IS 17737 : Part 2 : 2021 Mobile Device Security Part 2 Security Requirements

ICS 33.050.10, 35.030

LITD 17

New Standard from Last Update.

1. SCOPE

This standard (Part 2) identifies high-level security risks and related security threats, and defines security characteristics with security control requirements to mitigate threats to the mobile device technology stack, consisting of mobile hardware, firmware, operating system, and pre-installed apps, from the mobile ecosystem.

The security threats to mobile devices for personal and enterprise use covered in this standard are:

a) Direct security threats by mobile device; and

b) Indirect security threats from other components of the mobile ecosystem like network, user and malicious apps.

The security threats to other core components of the mobile ecosystem, such as third-party mobile apps, mobile network, and infrastructure, are out of scope as independent entities.

2. REFERENCES

The standards/documents given below contain provisions which, through reference in this text, constitute provisions of this standard. At the time of publication, the editions indicated were valid. All standards/documents are subject to revision, and parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards listed as follows:

IS 17737 (Part 1) : 2021 Mobile device security: Part 1 Overview

IS 17737 (Part 4) : 2021 Mobile device security: Part 4 Assessment and evaluation

IS 15256 (Part 1) : 2011 Banking - Key management (retail): Part 1 Principles (first revision)

ISO/IEC 19790 : 2012 Information technology - Security techniques - Security requirements for cryptographic modules

CIS Benchmarks (Android and iOS)

OWASP Top 10 Mobile Security Risks, 2016

OWASP Mobile Application Security Verification Standard (MASVS), Version 1.1

SANS Mobile Device Checklist