Security Technical Implementation Guide for Mobile Devices

It looks like 2012 is going to become the year of BYOD, or Bring Your Own Device.  Expect this trend to continue to heat up, and boil over as the year progresses.  Everyone wants to pare down the number of devices that hang off their belts while maximizing their connectivity.  Work and personal communications are going to commingle if BYOD is permitted, and there are issues that everyone involved needs to consider.

If you don’t have a policy regarding personal devices, or even if you do, it should probably be reviewed with this trend in mind.  The largest concern I see from the user end of the issue is that personal data may be lost if the corporate policy is to wipe any device that contains company information when it is lost or stolen, or when the employee leaves.  From the employer’s perspective, I see the largest concern to be data and malware control.  If it is not a corporate device, can it, should it, and will it be scanned, monitored, and patched against vulnerabilities and unlicensed or undesired software?  If not, it could become a serious threat vector into the organization.

The US Department of Defense has released its latest draft STIG specs for Android, Windows Mobile, BlackBerry, and iOS based devices.  This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphones and tablets).  It is of interest to the gear-head whose significant other bought them an iPad for Christmas, and just as much to the boss who has to decide whether that iPad touches the corporate network.  It is worth reviewing the STIGs, even if you don’t apply the specs, just to be aware of the available options, findings, and recommendations.

The Security Technical Implementation Guides (STIGs) and NSA Guides are the configuration standards for DOD systems, containing technical guidance to “lock down” information systems and software that might otherwise be vulnerable to attack.  STIGs also serve as the content base for NIST’s Security Content Automation Protocol (SCAP), which expresses that guidance in a machine-readable form so compliance reporting can be automated.  A Benchmark is a STIG that can be consumed by an SCAP-compliant tool to produce automated compliance reports.  A STIG Security Checklist typically accompanies a STIG, providing the instructions or procedures needed to verify compliance manually for the items a tool cannot check on its own.
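To make the Benchmark-versus-Checklist distinction concrete, here is a small added example (written for this page, not code from DISA, NIST, or any SCAP tool) of how an automated compliance check works: a list of rules is evaluated against a device configuration profile, automatable rules produce pass/fail findings, and rules that can only be verified by a human are reported as manual checklist items.  The rule identifiers (EX-001 and so on), the setting names, and the sample device profile are all hypothetical and constructed for illustration; they are not real STIG rule IDs or requirements.

```python
"""Toy benchmark evaluator: automated rules vs. manual checklist items.

All rule IDs, settings, thresholds and the sample profile below are
hypothetical, constructed for this example; none are taken from a real STIG.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Profile = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    title: str
    severity: str            # "high", "medium" or "low"
    # An automatable rule carries a check function (Benchmark-style).
    # A rule with check=None can only be verified by a person (Checklist-style).
    check: Optional[Callable[[Profile], bool]]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    severity: str
    status: str              # "pass", "fail" or "manual"


# Hypothetical rule set; thresholds are illustrative, not from any STIG.
RULES: List[Rule] = [
    Rule("EX-001", "Device passcode required", "high",
         lambda p: bool(p["passcode_required"])),
    Rule("EX-002", "Minimum passcode length is at least 6", "medium",
         lambda p: int(p["passcode_min_length"]) >= 6),
    Rule("EX-003", "Device storage is encrypted", "high",
         lambda p: bool(p["storage_encrypted"])),
    Rule("EX-004", "Auto-lock within 15 minutes of inactivity", "medium",
         lambda p: 0 < int(p["auto_lock_minutes"]) <= 15),
    Rule("EX-005", "Remote wipe is enabled", "high",
         lambda p: bool(p["remote_wipe_enabled"])),
    # No automated check possible: a person has to verify training records.
    Rule("EX-006", "User has completed mobile device security training", "low",
         None),
]


def evaluate(profile: Profile, rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule against a device profile and return one finding per rule."""
    findings = []
    for rule in rules:
        if rule.check is None:
            status = "manual"
        else:
            try:
                status = "pass" if rule.check(profile) else "fail"
            except (KeyError, TypeError, ValueError):
                # Fail closed: a setting that is missing or unreadable is
                # treated as non-compliant rather than silently skipped.
                status = "fail"
        findings.append(Finding(rule.rule_id, rule.title, rule.severity, status))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status, always reporting all three buckets."""
    counts = {"pass": 0, "fail": 0, "manual": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def open_items(findings: List[Finding]) -> List[str]:
    """Rule IDs still needing action: failures first, then manual items."""
    failed = [f.rule_id for f in findings if f.status == "fail"]
    manual = [f.rule_id for f in findings if f.status == "manual"]
    return failed + manual


def report(findings: List[Finding]) -> str:
    """Render a plain-text compliance report."""
    lines = [f"{f.rule_id:<8}{f.severity:<8}{f.status:<8}{f.title}"
             for f in findings]
    counts = summarize(findings)
    lines.append(f"pass={counts['pass']} fail={counts['fail']} "
                 f"manual={counts['manual']}")
    return "\n".join(lines)


# Constructed sample profile, as an MDM export might provide it (hypothetical).
SAMPLE_PROFILE: Profile = {
    "passcode_required": True,
    "passcode_min_length": 4,       # too short for EX-002
    "storage_encrypted": True,
    "auto_lock_minutes": 30,        # too long for EX-004
    "remote_wipe_enabled": True,
}

if __name__ == "__main__":
    print(report(evaluate(SAMPLE_PROFILE)))
```

The fail-closed branch is the part worth copying: an SCAP-style tool that skips a rule whenever the setting it needs is absent will quietly report a device as cleaner than it is, so a missing or malformed value is recorded as a failure and the manual items stay visible until someone signs them off.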

[EDIT]  DarkReading has published a report on tablet security that covers the BYOD trend quite well.