Mobile Device Encryption Policy

Mobile devices such as smart phone and tablets offer great flexibility and improved productivity for employees. However, they can also create added risk and potential targets for data loss. As such, there use must be in alignment with appropriate standards and encryption technology should be used when possible.

This document describes Information Security’s requirements for encrypting data at rest on Data Migrators mobile devices.

This policy applies to any mobile device issued by Data Migrators or used for Data Migrators business which contains stored data owned by Data Migrators.

All mobile devices containing stored data owned by Data Migrators must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, PDAs, and cell phones.

Users are expressly forbidden from storing Data Migrators data on devices that are not issued by Data Migrators, such as storing Data Migrators email on a personal cell phone or PDA.

Laptops must employ full disk encryption with an approved software encryption package. No Data Migrators data may exist on a laptop in plaintext.

Any Data Migrators data stored on a cell phone or PDA must be saved to an encrypted file system using Data Migrators-approved software. Data Migrators shall also employ remote wipe technology to remotely disable and delete any data stored on a Data Migrators PDA or cell phone which is reported lost or stolen.

All encryption keys and pass-phrases must meet complexity requirements described in Data Migrators’ Password Protection Policy.

The loss or theft of any mobile device containing Data Migrators data must be reported immediately.

The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the Infosec Team in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

The following definition and terms can be found in the SANS Glossary: