Byod security audit program

Uploaded on

BYOD Security! IT managers are well aware of the benefits that BYOD presents your organization in terms of increased productivity and hardware cost savings for your company. But you also know the …

BYOD Security! IT managers are well aware of the benefits that BYOD presents your organization in terms of increased productivity and hardware cost savings for your company. But you also know the many risks your organization faces to its data security and internal process integrity when every user in your organization has almost complete control over the technology that is critical to your success. To manage this, your company needs an iron-clad governance plan for mobile device usage. Download this comprehensive 49-point security inspection for mobile device security at your company and find out where your security holes are.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. _COMPANY Mobile DeviceAudit Program© 2013Page 1 of 10 This document is part of Toolkit Café’s “BYOD Policies and Procedures Toolkit”.Click here for more information about this comprehensive resource for BYODmanagement in your company! Click here for more FREE IT management resources from ToolKit Café!PurposeThe purpose of Section 1 of this document is to identify the high-level objectives and controlsrelated to the internal audit of the information security issues related to Mobile DeviceManagement.The purpose of Section 2 is to provide a framework for the audit work itself. The content andformat of the audit plan should be customized to your Mobile Device Management program.SECTION 1: Audit/Assurance Objectives And Controls1) Mobile Computing Security PolicyObjective:Policies have been defined and implemented to assure protection of enterpriseassets.Policy Definition Control:Policies have been defined to support a controlledimplementation of mobile devices.2) Risk ManagementObjective:Management processes assure that risks associated with mobile computing arethoroughly evaluated and that mobile security risk is minimized.Risk Assessment Control:Risk assessments are performed prior to implementation of newmobile security devices, and a continuous risk monitoring program evaluates changes inor new risks associated with mobile computing devices.Risk Assessment Governance Control:The executive sponsor is actively involved in therisk management of mobile devices.3) Device ManagementObjective:Mobile devices are managed and secured according to the risk of enterprisedata loss.Device Management Tracking Control:Mobile devices containing sensitive enterprisedata are managed and administered centrally.Device Provisioning/Deprovisioning Control:Mobile devices containing sensitiveenterprise data are set up for each user according to their job description and managed astheir job function changes or they are terminated.4) Access Control
  • 2. _COMPANY Mobile DeviceAudit Program© 2013Page 2 of 10Objective:Access control is assigned to and managed for mobile security devicesaccording to their risk of enterprise data loss.Access Control Rules Control:Access control rules are established for each mobile devicetype, and the control characteristics address the risk of data loss.5) Stored DataObjective:Sensitive enterprise data is protected from unauthorized access and distributionwhile stored on a mobile device.Encryption Protects Sensitive Data Control:Encryption technology protects enterprisedata on mobile devices and is administered centrally to prevent the loss of informationdue to bypassing encryption procedures or loss of data due to misplaced encryption keys.Data Transfer Control:Data transfer policies are established that define the types of datathat may be transferred to mobile devices and the access controls required to protectedsensitive data.Data Retention Control:Data retention polices are defined for mobile devices and aremonitored and aligned with enterprise data retention policies, and data retention isexecuted according to policy.6) Malware AvoidanceObjective:Mobile computing will not be disrupted by malware nor will mobile devicesintroduce malware into the enterprise.Malware Technology Control:Malware prevention software has been implementedaccording to device risk.7) Secure TransmissionObjective:Sensitive enterprise data are protected from unauthorized access duringtransmission.Secure Connections Control:Virtual private network (VPN), Internet Protocol Security(IPSec), and other secure transmission technologies are implemented for devicesreceiving and/or transmitting sensitive enterprise data.8) Awareness TrainingObjective:Employees and contractors utilizing enterprise equipment or receiving ortransmitting enterprise sensitive information receive initial and ongoing training relevantto the technology assigned to them.Mobile Computing Awareness Training Control:Mobile computing awareness training isongoing and is based on the sensitive nature of the mobile computing devices assigned tothe employee or contractor.Mobile Computing Awareness Governance Control:Mobile computing awarenessincludes processes for management feedback to understand the usage and risks identifiedby device users.
  • 3. _COMPANY Mobile DeviceAudit Program© 2013Page 3 of 10
  • 4. _COMPANY Mobile DeviceAudit Program© 2013Page 4 of 10SECTION 2: Detailed Audit ProceduresRef # Description ofAudit ProceduresAuditedByComments1.Mobile Computing Security PolicyDetermine if a security policy exists for mobiledevices.2.Determine if the mobile device security policydefines the data classification permitted on eachtype of mobile device and the control mechanismsrequired based on the data classification.3.Determine if the mobile device security policyutilizes the data classification policy, if one exists.4.Determine if the mobile device security policydefines the types of permitted mobile devices.5.Determine if the mobile device security policyaddresses the approved applications by devicebased on data classification and data loss risk.6.Determine if the mobile device security policydefines the authentication method for each mobiledevice based on the data classification policy.7.Determine if the mobile device security policyrequires enterprise-issued devices if the devicereceives enterprise data.8.Determine if the mobile device security policyrequires a centrally managed asset managementsystem for appropriate devices.9.Determine if the mobile device security policyprescribes authentication and encryptionstorage/transmission (data in transit or at rest)requirements by device type.10.Determine if the mobile device security policyrequires a risk assessment before a device isapproved for use and a risk assessment update atleast annually to determine that new threats areassessed and new technologies considered fordeployment.11.Risk ManagementRisk AssessmentsDetermine if a risk assessment has been performedfor each device type, including assessment ofdevice trustworthiness.
  • 5. _COMPANY Mobile DeviceAudit Program© 2013Page 5 of 10Ref # Description ofAudit ProceduresAuditedByComments12.Obtain the initial risk assessment for each deviceand subsequent assessments.13.Determine how the risk assessment results shouldbe integrated into the current audit.14..Risk Assessment GovernanceDetermine if there is evidence of the executivesponsor reviewing the risk assessment for eachdevice program.15.Device ManagementDevice Management TrackingDetermine if there is an asset management processin place for tracking mobile devices.16.Determine the procedures for lost or stolen devicesand whether the data stored on these devices canbe remotely wiped.17.Determine if locator technology is used to monitorand retrieve lost devices.18.Determine if the device management process iscentrally administered. If distributed, determinethe procedures to ensure compliance with policies.19.Determine if devices are approved by anauthorized manager based on the job functionrequirements.20.Determine if there are exception approvalprocesses for corporate devices to be managedoutside the enterprise management system.21.Determine if foreign mobile devices belonging toexternal personnel (contractors, individualemployees, etc.) are permitted to receive enterprisedata.22.Determine what authorizations are required byenterprise management prior to adding the foreigndevice to the enterprise mobile network.
  • 6. _COMPANY Mobile DeviceAudit Program© 2013Page 6 of 10Ref # Description ofAudit ProceduresAuditedByComments23.Device Provisioning/De-provisioningDetermine if there is a process for provisioningand deprovisioning employee smartphones uponhiring, transfer or termination.a) Select a sample of recent new hires andterminations and determine that appropriateprocedures were followed, includingprovisioning, deprovisioning, returningdevices, etc.24.Access ControlsDetermine the access control rules for each mobiledevice type.25.Determine if access authentication (single ormultilevel) and complexity are appropriate for thedevice and data classification of the data stored.26.Determine if access control rules and access rightsare established for each device by job function andapplications installed.27.Determine if mobile devices containing network,infrared or Bluetooth technology have sharingconfigured according to policy, based on theclassification of data stored or in transit to thedevice.28.Determine if access can be administered anddisabled centrally.29.Determine if mobile devices having storage, i.e.computers, smartphones, etc., have restrictions asto the applications that can be installed and thedata content that can be stored on the devices.30.Determine if centrally controlled processes restrictdata synchronization to mobile devices.31.Determine if mobile devices require disabling ofUSB, infrared, eSata or firewire ports according tothe data classification policy.32.Stored DataEncryption Protects Sensitive DataDetermine if encryption technology has beenapplied to the devices based on the dataclassification of data at rest or in transit to andfrom the mobile device.
  • 7. _COMPANY Mobile DeviceAudit Program© 2013Page 7 of 10Ref # Description ofAudit ProceduresAuditedByComments33.If encryption is required,determine that it isappropriate for the device and data sensitivity andthat it cannot be disabled.34.Determine if the encryption keys are secured andadministered centrally.35.Data TransferDetermine if policies and access controls rules areestablished that define the data that are permittedto be transferred to mobile devices by device typeand the required access controls to protect the data.36.Determine if there are monitoring procedures ineffect to assure only authorized data may betransferred and if the required access controls arein effect.37.Data RetentionDetermine if a data retention policy exists forapplicable mobile devices.38.Determine if data is destroyed according to policyonce the retention period has expired.39.Determine if retention processes are monitored andenforced.40.Malware AvoidanceDetermine, as appropriate, that mobile devices areequipped with malware technology.41.Determine that malware technology cannot bedisabled, definition files are updated regularly, alldisc drives are routinely scanned, and compliancewith malware detection is centrally monitored andmanaged.42.Secure TransmissionDetermine if secure connections are required forspecific mobile devices based on the dataclassification policy and the data stored ortransmitted to and from the mobile device.43.Determine if controls are in place to require use ofthe secure transmission.44.Awareness TrainingMobile Computing Awareness TrainingDetermine if mobile security awareness trainingprograms exist.
  • 8. _COMPANY Mobile DeviceAudit Program© 2013Page 8 of 10Ref # Description ofAudit ProceduresAuditedByComments45.Determine if the mobile security topics within theawareness training are customized for the risks andpolicies associated with the specific device and itssecurity components.46.Determine if the training programs are revised toreflect current technologies and enterprise policies.47.Determine if policies and practices requiresecurityawareness training before receiving the device.48.Determine if participation in the mobile awarenesstraining is documented, monitored and reviewed.a) Select a sample of mobile deviceassignments, and determine if the mobiledevice user has received appropriate initialand follow-up training.49.Mobile Computing Awareness GovernanceDetermine if awareness programs addressaccountability, responsibility and communicationwith device users through feedback tomanagement.
  • 9. _COMPANY Mobile DeviceAudit Program© 2013Page 9 of 10A Practical Methodology for BYOD GovernanceThis premium IT management template is provided by the IT management experts at ToolkitCafe,makers of the BYOD Policies and Procedures Toolkit.Check out what’s inside The BYOD Policies & Procedures ToolkitThe BYOD Policies and Procedures Toolkit consists of 8 distinct forms and templates in MicrosoftWord which you can easily customize to meet the needs of your business. Each document wasdeveloped and put to use in the field by seasoned IT managers just like you so you can be assured thecontent has been thoroughly vetted and covers most commonusage scenarios. Read on for a description of each document inthe toolkit:Instructions Document – This brief pdf document explains thesimple process of accessing and using the tools in the kit andprovides useful advice on the approach you should take as youcustomize the documents for your specific needs.Master Checklist – This 10-item checklist walks you through eachrecommended step for setting up and maintaining a thoroughmobile device governance program. You can use this document asyour “dashboard” for managing the other templates in the kit.Where a specific tool or template is referenced you can simplyclick on the document link to open and customize the appropriate document. You can also set the status ofeach step within this tool as a way to remind you which governance tasks are complete and which requiremore work.Security Audit Program – This detailed 7-page document will step you through an exhaustive securityanalysis to ensure you are leaving no stone unturned when it comes to managing mobile device and datasecurity. It contains a 49 point checklist that we advise every IT manager to carefully consider.Mobile Device Equipment Standard – This template provides language describing the specific approveddevices, applications, operating systems and employee compliance standards that are expected.Mobile Device Usage Standard – The usage standard provides employees with a clean and unambiguouslist of controls and procedures each employee is expected to agree to and take complete responsibility for.Mobile Device Policy (Employee Choice) – This policy is issued to employees to describe the company’srules and process for BYOD management.Mobile Device Policy (Company Issued Devices) – This policy is issued to employees who will be issuedmobile devices provided by the company.Mobile Device Request Form – This is a form an employee may use to request the issuance of a personalmobile device from the company.Employee Agreement Form – Employees who use mobile devices at work should sign this form statingthey understand the rules. This form will go into the employee’s HR file.
  • 10. _COMPANY Mobile DeviceAudit Program© 2013Page 10 of 10Mobile Device Employee Training Form – If you provide mobile device training to employees, this formcan be used to document the completion of such training and kept in the employee’s HR file.Download the BYOD Policies & Procedures ToolkitRisk-Free Today!The instant you purchase the kit, all the tools, templates and instruction described above will beavailable to you through a simple download. You may use the kit for up to 30 days. If anytime duringthat period you decide it does not meet the needs of you or your company, just let us know and we willrefund the purchase.