: Users -

  • MOS-20.1: Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?

Policy to be referenced here is INSERT
*Action item: INSERT

  • MOS-20.2: Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?

Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None