iOS Hardening Configuration Guide - DSD
Chapter Four
Suggested Policies
This chapter lists suggested policies in graduated levels of response, applied to iOS devices at varying security classifications. The agency’s Information Technology Security Advisor should be consulted for the specific usage scenarios for a deployment.
Note: at the time of writing, iOS devices implement DSD Approved Cryptographic Algorithms and Protocols (and the implementations have been submitted for FIPS-140-2 certification), but have not yet completed a DSD Cryptographic Evaluation (DCE) conducted by DSD. In the absence of a DCE, use with PROTECTED and/or RESTRICTED content would require the agency head and accreditation authority (typically an SES-level staff member tasked with CISO responsibilities) to provide a dispensation for use. The ISM and agency security policy should be consulted directly for risk assessment and mitigation procedures in such use-cases.
If iOS devices are being considered for use at classifications above RESTRICTED/PROTECTED, agencies must undertake a risk assessment following the guidance in the ISM as well as their own agency security policies and determine mitigation procedures and policy. Agencies must also obtain any dispensations as required by the ISM.
| Feature | Unclassified | XX-in-Confidence | Restricted/Protected |
|---|---|---|---|
| Hardware Crypto iOS Devices | Agency’s Decision | Recommended | Must |
| BYOD (Bring Your Own Device) | Agency’s Decision | May be possible (MDM opt-in for AUP agreement and enforcement recommended). See ISM section on Mobile Devices. | May be possible (MDM opt-in for AUP agreement and enforcement recommended). See ISM section on Mobile Devices. |
| Passcode | Must | Must | Must |
| iTunes Account | Personal or Agency | Personal or Agency | Personal or Agency |
| Sync to Content/Sync to iTunes Account | Yes, if Personal iTunes | Generally no | Generally no |
Defence Signals Directorate