IT Baseline Protection Manual S 2.190 Setting up a mobile phone pool
S 2.190 Setting up a mobile phone pool
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
If a large number of mobile phones are in use within the organisation and their users change frequently, it may be advisable to keep those mobile phones which are temporarily not in use in a pool.
Steps must be taken to ensure that all mobile phones are kept charged so that they can be used immediately. It should be noted here that a battery discharges over time even if it is not being used. If the mobile phones are frequently used for long periods, a stock of spare batteries should be held.
Note: the battery chargers should be assigned uniquely to the mobile phones in a manner which makes them easy to identify. Most battery chargers look very similar but unfortunately they are generally not interchangeable.
In addition, returns and issues of mobile phones must be documented so that it is clear at any time which device is being used by whom. Every user should be entered in the issue journal by name, organisational unit, date and time.
The following points must be borne in mind in connection with the issue and return of mobile phones:
Issue:
The new user should be given all the necessary PINs and passwords required to use the mobile phone. If any of these are changed by the user himself, the new values must be documented when the equipment is returned.
In addition, the user must be given the call number of the mobile phone.
The new user should be provided with an instruction sheet on the secure handling of the mobile phone. He should also be given the operating instructions for the mobile phone. As well as being able to use the phone in the normal manner, it is important that the user should also be able to interpret any warning displays (such as icons shown on the display).
The mobile phone should be handed over charged and together with the appropriate battery charger. If the mobile phone is to be used for long periods at a time, an additional replacement battery should also be supplied, likewise charged.
Return or transfer:
The user should provide the most recently used PINs and passwords. These must be checked to make sure they are correct. They must be written down (and kept in a safe place).
The equipment, accessories and documentation must be checked for completeness. The device should be checked for any faults.
The user must ensure that all data still required is transferred to data media which he can access (e.g. his PC) prior to returning the equipment. In addition, the user himself must take steps to ensure that all data generated by him (e.g. phone numbers) has been deleted.
The number memory of the mobile phone will contain details of the phone numbers called most recently. The numbers of the people who called most recently will also be held if a caller identification function is available and has been enabled. These numbers should be cleared prior to a change of user. It is also possible for call numbers to be stored in telephone directories both on the mobile phone itself and also on the SIM card. Personal call numbers should similarly be deleted prior to transferring possession of the phone. The call numbers which are important for business communications purposes should be permanently available to all users.
Again, short messages, faxes or e-mails may be held on the mobile phone or the SIM card. These too should be deleted before passing on the equipment.
Additional controls:
Are users informed of the rules and security precautions which they are expected to observe when they are issued with a mobile phone?
Are users informed of the importance of taking proper care of the mobile phone when they are issued with it?
Are issues and returns of mobile phones documented?