last sync: 2024-Oct-04 17:51:30 UTC

Define mobile device requirements | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Define mobile device requirements
Id 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0122 - Define mobile device requirements
Additional metadata Name/Id: CMA_0122 / CMA_0122
Category: Documentation
Title: Define mobile device requirements
Ownership: Customer
Description: Microsoft recommends that your organization establish mobile device requirements, which may include usage restrictions, configuration/connection requirements, and implementation guidance for organization-controlled mobile devices. This, in parallel with a MDM (Mobile Device Management), will enable your organization to ensure that mobile device usage is appropriate and secure. Some items that can be taken into account for establishing these requirements are as follows: - Ownership models for mobile devices; - Separation between work and personal data; - Use of enterprise mobility management solution; - Encryption requirements for sensitive information; and - Sources trusted by the organization for downloading applications - Backup and restoration processes
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 39 compliance controls are associated with this Policy definition 'Define mobile device requirements' (9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-19 FedRAMP_High_R4_AC-19 FedRAMP High AC-19 Access Control Access Control For Mobile Devices Shared n/a The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems. Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non- removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 1
FedRAMP_High_R4 AC-19(5) FedRAMP_High_R4_AC-19(5) FedRAMP High AC-19 (5) Access Control Full Device / Container-Based Encryption Shared n/a The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 2
FedRAMP_Moderate_R4 AC-19 FedRAMP_Moderate_R4_AC-19 FedRAMP Moderate AC-19 Access Control Access Control For Mobile Devices Shared n/a The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems. Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non- removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 1
FedRAMP_Moderate_R4 AC-19(5) FedRAMP_Moderate_R4_AC-19(5) FedRAMP Moderate AC-19 (5) Access Control Full Device / Container-Based Encryption Shared n/a The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 2
hipaa 0227.09k2Organizational.12-09.k hipaa-0227.09k2Organizational.12-09.k 0227.09k2Organizational.12-09.k 02 Endpoint Protection 0227.09k2Organizational.12-09.k 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization takes specific actions to protect against mobile code performing unauthorized actions. 18
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0401.01x1System.124579-01.x hipaa-0401.01x1System.124579-01.x 0401.01x1System.124579-01.x 04 Mobile Device Security 0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking Shared n/a Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. 7
hipaa 0403.01x1System.8-01.x hipaa-0403.01x1System.8-01.x 0403.01x1System.8-01.x 04 Mobile Device Security 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization monitors for unauthorized connections of mobile devices. 7
hipaa 0405.01y1Organizational.12345678-01.y hipaa-0405.01y1Organizational.12345678-01.y 0405.01y1Organizational.12345678-01.y 04 Mobile Device Security 0405.01y1Organizational.12345678-01.y 01.07 Mobile Computing and Teleworking Shared n/a Teleworking activities are only authorized if security arrangements and controls that comply with relevant security policies and organizational requirements are in place. 1
hipaa 0407.01y2Organizational.1-01.y hipaa-0407.01y2Organizational.1-01.y 0407.01y2Organizational.1-01.y 04 Mobile Device Security 0407.01y2Organizational.1-01.y 01.07 Mobile Computing and Teleworking Shared n/a Prior to authorizing teleworking, the physical security of the teleworking site is evaluated and any threats/issues identified are addressed. 2
hipaa 0409.01y3Organizational.3-01.y hipaa-0409.01y3Organizational.3-01.y 0409.01y3Organizational.3-01.y 04 Mobile Device Security 0409.01y3Organizational.3-01.y 01.07 Mobile Computing and Teleworking Shared n/a Additional insurance to address the risks of teleworking is provided. 1
hipaa 0410.01x1System.12-01.xMobileComputingandCommunications hipaa-0410.01x1System.12-01.xMobileComputingandCommunications 0410.01x1System.12-01.xMobileComputingandCommunications 04 Mobile Device Security 0410.01x1System.12-01.xMobileComputingandCommunications 01.07 Mobile Computing and Teleworking Shared n/a If it is determined that encryption is not reasonable and appropriate, the organization documents its rationale and acceptance of risk. 2
hipaa 0415.01y1Organizational.10-01.y hipaa-0415.01y1Organizational.10-01.y 0415.01y1Organizational.10-01.y 04 Mobile Device Security 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking Shared n/a Suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities. 5
hipaa 0416.01y3Organizational.4-01.y hipaa-0416.01y3Organizational.4-01.y 0416.01y3Organizational.4-01.y 04 Mobile Device Security 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking Shared n/a The organization instructs all personnel working from home to implement fundamental security controls and practices; including, but not limited to, passwords, virus protection, personal firewalls, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate worksites. 4
hipaa 0417.01y3Organizational.5-01.y hipaa-0417.01y3Organizational.5-01.y 0417.01y3Organizational.5-01.y 04 Mobile Device Security 0417.01y3Organizational.5-01.y 01.07 Mobile Computing and Teleworking Shared n/a Remote access is limited only to information resources required by users to complete job duties. 1
hipaa 0425.01x1System.13-01.x hipaa-0425.01x1System.13-01.x 0425.01x1System.13-01.x 04 Mobile Device Security 0425.01x1System.13-01.x 01.07 Mobile Computing and Teleworking Shared n/a A documented list of approved application stores has been defined as acceptable for mobile devices accessing or storing entity (client) or cloud service provider-managed client data, and the use of unapproved application stores is prohibited for company-owned and BYOD mobile devices. Non-approved applications or approved applications not obtained through approved application stores are prohibited. 1
hipaa 0426.01x2System.1-01.x hipaa-0426.01x2System.1-01.x 0426.01x2System.1-01.x 04 Mobile Device Security 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking Shared n/a A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. 7
hipaa 0427.01x2System.2-01.x hipaa-0427.01x2System.2-01.x 0427.01x2System.2-01.x 04 Mobile Device Security 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version/patch validation. 4
hipaa 0428.01x2System.3-01.x hipaa-0428.01x2System.3-01.x 0428.01x2System.3-01.x 04 Mobile Device Security 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe. 4
hipaa 0429.01x1System.14-01.x hipaa-0429.01x1System.14-01.x 0429.01x1System.14-01.x 04 Mobile Device Security 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). 7
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
mp.eq.1 Clear desk mp.eq.1 Clear desk 404 not found n/a n/a 19
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
NIST_SP_800-171_R2_3 .1.18 NIST_SP_800-171_R2_3.1.18 NIST SP 800-171 R2 3.1.18 Access Control Control connection of mobile devices. Shared Microsoft is responsible for implementing this requirement. A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, or built-in features for synchronizing local data with remote locations. Examples of mobile devices include smart phones, e-readers, and tablets. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different types of devices. Usage restrictions and implementation guidance for mobile devices include: device identification and authentication; configuration management; implementation of mandatory protective software (e.g., malicious code detection, firewall); scanning devices for malicious code; updating virus protection software; scanning for critical software updates and patches; conducting primary operating system (and possibly other resident software) integrity checks; and disabling unnecessary hardware (e.g., wireless, infrared). The need to provide adequate security for mobile devices goes beyond this requirement. Many controls for mobile devices are reflected in other CUI security requirements. [SP 800-124] provides guidance on mobile device security. link 1
NIST_SP_800-171_R2_3 .1.19 NIST_SP_800-171_R2_3.1.19 NIST SP 800-171 R2 3.1.19 Access Control Encrypt CUI on mobile devices and mobile computing platforms Shared Microsoft is responsible for implementing this requirement. Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of CUI on mobile devices and computing platforms. Container-based encryption provides a more fine-grained approach to the encryption of data and information including encrypting selected data structures such as files, records, or fields. See [NIST CRYPTO]. Mobile devices and computing platforms include, for example, smartphones and tablets. link 2
NIST_SP_800-53_R4 AC-19 NIST_SP_800-53_R4_AC-19 NIST SP 800-53 Rev. 4 AC-19 Access Control Access Control For Mobile Devices Shared n/a The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems. Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non- removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 1
NIST_SP_800-53_R4 AC-19(5) NIST_SP_800-53_R4_AC-19(5) NIST SP 800-53 Rev. 4 AC-19 (5) Access Control Full Device / Container-Based Encryption Shared n/a The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28. References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164. link 2
NIST_SP_800-53_R5 AC-19 NIST_SP_800-53_R5_AC-19 NIST SP 800-53 Rev. 5 AC-19 Access Control Access Control for Mobile Devices Shared n/a a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. link 1
NIST_SP_800-53_R5 AC-19(5) NIST_SP_800-53_R5_AC-19(5) NIST SP 800-53 Rev. 5 AC-19 (5) Access Control Full Device or Container-based Encryption Shared n/a Employ [Selection: full-device encryption;container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. link 2
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC