Check: WIR-SPP-020
Smartphone Policy:
WIR-SPP-020
(in version v1 r8)
Title
All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board. (Cat II impact)
Discussion
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.
Check Content
Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board. -Select 3-4 random devices managed by the site to review. -Make a list of non-core applications on each device. --Have the user log into the device. View all App icons on the home screen or in folders on the home screen. --If an App is not in the list of core Apps (see below), then note the name of the App. --Verify the site has written approval to use the App from the DAA or site IT CCB. -Mark as a finding if any App has not been approved. A list of standard core mobile OS applications can be found in the mobile device manual from the handset manual.
Fix Text
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.
Additional Identifiers
Rule ID:
Vulnerability ID: V-32674
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |