Mobile Device Security Requirements and Recommendations

Resource: SANS Securing the Human video “Mobile Device Security”

There are both required and recommended (optional) elements of a secure mobile device. The required elements of security (denoted throughout as “Requirement”) apply to any personally-owned, university-owned or university-issued device that accesses university data, including email.

Securing Your Device

Password protection / lock

Requirement

See specific implementation guidelines for further details.

  • Use password protection on all mobile devices.
  • Follow the guidelines for establishing passwords as allowed by your device.
  • Configure devices to require a password for access after power on prior to initial use, and again after a short period of inactivity.
  • Configure devices to lock out further access after a number of failed password attempts.
  • Change your mobile device password at least once a year.
  • Use two-factor authentication on the device if available.
  • When an application requests permission to use features or data on your device, consider whether that application actually needs those permissions before granting them. Granting only the permissions an application needs helps protect your device from malware.

Loss or theft protection

Prevention

Requirement

Document the serial number of your device.

Recommendation

  • Take appropriate physical security measures to prevent theft of mobile devices.
  • Never leave your mobile device unattended in a non-secure location.

If the device is lost/stolen

Requirement

  • Report loss or theft of any mobile device (regardless of ownership) to your department and wireless carrier (if applicable).
  • For university-owned devices, follow the procedure for reporting lost/stolen assets: (link)
  • Immediately change any passwords saved on the device unless stored only in a secure password keeper application.

Recommendation

Initiate a remote wipe of the device if it has not been recovered within a reasonable time period, to reduce the risk of exposure of university data as well as personal data.

Recovery/Tracking

Recommendation

  • Include appropriate contact information on the device. For example, put
    “If found, please call [include number]”
    on the lock screen or engrave the information on the device.
  • Set up your device-specific lost/stolen location services (e.g., GPS tracking) to assist in the recovery of the device.

Antivirus protection

Requirement

  • Install antivirus software on the device, if available.
  • Configure antivirus software to auto-update definitions in a timely manner and verify that the update mechanism is functioning correctly.

Device updates

Requirement

  • Use vendor-supported versions of your operating system and any installed applications.
  • Apply updates and patches in a timely manner.

Recommendation

  • Configure the device and the applications on it to automatically apply updates.
  • Remove applications that are no longer being used.

Securing Your Data

Access and storage

Requirement

Comply with the data security restrictions applicable to the data you are accessing from or storing on your mobile device.

Encryption

Requirement

Use encryption software or built-in encryption options on the device to protect sensitive University data.

Backup

Recommendation

  • Regularly back up all data on your mobile device. Consider using multiple backup mechanisms. If you travel, have a portable backup device that you can take with you (carried separately and similarly secured).
  • Make regular backups of your important data from your mobile device to a server, preferably university-managed.

Password storage

Recommendation

  • Disable remembering of passwords on your device unless required for syncing or connecting to wireless networks.
  • Use a secure password keeper application if storing passwords on your mobile device.

Data retention

Recommendation

  • Consider whether it is necessary to store data on your mobile device for the long term.
  • Remove any university data no longer being used from the device.

Securing Your Communications

Wireless network access

Requirement

Disable auto-join of newly discovered wireless networks.

Recommendation

  • Disable any wireless networking features not currently in use (Wi-Fi, Bluetooth).
  • Use VPN (https://vpn.ncsu.edu) when accessing university data over any non-university or non-secure network. This includes cable modem, DSL, 3G/4G/WiMax, off-campus Wi-Fi, and the current non-secure NOMAD wireless network.

Bluetooth devices

Requirement

When pairing with a Bluetooth device, set a new PIN or password rather than keeping the default, zero or null value, wherever the device allows it.

Recommendation

Secure all other wireless communications used by your device, such as infrared.

Sharing / tethering Internet connections over Wi-Fi/Bluetooth

Requirement

  • Disable Internet sharing/tethering when not in use.
  • Set a strong password (not your Unity password) for access when tethering other devices to your mobile device over Wi-Fi/Bluetooth.

Emerging Technologies

  • New mobile device features with security implications are continually being introduced, such as Apple’s AirPlay, which allows a user to share content with multimedia presentation devices over the wireless network.
  • Requirements and guidelines will need to evolve along with the technology to ensure safety and security.
  • Additional requirements may therefore be put into effect as needed.