MOS: Mobile Security

Controls

MOS-01: Anti-Malware

Anti-malware awareness training, specific to mobile devices, shall be included in the provider’s information security awareness training.

MOS-02: Application Stores

A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing provider-managed data.

MOS-03: Approved Applications

The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.

MOS-04: Approved Software for BYOD

The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.

MOS-05: Awareness and Training

The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company’s security awareness and training program.

MOS-06: Cloud Based Services

All cloud-based services used by the company’s mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

MOS-07: Compatibility

The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

MOS-09: Device Inventory

An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in…

MOS-10: Device Management

A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.

MOS-11: Encryption

The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices, and shall be enforced through technology controls.

MOS-12: Jailbreaking and Rooting

The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and shall enforce the prohibition through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).

MOS-13: Legal

The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations regarding the loss of non-company data in the case that a wipe of the device is required.

MOS-14: Lockout Screen

BYOD and/or company-owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.

MOS-15: Operating Systems

Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company’s change management processes.

MOS-16: Passwords

Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.

MOS-17: Policy

The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).

MOS-18: Remote Wipe

All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company’s corporate IT or shall have all company-provided data wiped by the company’s corporate IT.

MOS-19: Security Patches

Mobile devices connecting to corporate networks, or storing and accessing company information, shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.

MOS-20: Users

The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.