Which control does this apply to?
Authorization of Mobile Devices [Default Description]: Mobile devices may connect to the network when authorized. A list of approved devices is maintained. All mobile device connections are monitored and logged.
This language should be customized to reflect the specific process that your organization has defined. It's important that your stated control description accurately reflects how your organization implements this control.
Which framework is this for?
SOC 2 - Privacy, GDPR, and HIPAA (depending on the data being held).
Why is this control important?
A Mobile Device Management (MDM) solution is a software platform that helps organizations manage and secure the use of mobile devices, such as smartphones and tablets, within their networks. Managing mobile devices through an MDM solution can lead to improved security, enhanced productivity, cost savings, and compliance.
There are several benefits to using an MDM solution, including:
Improved security: an MDM solution can help to protect your organization's data by enforcing security policies on mobile devices, such as requiring strong passwords and enabling encryption.
Enhanced productivity: an MDM solution can help employees stay productive by allowing them to access corporate resources from their mobile devices, such as email and file servers.
Simplified device management: an MDM solution can help to streamline the process of managing and updating mobile devices, which can be especially useful for large organizations with many devices to manage.
Enhanced compliance: an MDM solution can help organizations ensure that they are complying with industry regulations and standards related to mobile device use, such as HIPAA in the healthcare industry.
What controls can I rely on if I am not ready for an MDM solution?
Some organizations are not quite ready to purchase and install an MDM solution, but this doesn’t minimize the risk of inappropriate access by mobile devices. To address the risk, appropriate compensating controls can be found in the Strike Graph control library:
Mobile Device Policy - Create and enforce a policy that outlines the acceptable use of mobile devices within your organization, such as requiring employees to use strong passwords and prohibiting the use of personal devices for storing sensitive data.
Multi-Factor Authentication - Requiring additional authentication methods, such as a one-time code sent to a user's phone, helps to increase the security of mobile devices.
Network Segmentation - Creating separate network segments for mobile devices to help limit the spread of any potential security threats.
Organizations that consider mobile devices a high risk, or that do not have an MDM, may also want to consider defining and adding custom controls related to:
Device Encryption - Encrypting data on mobile devices can offer protection in the event that the device is lost or stolen.
Regular Security Assessments - Regularly evaluating the security of your mobile devices can help you identify potential vulnerabilities and take actions to address them.
For example: Mobile devices are evaluated at a regular frequency to facilitate the identification of potential vulnerabilities. Any vulnerabilities are actioned and addressed in a timely manner.
Who’s involved with these controls?
Typical control owner: Data Privacy Officer
Typical parties involved: Network administrators
How often should I perform this control?
Continuously; however, it also helps to set up a process to periodically reassess settings and make sure that devices remain secure.
How do I demonstrate these controls?
Take a screenshot of the mobile device settings that you have established for your organization. Many MDM services are configurable, so it is also important that if changes are made to the configurations, they follow the change management process.
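The default control description above says that a list of approved devices is maintained and that all mobile device connections are monitored and logged, and this section asks how to demonstrate that. The script below is an added illustration (it is not Strike Graph code and not part of the original article) of how those two statements can be checked mechanically: it reads constructed connection events, compares each against a constructed approved-device inventory, and produces an audit record that can be kept as evidence. The inventory fields (`owner`, `enrolled`, `authorized_until`), the JSON log format, the device IDs and user names, and the rule that the connecting user must match the device owner are all assumptions chosen for the example; a real deployment would take the inventory from its MDM or asset register and the events from its VPN or network access control gateway.

```python
"""Added example (not from the Strike Graph article): evaluate mobile device
connection events against an approved-device inventory and produce an audit
record. All device IDs, users, dates and log lines are constructed sample data."""

from datetime import date
import json

# Constructed approved-device inventory. In practice this is exported from the
# MDM or asset register; the field names are assumptions for this example.
APPROVED_DEVICES = {
    "device-001": {"owner": "alice", "enrolled": True, "authorized_until": "2026-12-31"},
    "device-002": {"owner": "bob", "enrolled": True, "authorized_until": "2024-01-31"},   # authorization lapsed
    "device-003": {"owner": "carol", "enrolled": False, "authorized_until": "2026-12-31"},  # approved, never enrolled
}

# Constructed connection log, one JSON object per line, as a VPN or NAC gateway
# might emit it. The format is an assumption for this example.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:01:00Z", "device_id": "device-001", "user": "alice", "src_ip": "10.0.5.21"}
{"ts": "2025-03-01T08:02:10Z", "device_id": "device-002", "user": "bob", "src_ip": "10.0.5.22"}
{"ts": "2025-03-01T08:03:45Z", "device_id": "device-003", "user": "carol", "src_ip": "10.0.5.23"}
{"ts": "2025-03-01T08:04:30Z", "device_id": "device-999", "user": "mallory", "src_ip": "10.0.5.99"}
{"ts": "2025-03-01T08:05:00Z", "device_id": "device-001", "user": "dave", "src_ip": "10.0.5.24"}
"""


def evaluate(event, inventory, today):
    """Return (decision, reason) for one connection event.

    Checks, in order: device is on the approved list, device is enrolled,
    authorization has not expired, and the connecting user is the device owner.
    """
    dev = inventory.get(event["device_id"])
    if dev is None:
        return "deny", "device not in approved list"
    if not dev["enrolled"]:
        return "deny", "device approved but not enrolled"
    if date.fromisoformat(dev["authorized_until"]) < today:
        return "deny", "authorization expired"
    if dev["owner"] != event["user"]:
        return "deny", "user does not match device owner"
    return "allow", "approved device"


def audit(log_text, inventory, today_iso):
    """Evaluate every logged connection and return (records, summary).

    Each record is the original event plus the decision and reason, which is
    the kind of artifact an auditor can be shown as evidence of monitoring.
    """
    today = date.fromisoformat(today_iso)
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the log
        event = json.loads(line)
        decision, reason = evaluate(event, inventory, today)
        records.append({**event, "decision": decision, "reason": reason})
    summary = {
        "total": len(records),
        "allowed": sum(r["decision"] == "allow" for r in records),
        "denied": sum(r["decision"] == "deny" for r in records),
    }
    return records, summary


if __name__ == "__main__":
    recs, summ = audit(SAMPLE_LOG, APPROVED_DEVICES, "2025-03-01")
    for r in recs:
        print(f"{r['ts']} {r['device_id']:<11} {r['user']:<8} {r['decision']:<5} {r['reason']}")
    print(summ)
```

Every denied record is worth reviewing, not just the unknown device: a lapsed authorization or an approved-but-unenrolled device both mean the approved list and the MDM have drifted apart, which is exactly what the periodic reassessment described above is meant to catch. Keeping the generated records alongside the screenshot of the MDM settings gives evidence that connections are actually being checked against the list, not only that a list exists.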
