To protect corporate data and prevent security incidents, IT must have a program in place to audit the mobile endpoints that access business systems and data.
What falls under the category of "mobile device" for auditing has evolved over time. While smartphones and tablets might come to mind first, mobile device security audits should also account for laptops, BYOD endpoints and other portable or network-connected devices that can access corporate resources.
A comprehensive mobile device audit program helps IT understand which devices are in use, how they are managed, what data they can access and whether they comply with security policies. Strong security controls are essential as employees use more devices across office, remote and hybrid work environments.
Why are mobile device security audits important?
Mobile devices store and transmit sensitive data on both managed and unmanaged networks. To mitigate risk, IT departments should conduct a mobile device security audit to systematically evaluate their organization's mobile device security measures.
A mobile device security audit assesses details such as the types of devices, OS versions, policies, access control, software updates and encryption. By analyzing these features, organizations can determine how well corporate resources are protected against potential data breaches.
A mobile device audit program should give IT a repeatable way to assess mobile risk, not just a one-time checklist.
Mobile auditing in the enterprise isn't just about phones. It should be narrower than a full network audit, but broad enough to include the portable and network-connected endpoints that can access corporate resources. That can include smartphones, tablets, laptops, BYOD devices and some IoT devices, depending on how they connect and what data or systems they can reach.
Some devices might seem fixed to one place or serve only one purpose, but they can still pose a risk if they connect to Wi-Fi, Bluetooth or corporate networks. The goal is not to treat every connected device the same way, but to decide which devices create mobile or endpoint risk and include them in the right audit scope.
For example, if an organization relies on shared network credentials or weak access controls, an employee or attacker could connect an unmanaged device to the corporate network. IT admins need to know what that device is, what network segment it can reach, whether it is sending data and whether it creates a path to more sensitive systems.
It is important to consider factors such as OS version, manufacturer support, ownership model, patch status, app inventory, network access and network segmentation in a mobile audit. Because network security is a key component of mobile security, IT admins should separate high-risk or unmanaged devices from critical corporate infrastructure through segmentation, access controls and monitoring.
An audit should not be a one-and-done task; it should be a recurring part of a broader program. Regular audits help IT strengthen cybersecurity measures and keep them up to date, while educating end users on best practices for mobile security.
A mobile device audit program should include measures to prevent and address common security threats, including malware, phishing and lost or stolen devices.
8 key aspects of a mobile device security audit program
When conducting an audit, IT should pay attention to unmanaged, underpatched and higher-risk devices that employees bring into the organization. Mobile device management (MDM) and unified endpoint management (UEM) tools are important for inventory, policy enforcement, configuration management and data loss prevention. Mobile threat defense (MTD) tools can add risk detection for mobile phishing, malicious apps, device compromise and unsafe network connections.
NIST SP 800-124 Rev. 2 provides current guidance for managing mobile device security in the enterprise, including centralized device management and endpoint protection technologies. IT teams can use that guidance, along with internal risk requirements, to decide which controls and tools belong in the audit program.
There are several moving parts involved in a mobile device security audit program. To ensure that it is comprehensive and effective, admins should focus on the following key aspects:
Policies and procedures. Organizations must provide clear, thorough mobile device policies. These policies should cover acceptable use, data handling, passwords and remote access. IT should also regularly review and update security policies.
Access control. Strong authentication methods, such as multifactor authentication, should be in place, along with role-based access control, conditional access policies and least-privilege access for sensitive data. Additionally, monitor and log access attempts, especially from unmanaged, noncompliant or high-risk devices.
Software and updates. IT should follow a rigorous update schedule for OS versions and security patches, with updates for critical vulnerabilities taking precedence. Use MDM tools to help automate updates and compliance checks as well.
MDM and UEM. IT should use mobile device management or unified endpoint management tools for central management, policy enforcement, inventory tracking, compliance checks, remote wiping and app deployment. Management logs should also undergo regular audits.
Encryption. IT should require strong encryption for data at rest and in transit. There should also be clear encryption requirements for sensitive information on devices. Hardware-backed protections, such as Trusted Platform Module and Apple's Secure Enclave, can provide additional protection for supported devices.
Security awareness training. Users should receive education on mobile security and their role in maintaining it. This can include training on password hygiene, phishing, malware and other common threats, as well as instructions for what to do in the event of device loss or theft.
Removable media. Organizations should define policies for using removable media with mobile devices. Enforce encryption for data transferred to and from removable media, and consider restricting access if it is not essential.
Compliance with NIST and other security standards. NIST guidelines and other relevant data security standards, such as the Payment Card Industry Data Security Standard and HIPAA, must factor into audit programs. Evaluate password policies, encryption methods, incident response procedures, MDM, MTD and other factors against these standards.
Best practices for building an audit program
There is no one-size-fits-all audit program that all IT departments can adopt. The specific details to focus on for a mobile device security audit program depend on the following factors:
Organization size. A large organization with a diverse range of mobile devices might need a more comprehensive audit program than a smaller organization with few devices.
Device types. The types of mobile devices in use within the organization can influence the audit approach. For example, IT might focus on encryption and physical security when auditing laptops, while auditing smartphones might require more focus on access control and app security.
Industry regulations. Organizations in regulated sectors, such as healthcare or finance, often need to follow industry-specific security standards. Their audit programs should reflect this.
Once admins determine the audit objectives and scope, they should create and follow an audit checklist, which should generally include the following steps:
Audit mobile endpoints, including smartphones, tablets, laptops, BYOD devices and relevant IoT devices.
Confirm device ownership, enrollment status, OS version, patch level, app inventory and compliance status.
Ensure appropriate network segmentation and access controls for mobile, BYOD and IoT devices.
Update mobile and IoT devices to the latest supported versions.
Implement MDM or UEM tools for inventory, configuration, policy enforcement and remote wipe.
Implement advanced security tools, including MTD, especially for high-risk organizations.
Review identity controls, including multifactor authentication, conditional access and access removal for lost devices or departing employees.
Document audit findings, assign owners and track remediation through completion.
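The following script is an added example, not code from the article or from any MDM/UEM vendor. It shows what the audit checklist above (confirming ownership, enrollment, OS version, patch level, app inventory and compliance status) and the earlier segmentation advice (keeping unmanaged or high-risk devices away from critical infrastructure) look like when turned into a repeatable check over an inventory export. The device records, the policy thresholds, the field names and the app identifier are all constructed for the example; a real program would read the inventory from the organization's MDM/UEM API and take its thresholds from the written policy.

```python
"""Mobile device audit check over an MDM/UEM inventory export.

Added example (not the article's own code): the device records, the policy
thresholds and the field names are all constructed to illustrate the checks the
audit checklist calls for (ownership, enrollment, OS version, patch level,
encryption, app inventory, compliance status) and the segmentation decision
for unmanaged or high-risk devices.
"""
from datetime import date

# Constructed policy: minimum supported OS version per platform, maximum
# age of the last security patch, and apps the organization has blocklisted.
POLICY = {
    "min_os": {"ios": (17, 0), "android": (13, 0), "windows": (10, 0), "macos": (14, 0)},
    "max_patch_age_days": 60,
    "blocklisted_apps": {"com.example.unapproved-filesync"},  # placeholder app id
    "require_encryption": True,
    "require_mfa": True,
}

# Date the audit is run; fixed here so the example is reproducible.
AUDIT_DATE = date(2024, 6, 1)

# Constructed inventory, shaped like a simplified MDM/UEM export.
INVENTORY = [
    {"id": "dev-001", "platform": "ios", "os_version": "17.4", "owner": "corporate",
     "enrolled": True, "last_patch": "2024-05-20", "encrypted": True, "mfa": True,
     "apps": ["com.example.mail", "com.example.vpn"]},
    {"id": "dev-002", "platform": "android", "os_version": "11.0", "owner": "byod",
     "enrolled": True, "last_patch": "2023-12-01", "encrypted": True, "mfa": True,
     "apps": ["com.example.mail", "com.example.unapproved-filesync"]},
    {"id": "dev-003", "platform": "windows", "os_version": "10.0", "owner": "byod",
     "enrolled": False, "last_patch": None, "encrypted": False, "mfa": False,
     "apps": []},
    {"id": "dev-004", "platform": "macos", "os_version": "14.2", "owner": "corporate",
     "enrolled": True, "last_patch": "2024-04-10", "encrypted": True, "mfa": True,
     "apps": ["com.example.mail"]},
]


def parse_version(text):
    """Turn '17.4' into (17, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(device, policy, today):
    """Return a list of (severity, finding) tuples for one device record."""
    findings = []
    if not device["enrolled"]:
        findings.append(("high", "not enrolled in MDM/UEM"))
    min_os = policy["min_os"].get(device["platform"])
    if min_os and parse_version(device["os_version"]) < min_os:
        findings.append(("high", f"OS {device['os_version']} below supported minimum"))
    if device["last_patch"] is None:
        findings.append(("high", "no recorded security patch"))
    else:
        age = (today - date.fromisoformat(device["last_patch"])).days
        if age > policy["max_patch_age_days"]:
            findings.append(("medium", f"last security patch {age} days old"))
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append(("high", "storage encryption not enforced"))
    if policy["require_mfa"] and not device["mfa"]:
        findings.append(("medium", "multifactor authentication not enforced"))
    for app in sorted(set(device["apps"]) & policy["blocklisted_apps"]):
        findings.append(("medium", f"blocklisted app installed: {app}"))
    return findings


def recommend_segment(device, findings):
    """Segmentation decision: unmanaged devices and devices with any high-severity
    finding stay on a quarantine segment until remediated; BYOD devices and devices
    with only medium findings get limited access; clean corporate devices get full access."""
    if not device["enrolled"] or any(sev == "high" for sev, _ in findings):
        return "quarantine"
    if device["owner"] == "byod" or findings:
        return "limited"
    return "corporate"


def audit_inventory(inventory, policy, today):
    """Evaluate every device; return a per-device report plus summary counts."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device, policy, today)
        report[device["id"]] = {
            "owner": device["owner"],
            "findings": findings,
            "segment": recommend_segment(device, findings),
        }
    summary = {
        "devices": len(inventory),
        "noncompliant": sum(1 for r in report.values() if r["findings"]),
        "quarantined": sum(1 for r in report.values() if r["segment"] == "quarantine"),
    }
    return report, summary


if __name__ == "__main__":
    report, summary = audit_inventory(INVENTORY, POLICY, AUDIT_DATE)
    for dev_id, result in report.items():
        print(dev_id, result["segment"], result["findings"])
    print(summary)
```

Two design points carry over to a real program. Versions are compared as integer tuples rather than strings, because string comparison would rank "9.10" below "9.9" and silently pass an out-of-date device. Segmentation is decided from the findings themselves, so an unenrolled laptop with no patch record lands in quarantine automatically, and the report keeps the findings per device so that owners can be assigned and remediation tracked, as the last checklist step requires.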
A mobile device audit program should give IT a repeatable way to assess mobile risk, not just a one-time checklist. The program should help teams understand which devices can access corporate resources, whether those devices meet security requirements and which risks need remediation first.
As mobile, BYOD and IoT use expands, audit programs should evolve with the environment. Regular reviews of device inventory, access controls, security tools and user behavior can help organizations protect sensitive data and reduce the chance that a mobile endpoint becomes a path into critical systems.
Editor's note: This article was updated to improve readability and include current mobile device audit program considerations around MDM, UEM, BYOD, MTD, access controls and compliance.
Michael Goad is a freelance writer and solutions architect with experience handling mobility in an enterprise setting.