| Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include: Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Organization-defined software may be a specific application, web site or web sites in general. Organization-defined actions include but are not limited to: alerts to the user, logging actions, a centralized alarm, or any combination thereof.
Rationale for non-applicability:
The MOS SRG requires application sandboxing, which is core security architecture common to most commercial mobile OSs. In this environment, an application cannot enforce the behavior or actions of another application. Only the OS can effectively enforce mobile code requirements throughout the device. If an application were ever granted the privileges to perform such a function on a mobile device, the application would pose a significant IA risk to device integrity. |
