ГОСТ Р № 57580.1-2017 от 01.01.2018

УПД.13 Реализация защищенного удаленного доступа субъектов доступа к объектам доступа через внешние информационно-телекоммуникационные сети

ЗУР.3 Обеспечение и контроль соблюдения требований и выполнения мер, направленных на реализацию процесса «Защита информации при осуществлении удаленного логического доступа с использованием мобильных (переносных) устройств», предусмотренных ГОСТ Р 57580.1.

/STANDARD
Smartphones and tablets are a part of our daily personal and professional lives. The first recommendation consists precisely of not sharing personal and professional uses on the single and same device, for example by not simultaneously synchronising professional and personal email, social networks and calendar accounts, etc. 

The devices, provided by the organization and used in a professional context, must be subject to a separate securing, as soon as they are connected to the organization’s information system or as soon as they contain potentially sensitive professional information (mails, shared files, contacts, etc.). Consequently, the use of a centralised management solution for mobile devices is to be favoured. It will be desirable to uniformly configure the inherent security policies: a method for unlocking the device, limiting the use of the application store to validated applications from a security point of view, etc. 

Otherwise, configuration prior to distribution of the device and an awareness raising session with users is desirable. 

/STRENGTHENED 
Finally, in order to make the device on its own unusable, the use of an additional external media (smart card or USB token for example) to hold decryption or authentication secrets may be considered. In this case, it must be kept separate. 

/STANDARD
Frequent journeys in a professional context and the miniaturisation of IT hardware often lead to their loss or theft in a public space. This may put the sensitive data of the organization which is stored on it at risk. 

Therefore, on all mobile hardware (laptops, smartphones, USB keys, external hard drives, etc.), only data that has already been encrypted must be stored, in order to maintain its confidentiality. Only confidential information (password, smart card, PIN code, etc.) will allow the person who has it to access this data. 

A partition, archive or file encryption solution may be considered depending on the needs. Here, once again, it is essential to ensure the uniqueness and robustness of the decryption method used. 

As far as possible, it is advisable to start by a complete disk encryption before considering archive and file encryption. These last two respond to different needs and can potentially leave the data storage medium unencrypted (backup files from office suites for example). 

/STANDARD
Mobile devices (laptops, tablets and smartphones) are, naturally, exposed to loss and theft. They may contain sensitive information for the organization, locally, and constitute an entry point to wider resources of the information system. Beyond the minimal application of the organization’s security policies, specific security measures for these devices must therefore be provided. 

First and foremost, users’ awareness must be raised to increase their level of vigilance during their trips and keep their devices within sight. Any organization, even a small sized one, may be the victim of a cyberattack. Consequently, when mobile, any device becomes a potential or even favoured target.
 
It is recommended that mobile devices are as ordinary as possible, avoiding any explicit mention of the organization they belong to (by displaying a sticker with the colours of the organization for example). 

To avoid any indiscretion during journeys, especially on public transport or in waiting areas, a privacy filter must be placed on each screen.. 

/STANDARD
In a mobile working situation, it is not uncommon for a user to need to connect to the organization’s information system. Consequently, it is important to ensure this network connection is secure through the Internet. Even if the option of establishing VPN SSL/TLS tunnels is now common, the establishment of a VPN IPsec tunnel between the mobile workstation and a VPN IPsec gateway, provided by the organization, is strongly recommended. 

To guarantee an optimal level of security, this VPN IPsec tunnel must be automatically established and not removable by the user, in other words no flow must be able to be sent outside of this tunnel. 

For specific authentication needs on captive portals, the organization may choose to depart from automatic connection by authorising a connection upon request, or keep this recommendation by encouraging the user to use tethering on a trusted mobile phone.. 

A.11.2.6 Безопасность оборудования и активов вне помещений организации 
Мера обеспечения информационной безопасности: Следует обеспечивать безопасность активов вне помещений организации, учитывая различные риски информационной безопасности, связанные с работой вне помещений организации 

А.6.7 Удаленная работа
В случае удаленной работы персонала должны быть реализованы меры безопасности для защиты информации, к которой осуществляется доступ, и той которая обрабатывается или хранится за пределами помещений организации.

А.7.9 Безопасность активов за пределами организации
Должны защищаться активы за пределами защищаемого периметра организации.

А.7.9 Security of assets off-premises
Off-site assets shall be protected.

А.6.7 Remote working
Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.