The organization must authorize connection of mobile devices to organizational information systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-056	SRG-MPOL-056	SRG-MPOL-056_rule		Medium

Description
In order to protect their information systems, organizations must have a process in place ensuring mobile devices adhere to implementation guidance, meet published usage restrictions, and are processed through an authorization process prior to connecting to the information system(s). Lacking such a process, organizations will experience an array of unauthorized mobile devices, with a myriad of configuration settings and no usage restrictions, connecting to their information systems. Such an environment would be unmanageable and could result in unauthorized access to, modification of, or destruction of sensitive or classified data.

Description

In order to protect their information systems, organizations must have a process in place ensuring mobile devices adhere to implementation guidance, meet published usage restrictions, and are processed through an authorization process prior to connecting to the information system(s). Lacking such a process, organizations will experience an array of unauthorized mobile devices, with a myriad of configuration settings and no usage restrictions, connecting to their information systems. Such an environment would be unmanageable and could result in unauthorized access to, modification of, or destruction of sensitive or classified data.

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-056_chk )
Review the organization's access control and security policy, and procedures addressing access control and authorization process for portable and mobile devices. Ensure the organization has developed and published an authorization process to be performed on each mobile device before the device can connect to the organization's information system(s). This authorization process will ensure the mobile device complies with all organization-published usage restrictions and implementation guidance. If an authorization process has not been developed and published, this is a finding.

Check Text ( C-SRG-MPOL-056_chk )

Review the organization's access control and security policy, and procedures addressing access control and authorization process for portable and mobile devices. Ensure the organization has developed and published an authorization process to be performed on each mobile device before the device can connect to the organization's information system(s). This authorization process will ensure the mobile device complies with all organization-published usage restrictions and implementation guidance.

If an authorization process has not been developed and published, this is a finding.

Fix Text (F-SRG-MPOL-056_fix)
Develop and publish an authorization process to be performed on each mobile device before the device can connect to the organization's information system(s).