S 2.309 Security policies and rules for the use of mobile IT
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, IT Security Officer
IT systems used outside one's own organisation are exposed to more risks than those operated inside protected premises. But there are many means to protect mobile IT systems when travelling. In order to ensure that these means are also used, a security policy specifying all the security mechanisms to be implemented should be drawn up. In addition, a brief and clearly laid out leaflet on the secure use of mobile IT systems should be drawn up for the users.
Raising user awareness
Experience has shown that the smaller and lighter IT systems become, the more thoughtlessly they are handled. The employees' awareness of the value of mobile IT systems and of the value of the information stored on them should therefore be raised. Since mobile IT systems offer a broad range of variants and combination possibilities (from mobile phones to PDAs to laptops with WLAN interfaces), employees should be informed, in particular, of the specific threats and safeguards pertaining to the devices they use.
It should also be pointed out to the employees that they should not pass on confidential information to arbitrary persons when travelling and that the exchange of information should not be performed within hearing or viewing distance of third parties. In particular, the communication partner must be asked to identify himself before providing detailed information (see also T 3.45 Inadequate checking of the identity of communication partners).
Rules on using mobile IT systems
A number of issues need to be clarified when using mobile IT systems:
- The users must be informed of which information may be processed on mobile IT systems when travelling. The data should be classified such that the restrictions become transparent to the users (see also S 2.217 Careful classification and handling of information, applications and systems). Professional or official secrets may only be processed on mobile IT systems if suitable and approved security mechanisms are used for this purpose.
- Data that require a high degree of security (e.g. offers, construction data, business data of the company) should always be stored on the mobile IT system in encrypted form.
- It must be defined whether mobile employees are allowed to access internal data of their organisation when travelling. If this is the case, this access must be adequately protected (see also S 5.121 Secure communication when travelling and S 5.122 Secure connection of laptops to local networks).
- Whether these systems may be used for private purposes, e.g. private correspondence or playing games after work, must be clarified.
- Users should be informed of the care they should take with their mobile IT systems to avoid loss or theft and to ensure a long service life of the device (e.g. battery care, storage outside the office or living spaces, sensitivity of device to excessively high or low temperatures).
- Rules should be set for the administration, maintenance and passing on of mobile IT systems.
- Every time the user changes, all necessary passwords must be passed on securely (see S 2.22 Escrow of passwords).
If possible, mobile IT systems should not be left unattended. If a mobile IT system must be left in a vehicle, the device should not be visible from the outside. The device can be covered or locked up in the boot. A mobile IT system is of sufficient value to attract potential thieves.
If mobile IT systems are used on location in other offices, the security regulations of the visited organisation must be observed.
Mobile IT systems should not be left unprotected in external premises such as hotel rooms. All password protection mechanisms should be enabled at this point, at the latest. Locking the device up in a cabinet will discourage casual thieves.
Disposal of data media and documents
Even when travelling, an employee will often need to dispose of material, even if it is just to keep luggage light and bearable. While there are practised procedures available in the employee's organisation for disposing of old or unusable data media and documents (see also S 2.13 Correct disposal of resources requiring protection), it is not always possible to follow these procedures while travelling. For this reason, the data media and documents must be examined closely to determine if they contain any sensitive information before they are disposed of. If they do contain sensitive information, then the data media and documents should be transported back to the organisation, if necessary. This also applies if data media are defective, because experts can extract valuable information from them as well. Even the use of shredder devices in outside organisations should be considered carefully because it is usually not totally clear who disposes of the shreds or how reliable they are.
Ban on the use of mobile IT systems
Whether there ought to be restrictions on the use of mobile IT systems, or even on taking them along to all or certain areas of a government agency or a company should be considered.
For example, this could make sense for meeting rooms (see also, for example, S 5.80 Protection against bugging of indoor conversations using mobile phones). If the organisation's IT security policy does not allow bringing along mobile IT systems, this must be clearly indicated at all entrances. Checks should then be made at regular intervals to ensure that the policy is adhered to.
Review questions:
- Does a current security policy for the use of mobile IT systems exist?
- Has the users' awareness in terms of the protection requirements of mobile IT systems and the data stored on them been raised?
- Has the users' awareness in terms of the specific threats and/or adequate safeguards during use of mobile IT systems been raised?
- Are the users informed of which type of information may be processed on mobile IT systems?