If you think of mobile devices as “mini laptops” that will help you appreciate what it takes to keep them secure, and why securing them is so important. Mobile devices store, transfer and access all the same classes of sensitive data as you might find on a laptop: personal data, account data, proprietary corporate data, and so on. Thus you need to put the same basic classes of controls in place to protect that data.
I’m finding that more Pivot Point Security customers in the legal, healthcare and other verticals are zeroing in on mobile device management (MDM). Lately I’ve run into two basic approaches to MDM, which I call “aggressive” and “passive”:
- To take the aggressive approach, you need to put a robust MDM policy in place with appropriate procedures and controls, including technology for automating most if not all of the management functions.
- For the passive approach, simply implement controls in to lock and remotely wipe devices, and advise your employees to notify IT if a device is lost or stolen.
Within ISO 27001, control 6.2.1 pertains to MDM policies. It says:
The mobile device policy should consider:
- registration of mobile devices;
- requirements for physical protection;
- restriction of software installation;
- requirements for mobile device software versions and for applying patches;
- restriction of connection to information services;
- access controls;
- cryptographic techniques;
- malware protection;
- remote disabling, erasure or lockout;
- usage of web services and web apps.
The number and combination of considerations apply to the MDM policy depends on how people in your company use their mobile devices. If you want to take the “aggressive” approach, that would involve most if not all of the areas listed.
Fortunately, technology OEMs are making it easier and cheaper for companies of all sizes to adopt MDM controls that mitigate their security risks. For example, AirWatch from VMWare makes it easy to enroll, configure, monitor and update device settings over-the-air for Android, iOS, Windows, BlackBerry and Mac OS X.
Of course, to be optimally effective MDM should be part of a comprehensive information security management system (ISMS) that takes into account all your key information security risks and related controls. To find out more about how to get started with MDM, contact Pivot Point Security.