The organization must require that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices, are subject to random reviews/inspections by organization defined security officials.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35962	SRG-MPOL-044	SV-47278r1_rule		Medium

Description
The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.

Description

The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44199r1_chk )
Review the organization's access control and security policy, documentation for random inspections of mobile devices, and other relevant documents or records. Organizational personnel responsible for randomly reviewing/inspecting mobile devices and the information stored on those devices; and organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information, will be interviewed. Ensure the organization has established a requirement for mobile devices to be randomly reviewed/inspected to ensure compliance with the organization's access control policy regarding the use of mobile devices within its facilities. If a policy or procedure is not in place for random reviews or inspections, this is a finding.

Check Text ( C-44199r1_chk )

Review the organization's access control and security policy, documentation for random inspections of mobile devices, and other relevant documents or records. Organizational personnel responsible for randomly reviewing/inspecting mobile devices and the information stored on those devices; and organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information, will be interviewed. Ensure the organization has established a requirement for mobile devices to be randomly reviewed/inspected to ensure compliance with the organization's access control policy regarding the use of mobile devices within its facilities.

If a policy or procedure is not in place for random reviews or inspections, this is a finding.

Fix Text (F-40489r1_fix)
Develop and publish a requirement for mobile devices to be randomly reviewed/inspected for compliance with the organization's access control policy regarding the use of mobile devices within its facilities containing information systems processing, storing, or transmitting classified information, and the information stored on those devices.