The organization must assign personnel to perform reviews/inspections of mobile devices in facilities containing information systems processing, storing, or transmitting classified information.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35969	SRG-MPOL-051	SV-47285r1_rule		Medium

Description
The organization's access control procedures and security policies establish the requirement to (i) control the use of various mobile devices and connected or imbedded capabilities, and (ii) conduct random reviews/inspections of mobile devices to ensure compliance with the established access control and security policies. In order to effectively execute the random review/inspection of mobile devices, the organization must identify, minimally by position title, organization security officials responsible for conducting mobile device reviews/inspections.

Description

The organization's access control procedures and security policies establish the requirement to (i) control the use of various mobile devices and connected or imbedded capabilities, and (ii) conduct random reviews/inspections of mobile devices to ensure compliance with the established access control and security policies. In order to effectively execute the random review/inspection of mobile devices, the organization must identify, minimally by position title, organization security officials responsible for conducting mobile device reviews/inspections.

STIG	Date
Mobile Policy Security Requirements Guide	2013-01-24

Details

Check Text ( C-44206r1_chk )
Review the organization's access control and security policy; documentation officially assigning the responsibility for conducting random inspections of mobile devices to nominated security officials (e.g., position descriptions outlining the responsibility, official letters of assignment, etc.); and other relevant documents or records. Organizational personnel responsible for reviewing/inspecting mobile devices will be interviewed. Ensure the organization has documented the nomination and official notification of nominated security officials of their responsibility to perform reviews/inspections of mobile devices within its facilities, and these security officials have been notified and are aware of this responsibility. If the organization has not assigned responsibility for conducting inspection of mobile devices in facilities containing information systems processing, storing, or transmitting classified information, this is a finding.

Check Text ( C-44206r1_chk )

Review the organization's access control and security policy; documentation officially assigning the responsibility for conducting random inspections of mobile devices to nominated security officials (e.g., position descriptions outlining the responsibility, official letters of assignment, etc.); and other relevant documents or records. Organizational personnel responsible for reviewing/inspecting mobile devices will be interviewed. Ensure the organization has documented the nomination and official notification of nominated security officials of their responsibility to perform reviews/inspections of mobile devices within its facilities, and these security officials have been notified and are aware of this responsibility.

If the organization has not assigned responsibility for conducting inspection of mobile devices in facilities containing information systems processing, storing, or transmitting classified information, this is a finding.

Fix Text (F-40496r1_fix)
Nominate and officially notify security personnel of their responsibility to perform reviews/inspections of mobile devices within facilities containing information systems processing, storing, or transmitting classified information. The notification will be recorded in appropriate official documents of record (e.g., position descriptions, letters of assignment, etc.).