Mobile Phone Voice Security Policy - Cellcrypt Voice Security

By Dustin Gonzales, 2014-07-01 11:40

    Mobile Phone Information Security Policy

    Template Mobile Phone Information Security Policy. This document is provided to assist organizations in implementing an Information Security Policy (ISO/IEC 27002) regarding the use of Mobile Phones.

    It is provided free of charge and is intended to be modified as appropriate for use for your organization (note the disclaimer below). If you have comments, please email to

1.0 Purpose

    The purpose of this policy is to define standards for use of mobile phones in <Company> to protect information privacy. These standards are designed to minimize exposure of the individual and/or <Company> to damages that may occur through unintended communication of confidential or sensitive information. Damages include the loss of sensitive or company confidential information, sensitive or confidential personal information, intellectual property, damage to public image, damage to infrastructure or increased personal threat to <Company> employees or others.

2.0 Scope

    This policy applies to all <Company> employees, contractors and agents when using mobile phones on company business or to discuss company business (whether or not the phone is owned / paid for by the company).

3.0 Policy

3.1 General

    Mobile phones allow employees to conduct business more effectively. However, as with all electronic communication mechanisms (such as email), mobile phones also give criminals or others a new way to gain illegal or unintended access to confidential company information.

    It is the responsibility of all employees, contractors and agents of <Company> to take reasonable steps to ensure the security of their voice communications on mobile phones and to follow the guidelines set out in this policy document.

3.2 Confidential or sensitive information

    The criteria for information to be classified as confidential or sensitive are not rigidly defined [note: in some organizations, information categories are formally defined and this section may be unnecessary or partially incorporated as appropriate]. However, such information can be considered to be any information that, if disclosed inappropriately, could cause material harm to <Company> or its employees. This category includes:

    • Information formally classified by official bodies (e.g. Restricted, Confidential,

    © 2010 Cellcrypt. All rights reserved. (CVSPT180110,1)

    • Information covered by government regulations such as Sarbanes-Oxley or
    • Information received from others under Non Disclosure agreements or marked as private or confidential
    • Financial data (e.g. sales forecasts)
    • Commercial data regarding the status, operation or internal workings of the
    • Information regarding <Company>’s Intellectual Property
    • Information that impacts the reasonable privacy of individuals such as personally identifiable information protected by data protection or privacy legislation such as Data Retention Regulations
    • Information that impacts the security of individuals e.g. travel plans in regions where personal security is known to be an issue

3.3 Risk assessment [replace with formal policy if available]

    In the absence of formal information classification labeling, employees must use judgment to determine the sensitivity of communicated information. Included in the judgment are:

    • Confidentiality or sensitivity of information (see section 3.2)
    • Longevity of information (information that becomes obsolete quickly may have a lower acceptable risk)
    • Urgency of communication (so as to balance potential loss by not communicating the information versus the loss if it were intercepted)
    • Likelihood of interception (consideration of location, environmental factors)

3.4 Phone Management

    Mobile phones are inherently open to exploitation and interception. To reduce the chance of such exploitation and minimize the danger of interception:

    1. Never leave your phone outside your control (e.g. in a hotel room) where it can be tampered with. It only takes a few seconds for a phone to be compromised.

    2. Always set a PIN / password for your phone that is activated at power-on and when the phone goes into standby mode.

    3. Ensure Bluetooth, Infrared and other data transfer methods are disabled when not in use, require a PIN / password and only connect to trusted sources.

    4. Do not install software or open email attachments on your phone unless you are sure they have come from a trusted source [replace with reference to existing policy regarding downloading programs and email attachments as appropriate].

    5. Remove the battery from your phone when not in use in confidential meetings to minimize the risk of a compromised phone acting as a listening device.

3.5 Call location [split by information category as appropriate]

    You must ensure you, and the person you are talking to, are in secure environments before discussing confidential or sensitive information via mobile phones. A secure environment is an environment where you have confidence you will not be overheard or lip-read. For the avoidance of doubt, public transport (planes, trains etc.), public waiting areas (airport lounges), restaurants and other public places should not be used to discuss confidential information. It is a false assumption that those around you have no interest in your conversations.

3.6 Calling Practice [split by information category as appropriate]

    To reduce the risk / impact of call interception:

    1. Never assume your conversation is secure, especially when calling internationally. In some countries, mobile phones have no encryption at all and are widely open to interception.

    2. Reference existing knowledge in such a way that any eavesdropper would obtain an incomplete and therefore unusable set of information (e.g. refer to “the customer that visited last week” rather than the actual customer name).

    3. Where code words are routinely used, e.g. for customer names, ensure that these are used uniformly. Be consistent - do not mix code words and customer names.

    4. For conversations covering confidential or sensitive information [replace with existing categories as appropriate], use trusted call encryption software to secure your calls. The use of call encryption software is mandatory for calls covering confidential or sensitive information abroad.

    5. Don’t assume that “routine” calls are less sensitive than “important” ad hoc ones. The weekly sales, management or Board call usually contains highly sensitive or confidential information for a potential attacker.

    6. Take particular care to ensure that all members of a conference call are in a secure environment before proceeding and that all participants are formally authenticated into the call.

    7. If confidential calling is not possible, simply don’t disclose any confidential or sensitive information [replace with existing categories as appropriate]. Arrange to discuss at a later time when call security can be assured.

4.0 Enforcement

    This document provides guidance for mobile voice calling. Any employee found to have willfully or negligently violated this policy may be subject to disciplinary action.


    This template policy is provided “as is” for guidance only. The provided information (policies, procedures, samples, examples, and guidelines) is not guaranteed for accuracy, legality, compliance with ISO/IEC 27002 or related international standards, or suitability for use in any particular environment or jurisdiction. Cellcrypt Ltd [1], Cellcrypt Inc [2], and any other Cellcrypt company accept no responsibility for any loss arising directly or indirectly from the use of this document howsoever caused. The reader is encouraged to seek professional advice where appropriate in reusing all or any of this template policy.

    [1] Cellcrypt Limited (5561489) whose registered address is 222 Regent Street, London W1B 5TR, United Kingdom

    [2] Cellcrypt Inc, (0380112) 42 Reads Way, City of Newcastle, County of Newcastle, Delaware, 19720 USA

Contact Cellcrypt:

    Europe & Asia Pacific: 222 Regent Street, London, W1B 5TR, United Kingdom. tel: +44 (0) 2070 995 999

    North America: One Freedom Square, 11951 Freedom Drive, Reston, VA 20190, United States. tel: +1 703 251 4887

    North America: 530 Lytton Avenue, Palo Alto, CA 94301, United States. tel: +1 650 617 3219

    Middle East & Africa: JLT Lake Plaza, Unit 1504, P.O. Box 38255, Dubai, UAE. tel: +971 (0)4390 2908

    Latin America: 7791 NW 46 St, Suite 104, Miami, FL 33166, United States. tel: +1 786 999 8425
