Thursday, December 15, 2022

Information Asset Management Guidelines

All information assets shall be handled securely to maintain the required level of confidentiality, integrity, and availability.

To achieve this, an organization shall maintain a set of guidelines covering the following:

  • Information Asset owners shall be identified for all information assets.
  • Information asset inventory shall be maintained by the information asset owner.
  • Sufficient records shall be maintained to locate and navigate information assets as and when required by authorized parties.
  • All information assets shall be stored and disposed of securely according to their information classification level.
  • All assets shall be returned on a change of employment status (transfers, promotions, resignations, terminations, retirements, secondments, etc.) or before a long period of leave, as per the procedure defined by the HR department.
  • The physical security of information assets shall be ensured by the Asset Custodian and/or Asset Owner as applicable.

The following template can be used for the asset inventory (template not reproduced here):

Information handling for electronic materials (table not reproduced here)

Information handling for printed materials (table not reproduced here)


Sunday, December 4, 2022

Mobile Device Policy

Having a Mobile Device Policy is very important for every organization. Today we will look at a sample policy that can be modified to suit your organization.

Policy Statement:

"When using mobile devices, special care shall be taken to ensure that business information is not compromised"

Policy Components:

Information communication and usage devices:

  • For generally used software at the organization, licensed and updated versions that are approved by IT Division shall be used. For other sectional-specific requirements, software approved by the Unit Head of the relevant operational area shall be used.
  • Before using open-source software, the outcome of the information security risk assessment shall be considered.
  • Users shall not make any changes to the hardware or software without the approval of the section/party of the organization that issued the device.
  • Prior approval, taking the outcome of the risk assessment into account, shall be obtained before mobile devices owned by third parties are connected to the organizational network.
  • Mobile devices owned by third parties shall be protected with the required security controls.
  • All mobile devices shall be kept updated with the latest patches.

Information storage mobile devices:

  • All information storage mobile devices shall be documented at the business unit level.
  • Confidential information stored on a mobile device shall be encrypted.

Security Controls:

  • Reputed anti-virus software shall be installed and kept updated.
  • Screen locking mechanism shall be deployed.

Mobile Device Security

“Mobile device” is a general term for common portable devices such as smartphones, tablets, and laptop computers. These devices have revolutionized the way we work but, at the same time, have brought unique security and privacy challenges.

What is Mobile Device Security?

Mobile device security refers to protecting mobile computers and communication hardware, and the data they hold, from the danger or risk of asset loss or data loss.

Organizations use mobile devices under different enterprise mobility strategies to improve productivity, facilitate teleworking, and ensure access to data anytime/anywhere.

Based on the selected approach, organizations implement mobile device security policies and assign roles and responsibilities accordingly.

A study conducted by Verizon® found that 1 out of 3 surveyed companies that use enterprise mobility solutions reported a compromise involving a mobile device. 47% say remediation was "difficult and expensive," and 64% say they suffered downtime.

Threats for Mobile Devices

Smartphones and personal digital assistants (PDAs) such as tablets give users mobile access to email, the internet, GPS navigation, and many other applications. However, smartphone security has not kept pace with traditional computer security, and many smartphone users do not recognize the security shortcomings of their devices. For this reason, mobile phones are becoming increasingly valuable targets for attackers, so it is important to take steps to protect your mobile devices from threats such as those listed below.
Take Steps to Protect Your Mobile Devices

With nearly every employee possessing a mobile device, organizations need to be cognizant of the fact that this is a huge attack vector for criminals with malign intentions.

Even the most careful users can still fall victim to attacks on their mobile phones. However, following best practices regarding mobile phone security can reduce the likelihood or consequences of an attack. Remember, a hacked mobile device can be used to compromise an entire corporate network.
  • Use a Secure Lock Screen: If someone gets hold of your device, the last thing you want is for them to simply turn it on and access everything. Therefore, use a secure screen lock: a strong password or passcode, or a biometric lock such as a fingerprint scanner.
  • Enable Services to Track Device Location: A feature available on your device can help you locate a lost device: it can make the device ring, display an on-screen message explaining how to contact you, the owner, and report the device's location.
  • Use a Remote Wipe Security Application: Remote wipe security applications give device owners the ability to “wipe” or lock down a device from a distance.
  • Use Secure Wi-Fi: Using password-protected (encrypted) Wi-Fi connections keeps unwanted third parties from snooping on, or carrying out man-in-the-middle attacks against, the traffic between your device and its intended destination. Avoid public Wi-Fi as much as possible.
  • Watch your email/SMS and instant messaging: Don't click on links in email and other messages, as these may direct you to phishing or malware websites — this applies to all mobile platforms.
  • Be Consistent: Only download apps from trusted sources. This ensures that the apps are legitimate and not havens for mobile malware. Further, grant applications only the minimum permissions they need, and keep them updated.
  • Install Antivirus Protection: Antivirus and anti-malware solutions are now available for mobile devices; install one from a trusted source, then run it regularly to ensure your device is clean.
  • Don't Jailbreak or Root Your Device: Doing so increases your risk of infection from untrusted third-party sources. Keep the stock operating system and benefit from automatic security updates and patches.
  • Switch Off Bluetooth or Wi-Fi When Not in Use: Pairing mobile devices over open connections enables attackers to eavesdrop on and intercept data transmissions using techniques such as bluebugging and bluesnarfing. You can also disable automatic Wi-Fi/Bluetooth connection features.
  • Use Encryption: If the device manages critical functions or sensitive information, encrypt the device's storage.

In addition to the above, it is mandatory to follow the organization’s security policies and guidelines while using your mobile device for official work. Where necessary, Root of Trust (RoT) principles can be applied to provide a robust level of security for official mobile devices that handle critical data.

It is best practice to authenticate every device that connects to an enterprise network. Proper authentication provides secure identity provisioning for devices, allows trusted communication with servers for data exchange, and can help identify, isolate, and exclude compromised devices.
