ISO 27001 Annex: A.6.2 Mobile Devices and Teleworking
-
- 23 June 2021
The goal of the program is to ensure the security of teleworking and mobile device use.
A.6.2.1 Mobile Device Policy
Control
Mobile device use introduces several risks to the organization. Safety policies and related measures should be implemented to minimize risks.
Implementation Guidance
When using mobile devices, a great deal of care must be taken to protect business information. Working with mobile devices in unsecured environments should be taken into account in the mobile device policy.
Among these are essential elements of mobile device policy:
1. Mobile device registration;
2. Physical protection requirements;
3. Restrictions on the installation of the software;
4. Technical requirements for mobile device software updates and patch installations;
5. Restrictions on access to information services;
6. Cryptographic techniques; Access controls;
7. Protection against malware;
8. Disabling remotely,
9. A lockout or erasure;
10. Creating backups;
11. The use of web services and web applications.
Mobile devices should be used with caution in public places, such as meeting rooms and other unprotected areas. To prevent unauthorized access to the devices’ stored and processed data, preventative measures should be taken, such as employing cryptographic techniques and using secret authentication codes.
Physically securing mobile devices is also important, especially in vehicles and other modes of transportation, hotels, convention centres, and public venues. For cases of theft or loss of mobile devices, a protocol should be chosen that takes into account the regulatory, insurance, and other security requirements of the organization. When devices contain sensitive business information, it is vital to protect them physically or by using special locks. Items containing this type of sensitive information should not be ignored, and if possible, kept secure.
Workers who use mobile devices must be trained to better understand the potential risks associated with this method of operating as well as controls that should be in place.
As part of the mobile device policy, there will also be rules and security controls related to the use of private mobile devices, including:
1. Having personal and business devices used separately, including using a software tool to make personal devices safer and business data more accessible;
2. Allowing access to business data only when an end-user agreement has been signed (such as a physical safeguard, software update, etc.) grants the client the right to wipe all data if the client is burglarized, loses a device, or isn’t authorized to use the service. This strategy must take into account the Privacy Legislation.
Other Information
Mobile devices make use of wireless networks similar to other types of networks, however, changes should be considered when determining how to detect a secure device.
Here are some of the significant differences:
1. Certain wireless security protocols are in their infancy and have defined issues;
2. If there is not enough network bandwidth, mobile device storage may not be backed up, and it may not even be possible to schedule a backup when devices are not connected.
Networking, Internet access, e-mail, and data handling, among other functions, are common across mobile as well as fixed-use devices. For security on mobile devices, it is typically either a matter of using those within the organization’s fixed-use systems or countering the risks presented by their use outside.
A.6.2.2 Teleworking
Control
A policy, as well as security measures, must be implemented in teleworking sites to protect data accessed, processed, or stored.
Implementation Guidance
Teleworking organizations are encouraged to formulate teleworking policies. In cases that are deemed relevant and authorized by law, you may consider the following:
1. Report on the physical security of the teleworking site, taking into consideration the physical security of buildings and, consequently, the local environment;
2. The physical environment proposed for teleworking;
3. Security requirements for communications, taking into account how direct access needs to be granted to the internal network, the sensitive nature of the information that is to be obtained and communicated through the contact channel, including the vulnerability of internal systems;
4. Enabling virtual desktop access to prevent information from being processed and stored on private hardware;
5. The possibility of unauthorized access to resources and information by people using the amenities, e.g. relatives and friends.
6. The use and configuration of home networks, and any requirements or limitations;
7. Disputes over property rights involving privately-owned equipment;
8. Obtaining access to private facilities (including those used to test the security of the device or for investigations), unless prohibited by law;
9. These organizations may be responsible for licensing client software for workstations owned by their employees or by external parties such as service providers and vendors;
10. Firewall and malware protection requirements.
Following are the guidelines and arrangements to be followed:
– In cases where the organization cannot allow the use of private devices not under its control, the procurement of suitable teleworking facilities and storage furniture is required;
– A description of the work that can be done, the hours it will take to complete, what information needs to be stored, and what internal systems a teleworker will have access to;
– Implementing a secure remote access method as well as a reliable communication system;
– Provide physical safety, insurance coverage, and support and maintenance for software and hardware
– Guidelines for accessing the equipment and information available to families and visitors;
– Audit and security monitoring,
– Planning the backup and continuity of the business
– Following termination of teleworking operations, authorization and privileges are revoked, as well as facilities are removed.
Other Information
Telecommunications apply to all types of working practices, especially non-traditional ones, with terms like telework, flexible working, virtual work, and remote work.
Related Questions
1. What are the requirements of ISO 27001?
2. What are the controls of ISO 27001?
3. How do information processing facilities work?
4. What does physical and environmental security mean?
5. Describe ISO 27001 Annex: A.6.2 Mobile Devices and Teleworking
6. What controls are in ISO 27001 Annex: A.6.2 Mobile Devices and Teleworking?
