Guiding Principles for Mobile Device Security
Mobile devices and their security present both challenges and opportunities for managers and auditors alike. To maximize the business value of mobile device use and to minimize the risk associated with it, the following principles should be applied. While the guiding principles may not be exhaustive, they provide a reasonable basis for managing the security of mobile devices.
Principle 1: Know the business value and risk of mobile device use.
The business impact and risk of using mobile devices should be weighed against the potential business value. To adequately manage security, the tolerable levels of risk and impact must be known. This includes knowledge about the way in which end users actually use, or expect to use, mobile devices. Business value and business risk are strongly influenced by organizational culture and user behavior patterns. In managing security, these factors should be taken into account.
Principle 2: Clearly state the business case for mobile device use.
The business case, in terms of value and risk, will determine the overall strategy adopted by the enterprise: centralized management, partial BYOD (bring your own device) or full BYOD. To provide adequate and appropriate security for mobile devices, the business case must be defined and generally understood. This includes cost-benefit considerations as well as the prevailing organizational values with regard to security.
Principle 3: Establish systemic security for mobile devices.
Mobile devices form part of a larger organizational system, so they should not be seen in isolation. When mobile devices interact with other devices or services, their security should be seen as systemic. Optimized security management for mobile devices requires consideration of the overall system.
Principle 4: Establish security governance over mobile devices.
Mobile device security exists within the values and objectives of the enterprise and its members. As such, security should be subject to clear governance rules that provide a sense of direction as well as reasonable boundaries for mobile device use and security. This includes adopting the organizational governance framework for mobile devices.
Principle 5: Manage mobile device security using enablers.
In addition to the systemic perspective on security, mobile device security should be managed using the enabler model. This includes the processes, controls, activities and key indicators associated with each of the enablers to form a full picture of mobile device security.
Principle 6: Place security technology in context.
While mobile devices require hardening and the application of technology, this should be seen in the context of the value derived from technology and the risk incurred through technology. Mobile device security management requires careful examination of the relative benefits of technology utilization against the restrictions and limitations imposed by security-related technology. Applying technology in the context of security should strike an optimal balance between restrictions and opportunities.
Principle 7: Know the assurance universe and objectives.
Mobile devices may be anything that moves. To provide assurance over mobile device security, the assurance universe should be known, defined and within the organizational sphere of interest. Assurance objectives should be clear, plausible and manageable. As many mobile devices may act outside the organizational perimeter, the associated risk and assurance issues should be taken into account.
Principle 8: Provide reasonable assurance over mobile device security.
To provide reasonable assurance over mobile device security, all three lines of defense within the enterprise should be defined and managed. This includes appropriate monitoring, internal reviews, audits and, when needed, investigative and forensic analysis.