_COMPANY Mobile Device Audit Program
© 2013
Page 1 of 10
This document is part of Toolkit Café's "BYOD Policies and Procedures Toolkit", a resource for BYOD management. Further free IT management resources are available from ToolKit Café.
Purpose
The purpose of Section 1 of this document is to identify the high-level objectives and controls
related to the internal audit of the information security issues related to Mobile Device
Management.
The purpose of Section 2 is to provide a framework for the audit work itself. The content and
format of the audit plan should be customized to your Mobile Device Management program.
SECTION 1: Audit/Assurance Objectives And Controls
1) Mobile Computing Security Policy
Objective: Policies have been defined and implemented to assure protection of enterprise
assets.
Policy Definition Control: Policies have been defined to support a controlled
implementation of mobile devices.
2) Risk Management
Objective: Management processes assure that risks associated with mobile computing are
thoroughly evaluated and that mobile security risk is minimized.
Risk Assessment Control: Risk assessments are performed prior to implementation of new
mobile device types, and a continuous risk monitoring program evaluates changes in
existing risks or new risks associated with mobile computing devices.
Risk Assessment Governance Control: The executive sponsor is actively involved in the
risk management of mobile devices.
3) Device Management
Objective: Mobile devices are managed and secured according to the risk of enterprise
data loss.
Device Management Tracking Control: Mobile devices containing sensitive enterprise
data are managed and administered centrally.
Device Provisioning/Deprovisioning Control: Mobile devices containing sensitive
enterprise data are set up for each user according to their job description and managed as
their job function changes or they are terminated.
4) Access Control
Objective: Access control is assigned to and managed for mobile devices
according to their risk of enterprise data loss.
Access Control Rules Control: Access control rules are established for each mobile device
type, and the control characteristics address the risk of data loss.
5) Stored Data
Objective: Sensitive enterprise data is protected from unauthorized access and distribution
while stored on a mobile device.
Encryption Protects Sensitive Data Control: Encryption technology protects enterprise
data on mobile devices and is administered centrally to prevent the loss of information
due to bypassing encryption procedures or loss of data due to misplaced encryption keys.
Data Transfer Control: Data transfer policies are established that define the types of data
that may be transferred to mobile devices and the access controls required to protect
sensitive data.
Data Retention Control: Data retention policies are defined for mobile devices, are
monitored and aligned with enterprise data retention policies, and data retention is
executed according to policy.
6) Malware Avoidance
Objective: Mobile computing will not be disrupted by malware, nor will mobile devices
introduce malware into the enterprise.
Malware Technology Control: Malware prevention software has been implemented
according to device risk.
7) Secure Transmission
Objective: Sensitive enterprise data are protected from unauthorized access during
transmission.
Secure Connections Control: Virtual private network (VPN), Internet Protocol Security
(IPsec), and other secure transmission technologies are implemented for devices
receiving and/or transmitting sensitive enterprise data.
8) Awareness Training
Objective: Employees and contractors utilizing enterprise equipment or receiving or
transmitting enterprise sensitive information receive initial and ongoing training relevant
to the technology assigned to them.
Mobile Computing Awareness Training Control: Mobile computing awareness training is
ongoing and is based on the sensitive nature of the mobile computing devices assigned to
the employee or contractor.
Mobile Computing Awareness Governance Control: Mobile computing awareness
includes processes for management feedback to understand the usage and risks identified
by device users.
SECTION 2: Detailed Audit Procedures
Ref # | Description of Audit Procedures | Audited By | Comments
1.
Mobile Computing Security Policy
Determine if a security policy exists for mobile
devices.
2.
Determine if the mobile device security policy
defines the data classification permitted on each
type of mobile device and the control mechanisms
required based on the data classification.
3.
Determine if the mobile device security policy
utilizes the data classification policy, if one exists.
4.
Determine if the mobile device security policy
defines the types of permitted mobile devices.
5.
Determine if the mobile device security policy
addresses the approved applications by device
based on data classification and data loss risk.
6.
Determine if the mobile device security policy
defines the authentication method for each mobile
device based on the data classification policy.
7.
Determine if the mobile device security policy
requires enterprise-issued devices if the device
receives enterprise data.
8.
Determine if the mobile device security policy
requires a centrally managed asset management
system for appropriate devices.
9.
Determine if the mobile device security policy
prescribes authentication and encryption
storage/transmission (data in transit or at rest)
requirements by device type.
10.
Determine if the mobile device security policy
requires a risk assessment before a device is
approved for use and a risk assessment update at
least annually to determine that new threats are
assessed and new technologies considered for
deployment.
11.
Risk Management
Risk Assessments
Determine if a risk assessment has been performed
for each device type, including assessment of
device trustworthiness.
12.
Obtain the initial risk assessment for each device
and subsequent assessments.
13.
Determine how the risk assessment results should
be integrated into the current audit.
14.
Risk Assessment Governance
Determine if there is evidence of the executive
sponsor reviewing the risk assessment for each
device program.
15.
Device Management
Device Management Tracking
Determine if there is an asset management process
in place for tracking mobile devices.
16.
Determine the procedures for lost or stolen devices
and whether the data stored on these devices can
be remotely wiped.
17.
Determine if locator technology is used to monitor
and retrieve lost devices.
18.
Determine if the device management process is
centrally administered. If distributed, determine
the procedures to ensure compliance with policies.
19.
Determine if devices are approved by an
authorized manager based on the job function
requirements.
20.
Determine if there are exception approval
processes for corporate devices to be managed
outside the enterprise management system.
21.
Determine if mobile devices not owned by the enterprise
(contractors' devices, employees' personal devices,
etc.) are permitted to receive enterprise data.
22.
Determine what authorizations are required by
enterprise management prior to adding the foreign
device to the enterprise mobile network.
23.
Device Provisioning/De-provisioning
Determine if there is a process for provisioning
and deprovisioning employee smartphones upon
hiring, transfer or termination.
a) Select a sample of recent new hires and
terminations and determine that appropriate
procedures were followed, including
provisioning, deprovisioning, returning
devices, etc.
24.
Access Controls
Determine the access control rules for each mobile
device type.
25.
Determine if access authentication (single-factor or
multi-factor) and credential complexity are appropriate for the
device and the classification of the data stored.
26.
Determine if access control rules and access rights
are established for each device by job function and
applications installed.
27.
Determine if mobile devices containing network,
infrared or Bluetooth technology have sharing
configured according to policy, based on the
classification of data stored or in transit to the
device.
28.
Determine if access can be administered and
disabled centrally.
29.
Determine if mobile devices having storage (e.g.
laptops, smartphones) have restrictions as
to the applications that can be installed and the
data content that can be stored on the devices.
30.
Determine if centrally controlled processes restrict
data synchronization to mobile devices.
31.
Determine if mobile devices require disabling of
USB, infrared, eSATA or FireWire ports according to
the data classification policy.
32.
Stored Data
Encryption Protects Sensitive Data
Determine if encryption technology has been
applied to the devices based on the data
classification of data at rest or in transit to and
from the mobile device.
33.
If encryption is required, determine that it is
appropriate for the device and data sensitivity and
that it cannot be disabled.
34.
Determine if the encryption keys are secured and
administered centrally.
35.
Data Transfer
Determine if policies and access controls rules are
established that define the data that are permitted
to be transferred to mobile devices by device type
and the required access controls to protect the data.
36.
Determine if there are monitoring procedures in
effect to assure only authorized data may be
transferred and if the required access controls are
in effect.
37.
Data Retention
Determine if a data retention policy exists for
applicable mobile devices.
38.
Determine if data is destroyed according to policy
once the retention period has expired.
39.
Determine if retention processes are monitored and
enforced.
40.
Malware Avoidance
Determine, as appropriate, that mobile devices are
equipped with anti-malware software.
41.
Determine that the anti-malware software cannot be
disabled by the user, that definition files are updated regularly,
that device storage is routinely scanned, and that compliance
with malware detection is centrally monitored and
managed.
42.
Secure Transmission
Determine if secure connections are required for
specific mobile devices based on the data
classification policy and the data stored or
transmitted to and from the mobile device.
43.
Determine if controls are in place to require use of
the secure transmission.
44.
Awareness Training
Mobile Computing Awareness Training
Determine if mobile security awareness training
programs exist.
45.
Determine if the mobile security topics within the
awareness training are customized for the risks and
policies associated with the specific device and its
security components.
46.
Determine if the training programs are revised to
reflect current technologies and enterprise policies.
47.
Determine if policies and practices require security
awareness training before receiving the device.
48.
Determine if participation in the mobile awareness
training is documented, monitored and reviewed.
a) Select a sample of mobile device
assignments, and determine if the mobile
device user has received appropriate initial
and follow-up training.
49.
Mobile Computing Awareness Governance
Determine if awareness programs address
accountability, responsibility and communication
with device users through feedback to
management.
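Several of the procedures above are questions the auditor can answer from evidence the MDM already holds rather than by interview: procedure 15 (asset tracking and check-in), 18 (central administration), 23 (deprovisioning on termination), 25 (device authentication) and 32 (storage encryption). The following is an added example, not part of the original audit program or the toolkit, of turning those procedures into repeatable checks over an MDM inventory export cross-referenced with an HR termination list. The CSV column names, the sample devices, the terminated-user list and the 30-day staleness threshold are all constructed for the example; a real MDM export uses different field names and the mapping must be adjusted to it.

```python
"""Evidence checks for a mobile device audit (added example).

Assumptions (not from the audit program): the MDM exports a device inventory
as CSV with the columns used below, and HR supplies the user IDs terminated
before the audit date. Each finding is tagged with the audit procedure number
it supports.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample MDM inventory export; not real data.
MDM_EXPORT = """\
device_id,user,platform,os_version,encrypted,passcode_set,last_checkin,managed
D001,alice,iOS,17.4,true,true,2024-05-01,true
D002,bob,Android,13,false,true,2024-04-30,true
D003,carol,Android,14,true,false,2024-05-02,true
D004,dave,iOS,16.7,true,true,2024-01-15,true
D005,erin,iOS,17.4,true,true,2024-05-01,false
"""

# Constructed HR extract: users terminated before the audit date.
TERMINATED_USERS = {"dave", "erin"}

AUDIT_DATE = date(2024, 5, 3)
STALE_AFTER = timedelta(days=30)  # assumed threshold for "device not checking in"


def parse_inventory(text):
    """Parse the MDM CSV export into typed rows (booleans and dates)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for flag in ("encrypted", "passcode_set", "managed"):
            r[flag] = r[flag].strip().lower() == "true"
        r["last_checkin"] = datetime.strptime(r["last_checkin"], "%Y-%m-%d").date()
    return rows


def audit_devices(rows, terminated, audit_date=AUDIT_DATE, stale_after=STALE_AFTER):
    """Return (device_id, procedure_ref, finding) tuples for every exception.

    A device with no tuples passed every automated check; the remaining
    procedures still need manual review.
    """
    findings = []
    for r in rows:
        did = r["device_id"]
        # Procedure 23: a device still enrolled for a terminated user means
        # deprovisioning did not happen or did not reach the MDM.
        if r["user"] in terminated:
            findings.append((did, 23, f"still enrolled for terminated user {r['user']}"))
        # Procedure 18: devices outside central management need an
        # approved exception (procedure 20) or are a finding.
        if not r["managed"]:
            findings.append((did, 18, "not under central management"))
        # Procedure 32: storage encryption applied to the device.
        if not r["encrypted"]:
            findings.append((did, 32, "storage encryption not enabled"))
        # Procedure 25: some device authentication is configured.
        if not r["passcode_set"]:
            findings.append((did, 25, "no device authentication configured"))
        # Procedure 15: a device that stopped checking in cannot be tracked,
        # wiped or policy-enforced; treat it as unaccounted for.
        if audit_date - r["last_checkin"] > stale_after:
            findings.append((did, 15, f"no MDM check-in since {r['last_checkin']}"))
    return findings


def summarize_by_ref(findings):
    """Count findings per audit procedure, for the Comments column."""
    return dict(Counter(ref for _, ref, _ in findings))


if __name__ == "__main__":
    results = audit_devices(parse_inventory(MDM_EXPORT), TERMINATED_USERS)
    for device_id, ref, text in results:
        print(f"{device_id}  procedure {ref:>2}  {text}")
    print("findings per procedure:", summarize_by_ref(results))
```

The export-based checks do not replace the sampling steps in 23a and 48a; they identify every exception in the population, which is stronger evidence than a sample, but only for attributes the MDM records. Devices that never enrolled are invisible to this check, which is why procedure 15 (a separate asset register) remains a manual comparison.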
A Practical Methodology for BYOD Governance
This premium IT management template is provided by the IT management experts at ToolkitCafe,
makers of the BYOD Policies and Procedures Toolkit.
Check out what’s inside The BYOD Policies & Procedures Toolkit
The BYOD Policies and Procedures Toolkit consists of 8 distinct forms and templates in Microsoft
Word which you can easily customize to meet the needs of your business. Each document was
developed and put to use in the field by seasoned IT managers just like you so you can be assured the
content has been thoroughly vetted and covers most common
usage scenarios. Read on for a description of each document in
the toolkit:
Instructions Document – This brief pdf document explains the
simple process of accessing and using the tools in the kit and
provides useful advice on the approach you should take as you
customize the documents for your specific needs.
Master Checklist – This 10-item checklist walks you through each
recommended step for setting up and maintaining a thorough
mobile device governance program. You can use this document as
your “dashboard” for managing the other templates in the kit.
Where a specific tool or template is referenced you can simply
click on the document link to open and customize the appropriate document. You can also set the status of
each step within this tool as a way to remind you which governance tasks are complete and which require
more work.
Security Audit Program – This detailed 7-page document will step you through an exhaustive security
analysis to ensure you are leaving no stone unturned when it comes to managing mobile device and data
security. It contains a 49 point checklist that we advise every IT manager to carefully consider.
Mobile Device Equipment Standard – This template provides language describing the specific approved
devices, applications, operating systems and employee compliance standards that are expected.
Mobile Device Usage Standard – The usage standard provides employees with a clean and unambiguous
list of controls and procedures each employee is expected to agree to and take complete responsibility for.
Mobile Device Policy (Employee Choice) – This policy is issued to employees to describe the company’s
rules and process for BYOD management.
Mobile Device Policy (Company Issued Devices) – This policy is issued to employees who will be issued
mobile devices provided by the company.
Mobile Device Request Form – This is a form an employee may use to request the issuance of a personal
mobile device from the company.
Employee Agreement Form – Employees who use mobile devices at work should sign this form stating
they understand the rules. This form will go into the employee’s HR file.
Mobile Device Employee Training Form – If you provide mobile device training to employees, this form
can be used to document the completion of such training and kept in the employee’s HR file.
Download the BYOD Policies & Procedures Toolkit
Risk-Free Today!
The instant you purchase the kit, all the tools, templates and instruction described above will be
available to you through a simple download. You may use the kit for up to 30 days. If anytime during
that period you decide it does not meet the needs of you or your company, just let us know and we will
refund the purchase.
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 

Byod security audit program

_COMPANY Mobile Device Audit Program
© 2013

This document is part of Toolkit Café’s “BYOD Policies and Procedures Toolkit”. Click here for more information about this comprehensive resource for BYOD management in your company!
Click here for more FREE IT management resources from ToolKit Café!

Purpose
The purpose of Section 1 of this document is to identify the high-level objectives and controls related to the internal audit of the information security issues related to Mobile Device Management.
The purpose of Section 2 is to provide a framework for the audit work itself. The content and format of the audit plan should be customized to your Mobile Device Management program.

SECTION 1: Audit/Assurance Objectives And Controls

1) Mobile Computing Security Policy
Objective: Policies have been defined and implemented to assure protection of enterprise assets.
Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.

2) Risk Management
Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
Risk Assessment Control: Risk assessments are performed prior to implementation of new mobile security devices, and a continuous risk monitoring program evaluates changes in or new risks associated with mobile computing devices.
Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.

3) Device Management
Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
Device Management Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
Device Provisioning/Deprovisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.

4) Access Control
Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
Access Control Rules Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.

5) Stored Data
Objective: Sensitive enterprise data is protected from unauthorized access and distribution while stored on a mobile device.
Encryption Protects Sensitive Data Control: Encryption technology protects enterprise data on mobile devices and is administered centrally to prevent the loss of information due to bypassing encryption procedures or loss of data due to misplaced encryption keys.
Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
Data Retention Control: Data retention policies are defined for mobile devices and are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.

6) Malware Avoidance
Objective: Mobile computing will not be disrupted by malware, nor will mobile devices introduce malware into the enterprise.
Malware Technology Control: Malware prevention software has been implemented according to device risk.

7) Secure Transmission
Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.

8) Awareness Training
Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
SECTION 2: Detailed Audit Procedures

Columns: Ref # | Description of Audit Procedures | Audited By | Comments

Mobile Computing Security Policy
1. Determine if a security policy exists for mobile devices.
2. Determine if the mobile device security policy defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification.
3. Determine if the mobile device security policy utilizes the data classification policy, if one exists.
4. Determine if the mobile device security policy defines the types of permitted mobile devices.
5. Determine if the mobile device security policy addresses the approved applications by device based on data classification and data loss risk.
6. Determine if the mobile device security policy defines the authentication method for each mobile device based on the data classification policy.
7. Determine if the mobile device security policy requires enterprise-issued devices if the device receives enterprise data.
8. Determine if the mobile device security policy requires a centrally managed asset management system for appropriate devices.
9. Determine if the mobile device security policy prescribes authentication and encryption storage/transmission (data in transit or at rest) requirements by device type.
10. Determine if the mobile device security policy requires a risk assessment before a device is approved for use and a risk assessment update at least annually to determine that new threats are assessed and new technologies considered for deployment.

Risk Management
Risk Assessments
11. Determine if a risk assessment has been performed for each device type, including assessment of device trustworthiness.
12. Obtain the initial risk assessment for each device and subsequent assessments.
13. Determine how the risk assessment results should be integrated into the current audit.
Risk Assessment Governance
14. Determine if there is evidence of the executive sponsor reviewing the risk assessment for each device program.

Device Management
Device Management Tracking
15. Determine if there is an asset management process in place for tracking mobile devices.
16. Determine the procedures for lost or stolen devices and whether the data stored on these devices can be remotely wiped.
17. Determine if locator technology is used to monitor and retrieve lost devices.
18. Determine if the device management process is centrally administered. If distributed, determine the procedures to ensure compliance with policies.
19. Determine if devices are approved by an authorized manager based on the job function requirements.
20. Determine if there are exception approval processes for corporate devices to be managed outside the enterprise management system.
21. Determine if foreign mobile devices belonging to external personnel (contractors, individual employees, etc.) are permitted to receive enterprise data.
22. Determine what authorizations are required by enterprise management prior to adding the foreign device to the enterprise mobile network.
Device Provisioning/De-provisioning
23. Determine if there is a process for provisioning and deprovisioning employee smartphones upon hiring, transfer or termination.
   a) Select a sample of recent new hires and terminations and determine that appropriate procedures were followed, including provisioning, deprovisioning, returning devices, etc.

Access Controls
24. Determine the access control rules for each mobile device type.
25. Determine if access authentication (single or multilevel) and complexity are appropriate for the device and data classification of the data stored.
26. Determine if access control rules and access rights are established for each device by job function and applications installed.
27. Determine if mobile devices containing network, infrared or Bluetooth technology have sharing configured according to policy, based on the classification of data stored or in transit to the device.
28. Determine if access can be administered and disabled centrally.
29. Determine if mobile devices having storage, i.e. computers, smartphones, etc., have restrictions as to the applications that can be installed and the data content that can be stored on the devices.
30. Determine if centrally controlled processes restrict data synchronization to mobile devices.
31. Determine if mobile devices require disabling of USB, infrared, eSATA or FireWire ports according to the data classification policy.

Stored Data
Encryption Protects Sensitive Data
32. Determine if encryption technology has been applied to the devices based on the data classification of data at rest or in transit to and from the mobile device.
33. If encryption is required, determine that it is appropriate for the device and data sensitivity and that it cannot be disabled.
34. Determine if the encryption keys are secured and administered centrally.
Data Transfer
35. Determine if policies and access control rules are established that define the data that are permitted to be transferred to mobile devices by device type and the required access controls to protect the data.
36. Determine if there are monitoring procedures in effect to assure only authorized data may be transferred and if the required access controls are in effect.
Data Retention
37. Determine if a data retention policy exists for applicable mobile devices.
38. Determine if data is destroyed according to policy once the retention period has expired.
39. Determine if retention processes are monitored and enforced.

Malware Avoidance
40. Determine, as appropriate, that mobile devices are equipped with malware technology.
41. Determine that malware technology cannot be disabled, definition files are updated regularly, all disc drives are routinely scanned, and compliance with malware detection is centrally monitored and managed.

Secure Transmission
42. Determine if secure connections are required for specific mobile devices based on the data classification policy and the data stored or transmitted to and from the mobile device.
43. Determine if controls are in place to require use of the secure transmission.

Awareness Training
Mobile Computing Awareness Training
44. Determine if mobile security awareness training programs exist.
45. Determine if the mobile security topics within the awareness training are customized for the risks and policies associated with the specific device and its security components.
46. Determine if the training programs are revised to reflect current technologies and enterprise policies.
47. Determine if policies and practices require security awareness training before receiving the device.
48. Determine if participation in the mobile awareness training is documented, monitored and reviewed.
   a) Select a sample of mobile device assignments, and determine if the mobile device user has received appropriate initial and follow-up training.
Mobile Computing Awareness Governance
49. Determine if awareness programs address accountability, responsibility and communication with device users through feedback to management.
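One way to gather evidence for the sampling steps in Section 2 (items 18, 23a, 33 and 47) by reconciling exported HR and device-management records, as an added example that is not part of the toolkit. The record fields, the sample data and the three-day de-provisioning grace period are assumptions for illustration.

```python
# Added example (not part of the toolkit): reconcile exported HR and MDM records
# against Section 2 items 18, 23a, 33 and 47. The field names, record layout and
# three-day de-provisioning grace period are assumptions for illustration.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    enrolled: bool           # administered by the central device management system (item 18)
    encrypted: bool          # storage encryption applied (item 33)
    encryption_locked: bool  # encryption cannot be disabled by the user (item 33)
    issued: date             # date the device was assigned to the user

@dataclass(frozen=True)
class HrEvent:
    user: str
    kind: str   # "hire" or "termination"
    when: date

def audit(devices, hr_events, training, as_of, grace_days=3):
    """Return sorted (ref, device_id, finding) tuples; an empty list means no exceptions."""
    findings = []
    by_user = {}
    for d in devices:
        by_user.setdefault(d.user, []).append(d)
    for ev in hr_events:  # 23a: terminated users must not keep an enrolled device past the grace period
        if ev.kind != "termination":
            continue
        for d in by_user.get(ev.user, []):
            lag = (as_of - ev.when).days
            if d.enrolled and lag > grace_days:
                findings.append(("23a", d.device_id, f"still enrolled {lag} days after termination of {ev.user}"))
    for d in devices:
        if not d.enrolled:  # 18: devices holding enterprise data are centrally administered
            findings.append(("18", d.device_id, "not centrally managed"))
        if not (d.encrypted and d.encryption_locked):  # 33: encryption present and locked
            findings.append(("33", d.device_id, "encryption missing or can be disabled"))
        trained = training.get(d.user)  # 47: training precedes device issuance
        if trained is None or trained > d.issued:
            findings.append(("47", d.device_id, f"{d.user} not trained before issue on {d.issued}"))
    return sorted(findings)

# Constructed sample records (not real data): one exception of each kind plus one clean device
AS_OF = date(2013, 9, 30)
DEVICES = [
    Device("D-1001", "alice", True, True, True, date(2013, 9, 2)),
    Device("D-1002", "bob", True, True, False, date(2013, 8, 15)),   # encryption not locked
    Device("D-1003", "carol", False, True, True, date(2013, 9, 10)),  # not enrolled in MDM
    Device("D-1004", "dave", True, True, True, date(2013, 7, 1)),     # dave terminated 2013-09-01
    Device("D-1005", "erin", True, True, True, date(2013, 9, 5)),     # trained after issuance
]
HR_EVENTS = [HrEvent("alice", "hire", date(2013, 9, 1)), HrEvent("dave", "termination", date(2013, 9, 1))]
TRAINING = {"alice": date(2013, 9, 1), "bob": date(2013, 8, 1), "carol": date(2013, 9, 1),
            "dave": date(2013, 6, 1), "erin": date(2013, 9, 12)}

def run_sample():
    return audit(DEVICES, HR_EVENTS, TRAINING, AS_OF)
```

Each tuple names the audit item it supports, so the output can be pasted into the Comments column for the sampled records.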
A Practical Methodology for BYOD Governance

This premium IT management template is provided by the IT management experts at ToolkitCafe, makers of the BYOD Policies and Procedures Toolkit. Check out what’s inside The BYOD Policies & Procedures Toolkit.

The BYOD Policies and Procedures Toolkit consists of 8 distinct forms and templates in Microsoft Word which you can easily customize to meet the needs of your business. Each document was developed and put to use in the field by seasoned IT managers just like you, so you can be assured the content has been thoroughly vetted and covers most common usage scenarios. Read on for a description of each document in the toolkit:

Instructions Document – This brief pdf document explains the simple process of accessing and using the tools in the kit and provides useful advice on the approach you should take as you customize the documents for your specific needs.

Master Checklist – This 10-item checklist walks you through each recommended step for setting up and maintaining a thorough mobile device governance program. You can use this document as your “dashboard” for managing the other templates in the kit. Where a specific tool or template is referenced you can simply click on the document link to open and customize the appropriate document. You can also set the status of each step within this tool as a way to remind you which governance tasks are complete and which require more work.

Security Audit Program – This detailed 7-page document will step you through an exhaustive security analysis to ensure you are leaving no stone unturned when it comes to managing mobile device and data security. It contains a 49 point checklist that we advise every IT manager to carefully consider.

Mobile Device Equipment Standard – This template provides language describing the specific approved devices, applications, operating systems and employee compliance standards that are expected.

Mobile Device Usage Standard – The usage standard provides employees with a clean and unambiguous list of controls and procedures each employee is expected to agree to and take complete responsibility for.

Mobile Device Policy (Employee Choice) – This policy is issued to employees to describe the company’s rules and process for BYOD management.

Mobile Device Policy (Company Issued Devices) – This policy is issued to employees who will be issued mobile devices provided by the company.

Mobile Device Request Form – This is a form an employee may use to request the issuance of a personal mobile device from the company.

Employee Agreement Form – Employees who use mobile devices at work should sign this form stating they understand the rules. This form will go into the employee’s HR file.

Mobile Device Employee Training Form – If you provide mobile device training to employees, this form can be used to document the completion of such training and kept in the employee’s HR file.

Download the BYOD Policies & Procedures Toolkit Risk-Free Today!
The instant you purchase the kit, all the tools, templates and instruction described above will be available to you through a simple download. You may use the kit for up to 30 days. If at any time during that period you decide it does not meet the needs of you or your company, just let us know and we will refund the purchase.