Requirement:
The cybersecurity requirements for mobile device security and BYOD must include at least the following:
Sub-Controls:
2-6-3-1:
Requirement:
Separation and encryption of organization's data and information stored on mobile devices and BYODs.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the organization's cybersecurity requirements for mobile devices and BYOD, and have them approved by the representative
- Implement the requirements for separating and encrypting the organization's data and information stored on mobile devices and BYOD devices, which may include the following:
  - Separation and encryption of data and information
  - Appropriate and advanced technologies for separating and encrypting data and information
- Use the necessary technologies (such as Mobile Device Management) to encrypt the organization's data and information stored on mobile devices and BYOD
Expected Deliverables:
- Cybersecurity policy that covers all the security requirements of mobile devices and personal devices (BYOD) at the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
- Sample showing the implementation of mobile device and BYOD security requirements, including but not limited to:
  - Sample showing the implementation of the requirements for appropriate and advanced technologies for the security of mobile devices and BYOD (e.g., screenshot showing the use of advanced systems to provide and ensure data encryption on mobile devices and BYOD at the organization)
  - Defined and approved procedures for encrypting data and information stored on mobile devices and BYOD
2-6-3-2:
Requirement:
Controlled and restricted use based on job requirements.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the organization's cybersecurity requirements for mobile devices and BYOD, and have them approved by the representative
- Implement the specified and restricted use requirements based on the requirements of the organization's business interest. These requirements may include the following:
  - The use must be specified and restricted to the requirements of the organization
  - Appropriate and advanced technologies for specified and restricted use based on the requirements of the organization's business interest
- Develop the necessary procedures to restrict the use of mobile devices and their connection to the organization's network based on the requirements of the business interest
- Assess mobile device configuration and security controls, including but not limited to the implementation of patches and antivirus (AV), prior to linking them to the organization's domain or network
Expected Deliverables:
- Cybersecurity policy that covers all the security requirements of mobile devices and personal devices (BYOD) at the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
- Sample showing the implementation of requirements related to the specified and restricted use based on the organization's business interest, including but not limited to:
  - Sample showing the implementation of the specified and restricted use requirements based on the organization's business interest (e.g., a screenshot showing evidence that the necessary procedures are in place to restrict the use of mobile devices and their connection to the network based on the business interest)
  - Defined and approved procedures for restricting the use of mobile devices (e.g., a procedures form, as well as a sample report showing evidence that mobile device settings and security controls are assessed, including the implementation of patches and antivirus updates, prior to being linked to the network)
2-6-3-3:
Requirement:
Secure wiping of organization's data and information stored on mobile devices and BYOD in cases of device loss, theft or after termination/separation from the organization.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the organization's cybersecurity requirements for mobile devices and BYOD, and have them approved by the representative
- Ensure that the organization's data and information stored on mobile devices and BYOD are deleted when devices are lost or stolen, or after the end/termination of the functional relationship with the organization
- Use the necessary technologies (such as Mobile Device Management) to ensure the deletion of sensitive data and information when devices are lost, and after the end/termination of the functional relationship with the organization
Expected Deliverables:
- Cybersecurity policy that covers all the security requirements of mobile devices and personal devices (BYOD) at the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
- Sample showing the implementation of requirements related to the deletion of data and information stored on mobile devices and BYOD, including but not limited to:
  - Sample showing the implementation of deletion requirements for data and information stored on mobile devices and BYOD devices (e.g., a screenshot showing evidence of deleting data and information stored on mobile devices and personal devices when, for example, the subscription with a data deletion service and integrated secure management of mobile devices and BYOD devices provider is no longer valid)
  - Sample of the procedures template followed, showing evidence of ensuring the deletion of data and information stored on mobile devices and personal devices (BYOD) when they are lost or after the end/termination of the functional relationship with the organization
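The pre-connection assessment described under 2-6-3-2, together with the encryption/separation checks of 2-6-3-1 and the remote-wipe enrollment that 2-6-3-3 depends on, can be expressed as a single posture gate. The following is an added illustration, not part of the ECC text or any vendor's MDM product; the device records, role mapping and 30-day patch threshold are constructed assumptions.

```python
# Added illustration: a pre-enrollment posture gate of the kind an MDM or NAC
# policy applies before a mobile/BYOD device is joined to the network.
# Thresholds, roles and device records below are constructed assumptions.
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30   # assumed organizational threshold
TODAY = date(2024, 6, 1)  # fixed date so the example is deterministic

# Roles permitted to connect mobile devices, per an assumed business-need mapping (2-6-3-2).
ALLOWED_ROLES = {"field-engineer", "sales", "executive"}


@dataclass
class DevicePosture:
    device_id: str
    owner_role: str               # job role used for the "restricted use" decision
    storage_encrypted: bool       # 2-6-3-1: organization data encrypted at rest
    work_profile_separated: bool  # 2-6-3-1: organization data kept in a separate container
    last_patch: date              # 2-6-3-2: OS patch level
    av_enabled: bool              # 2-6-3-2: anti-malware active
    remote_wipe_enrolled: bool    # 2-6-3-3: device can be wiped when lost or offboarded


def evaluate(device: DevicePosture, today: date = TODAY) -> list[str]:
    """Return the list of failed checks; an empty list means the device may join."""
    failures = []
    if device.owner_role not in ALLOWED_ROLES:
        failures.append("use not justified by job requirements")
    if not device.storage_encrypted:
        failures.append("storage not encrypted")
    if not device.work_profile_separated:
        failures.append("organization data not separated from personal data")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not device.av_enabled:
        failures.append("antivirus disabled")
    if not device.remote_wipe_enrolled:
        failures.append("not enrolled for remote wipe")
    return failures


def may_join_network(device: DevicePosture, today: date = TODAY) -> bool:
    return not evaluate(device, today)


# Constructed sample devices
COMPLIANT = DevicePosture("dev-001", "sales", True, True, date(2024, 5, 20), True, True)
STALE = DevicePosture("dev-002", "sales", True, True, date(2024, 3, 1), False, True)
```

The list returned by `evaluate` is the kind of per-device finding that the sample assessment report in the expected deliverables would record.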
2-6-3-4:
Requirement:
Security awareness for mobile devices users.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the organization's cybersecurity requirements for mobile devices and BYOD, and have them approved by the representative
- Implement security awareness requirements for users, which may include the following:
  - Providing security awareness to users
  - Appropriate and advanced technologies for providing security awareness to users
- Implement the requirements of this control by providing security awareness to users of mobile devices and BYOD on a regular basis
Expected Deliverables:
- Cybersecurity policy that covers all the security requirements of mobile devices and personal devices (BYOD) at the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
- Sample showing the implementation of security awareness requirements for users, including but not limited to:
  - Sample showing the implementation of security awareness requirements for users (e.g., a presentation delivering security awareness to the organization's employees regarding the optimal and safe use of mobile devices and BYOD devices, or a screenshot of a mobile device screensaver showing an awareness message to users)