Each agency must adhere to the following policies for mobile devices with sensitive data. A mobile device is defined as any electric and/or battery operated device that can be easily transported and that has the capability for storing, processing, and/or transmitting data including Laptops, Portable Digital Assistants (PDAs), Tablet/Mini PCs, Blackberries, SmartPhones, and Hand-Held PCs. It is recommended that agencies consider enforcing some or all of these policies for any mobile device regardless of classification of the data.
A. Agencies employing the use of mobile devices for access to agency systems or storage of agency data must appropriately secure those devices to prevent sensitive data from being lost or compromised, to reduce the risk of spreading viruses/malware, and to mitigate other forms of abuse.

B. While traveling and using a mobile device in public places, never leave the device unattended and take precautions to avoid the risk of unauthorized persons viewing information on-screen.

C. Agencies must consider software that aids in tracking and recovery of the mobile device if lost or stolen.

D. Agencies that allow the use of mobile devices for access to state data must consider implementing a management platform that allows them to administer the appropriate security policy to all devices supported by the agency.

E. Access Control
   1. Prohibit users from downloading, running, and/or installing software and applications or enabling unauthorized protocols or services without agency IT approval and assistance.
   2. Mobile device users must minimize the potential loss of data via WiFi, 3G, or Bluetooth connections to their device by configuring them in a secure manner or turning those services off when not in use.
   3. Disable boot-up capabilities of other drives. Disabling the secondary boot drive sequence hinders the ability to access the system from a secondary drive.
   4. Rename the Administrator Account using a nondescript name.
   5. Prevent the last user name from displaying in the login dialog box.
   6. When connected to the state network, ensure only one active connected network interface is enabled at a time. For example, if WiFi is enabled, then other access methods are disabled.
   7. Establish hard drive and/or BIOS password standards for the agency or each department of the agency. Enable these features on each mobile device and configure a password per this standard.

F. Authentication
   1. All mobile devices must require authentication before accessing state resources/services. Where mobile devices will have access to sensitive information, the agency should consider two-factor authentication and at minimum use strong authentication/password characteristics.
   2. Mobile devices should be configured to timeout after 30 minutes of inactivity and require re-authentication. Authentication must not be disabled on the mobile device.
   3. Agencies should require users to log out or turn mobile devices off if leaving the device unattended.

G. Encryption
   1. Refer to chapter 9 of this document for information regarding data encryption.
   2. Many mobile devices support the use of removable storage devices to store data. If sensitive data is stored on removable storage devices, the data must be encrypted.
   3. Consider implementing whole disk encryption. Whole disk encryption is preferred as it "locks" the hard drive, preventing it from being accessed by physically installing it in similar equipment.
   4. Consider installing disk wiping technology that remotely wipes the mobile device clean in the event of loss or theft.

Miss. Code Ann. § 25-53-1 to § 25-53-25.