Governance

GOV049

Protecting mobile devices

Consider the following strategies for protecting mobile devices.

Mobile devices include portable computers, mobile communication devices, and USBs or other portable storage devices.

Prepare devices for use

  • Ensure security and application updates are installed on each device, and that your people understand how to carry out further updates on their devices.
  • Enable device security features and ensure that PINs and passwords are changed. Always use complex passwords containing upper and lower-case letters, numbers, and symbols.
  • Remove any information that is not required to reduce the risk of information exposure.
  • Back up information stored on the device. If a device becomes compromised, your opportunity to recover information from it may be limited.
  • Evaluate the potential for compromise if the device will hold any encrypted information.

Give instructions for keeping devices safe and secure

Ensure each mobile device user gets as many of the following instructions as apply to them.

  • Maintain physical control of the device at all times. Do not leave it unattended in places where it may be an easy target for theft or tampering.
  • Be vigilant at all times. When using a device, make sure that a conversation can’t be overheard and screen data can’t be seen by others.
  • Avoid taking devices into situations where a sensitive or private conversation is likely. If you can’t avoid this situation, turn off the device and, when possible, remove the battery.
  • If you lose physical control of the device (for example, when it is secured outside a meeting), ask your ICT security people for guidance before you use it again.
  • Use corporate devices with all relevant security measures enabled. Only use a personal device for official business when BYOD policies allow and appropriate security measures are in place.
  • If you’re concerned about the risk of tracking, disable any GPS capability. For extra security, turn off the device and, when possible, remove the battery.
  • Disable any features or capabilities that you don’t need. For example, disable wireless, Bluetooth, and location services. Consider doing this before having confidential conversations.
  • Always confirm the integrity of any new storage media with your ICT security people before you connect it to a device. All storage media should be regularly scanned for threats.

Ensure email usage is secure

To help keep emails secure, provide clear instructions in line with your policies on the following topics.

  • Use of private email accounts to store or communicate official information.
  • Forwarding emails from corporate email systems to personal email accounts, such as Gmail. This policy is especially relevant for emails with a classification of ‘restricted’ or higher.
  • When you need additional email security and how to achieve it.
  • How to reduce the risk of downloading hidden malware.

Keep internet usage secure

To help keep internet usage from becoming a security concern, provide clear instructions in line with your policies on the following topics.

  • Using the privacy mode in an internet browser.
  • Use of cookies.
  • Disabling autofill to prevent your browser from storing usernames and passwords.
  • Connecting to external networks. The simplest precaution is to not connect to the internet using unknown hotspots and instead use 3G or 4G mobile networks.

Secure devices after use

  • Following travel, it is a good idea to change all device passwords.
  • Treat any unencrypted information on a device that is lost as compromised.

Page last modified: 4/05/2022