Mobile device usage policy
Since mobile devices routinely leave the office environment, and the protection it affords, it is important that organisations develop a mobile device usage policy governing their use.
Security Control: 1082; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS
A mobile device usage policy is developed and implemented.
Mobile devices can have both a voice and data component capable of processing or communicating information. In such cases, personnel should know the sensitivity or classification of information that mobile devices have been approved to process, store and communicate.
Security Control: 1083; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.
Paging and message services
As paging and message services do not appropriately encrypt information, they cannot be relied upon for the communication of sensitive or classified information.
Security Control: 0240; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Paging, Multimedia Message Service, Short Message Service or instant messaging apps are not used to communicate sensitive or classified information.
Using mobile devices in public spaces
Personnel should be aware of the environment they use mobile devices in to view or communicate sensitive or classified information, especially in public areas such as public transport, transit lounges and coffee shops. In such locations, personnel taking care to ensure that information is not observed and that conversations are not overheard will assist in maintaining the confidentiality of their organisation’s information. In some cases, privacy filters can be applied to the screen of a mobile device to prevent onlookers from reading content off its screen.
Security Control: 0866; Revision: 4; Updated: Apr-19; Applicability: O, P, S, TS
Sensitive or classified information is not viewed or communicated in public locations unless care is taken to reduce the chance of conversations being overheard or the screen of a mobile device being observed.
Security Control: 1145; Revision: 3; Updated: Sep-18; Applicability: S, TS
Privacy filters are applied to the screens of highly classified mobile devices.
Maintaining control of mobile devices
As mobile devices are portable in nature, and can be easily lost or stolen, it is strongly advised that personnel do not leave mobile devices unattended when being actively used.
Security Control: 0871; Revision: 3; Updated: Apr-19; Applicability: O, P, S, TS
Mobile devices are kept under continual direct supervision when being actively used.
Security Control: 0870; Revision: 3; Updated: Apr-19; Applicability: O, P, S, TS
Mobile devices are carried or stored in a secured state when not being actively used.
Carrying mobile devices
As mobile devices used outside the office will be carried through areas not authorised to process the information stored on them, carrying them in a secured state (i.e. encryption is active when they are not in use) will decrease the likelihood of accidental or deliberate compromise of information. Depending on the type of mobile device, the effectiveness of encrypting its internal storage might be reduced if the device is lost or stolen while it is in sleep mode or powered on with a locked screen.
Security Control: 1084; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
If unable to apply encryption to mobile devices that is suitable for them to be carried through areas not authorised to process the information stored on them, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.
Mobile device emergency sanitisation process and procedures
The sanitisation of mobile devices in emergency situations can assist in reducing the potential for compromise of information by an adversary. This may be achieved through the use of a remote wipe capability or a cryptographic key zeroise or sanitisation function if present.
Security Control: 0701; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS
A mobile device emergency sanitisation process, and supporting mobile device emergency sanitisation procedures, is developed and implemented.
Security Control: 0702; Revision: 4; Updated: Aug-19; Applicability: S, TS
If a cryptographic zeroise or sanitise function is provided for cryptographic keys on highly classified mobile devices, the function is used as part of the mobile device emergency sanitisation process.
Before travelling overseas with mobile devices
Personnel travelling overseas with mobile devices face additional security risks compared to travelling domestically, especially when travelling to high/extreme risk countries. As such, appropriate precautions should be taken. Personnel should also be aware that when they leave Australian borders they also leave behind any expectations of privacy.
Security Control: 1298; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
Personnel are advised of privacy and security risks when travelling overseas with mobile devices.
Security Control: 1554; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS
If travelling overseas with mobile devices to high/extreme risk countries, personnel are:
- issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities
- advised on how to apply and inspect tamper seals to key areas of devices
- advised to avoid taking any personal devices, especially if rooted or jailbroken.
Security Control: 1555; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS
Before travelling overseas with mobile devices, personnel take the following actions:
- record all details of the devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
- update all applications and operating systems
- remove all non-essential accounts, applications and data
- apply security configuration settings, such as lock screens
- configure remote locate and wipe functionality
- enable encryption, including for any media used
- back up all important data and configuration settings.
While travelling overseas with mobile devices
Personnel lose control of mobile devices and media any time they are not on their person. This includes when placing mobile devices and media in checked-in luggage or leaving them in hotel rooms (including hotel room safes). In addition, allowing untrusted people to access mobile devices provides an opportunity for them to be tampered with.
Security Control: 1299; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
Personnel take the following precautions when travelling overseas with mobile devices:
- never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
- never storing credentials with devices that they grant access to, such as in laptop bags
- never lending devices to untrusted people, even if briefly
- never allowing untrusted people to connect other devices or media to their devices, including for charging
- never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
- avoiding connecting devices to open or untrusted Wi-Fi networks
- using an approved Virtual Private Network to encrypt all device communications
- using encrypted mobile applications for communications instead of using foreign telecommunication networks
- disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
- avoiding reuse of media once used with other parties’ devices or systems
- ensuring any media used for data transfers are thoroughly checked for malicious code beforehand
- never using any gifted devices, especially media, when travelling or upon returning from travelling.
Security Control: 1088; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they:
- provide credentials, decrypt devices or have devices taken out of sight by foreign government officials
- have devices or media stolen that are later returned
- lose devices or media that are later found
- observe unusual behaviour of devices.
After travelling overseas with mobile devices
Following overseas travel with mobile devices, personnel should take appropriate precautions to ensure that their devices don’t pose an undue security risk to their organisation’s systems and information. In most cases, sanitising and resetting mobile devices, including all media used with them, will be sufficient; however, upon returning from high/extreme risk countries, additional precautions will likely be needed.
Security Control: 1300; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Upon returning from travelling overseas with mobile devices, personnel take the following actions:
- sanitise and reset devices, including all media used with them
- decommission any physical credentials that left their possession during their travel
- report if significant doubt exists as to the integrity of any devices following their travel.
Security Control: 1556; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS
If returning from travelling overseas with mobile devices to high/extreme risk countries, personnel take the following additional actions:
- reset user credentials used with devices, including those used for remote access to their organisation’s systems
- monitor accounts for any indicators of compromise, such as failed login attempts.
Further information on the management of mobile devices can be found in the mobile device management section of these guidelines.
Further information on using mobile devices in highly classified areas can be found in the wireless devices and Radio Frequency transmitters section of the Guidelines for Physical Security.
Further information on travelling overseas with mobile devices can be found in the ACSC’s Travelling Overseas with Electronic Devices publication at https://www.cyber.gov.au/acsc/view-all-content/publications/travelling-overseas-with-electronic-devices.
Further information on security briefcases can be found in the Australian Security Intelligence Organisation (ASIO)’s Security Equipment Guide-005, Briefcases for the Carriage of Security Classified Information, from the Protective Security Policy GovTEAMS community or ASIO by email.
Further information on approved multi-use satchels, pouches and transit bags can be found in the Security Construction and Equipment Committee’s Security Equipment Evaluated Products List at https://www.scec.gov.au/catalogue.