Article 17
(Control and management of mobile device and equipment for business use)
- An organization shall establish the regulations for application for, use, renewal, return and loss of a mobile device.
- When there is a change in the staff of the organization, a mobile device should be reset or the settings should be cleared to ensure the mobile device has a secure environment.
- An organization shall conduct risk assessments on mobile devices and resources accessible to the mobile devices, and implement appropriate security control and management measures based on the results of the risk assessments, such as screen lock, restrictions on accessing sensitive information, installation of antivirus software programs, installation of mobile device management software, etc.
- An organization is advised to take the following security control and management measures on mobile devices storing sensitive information:
  - It is advisable a mobile device has an identity verification mechanism.
  - It is advisable to allow an authorized party to change the settings of the environment of the operating system of a mobile device.
  - It is advisable to conduct regular examinations of the operating system and antivirus software programs of the mobile device and to prevent the owner from making unauthorized changes to the settings, such as jailbreaking or rooting.
  - It is advisable for a mobile device to have a method for data deletion when the device is lost, e.g. deleting data remotely, or automatic deletion of data after a certain number of failed identity verifications have taken place.
  - It is advisable a mobile device imposes restrictions on or turns off unnecessary wireless connections, such as NFC, infrared, Wi-Fi or Bluetooth.
  - It is advisable a mobile device adopts an encryption or data redaction method for protection of transmission of sensitive information.
  - It is advisable a mobile device prevents storing of sensitive information on the mobile device, or encrypts sensitive information for protection.
- A mobile device used to handle an organization’s business should avoid installation of an unofficial mobile application or should install only the installable mobile applications that have passed testing as listed by the organization.