Information on agency-owned mobile devices is protected from unauthorised disclosure.

]]> This section covers information relating to the use of agency-owned mobile devices including, but not restricted to, mobile phones, smartphones, portable electronic devices, personal digital assistants, laptops, netbooks, tablet computers, and other portable Internet connected devices.

]]> It is important to note that product security, selection, maintenance, sanitisation and disposal requirements in Chapter 12 - Product Security also apply to agency-owned mobile devices.

]]> A Trusted Operating Environment (TOE) provides assurance that every reasonable effort has been made to secure the operating system of a mobile device such that it presents a managed risk to an agency’s information and systems.  Any residual risks are explicitly accepted by the agency.

]]> Special care is necessary when dealing with All-of-Government systems or systems that affect several agencies. Security measures that can be implemented to assist in the development of a TOE include:

  • strong usage policies are in place;
  • unnecessary hardware, software and operating system components are removed;
  • unused or undesired functionality in software and operating systems is removed or disabled;
  • anti-malware and other security software is installed and regularly updated;
  • downloads of software, data or documents are limited or not permitted;
  • installation of unapproved applications is not permitted;
  • software-based firewalls limiting inbound and outbound network connections are installed;
  • patching of installed the operating system and other software is current;
  • each connection is authenticated (multi-factor) before permitting access to an agency network;
  • both the user and mobile device are authenticated during the authentication process;
  • mobile device configurations may be validated before a connection is permitted;
  • privileged access from the mobile device to the agency network is not allowed;
  • access to some data may not be permitted; and
  • agency control of the mobile device may supersede any convenience aspects.
]]> When an agency issues a workstation for home-based work instead of a mobile device the requirements in this section apply equally to the issued workstation.

]]> Some mobile devices may have functionality to allow them to operate in either an unclassified state or a classified state.  In such cases the mobile devices will need to be handled according to the state that it is being operated in at the time.  For example, some devices can start-up in an unclassified mode or start-up in a cryptographically protected mode.

]]> Bluetooth and Infra-Red devices, such as keyboards, headsets and mice are subject to an additional set of risks.  Refer to Chapter 11 – Communication Systems and Devices.

]]> Relevant PSR requirements can be found at:

Reference Title Source

PSR Mandatory Requirements

GOV2, GOV4, GOV6, INFOSEC1, INFOSEC2, INFOSEC3, INFOSEC4, PHYSEC1 and PHYSEC2

Home | Protective Security Requirements

Security governance (GOV) | Protective Security Requirements

Information security (INFOSEC) | Protective Security Requirements   

Physical security (PHYSEC) | Protective Security Requirements
]]> As mobile devices routinely leave the office environment and the physical protection it affords it is important that policies are developed to ensure that they are protected in an appropriate manner when used outside of controlled agency facilities.

]]> Agencies MUST develop a policy governing the use of mobile devices.

]]> Agencies MUST NOT allow mobile devices to process or store TOP SECRET information unless explicitly approved by GCSB to do so.

]]> Agencies SHOULD implement a Mobile Device Management (MDM) solution.

]]> Mobile devices can have both a data and voice component capable of processing or communicating classified information. In such cases, personnel will need to be aware of the approved classification level for each function.

This includes Paging Services, Multi-Media Message Service (MMS) and Short Message Service (SMS) which are NOT appropriate for sensitive or classified information. Paging and message services do not appropriately encrypt information and cannot be relied upon for the communication of classified information.

]]> Agencies MUST advise personnel of the maximum permitted classifications for data and voice communications when using mobile devices.

]]> Agencies SHOULD NOT use Paging Services, SMS or MMS for sensitive or classified communications.

]]> Agencies need to retain control of any non-agency device that contains agency or government information.  Non-agency devices are discussed in Section 21.4 – BYOD.

]]> Agencies MUST apply the full set of BYOD controls for devices NOT directly owned and controlled by the agency.  These controls are detailed in Section 21.4 – BYOD.

]]> Encrypting the internal storage and removable media of agency owned mobile devices will reduce the risk of data loss associated with a lost or stolen device. While the use of encryption may not be suitable to treat the device as an unclassified asset it will still present a significant challenge to a malicious actor looking to gain easy access to information stored on the device. To ensure that the benefits of encryption on mobile devices are maintained, users must not store passphrases, passwords, PINS or other access codes for the encryption software on, or with, the device.

]]> Information on the use of encryption to reduce storage and physical transfer requirements is detailed in Section 17.1 – Cryptographic Fundamentals and 17.2 – Approved Cryptographic Algorithms.

]]> Refer to the PSR - Mobile and Remote working

Refer to the PSR - Handling Requirements for protectively marked information and equipment

]]> Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption MUST physically store or transfer the device as a classified asset in accordance with the relevant handling instructions.

]]> Users MUST NOT store passwords, passphrases, PINs or other access codes for encryption on or with the mobile device on which data will be encrypted when the device is issued for normal operations.

]]> Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption SHOULD physically store or transfer the device as a classified asset in accordance with the relevant handling instructions.

]]> Agencies SHOULD encrypt classified information on all mobile devices using an Approved Cryptographic Algorithm.

]]> Pool or shared devices SHOULD be reissued with unique passwords, passphrases, PINs or other access codes for each separate issue or deployment.

]]> The above approach cannot be used for communicating classified information over public infrastructure, the internet or non-agency controlled networks.  If appropriate encryption is not available the mobile device will not be approved for communicating classified information.

]]> Note: This applies to information and systems classified as RESTRICTED/SENSITIVE and any higher classification.

]]> Encryption does not change the classification level of the information or system itself but allows reduced handling requirements to be applied.

]]> Agencies MUST use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency controlled networks.

]]> Agencies SHOULD use encryption for Official Information or any classified information on mobile devices communicating over public infrastructure, the Internet or non-agency controlled networks.

]]> Privacy filters can be applied to the screens of mobile devices to prevent onlookers from reading the contents off the screen of the device.  This assists in mitigating a shoulder surfing or other oversight attack or compromise.

]]> Agencies SHOULD apply privacy filters to the screens of mobile devices.

]]> As Bluetooth provides little security for the information that is passed between devices and a number of exploits have been publicised, it SHOULD NOT be used on mobile devices. Refer to Chapter 11 – Communications Systems and Devices.

]]> Agencies MUST NOT enable Bluetooth functionality on mobile devices.

]]> Agencies SHOULD NOT enable Bluetooth functionality on mobile devices.

]]> Poorly controlled devices are more vulnerable to compromise and provide an attacker with a potential access point into agency systems.  Although agencies may initially provide a secure device, the state of security may degrade over time.  The agency will need to revaluate the security of devices regularly to ensure their integrity.

]]> Agency personnel MUST NOT disable security functions or security configurations on a mobile device once provisioned.

]]> Agencies SHOULD control the configuration of mobile devices in the same manner as devices in the agency’s office environment.

]]> Agencies SHOULD prevent personnel from installing unauthorised applications on a mobile device once provisioned.

]]> As mobile devices are not continually connected to ICT systems within an agency it is important that they are routinely returned to the agency so that patches can be applied and they can be tested to ensure that they are still secure.

Alternatively a mobile device management solution may implement policy checks and updates on connection to agency systems.

]]> Agencies SHOULD ensure that mobile devices have security updates applied on a regular basis and are tested to ensure that the mobile devices are still secure.

]]> Agencies SHOULD conduct policy checks as mobile devices connect to agency systems.

]]> During the period that a device is connected to the Internet, without a VPN connection, it is exposed to attacks.  This period needs to be minimised to reduce the security risks.  Minimising this period includes ensuring that system users do not connect directly to the Internet to access the Web between VPN sessions.

]]> A split tunnel VPN can allow access to an agency’s systems from another network, including unsecure networks such as the Internet.  If split tunnelling is enabled there is an increased security risk that the VPN connection is susceptible to attack from such networks.

]]> Agencies MUST disable split tunnelling when using a VPN connection from a mobile device to connect to an agency network.

]]> Agencies SHOULD NOT allow mobile devices to connect to the Internet except when temporarily connecting to facilitate the establishment of a VPN connection to an agency network.

]]> Where a mobile device carries classified information, or there is an increased risk of loss or compromise of the device, agencies will need to develop emergency destruction procedures.  Such procedures should focus on the destruction of information on the mobile device and not necessarily the device itself.  Many mobile devices used for classified information achieve this through the use of a cryptographic key zeroise or sanitisation function.

]]> Staff will need to understand the rationale and be familiar with emergency destruction procedures, especially where there is a higher probability of loss, theft or compromise.

]]> Agencies MUST develop an emergency destruction plan for mobile devices.

]]> If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a mobile device it MUST be used as part of the emergency destruction procedures.

]]> Agencies SHOULD ensure personnel are trained in emergency destruction procedures and are familiar with the emergency destruction plan.

]]> Agencies may wish to affix an additional label to mobile devices asking finders of lost devices to hand it in to any New Zealand police station, or if overseas, a New Zealand embassy, consulate or high commission.

]]> Agencies SHOULD use soft labelling for mobile devices when appropriate to reduce their attractiveness value.

]]> Where mobile devices are issued to personnel for business purposes their use for private purposes should be governed by agency policy and agreed by the employee or contractor to whom the device is issued.

]]> Agencies must recognise the risks and costs associated with personal use of an agency device.

]]> Agencies SHOULD develop a policy to manage the non-business or personal use of an agency owned device.

]]> Mobile devices SHOULD NOT be used other than by personnel specifically authorised by the agency.

]]>