Audit of the Cost and Security Policies and Procedures for USAID's Mobile Devices
Recommendations
Recommendation 1. USAID's Chief Information Officer implement formal written procedures for reviewing excessive mobile device charges, including the frequency of those reviews and a determination of whether users should be changed to another mobile device plan with features that accommodate their mobile needs and/or use alternate solutions to meet Agency mobile needs.
Recommendation 2. USAID's Chief Information Officer implement formal written procedures for reviewing unused mobile devices with responsible Agency officials. At a minimum, the procedures should include an acceptable level for the number and cost of unused devices and the frequency of the reviews (no less than quarterly).
Recommendation 3. USAID's Chief Information Officer implement documented procedures for mobile devices that define policy violations and describe monitoring for and reporting on those violations (beyond the case in which the device is on the network and violates those policies).
Recommendation 4. USAID's Chief Information Officer implement documented policies that define the conditions for remotely wiping mobile devices, both when a device is lost or stolen and is at risk of having its data recovered by an unauthorized individual or entity, and after failed password attempts.
Recommendation 5. USAID's Chief Information Officer implement documented policies that define the conditions for remotely locking devices suspected of being left unlocked in an unsecured location.
Recommendation 6. USAID's Chief Information Officer implement documented procedures for digitally signing USAID-developed applications.
Recommendation 7. USAID's Chief Information Officer implement documented procedures that describe how policies will be managed on BlackBerry Enterprise Servers.
Recommendation 8. USAID's Chief Information Officer implement documented policies that define which types of mobile devices are permitted to access the Agency's resources.
Recommendation 9. USAID's Chief Information Officer implement documented policies that define the degree of access that various classes of mobile devices (e.g., organization-issued devices versus those that are personally owned) can have to Agency resources.
Recommendation 10. USAID's Chief Information Officer revise Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545 to be consistent with the requirements regarding encryption of information stored on mobile devices in Automated Directives System 545.3.6.6, "Mobile Computing Devices" (November 9, 2012).
Recommendation 11. USAID's Chief Information Officer revise Automated Directives System 549.3.4.3, "Electronic Mail (E-Mail)," to reflect the Agency's current policy regarding e-mail usage for sensitive but unclassified information.
Recommendation 12. USAID's Chief Information Officer revise the following documents, as appropriate, to make clear policy statements regarding requirements for antivirus software and firewalls on mobile devices: Automated Directives System 545.3.6.6, "Mobile Computing Devices," and Mobile Computing Standards: A Mandatory Reference for ADS Chapter 545.
Recommendation 13. USAID's Chief Information Security Officer document a risk assessment for the "Agency for International Development Network."
Recommendation 14. After implementing Recommendation 13, we recommend that USAID's Chief Information Security Officer incorporate necessary updates to the risk assessments for iPads, iPad2s, iPad3s, and iOS 6.
Recommendation 15. USAID's Chief Information Security Officer include the following plans in the Agency's written plan of action and milestones, as required by the National Institute of Standards and Technology's Recommended Security Controls for Federal Information Systems and Organizations:
    (a) Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies.
    (b) Create tools and applications for mobile devices.
    (c) Develop, test, and document sanitization procedures for mobile devices.
Recommendation 16. USAID's Chief Information Security Officer either finalize the risk assessment for the Agency's BlackBerry mobile devices or, if the devices will be phased out in the next year, formally document and accept the risk of not completing the risk assessment for them.
Recommendation 17. USAID's Chief Information Security Officer update the security policy for Agency BlackBerrys if USAID finalizes the risk assessment for Agency BlackBerrys detailed in Recommendation 16.
Recommendation 18. USAID's Chief Information Security Officer implement and require two-factor authentication for access to Agency e-mail, with one factor separate from the device, as required, and document the results.
Recommendation 19. USAID's Chief Information Officer implement the Agency's strong password policy to unlock iPhones and BlackBerry mobile devices, as required, and document the results.
Recommendation 20. After implementing Recommendation 15, USAID's Chief Information Officer configure the servers for mobile devices to restrict the ability to download applications to the devices, as appropriate.