In document Junta de Castilla y León (pages 54-57)

Rationale

The use of mobile devices has become essential to everyday communication. Mobile devices can provide employees with access to email, the Internet and even agency systems, allowing them to work from home, an airport lounge or hotel room. They provide greater accessibility, mobility, convenience and, importantly, efficiency.

While agencies should naturally embrace the potential of mobile devices, it is important to understand and evaluate the risks associated with their use and how they impact an agency’s security risk profile.

Once a mobile device leaves a controlled office environment, it also leaves behind the protection that environment affords. Some of the best qualities of mobile devices, such as their portability and capacity for use outside the office, have introduced new risks. The more capable these devices are of helping users access and use data, the more capable they are of being manipulated by malicious actors for the same end.

Poorly controlled mobile devices are vulnerable to loss and compromise, and may provide a malicious actor with an access point into an agency’s system. For instance, users who access websites and web-based email from their mobile devices can make themselves vulnerable to Internet-based threats, such as malware. The employee can then inadvertently expose the corporate network to these threats when they connect to the agency’s system from the same device. Further, agencies that allow business use of personal mobile devices can introduce significant risks to their information, as personal devices often do not have sufficient security features enabled, such as authentication controls and encryption. These risks apply equally to home-based workstations. Privacy rights should also be considered by agencies permitting the use of personal devices for business purposes, as access to records in the event of an incident can be restricted due to privacy concerns.

Agencies must also consider their obligations under relevant legislation, such as government data retention requirements under the Archives Act 1983.

It is important for agencies to identify the circumstances where the liability and security risks of using mobile devices outweigh the benefits. In particular, mobile devices carrying highly classified information should not be used outside of appropriately certified facilities, as the risk of classified information being overheard or observed is considered too high.

Although mobile networking alters the risks associated with various threats to security, the overall security objectives remain the same: maintaining confidentiality, integrity and availability of systems and their information. To reduce the risks of use, agencies must develop and implement policies to ensure users protect mobile devices in an appropriate manner when they are used outside controlled facilities, and that personnel working from home or outside the office protect information in the same manner as in the office environment.

Information on security considerations, technical controls and associated risk reduction measures for allowing the use of personal mobile devices for accessing agency information

PRINCIPLES: WORKING OFF-SITE

Scope

This chapter describes managing the use of mobile devices and accessing information from unsecured locations and home environments.

Principles

1. Acceptable Use

Prevent mobile devices from becoming a security risk to the system or network they connect to by implementing, and educating personnel on, an effective mobile device usage policy.

Information being communicated via a mobile device outside a controlled facility can be more easily overheard or observed by those not authorised to do so. An agency policy governing the use of mobile devices can help build awareness of the elevated risks relating to their use, and ensure confidentiality and integrity of information is maintained. Under an acceptable use policy, personnel need to know the classification of information which the device has been approved to process or communicate before use.24

Using mobile devices for both personal and business purposes can make them more susceptible to Internet-based threats. For instance, during personal web-browsing, personnel are more likely to open unidentified links or visit unfamiliar sites, which can bring about the spread of malware. Users also need to be aware that mobile applications can contain malicious code or malicious content that is installed along with the legitimate software.

Malware can provide an entry route into the associated business network as well as access to information stored or communicated on the mobile device.

Connecting mobile devices to an unknown or untrusted source (for charging or to provide network connectivity) can also pose a security risk to an agency. For example, if a smartphone is plugged into an unknown computer via a USB cable to charge, then the contents of the device could be compromised or malware loaded onto the device. For the same reason, agency users should not allow unknown or untrusted people to connect a mobile device to their laptop.

2. Mobile Device Configuration

Limit situations, or mitigate the consequences of situations, where a user loses control over a mobile device by securely configuring the device and implementing appropriate processes.

Most mobile devices have been designed for use outside the office and thus can be more easily accessed or stolen. Emergency destruction procedures and lost device labels can help reduce the risk of data spills when a mobile device is lost or compromised.

Proper encryption technology can enhance the security of information stored on a mobile device and help protect sensitive or classified information being communicated wirelessly or over unsecured public infrastructure from unauthorised access.

24 Symantec Corporation, Internet Security Threat Report 2013, 2013.

DID YOU KNOW? A Symantec study found a

3. Wireless Communications and Connectivity

Protect sensitive or classified information from unauthorised access by only enabling wireless communications on a mobile device that are needed and can be secured.

Wireless networks do not have the inbuilt physical security of wired networks, providing malicious actors with greater opportunities to connect to agency networks remotely. The wireless transfer of information, for instance through Bluetooth, infrared or Wi-Fi, can serve as an illicit entry point for an entire network. When using public wireless access points, malicious actors can easily intercept information being communicated, including secure log-on details, using basic software available on the Internet.

4. Upkeep and Maintenance

Maintain the integrity and confidentiality of the information stored or communicated on a mobile device by conducting regular audits and security updates.

Although agencies may initially provide a secure mobile device, the state of security may degrade over time. It is important for agencies to remain aware of new vulnerabilities as the information technology environment evolves. Keeping security software up to date will protect the mobile device from new variants of malware and viruses that threaten an agency’s critical information.25

5. Working From Home

Prevent systems or mobile devices from becoming a weak link in an agency system’s security by ensuring that home environments used for business purposes meet the minimum security requirements in the Australian Government Physical Security Management Protocol of the Australian Government Protective Security Policy Framework.

If sensitive or classified information is being accessed by personnel working from home, specifically when information systems and devices are used, it needs to be afforded the same protection as in the office environment.

References

Information relating to physical security is contained in the Australian Government Physical Security Management Protocol of the Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au.

For further information on working from home see the Australian Government Physical Security Management Guidelines—Working Away From the Office, which can be found at www.protectivesecurity.gov.au.

Information on enterprise mobility considerations can be found in ASD’s Protect publication

DID YOU KNOW?

More than 200,000 mobile phones are reported lost or stolen each year in Australia. This equates to 4,000 each week, or one mobile phone every 3 minutes.26
