The organization must follow the incident handling policy if classified information is found on mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-MPOL-061	SRG-MPOL-061	SRG-MPOL-061_rule		High

Description
In spite of the best security policies, restrictive controls, and random review procedures, incidents of leakage of classified data to unclassified mobile devices are bound to occur. In these instances, the organization must have a set of defined procedures to be implemented when classified data is discovered on mobile devices. Failure to have incident handling procedures defined could result in confusion in the proper handling of the incident by organization personnel, or, worst case, classified data being disclosed to unauthorized sources. This requirement applies to mobile operating system (OS) smartphones and tablets. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

Description

In spite of the best security policies, restrictive controls, and random review procedures, incidents of leakage of classified data to unclassified mobile devices are bound to occur. In these instances, the organization must have a set of defined procedures to be implemented when classified data is discovered on mobile devices. Failure to have incident handling procedures defined could result in confusion in the proper handling of the incident by organization personnel, or, worst case, classified data being disclosed to unauthorized sources. This requirement applies to mobile operating system (OS) smartphones and tablets. This requirement also applies to sensitive DoD information stored on mobile OS devices that are not authorized to connect to DoD networks or store/process sensitive DoD information. Sensitive DoD data or information is defined as any data/information that has not been approved for public release by the site/Command Public Affairs Officer (PAO).

STIG	Date
Mobile Policy Security Requirements Guide	2012-10-10

Details

Check Text ( C-SRG-MPOL-061_chk )
Review the organization's access control and security policy, incident handling procedures, and any other relevant documents. Ensure the organization has defined an incident handling policy with specific actions to be implemented when classified information has been found on mobile devices. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed. If the incident handling policy is not being followed, this is a finding.

Check Text ( C-SRG-MPOL-061_chk )

Review the organization's access control and security policy, incident handling procedures, and any other relevant documents. Ensure the organization has defined an incident handling policy with specific actions to be implemented when classified information has been found on mobile devices. Determine if the site has had a data spill within the previous 24 months. If yes, review written records, incident reports, and/or after action reports and determine if required procedures were followed.

If the incident handling policy is not being followed, this is a finding.

Fix Text (F-SRG-MPOL-061_fix)
Follow all incident handling policy actions to be taken when classified information has been identified on mobile devices.