S 2.188 Security guidelines and rules for the use of mobile phones
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, IT Security Officer
There are numerous ways of protecting mobile phones against misuse. To ensure that they are actually used, a security policy specifying all security mechanisms to be implemented should be drawn up. In addition, a brief and clearly written leaflet on the secure use of mobile phones should be drawn up for the users.
Types of data that accrue
Once a mobile phone is switched on, it registers with the network operator via the nearest base station. The network operator logs and stores data about the user's identity, the serial number of the mobile phone, and the ID of the base station used for registration. This happens even if no call is made using the mobile phone. Furthermore, every attempt to establish a connection, whether successful or not, is stored.
The types of data accruing within the framework of telecommunications can roughly be divided into three groups:
- Inventory data (also master data) refers to the data continuously stored and provided in a service or network. This includes the telephone number and possibly the name and the address of the subscriber, information on the type of terminal device, features and authorisations which may be available in each case for the connection, as well as data regarding the assignment to subscriber groups.
- Content data refers to the actual "user data", i.e. the transmitted information and messages.
- Call detail records provide information about the further particulars of communication procedures. These include information about the communication partner (e.g. telephone numbers of the calling and the called connection), time and duration of the connection, system services used, connections used, lines and other technical equipment, services and - for mobile services - the location identifiers of the mobile terminal devices.
Recommendations on how this data can be protected against misuse are provided below.
Protection against the misuse of cards
The mobile phone and the SIM card must always be kept securely. They should never be left unsupervised during business trips. In particular, they should not be left in vehicles.
Mobile phones and the services offered in connection with them can be secured by PINs or passwords at several points. These include:
- access to the SIM card,
- access to the actual terminal device, i.e. the mobile phone,
- access to certain functions of the mobile phone, e.g. the telephone book,
- access to the voice mail, i.e. the answering machine function, or other services of the network operator,
- access to data with the network operator (in the event of billing-related questions to the hotline, a password may have to be stated).
All of these security mechanisms should actually be used (see also S 4.114 Use of the security mechanisms provided on mobile phones). The protection of the SIM card is certainly the most important, since its misuse may cause significant financial damage. The personal identification number (PIN) must not be kept together with the SIM card belonging to the mobile phone.
If the SIM card is lost, the card should be blocked immediately with the network operator in order to prevent potential misuse and therefore significant financial damage (see S 2.189 Blocking of the mobile phone in the event of its loss).
In order to detect misuse of the SIM card in good time, the itemised bill should always be checked for unexplained charges and destination phone numbers.
Itemised bill
The network operator stores the data of the call for billing purposes. In Germany, the network operator is only allowed to store this data until the time of billing, and for a maximum of 80 days in accordance with the TDSV (German Telecommunications Data Protection Ordinance - Data Protection Ordinance for Companies providing Telecommunications Services). However, for the customer it may make sense to allow the network operator to store the data of the call for a longer period in case there are subsequent billing issues.
Every customer should request an itemised bill in order to be able to control the use of the mobile phone. In Germany, the customers are entitled to a free itemised bill. This itemised bill may be used to obtain the following information, for example:
- billing date,
- called telephone number (complete, or with the last digits masked),
- start, end, or duration of the connection,
- cost of the call.
Anyone who also uses the mobile phone must be informed about the fact that an itemised bill was requested and about the data captured on this bill.
If itemised bills are maintained and evaluated to control the costs in a government agency and/or company, the procedure must be coordinated with the Personnel and/or Supervisory Board and the Data Protection Officer and the users must be informed accordingly.
The itemised bills should always be checked for correctness upon receipt. This may also be used to discover where costs could be reduced.
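The following is an added example, not part of the original safeguard text, showing how the check described here can be made routine: it reads an itemised bill and, optionally, the phone's own call log (both constructed sample data in an assumed CSV layout; real operator exports differ) and lists the entries a reviewer should look at: destinations outside the expected country prefixes, assumed premium-rate prefixes, unusually expensive single connections, and connections the phone made that are missing from the bill or carry no charge, which the safeguard later notes may be an indicator of eavesdropping and should be queried with the operator.

```python
"""Plausibility check of an itemised mobile phone bill (added example).

Assumed input formats (constructed for this example; real operator exports
differ): the bill as CSV with date, time, called number (last digits masked
by the operator with 'x'), duration and cost, and optionally the phone's own
call log with the full dialled numbers. Flagged are:
  - destinations outside the expected country prefixes,
  - calls to assumed premium-rate prefixes,
  - single connections above a cost threshold,
  - connections in the phone's log that are missing from the bill or carry
    no charge.
"""
import csv
import io

# Constructed sample bill as a network operator might itemise it.
SAMPLE_BILL = """date,time,called_number,duration_s,cost_eur
2024-03-04,09:12,+492289582xxx,180,0.28
2024-03-04,11:40,+491712345xxx,95,0.15
2024-03-05,22:05,+2347012345xxx,640,12.90
2024-03-06,08:30,+49900123456xx,300,9.50
2024-03-06,14:02,+492289582xxx,60,0.00
"""

# Constructed call log from the phone itself (what the user actually dialled).
SAMPLE_PHONE_LOG = """date,time,called_number,duration_s
2024-03-04,09:12,+492289582536,180
2024-03-04,11:40,+491712345678,95
2024-03-06,14:02,+492289582536,60
2024-03-06,16:45,+492289582536,120
"""

EXPECTED_PREFIXES = ("+49",)             # home country; extend per roaming policy
PREMIUM_PREFIXES = ("+49900", "+49137")  # assumption: premium-rate ranges to flag
MAX_COST_EUR = 5.00                      # assumption: per-connection review threshold


def parse_records(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def masked_match(masked, full):
    """True if an operator-masked number ('x' placeholders) matches a full number."""
    if len(masked) != len(full):
        return False
    return all(m == "x" or m == f for m, f in zip(masked, full))


def check_bill(bill_text, phone_log_text=None):
    """Return a list of (finding_kind, record) tuples for manual review."""
    findings = []
    bill = parse_records(bill_text)
    for rec in bill:
        num = rec["called_number"]
        cost = float(rec["cost_eur"])
        if num.startswith(PREMIUM_PREFIXES):
            findings.append(("premium-rate", rec))
        elif not num.startswith(EXPECTED_PREFIXES):
            findings.append(("unexpected-destination", rec))
        if cost > MAX_COST_EUR:
            findings.append(("high-cost", rec))
    if phone_log_text is None:
        return findings
    # Cross-check: every call the phone made should appear on the bill with a charge.
    for call in parse_records(phone_log_text):
        billed = [
            r for r in bill
            if r["date"] == call["date"] and r["time"] == call["time"]
            and masked_match(r["called_number"], call["called_number"])
        ]
        if not billed:
            findings.append(("not-on-bill", call))
        elif all(float(r["cost_eur"]) == 0.0 for r in billed):
            findings.append(("zero-charge", call))
    return findings


if __name__ == "__main__":
    for kind, rec in check_bill(SAMPLE_BILL, SAMPLE_PHONE_LOG):
        print(f"{kind:24s} {rec['date']} {rec['time']} {rec['called_number']}")
```

The prefix lists and the cost threshold are where the organisation's own rules go (roaming agreements, permitted countries, rate structure); the cross-check against the phone's log only works if users are told to keep the phone's call list and not to clear it before the bill arrives.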
Disclosure of the telephone number
The user may select whether and which data about the mobile phone connection is entered into public telephone directories and/or made available for queries using directory assistance. A telephone directory entry makes it easier to call communication partners. However, this does not make sense for all operational purposes, e.g. for mobile phones from a pool or if the number of calls is to be kept low.
If calling line identity presentation (CLIP) is enabled, the communication partners (depending on their equipment) can see the number calling them. This service can generally be enabled or disabled by the network operator for a mobile phone.
Calling line identity restriction
In the GSM network, the communication partners involved may be provided with the respective telephone numbers. If this is not desired, S 5.79 Protection against call number identification during use of mobile phones should be taken into consideration.
Protection against bugging of phone calls
The only effective protection against the content of phone calls being listened in on is interoperable, cross-network end-to-end encryption. Since this encryption is not implemented, every connection may potentially be listened in on, regardless of whether in the fixed or mobile phone network. However, the communication between mobile phone and base station is encrypted automatically in Germany and in most other countries.
The following safeguards can be recommended to reduce the threat:
- Phone calls should not be made anywhere and at any time. An undisturbed area should be found for making telephone calls (this also reduces the nuisance for other people).
- As a matter of principle, no telephone calls with confidential content should be made.
- Some mobile phones indicate on their display when the transmission between mobile phone and base station is not encrypted. If this indication is provided, the users should be informed accordingly. Now and then, the users should look at the display in order to make sure that encryption is actually being performed. For example, there are some countries where the communication between mobile phone and base station is not encrypted.
- There are also some, relatively expensive, mobile phones that are capable of providing end-to-end encryption for the communication. However, both communication partners must have compatible devices for this. This may make sense if highly sensitive information is to be disclosed frequently using the mobile phone.
- During data transmission, e.g. from a laptop using GSM, the transmitted data should be encrypted on the terminal device beforehand. There are numerous programs which allow this to be done easily.
- If mobile phones and/or SIM cards are changed regularly, listening in on phone calls in a targeted manner becomes extremely time-consuming. Changing them may therefore be expedient when highly sensitive information and/or data is transmitted.
- It should be checked whether the subscriber was charged with all call charges. Missing charges for certain connections may be indicative of eavesdropping.
Raising user awareness
Since the risk of eavesdropping in the field of telecommunications is often treated carelessly, government agencies and/or companies should verify whether the measures taken so far to inform their employees about threats in the telecommunications sector are sufficient. It may be appropriate to inform the employees regularly about the risks of eavesdropping in order to raise their awareness.
The employees should also be informed that they should not disclose confidential information without thinking twice. In particular, the communication partner must be asked to identify him/herself before providing detailed information (see also T 3.45 Inadequate checking of the identity of communication partners). When using mobile phones, the employees should furthermore make sure that confidential messages are not discussed in public.
Sensational but incorrect warnings circulate time and again (see also T 5.80 Hoax). The employees should be informed about new hoaxes as quickly as possible so that no valuable working time is wasted on verifying the plausibility of such messages. There are various information services that forward corresponding warnings.
Rules for using mobile phones
When mobile phones are used in a government agency or company, some items must be clarified. This applies to the use of both private and official mobile phones.
Use of private mobile phones
If official equipment is insufficient, private mobile phones may be used for official purposes. In this case, the following aspects must be clarified beforehand:
- Who will pay for official calls and how are these billed?
- State-of-the-art mobile phones contain calendars, address books, email support, etc. In order to reasonably use these functions, synchronisation with a PC is usually required. Therefore, it must be clarified whether installing the hardware and software required for this is allowed.
Use of official mobile phones
Likewise, a number of items must be clarified when using official mobile phones:
- It must be clarified whether and/or to what extent private calls may be made using official mobile phones.
- It should be considered whether the use of the mobile phones should be restricted to certain communication partners, e.g. in order to prevent unnecessary costs or to limit the disclosure of information (see also S 2.42 Determination of potential communications partners). For this, an organisational specification may be provided, but it is also possible to enforce this technically, as described further below under "Call restrictions" and "Closed user group".
- The users should also receive information about the incurred costs for official mobile phones in order to keep these as low as possible. For example, the users should be informed about the rate structure and roaming agreements so that they are able to select the most reasonable network operators when abroad.
- Users should be informed of the care they should take with their mobile phones to avoid loss or theft and to ensure a long service life of the device (e.g. battery care, storage outside the office or residential spaces, sensitivity of the device to excessively high or low temperatures).
- Rules should be set for the administration, maintenance, and passing on of mobile phones. For this, creating a mobile phone pool is recommendable (see S 2.190 Setting up a mobile phone pool).
- Every time the user changes, all necessary PINs must be passed on securely (see S 2.22 Escrow of passwords).
General rules
Regardless of whether privately or officially purchased mobile phones are used, the employer should clarify in writing
- that the driver of officially used vehicles must not use the mobile phone while driving, since otherwise the driver may be subject to joint accident liability,
- that official secrets must not be disclosed using the mobile phone. Here, the risk is less that the communication is listened in on along the connection (via the network) than that persons in the immediate vicinity overhear the conversation,
- that users must satisfy themselves of the identity of the communication partners and not draw any premature conclusions before disclosing internal information.
If possible, mobile phones should not be left unattended. If a mobile phone must be left in a vehicle, the device should not be visible from the outside. The device can be covered or locked up in the boot. A mobile phone is of sufficient value to attract potential thieves.
If mobile phones are used on site in third party offices, the security policies of the visited organisation must be observed.
Mobile phones should not be left unprotected in external premises such as hotel rooms. All password protection mechanisms should be enabled at this point, at the latest. Locking the device up in a cabinet will discourage casual thieves.
Information about the costs
GSM phone calls are becoming less expensive every year, but there are some options that may incur high costs in the long run. Since the structure of rates and charges is subject to frequent changes, the users should regularly obtain information as to what costs are incurred by which connection types, connection times, and other options.
For example, answering a phone call may even be subject to charges when using mobile phones if the person called is located abroad or has enabled call forwarding to the fixed network. Since the caller is not able to know where the person called is located, the caller is not charged with the forwarding costs.
Availability rules
Even when using a mobile phone, a user may not be able or may not want to be available at all times. For example, it does not make a good impression if mobile phones are used whenever possible. Mobile phones should be switched off during meetings or presentations, as far as possible. At the very least, the ringtone should be switched off or set to a quiet and discreet mode. Using the mobile phone should be avoided in the first place whenever speaking freely is not possible (meetings, restaurants, etc.).
On the other hand, the availability of the user should also be ensured. For this, there are different possibilities, for example
- availability periods may be specified,
- the answering machine function may be used, or
- calls can be forwarded to a secretary's office.
Ban on using mobile phones
Whether there ought to be restrictions on the use of mobile phones, or even on taking them along to all or certain areas of a government agency or a company should be considered. For example, this could make sense for meeting rooms (see also S 5.80 Protection against bugging of indoor conversations using mobile phones). If the organisation's security strategy does not allow mobile phones to be brought along, this must be clearly indicated at all entrances. Checks should then be made at regular intervals to ensure that the strategy is adhered to.
The use of mobile phones may possibly also have adverse effects on the functionality of other technical devices. Therefore, mobile phones must be switched off on aeroplanes or in intensive care units. Other sensitive IT systems may also be disturbed by mobile phones. For example, this has been observed in server rooms and computer centres. Possible interferences are more unlikely the lower the transmitting power of the mobile phone and/or the farther away it is.
For IT systems used to process sensitive data or connected to a computer network, no mobile phone cards should be permitted (see also S 5.81 Secure transmission of data over mobile phones).
There is no absolute protection against the unauthorised transfer of data using mobile phones - particularly in the case of insiders. However, bringing along mobile phones should be prohibited in sensitive areas and regular checks regarding the compliance with this ban should be performed.
Telephone book
The telephone book of a mobile phone can be used to store telephone numbers with the related names or additional details. A telephone book may be stored on the terminal device, i.e. the mobile phone, or on the SIM card. Their contents do not necessarily match. Accordingly, PINs may optionally be used to protect access to the telephone book in the memory of the terminal device and/or on the SIM card.
Whether telephone numbers are preferably stored to the terminal device or the SIM card depends on different considerations, for example the level of complexity of backing up the data to other media (see S 6.72 Precautions relating to mobile phone failures). In general, the data should preferably be stored to the SIM card, since
- the data is thereby also available on other devices if the SIM card is changed and
- this potentially sensitive data can be removed easily from the device (important during repair work or when changing users, for example).
If possible, only one type of storage should be selected. This telephone book should be used in order to store all important telephone numbers so that these are available at any time. The stored telephone numbers should be checked occasionally as to whether they still are correct and/or needed. All telephone numbers should be stored in such a way that they can be called from anywhere in the world, i.e. including the country and local area codes. Since only the country codes are coordinated internationally, not the zero, every telephone number should be entered starting with a "+", followed by the country code (e.g. +49 for Germany), local area code without leading zero, and then the telephone number. An entry may appear as follows: +4922895825369 IT-Grundschutz Hotline.
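The following is an added example, not part of the original safeguard, that applies the entry rule above to a whole telephone book: every entry is rewritten to the "+", country code, area code without leading zero, subscriber number form, and entries that cannot be resolved (a local number without area code) or that duplicate an existing number under another name are reported for manual correction. The home country code, the national trunk prefix and the international dialling prefix are assumptions passed as parameters (defaults for Germany); the sample entries are constructed.

```python
"""Normalise telephone book entries to the international "+" format (added example).

Assumptions (not from the original safeguard): the home country code, the
national trunk prefix and the international dialling prefix are known and
passed as parameters (defaults for Germany: +49, trunk "0", international
prefix "00"). Separators such as spaces, dashes, slashes and dots are
ignored, and a "(0)" written after the country code is dropped.
"""
import re

E164_BODY = re.compile(r"[0-9]{7,15}")  # ITU E.164 allows at most 15 digits


def normalise_number(raw, home_country_code="49", trunk_prefix="0", intl_prefix="00"):
    """Return the number as '+<country code><area code><subscriber number>'.

    Raises ValueError if the number cannot be resolved to a full international
    form, e.g. a bare local number without area code.
    """
    cleaned = raw.replace("(0)", "")                  # "+49 (0) 228 ..." convention
    cleaned = re.sub(r"[\s\-/().]", "", cleaned)      # drop separators
    if cleaned.startswith("+"):
        body = cleaned[1:]
    elif cleaned.startswith(intl_prefix):             # "0049 ..." -> "49 ..."
        body = cleaned[len(intl_prefix):]
    elif cleaned.startswith(trunk_prefix):            # "0228 ..." -> "49228 ..."
        body = home_country_code + cleaned[len(trunk_prefix):]
    else:
        raise ValueError(f"no country or area code recognisable in {raw!r}")
    if not E164_BODY.fullmatch(body):
        raise ValueError(f"{raw!r} does not yield a valid international number")
    return "+" + body


def normalise_book(entries, **kwargs):
    """Normalise a list of (name, raw_number) entries.

    Returns (accepted, rejected): accepted maps the normalised number to the
    name, rejected lists (name, raw_number, reason) for manual correction.
    The same number stored under a second, different name is rejected too.
    """
    accepted, rejected = {}, []
    for name, raw in entries:
        try:
            number = normalise_number(raw, **kwargs)
        except ValueError as exc:
            rejected.append((name, raw, str(exc)))
            continue
        if number in accepted and accepted[number] != name:
            rejected.append((name, raw, f"duplicate of {accepted[number]!r}"))
            continue
        accepted[number] = name
    return accepted, rejected


# Constructed sample entries as users typically type them.
SAMPLE_ENTRIES = [
    ("IT-Grundschutz Hotline", "0228 95825369"),
    ("Hotline (alt. spelling)", "+49 (0) 228/958 25 369"),
    ("Partner US", "+1 (202) 555-0143"),
    ("Branch office", "0049 30 123456-0"),
    ("Local only", "958 25 369"),
]

if __name__ == "__main__":
    ok, bad = normalise_book(SAMPLE_ENTRIES)
    for number, name in ok.items():
        print(f"{number:18s} {name}")
    for name, raw, reason in bad:
        print(f"REJECTED {name!r} {raw!r}: {reason}")
```

The trunk-prefix rule is deliberately a parameter rather than a constant: a book normalised with the German defaults would silently produce wrong numbers for entries typed abroad, so the home country must be set per phone (or per SIM card) before the book is converted.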
If the mobile phone is used by several users, only the jointly used telephone numbers should be stored here. Furthermore, the option of preventing any changes to the telephone book using the existing blocking options should be used.
Use of the answering machine function
In general, an answering machine function can be enabled for a mobile telephone by the network operator. With this, incoming calls are stored to so-called voice mail with the network operator, which may be retrieved by the user at any time. This may make sense, but normally incurs additional costs.
Voice mail access should be protected by a PIN. Even if the voice mail is not used, the preset PIN should be changed quickly in order to prevent third parties from using this function.
Recorded messages should be retrieved regularly. All users must be informed about how to retrieve messages.
Call forwarding
The call forwarding function can be used in order to redirect incoming calls to the voice mail or to another telephone number. There are several variants:
- All incoming calls can be forwarded.
- Calls are only forwarded if the line is occupied.
- Calls are only forwarded if the connection is not available, e.g. due to a dead zone or because the mobile phone is switched off.
- Certain types of calls may be forwarded, e.g. voice calls, data calls, or fax calls.
It should however be taken into consideration that forwarding calls to landline connections may incur high costs, since the person called must bear the costs of forwarding him/herself.
Call restrictions
Call restrictions may be used in order to block telephone calls to or from a telephone number. These functions are provided by the network operator and may be changed using the mobile phone. For this, a password must generally be entered.
Call restrictions may make sense if the mobile phone is to be handed over to third parties. There are different options for call restrictions:
- Restriction of all outgoing calls: only incoming calls are possible; no telephone numbers can be called, except for the emergency numbers.
- Restriction of all outgoing international calls: when this restriction is enabled, only telephone numbers of the country one is currently located in can be dialled. It is still possible to receive calls from abroad.
- Restriction of all outgoing international calls, except for home country calls: the home country (of the network operator) may still be called from abroad. Calls to other countries are not possible.
- Restriction of all incoming calls: any telephone number can be dialled, but disturbances caused by incoming calls are ruled out.
- Restriction of all incoming calls when abroad: within the home country it is still possible to make and receive phone calls as usual. However, no phone calls can be received abroad. This option may make sense since answering phone calls abroad sometimes incurs high charges.
Whether and which type of call restrictions should be selected depend on the type of application of the respective mobile phone.
Closed user group
The "Closed user group" service can be used to restrict communications to the members of this group (see also S 5.47 Configuration of a Closed User Group).
The group members must be registered with the network operator. The "Closed user group" option can be enabled in the mobile phone. The configuration of closed user groups may make sense in order to restrict data transfer using mobile phone networks, for example.
Review questions:
- Is there an up-to-date security policy for the use of mobile phones?
- Were the users of mobile phones informed of the rules they are required to follow?
- Have the users of mobile phones been informed of how to store them properly?