Page 633 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Patch Management
The mobile device policy should define the means and mechanisms of
patch management for a personally owned mobile device. Is the user
responsible for installing updates? Should the user install all available
updates? Should the organization test updates prior to on-device
installation? Are updates to be handled over the air (via service
provider) or over Wi-Fi? Are there versions of the mobile OS that
cannot be used? What patch or update level is required?
Antivirus Management
The mobile device policy should dictate whether antivirus, anti-
malware, and antispyware scanners are to be installed on mobile
devices. The policy should indicate which products/apps are
recommended for use, as well as the settings for those solutions.
Forensics
The mobile device policy should address forensics and investigations
as related to mobile devices. Users need to be aware that in the event
of a security violation or criminal activity, their devices might be
involved, which could require gathering evidence from those devices.
Some evidence-gathering processes can be destructive, and some
legal investigations require the confiscation of devices.
Privacy
The mobile device policy should address privacy and monitoring.
When a personal device is used for business tasks, the user often loses
some or all of the privacy they enjoyed prior to using their mobile
device at work. Workers may need to agree to be tracked and
monitored on their mobile device, even when not on company
property and outside work hours. A personal device in use under
BYOD should be considered by the individual to be quasi-company
property.
On-boarding/Off-boarding
The mobile device policy should address personal mobile device on-