Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organization’s premises.
When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organization’s systems or work with the organization’s data.
Remote hosts must be updated and patched with the latest security updates at least monthly.
Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the device.
Access to the organization’s systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organization’s information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy.
Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.