In today’s blog post we’re going to cover the NIST control AC-19, Access Control for Mobile Devices. First, what counts as a mobile device? A mobile device is defined on the NIST website as a computing device that is small enough that it can easily be carried by a single person, is designed to operate wirelessly, possesses data storage, and has a self-contained power source. This would include laptops, tablets, cell phones, or even e-readers, along with many others.

Due to the wide variety of mobile devices and capabilities, it is very important that any device in an organization’s environment is authorized and not a threat. There are precautions an organization can establish to help promote safe mobile device usage: 

  • Usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices
    • Ex. Mandatory protective software like malicious code detection or a firewall
    • Ex. Requiring virus protection software be updated 
    • Ex. Scanning for critical software updates and patches 
  • Authorizing the connection of mobile devices to organizational information systems 
    • Ex. Needing approval for having email access on a cell phone 
    • Ex. Putting restrictions on being able to use personal devices for work purposes 

Awareness, training, and proper policies and procedures are key when bringing mobile devices into your environment!