BYOD Security Audit Program
_COMPANY Mobile Device Audit Program
© 2013
This document is part of Toolkit Café’s “BYOD Policies and Procedures Toolkit”.
Purpose
The purpose of Section 1 of this document is to identify the high-level objectives and the controls against which the information security aspects of Mobile Device Management are audited internally.
The purpose of Section 2 is to provide a framework for the audit work itself. The content and format of the audit plan should be customized to your Mobile Device Management program.
SECTION 1: Audit/Assurance Objectives And Controls
1) Mobile Computing Security Policy
Objective: Policies have been defined and implemented to assure protection of enterprise assets.
Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.
2) Risk Management
Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
Risk Assessment Control: Risk assessments are performed prior to implementation of new mobile devices, and a continuous risk monitoring program evaluates changed or new risks associated with mobile computing devices.
Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.
3) Device Management
Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
Device Management Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
Device Provisioning/Deprovisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.
4) Access Control
4) Access Control
Objective: Access control is assigned to and managed for mobile devices according to their risk of enterprise data loss.
Access Control Rules Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.
5) Stored Data
Objective: Sensitive enterprise data is protected from unauthorized access and distribution while stored on a mobile device.
Encryption Protects Sensitive Data Control: Encryption technology protects enterprise data on mobile devices and is administered centrally, so that information is not exposed through bypassed encryption procedures and is not lost through misplaced encryption keys.
Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
Data Retention Control: Data retention policies are defined for mobile devices, are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.
6) Malware Avoidance
Objective: Mobile computing will not be disrupted by malware, nor will mobile devices introduce malware into the enterprise.
Malware Technology Control: Malware prevention software has been implemented according to device risk.
7) Secure Transmission
Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPsec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.
8) Awareness Training
Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitivity of the mobile computing devices assigned to the employee or contractor.
Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
SECTION 2: Detailed Audit Procedures
Ref # | Description of Audit Procedures | Audited By | Comments
Mobile Computing Security Policy
1. Determine if a security policy exists for mobile devices.
2. Determine if the mobile device security policy defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification.
3. Determine if the mobile device security policy utilizes the data classification policy, if one exists.
4. Determine if the mobile device security policy defines the types of permitted mobile devices.
5. Determine if the mobile device security policy addresses the approved applications by device based on data classification and data loss risk.
6. Determine if the mobile device security policy defines the authentication method for each mobile device based on the data classification policy.
7. Determine if the mobile device security policy requires enterprise-issued devices if the device receives enterprise data.
8. Determine if the mobile device security policy requires a centrally managed asset management system for appropriate devices.
9. Determine if the mobile device security policy prescribes authentication and encryption requirements for data at rest and data in transit by device type.
10. Determine if the mobile device security policy requires a risk assessment before a device is approved for use and a risk assessment update at least annually to determine that new threats are assessed and new technologies considered for deployment.
Risk Management
Risk Assessments
11. Determine if a risk assessment has been performed for each device type, including assessment of device trustworthiness.
12. Obtain the initial risk assessment for each device and subsequent assessments.
13. Determine how the risk assessment results should be integrated into the current audit.
Risk Assessment Governance
14. Determine if there is evidence of the executive sponsor reviewing the risk assessment for each device program.
Device Management
Device Management Tracking
15. Determine if there is an asset management process in place for tracking mobile devices.
16. Determine the procedures for lost or stolen devices and whether the data stored on these devices can be remotely wiped.
17. Determine if locator technology is used to monitor and retrieve lost devices.
18. Determine if the device management process is centrally administered. If distributed, determine the procedures to ensure compliance with policies.
19. Determine if devices are approved by an authorized manager based on the job function requirements.
20. Determine if there are exception approval processes for corporate devices to be managed outside the enterprise management system.
21. Determine if foreign mobile devices (devices not issued by the enterprise, such as those belonging to contractors or individual employees) are permitted to receive enterprise data.
22. Determine what authorizations are required by enterprise management prior to adding a foreign device to the enterprise mobile network.
Device Provisioning/De-provisioning
23. Determine if there is a process for provisioning and deprovisioning employee smartphones upon hiring, transfer or termination.
a) Select a sample of recent new hires and terminations and determine that appropriate procedures were followed, including provisioning, deprovisioning, returning devices, etc.
Access Controls
24. Determine the access control rules for each mobile device type.
25. Determine if access authentication (single-factor or multi-factor) and its complexity are appropriate for the device and the classification of the data stored.
26. Determine if access control rules and access rights are established for each device by job function and applications installed.
27. Determine if mobile devices having network, infrared or Bluetooth technology have sharing configured according to policy, based on the classification of data stored on or in transit to the device.
28. Determine if access can be administered and disabled centrally.
29. Determine if mobile devices having storage (e.g., computers, smartphones) have restrictions as to the applications that can be installed and the data content that can be stored on the devices.
30. Determine if centrally controlled processes restrict data synchronization to mobile devices.
31. Determine if mobile devices require disabling of USB, infrared, eSATA or FireWire ports according to the data classification policy.
Stored Data
Encryption Protects Sensitive Data
32. Determine if encryption technology has been applied to the devices based on the data classification of data at rest on, or in transit to and from, the mobile device.
33. If encryption is required, determine that it is appropriate for the device and data sensitivity and that it cannot be disabled.
34. Determine if the encryption keys are secured and administered centrally.
Data Transfer
35. Determine if policies and access control rules are established that define the data that are permitted to be transferred to mobile devices by device type and the required access controls to protect the data.
36. Determine if there are monitoring procedures in effect to assure only authorized data may be transferred and if the required access controls are in effect.
Data Retention
37. Determine if a data retention policy exists for applicable mobile devices.
38. Determine if data is destroyed according to policy once the retention period has expired.
39. Determine if retention processes are monitored and enforced.
Malware Avoidance
40. Determine, as appropriate, that mobile devices are equipped with malware protection technology.
41. Determine that malware protection cannot be disabled, definition files are updated regularly, all device storage is routinely scanned, and compliance with malware detection is centrally monitored and managed.
Secure Transmission
42. Determine if secure connections are required for specific mobile devices based on the data classification policy and the data stored on or transmitted to and from the mobile device.
43. Determine if controls are in place to require use of the secure transmission.
Awareness Training
Mobile Computing Awareness Training
44. Determine if mobile security awareness training programs exist.
45. Determine if the mobile security topics within the awareness training are customized for the risks and policies associated with the specific device and its security components.
46. Determine if the training programs are revised to reflect current technologies and enterprise policies.
47. Determine if policies and practices require security awareness training before receiving the device.
48. Determine if participation in the mobile awareness training is documented, monitored and reviewed.
a) Select a sample of mobile device assignments, and determine if the mobile device user has received appropriate initial and follow-up training.
Mobile Computing Awareness Governance
49. Determine if awareness programs address accountability, responsibility and communication with device users through feedback to management.
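The sample tests in procedures 23(a) and 32 to 34 can be run as data checks rather than by hand when the mobile device management (MDM) console and the HR system can export their records. The following is an added example of such a check and is not part of the Toolkit Café audit program: it reconciles a constructed list of HR termination events against a constructed MDM device export, reporting terminated users whose devices were not wiped within an assumed SLA (procedure 23(a)), devices approved for a data classification that requires encryption but reporting encryption off (procedure 33), and such devices that are not centrally managed (procedure 18). The record field names, the classification labels, the three-day wipe SLA and all sample records are assumptions chosen for illustration, not any vendor's export format.

```python
"""Added audit helper (not part of the Toolkit Cafe audit program): automated
evidence checks for procedures 23(a), 33 and 18 over constructed HR and MDM
records. Field names, classification labels, the wipe SLA and the sample data
are illustrative assumptions; real exports must be mapped onto them first."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample HR feed (hypothetical format): one event per row.
HR_EVENTS = [
    {"user": "alice", "event": "terminated", "date": date(2013, 3, 1)},
    {"user": "bob",   "event": "hired",      "date": date(2013, 3, 5)},
    {"user": "carol", "event": "terminated", "date": date(2013, 3, 10)},
]

# Constructed sample MDM inventory export (hypothetical format).
# "classification" is the highest data class the device is approved to hold.
MDM_DEVICES = [
    {"id": "D1", "user": "alice", "type": "smartphone", "enrolled": True,
     "wiped_on": date(2013, 3, 2), "encrypted": True,  "classification": "confidential"},
    {"id": "D2", "user": "bob",   "type": "smartphone", "enrolled": True,
     "wiped_on": None,             "encrypted": False, "classification": "confidential"},
    {"id": "D3", "user": "carol", "type": "tablet",     "enrolled": True,
     "wiped_on": None,             "encrypted": True,  "classification": "internal"},
    {"id": "D4", "user": "dave",  "type": "laptop",     "enrolled": False,
     "wiped_on": None,             "encrypted": True,  "classification": "confidential"},
]

# Policy assumptions (illustrative): data classes that require device encryption,
# and the number of days allowed between termination and a completed remote wipe.
ENCRYPTION_REQUIRED = {"confidential"}
WIPE_SLA_DAYS = 3


@dataclass(frozen=True)
class Finding:
    ref: str      # audit procedure reference number the finding supports
    device: str
    user: str
    detail: str


def check_deprovisioning(hr_events, devices, as_of, sla_days=WIPE_SLA_DAYS):
    """Procedure 23(a): each device of a terminated user must show a completed
    wipe no later than termination date + SLA. A device whose SLA window has
    not yet closed on the as_of date is not reported (it may still be wiped)."""
    terminated = {e["user"]: e["date"] for e in hr_events if e["event"] == "terminated"}
    findings = []
    for d in devices:
        term = terminated.get(d["user"])
        if term is None:
            continue                      # user is not terminated; nothing to test
        deadline = term + timedelta(days=sla_days)
        wiped = d["wiped_on"]
        if wiped is None and as_of > deadline:
            findings.append(Finding("23a", d["id"], d["user"],
                                    f"not wiped; terminated {term}, SLA expired {deadline}"))
        elif wiped is not None and wiped > deadline:
            findings.append(Finding("23a", d["id"], d["user"],
                                    f"wiped late on {wiped}; SLA deadline was {deadline}"))
    return findings


def check_encryption(devices, required=ENCRYPTION_REQUIRED):
    """Procedures 33 and 18: a device approved for a class that requires encryption
    must report encryption on and must be centrally managed, otherwise the
    encryption control can be neither enforced nor verified."""
    findings = []
    for d in devices:
        if d["classification"] not in required:
            continue
        if not d["encrypted"]:
            findings.append(Finding("33", d["id"], d["user"],
                                    f"{d['classification']} data permitted but encryption is off"))
        if not d["enrolled"]:
            findings.append(Finding("18", d["id"], d["user"],
                                    "not centrally managed; encryption state cannot be enforced"))
    return findings


def run_audit(hr_events=HR_EVENTS, devices=MDM_DEVICES, as_of=date(2013, 3, 20)):
    """Return all findings, sorted by procedure reference and then device id."""
    findings = check_deprovisioning(hr_events, devices, as_of) + check_encryption(devices)
    return sorted(findings, key=lambda f: (f.ref, f.device))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.ref}] {f.device} ({f.user}): {f.detail}")
```

Map the real export columns onto the field names used here before running it against a fleet. The as_of date matters: a device whose termination is still inside the SLA window is not yet a finding, so the check should be rerun at the close of the audit period, and a wipe recorded after the deadline is reported as a late wipe rather than being treated as compliant.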
A Practical Methodology for BYOD Governance
This premium IT management template is provided by the IT management experts at ToolkitCafe,
makers of the BYOD Policies and Procedures Toolkit.
Check out what’s inside The BYOD Policies & Procedures Toolkit
The BYOD Policies and Procedures Toolkit consists of 8 distinct forms and templates in Microsoft
Word which you can easily customize to meet the needs of your business. Each document was
developed and put to use in the field by seasoned IT managers just like you so you can be assured the
content has been thoroughly vetted and covers most common
usage scenarios. Read on for a description of each document in
the toolkit:
Instructions Document – This brief pdf document explains the
simple process of accessing and using the tools in the kit and
provides useful advice on the approach you should take as you
customize the documents for your specific needs.
Master Checklist – This 10-item checklist walks you through each
recommended step for setting up and maintaining a thorough
mobile device governance program. You can use this document as
your “dashboard” for managing the other templates in the kit.
Where a specific tool or template is referenced you can simply
click on the document link to open and customize the appropriate document. You can also set the status of
each step within this tool as a way to remind you which governance tasks are complete and which require
more work.
Security Audit Program – This detailed 7-page document will step you through an exhaustive security
analysis to ensure you are leaving no stone unturned when it comes to managing mobile device and data
security. It contains a 49 point checklist that we advise every IT manager to carefully consider.
Mobile Device Equipment Standard – This template provides language describing the specific approved
devices, applications, operating systems and employee compliance standards that are expected.
Mobile Device Usage Standard – The usage standard provides employees with a clean and unambiguous
list of controls and procedures each employee is expected to agree to and take complete responsibility for.
Mobile Device Policy (Employee Choice) – This policy is issued to employees to describe the company’s
rules and process for BYOD management.
Mobile Device Policy (Company Issued Devices) – This policy is issued to employees who will be issued
mobile devices provided by the company.
Mobile Device Request Form – This is a form an employee may use to request the issuance of a personal
mobile device from the company.
Employee Agreement Form – Employees who use mobile devices at work should sign this form stating
they understand the rules. This form will go into the employee’s HR file.
Mobile Device Employee Training Form – If you provide mobile device training to employees, this form
can be used to document the completion of such training and kept in the employee’s HR file.
Download the BYOD Policies & Procedures Toolkit
Risk-Free Today!
The instant you purchase the kit, all the tools, templates and instruction described above will be
available to you through a simple download. You may use the kit for up to 30 days. If anytime during
that period you decide it does not meet the needs of you or your company, just let us know and we will
refund the purchase.