U8: All devices (including desktops, laptops and mobile devices such as smartphones and tablets) storing or processing confidential information must meet Harvard device protection requirements.
See User Device Requirements.
U12: Confidential information in any form must be appropriately protected.
D4: Client applications on the device which might be used to access or transfer confidential information must be configured to protect their communications.
SA3: Communications between servers or applications and client machines must be protected.
SA4: Communications between servers or applications must be protected.