The organization must establish usage restrictions for organization-controlled portable and mobile devices.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-MPOL-040 | SRG-MPOL-040 | SRG-MPOL-040_rule | Medium |
| Description |
|---|
| In order to effectively control access to its information systems, the organization must define usage restrictions for its portable and mobile devices. In the absence of such restrictions, users could execute unauthorized programs and/or utilities, access unauthorized web sites, gain access to and/or download restricted or classified information, knowingly or unknowingly load malware to the organization's information systems, etc. Lack of usage restrictions could result in unauthorized access to, or modification or destruction of, sensitive or classified data. |
| STIG | Date |
|---|---|
| Mobile Policy Security Requirements Guide | 2012-10-10 |
Details
| Check Text ( C-SRG-MPOL-040_chk ) |
|---|
| Review the organization's access control and security policy, procedures addressing access control for portable and mobile devices, information system configuration settings, and associated documentation. Organizational personnel who use portable and mobile devices to access the information system will be interviewed. Ensure the organization has developed and published usage restrictions for all portable and mobile devices under its control. If the access control or other appropriate security policy does not address the use of portable and mobile devices, this is a finding. |
| Fix Text (F-SRG-MPOL-040_fix) |
|---|
| Develop and publish usage restrictions for all organization controlled portable and mobile devices. |