IT Baseline Protection Manual S 2.188 Security guidelines and rules for the use of mobile phones

-->

S 2.188 Security guidelines and rules for the use of mobile phones

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section, IT Security Management

A number of different ways of protecting mobile phones against misuse are available. In order that the methods are also used, a set of security guidelines specifying all the security mechanisms to be implemented should be drawn up. In addition, a short and clear instruction sheet covering the secure use of mobile phones should be prepared for the users.

Data classes found

As soon as a mobile phone is switched on, it registers itself with the network provider through the nearest base station. At the network provider, data on the identity of the user, the serial number of the mobile phone and the identity of the base station over which registration has occurred is logged and stored. This is done even if no conversation takes place. Moreover, every time a number is dialled this event is stored, irrespective of whether a connection is established or not.

The classes of data generated during use of mobile phones fall into three rough categories:

Inventory data (or master data) is data which is permanently held in a service or network and is kept available. This includes the call number and, if necessary, the name and address of the subscriber, information about the type of terminal device, if appropriate any features and authorisations relevant to the connection as well as data about the assignment of subscriber groups.

Content data is the real "useful data", i.e. the information and messages transmitted.

Call data provides information about the detailed instances of communication. This includes data on communication partners (e.g. call numbers of the calling and called connection), time and duration of the connection, system services used, connections used, lines and other technical facilities, services and, in the case of mobile services, the location IDs of the mobile terminals.

Recommendations are provided below as to how this data can be protected against misuse.

Protection against card misuse

The mobile phone and SIM card must always be kept safe. They should never be left unattended during business trips. In particular they should not be left in parked vehicles.

Mobile phones and related services offered can be protected at various points by means of PINs and passwords. These include:

access to the SIM card,

access to the actual terminal device, i.e. the mobile phone,

access to certain functions of the mobile phone, e.g. the telephone directory,

access to the mailbox, i.e. to the answer phone function, or to other services of the network provider,

access to data held by the network provider (e.g. when a caller queries the hotline about billing, sometimes a password has to be given).

All these security mechanisms should be used (see also S 4.114 Use of the security mechanisms provided on mobile phones). Under no circumstances should the personal identification number (PIN) be kept in the same place as the SIM card for the mobile phone.

If the SIM card is lost, arrangements should be taken immediately for the network provider to block the card so as to prevent possible misuse and any resulting financial loss (see S 2.189 Blocking of the mobile phone in the event of its loss).

To ensure that misuse of the SIM card is noticed promptly, the itemised call breakdown should always be checked for inexplicable charges and destination numbers.

Itemised call breakdowns

The network provider stores the call data for billing purposes. In Germany, under the directive concerning data protection for companies which provide telecommunications services (TDSV) the network provider is only allowed to retain this data up to the date on which an invoice is prepared, but no longer than 80 days. However, it can be appropriate for the customer to allow the network provider to store the call data for longer in case any problems should subsequently occur in connection with invoicing.

Every customer should demand itemised call breakdowns in order to be able to review mobile phone usage. In Germany customers are entitled to receive itemised call breakdowns free of charge. The following data can be obtained from this source:

invoice date,

numbers called (full number or else the last numbers may be unavailable)

beginning, end and duration of the call,

cost of the call.

All users who share the telephone must be informed of the fact that an itemised call breakdown has been requested and what data will be collected by this means.

If an organisation maintains and analyses itemised call breakdowns for cost control reasons, the procedure must be agreed with the works council or staff council, and the Data Privacy Officer and users must be advised.

The itemised call breakdowns should always be checked following receipt to ensure that they are correct. This will provide insight into possible ways of reducing costs.

Disclosure of call numbers

It is possible to choose whether and what data on mobile phone connections should be entered in public phone directories and/or be available to users of directory enquiry services. If a call number is entered it is easier for other people to call one. However, this is not appropriate for all applications, e.g. where a mobile phone pool is used or if it is desirable to keep the number of incoming calls low.

If the calling number display function is enabled, persons called can see the number from which they are being called (assuming their equipment has the appropriate configuration). This service can generally be enabled or disabled by the network provider for a given mobile phone.

Call number suppression

In the GSM network, the number from which a call is being made can be indicated to the recipient of a call. If this is not desirable, then the precautions suggested in S 5.79 Protection against call number identification during use of mobile phones should be heeded.

Protection against interception of phone calls

The only effective protection against interception of the contents of phone calls is to employ interoperable, network-wide end-to-end encryption. As this encryption is not implemented, every connection over either the landline network or the mobile communication network can potentially be intercepted. However, in Germany and most other countries communications between mobile phone and base station are automatically encrypted.

The following measures are recommended as a means of reducing the threat:

Phone calls should not be made at any time and in any place. To make a phone call, a quiet area should be sought (this will also mean less disturbance to other people).

As a matter of principle, confidential information should not be communicated on the telephone.

Some mobile phones indicate on the display when the transmission between mobile phone and base station is not encrypted. If such a display is provided, users should be told about it. From time to time users should glance at the display to satisfy themselves that calls are actually being encrypted. Thus, for example, there are some countries in which communications between mobile phone and base station are not encrypted.

There are also a few, relatively expensive mobile phones which allow end-to end encryption of communications. However, to avail oneself of this facility, both the caller and the person receiving the call must use compatible equipment. If there is a need to frequently communicate highly sensitive information over mobile phone, it may be appropriate to invest in such equipment.

Where data is to be transmitted e.g. from a laptop over GSM, it should be encrypted on the terminal device prior to transmission. A number of programs are available for achieving this relatively simply.

When mobile phones or SIM cards are passed around a circle of users, it requires a lot of effort to intercept telephone calls in a targeted manner. It may therefore be appropriate to employ such means when highly sensitive information or data is to be transmitted.

A check should be made as to whether all call charges are billed to the subscriber. If certain connections do not incur any charges, this could be a sign that interception is taking place.

Raising the awareness of users

Because people are often careless about the danger of communications being intercepted, organisations should check that existing measures aimed at creating staff awareness of the relevant dangers are sufficient. If necessary it may be appropriate to inform staff at regular intervals about the dangers of having their calls intercepted and of making them fully aware.

Employees should also be briefed on the requirement not to disclose confidential information on the telephone without taking additional precautions. In particular, checks should be made as to the identity of callers before giving out any detailed information (see also T 3.45 Inadequate checking of the identity of communication partners). Where mobile phones are used, care should also be taken to ensure that confidential information is not discussed in public.

Spectacular but false warning messages are always in circulation (see also T 5.80 Hoaxes). To avoid wasting valuable working time checking whether such messages are true or not, all staff should be informed as soon as possible following the occurrence of a new hoax. There are various information services which send out appropriate warnings.

Rules on the use of mobile phones

Where mobile phones are used in an organisation, a number of aspects needs to be subject to control. These concern the use of both private and also work mobile phones.

Use of private mobile phones

If there are not enough mobile phones to go round within the organisation, it is possible that private mobile phones could be used for business purposes. However, the following aspects must be settled in advance:

Who pays for business calls and how will they be settled?

Modern mobile phones contain diaries, address books, e-mail support and other functions. To make the most of these functions it is usually necessary to synchronise the phone with a PC. Therefore the issue of whether installation of the hardware and software necessary for this is permitted must be resolved.

Use of business mobile phones

Similarly, a number of items need to be regulated with regard to the use of mobile phones belonging to the company/organisation:

A policy must be established as to whether private calls may be made with work mobile phones and, if so, to what extent.

Consideration should be given to whether only calls to certain communication partners should be allowed, e.g. to avoid unnecessary expense and/or restrict the disclosure of information (see also S 2.42 Determination of potential communications partners). This can be achieved through either an organisational procedure or technical means, as described below under the keywords "Call restrictions" and "Closed User Group".

Even where work mobile phones are used, users should be informed of the related costs in order that these can be kept as low as possible. Thus, users should be informed of the tariff structure and roaming agreements in order that, for example, they can select the most favourable network provider when making calls abroad.

Users should be informed as to the care they should take with their mobile phones to avoid loss or theft and to ensure that the equipment has a long useful life (e.g. looking after batteries, care of phones outside office or living rooms, sensitivity of equipment to excessively high or low temperatures).

The administration, maintenance and issue of mobile phones should be controlled. For this purpose it is recommended that a mobile phone pool is set up (see S 2.190 ).

Every time a change of user occurs, all the necessary PINs must be passed on securely (see S 2.22 Escrow of passwords).

General rules

Irrespective of whether the mobile phones used have been purchased privately or by the business, the employer should issue the following rules in writing:

Anyone driving a vehicle on business must not make any calls during the journey, as otherwise in the event of an accident the organisation could be held jointly liable.

Business secrets must not be disclosed over the mobile phone. The threat here is not so much that the communication will be intercepted on the communications link (over the network) as that it will be overheard by persons in the immediate environment.

Users should satisfy themselves as regards the identity of the person they are talking to and should not jump to hasty conclusions before passing on information that is internal to the organisation.

As far as possible, a mobile phone should never be left unattended. If a mobile phone has to be left behind in a motor vehicle, then the device must not be visible from outside. Alternatives are to cover the device or to lock it up in the boot. Mobile phones have a certain value which could attract potential thieves.

If the mobile phone is used on-site in offices which do not belong to the organisation, then the security rules in force in the organisation being visited must be observed.

Mobile phones should not be left around unprotected on third-party premises such as hotel rooms. All password protection mechanisms should be enabled now if this has not already been done. Locking the phone up in a cabinet will discourage casual thieves.

Cost information

Every year GSM phone calls become cheaper, but there are certain options which in the long run can incur high charges. As charging structures are changed frequently, users should be informed at regular intervals as to how much the various types of connection cost and how these are affected by the time of the call, as well as the cost of other options.

When mobile phones are used, receiving a call itself can cost money if the person being called is abroad, for example, or has activated call forwarding to the landline network. As the caller has no means of knowing where the person he is calling is, the forwarding costs are not charged to him.

Rules regarding contactability

Even when people have a mobile phone there are times when they either cannot or would not wish to be called. Thus it can create a bad impression if mobile phones are used at every opportunity. If possible, mobile phones should be switched off during meetings or presentations. As a minimum, the ringing tone should be disabled or be set so that it is barely noticeable. Whenever it will not be possible to talk freely (e.g. during meetings, in restaurants etc) use of the mobile phone should be avoided from the outset.

On the other hand, steps should be taken to ensure that the user can be contacted. Various options are available for ensuring this. For example,

times when users are to be contactable can be specified;

the answerphone function can be used;

or the phone can be configured so that calls are diverted to a secretary.

Banning the use of mobile phones

Consideration should be given as to whether the use or even the carrying of mobile phones should be restricted in all or certain areas of the company/agency. For example, this could be a good idea for meeting rooms (see also S 5.80 Protection against bugging of indoor conversations using mobile phones). If the IT security policy of the institution does not allow mobile phones to be brought into the building, clear notices to this effect must be placed on all the entrances. Checks should then be made at regular intervals to ensure that the policy is being adhered to.

The use of mobile phones can sometimes have an adverse effect on the proper functioning of other technical devices. This is why mobile phones have to be switched off, for example, in aircraft or intensive care wards. Mobile phones can also exercise interference on other, sensitive IT systems. For example, such interference has been observed in server rooms and computer centres. The lower the transmitting power of the mobile phone or the further away that the mobile phone is from any sensitive equipment, the less likely it is to cause interference.

Where IT systems are used to process sensitive data or are connected to a computer network, no mobile phone cards should be permitted (see also S 5.81 Secure transmission of data over mobile phones).

There is no foolproof way of protecting against the unauthorised transmission of data over mobile phones, especially by insiders. However, taking mobile phones into sensitive areas should be forbidden and checks should be made at regular intervals to ensure that this ban is being adhered to.

Telephone directories

Call numbers and the associated names and/or additional details can be stored in the telephone directory of a mobile phone. Telephone directories can be stored on the terminal device, i.e. on the mobile phone or SIM card. They do not have to have the same content. PINs can be used to restrict access to a given telephone directory in the memory of the terminal device and/or of the SIM card.

Whether it is best to hold telephone numbers in the mobile terminal or on the SIM card will depend on various factors, for example how easy it is to back up the data to other media (see S 6.72 Precautions relating to mobile phone failures). Generally it is recommended that the data is stored on the SIM card, since

if the SIM card is replaced, the data can be made available on other devices and

any sensitive data can be easily cleared from the device (this is important, for example, where repair work is necessary or a change of user occurs).

If possible, only one type of storage should be chosen. All important call numbers should be stored in this telephone directory to ensure that they are available at all times. The stored call numbers should be checked from time to time to ensure that they are still correct and are necessary. All call numbers should be stored in such a way that they can be called from anywhere in the world, i.e. including the country and area codes. Since only the country code is internationally agreed, and not the zero, every call number should be entered with a "+" at the beginning, followed by the country code (e.g. +49 for Germany), area code without leading zero and then the actual phone number. For example, a possible entry might be +492289582369 GS hotline.

If the mobile phone is used by several users, only phone numbers which are shared should be stored here. In addition, any facilities allowing the prevention of changes to the telephone directory via the existing blocking mechanisms should be used.

Use of answerphone functionality

Most network providers offer a service allowing an answerphone function on a mobile phone. Under such arrangements, incoming calls are stored at the network provider's in a mailbox or mobile box which can be retrieved by the user at any time. This can be very useful, but generally use of the service incurs additional costs.

Access to the mailbox should be protected by a PIN. Even when the mailboxes not used, the preconfigured PIN should be changed early on to prevent use by third parties.

Messages recorded should be listened to at regular intervals. All the users must be informed as to how the answerphone function works.

Call diversion

The call diversion function enables incoming calls to be diverted to the mailbox or to a different call number. There are several variants of this:

All incoming calls are diverted.

Calls are only diverted when the line is busy.

Calls are only diverted if a connection cannot be established to the phone, e.g. due to a gap in coverage or because the mobile phone has been switched off.

Certain types of call can be diverted, e.g. voice, data or fax calls.

However, it should be noted here that call diversions to landline network connections can incur high charges as the person who is being called has to pay the diversion costs himself.

Call restrictions

Call restrictions can be used to block calls to or from a call number. These functions are provided via the network provider and can be modified on the mobile phone. Normally it is necessary to enter a password.

Call restrictions can be a good idea if the mobile phone is to be passed on to third parties. There are various types of call restrictions:

Barring of all outgoing calls

This means that only incoming calls can be handled, and apart from emergency numbers it is not possible to initiate any outgoing calls.

Barring of all outgoing international calls

This restriction means that only numbers in the country in which the user is currently located may be dialled. Calls from abroad can continue to be received.

Barring of all outgoing international calls except for calls to the user's home country.

This allows calls to be made back to the home country (i.e. the country of the network provider). Calls to other countries are barred.

Barring of all incoming calls

It is only possible to make outgoing calls. This ensures that there are no interruptions from incoming calls.

Barring of all incoming calls when the user is abroad

Within the home country calls can continue to be made as normal. However, when the user is abroad, no telephone calls can be received any more. This option can be useful as the reception of calls sometimes attracts high charges in foreign countries.

Whether any call restrictions should be chosen and, if so, which ones, will depend on the way in which the mobile phone concerned is used.

Closed User Group

The "Closed User Group" service allows communications to be restricted to the members of that group (see also S 5.47 Configuration of a Closed User Group).

The group members must be registered with the network provider. The "Closed User Group" option can be activated on the mobile phone. It can be appropriate to set up closed user groups, for example, to restrict the transmission of data by mobile phone.

Additional controls:

Is there an up-to-date set of security guidelines for the use of mobile phones?

How is adherence to the security guidelines on the use of mobile phones checked?

Does every mobile phone user have a copy of these mobile phone guidelines or an instruction sheet which contains a summary of the most important security mechanisms?

Are the security guidelines for the use of mobile phones included in the training given on IT security measures?

Are mobile phone users informed of the rules which they are expected to observe?

Are mobile phone users informed of the importance of taking proper care of the equipment?

last update:
October 2000

home