#FindingsFriday: ISO 27001:2013 - Annex A.6.2.1 Mobile Device Policy

The Finding

Laptops are encrypted. Policy ISP 11 should define encryption levels.

Some Context to the Finding

It is normal to use passwords to prevent people from gaining unauthorised access to files on a device. However, encrypted passwords provide a higher level of protection because they can only be decoded with a key. (If you use online banking, there is a fair chance that you need to use a special device to gain access to your account, or you may have experienced occasions where a passcode gets sent to your mobile phone before you can access a software package or pay for something online.)

During the Stage 1 assessment it was identified that this software development company had implemented effective control measures, having made use of password encryption for mobile devices such as laptops. However, the control had not been documented within the company's Information Security Policy (ISP) for Mobile Devices.

Action taken to address the finding

The company updated their mobile devices policy to reflect the use of encrypted passwords.

In reviewing the policy, the company also identified the opportunity to strengthen the wording around the controls for ensuring that mobile devices are shut down properly before leaving company (or client) premises. This extra step was intended to minimise the level of risk in the event of loss or theft of a mobile device.

Lessons to take from this finding

  1. The use of encrypted passwords helps to add an extra level of protection to mobile devices.

  2. Security documentation should reflect the level of controls that should be applied within the organisation, so that new devices are configured in the same way in future.

  3. Remind staff of the basic need to shut down devices so that nobody can bypass the protection of the encrypted passwords.


If you've got Certification Body reports where you think other people could benefit from your findings, we'd love to hear from you! You can send reports to and can be sure that details will be anonymised.

