IT-17 – Mobile Device Management

What is this control really about?

Mobile Device Management (MDM) is important for organizations. Mobile Device Management refers to the set of technologies, policies, and processes used to manage and secure mobile devices (such as smartphones, tablets, and laptops) within an organization’s IT environment.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them.

Tools

Microsoft Intunes

VmWare

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

• N/A no templates

Control implementation

• Define MDM Objectives and Scope:

     – Establish clear objectives for implementing MDM, such as enhancing data security, improving device management, and supporting a mobile workforce.

     – Define the scope of devices to be managed, including smartphones, tablets, laptops, and other mobile endpoints.

• Select an MDM Solution:

     – Research and evaluate various MDM solutions available in the market based on the organization’s requirements, platform support, security features, scalability, and integration capabilities.

     – Choose an MDM solution that aligns with the organization’s needs and budget.

• Develop MDM Policies and Procedures:

     – Create comprehensive MDM policies and procedures that define how mobile devices will be managed, secured, and monitored within the organization.

     – Address areas such as device enrollment, security settings, application management, data access, and compliance requirements.

• Conduct a Device Inventory:

     – Take stock of all existing mobile devices used within the organization.

     – Identify the types of devices, operating systems, and users who will be affected by the MDM implementation.

• Enroll Devices into MDM:

     – Enroll all authorized mobile devices into the chosen MDM solution.

     – Configure device profiles and security policies to ensure consistency and adherence to organizational standards.

• Implement Security Measures:

     – Configure security settings such as passcode requirements, encryption, and remote wipe capabilities to safeguard devices and data.

     – Implement multi-factor authentication (MFA) to enhance device and data protection.

• Define Application Management Policies:

     – Establish policies for managing and distributing applications to mobile devices.

     – Determine which applications are allowed, blocked, or recommended for different user groups.

• Educate and Train Employees:

     – Conduct training sessions to educate employees about the MDM policies and procedures.

     – Ensure employees understand the security measures in place and their responsibilities in complying with the MDM guidelines.

• Conduct Pilot Testing:

     – Perform a pilot test with a select group of users to identify any issues or challenges in the MDM implementation.

     – Gather feedback and fine-tune policies and procedures as needed.

• Monitor and Maintain MDM System:

      – Regularly monitor the MDM system to ensure devices are compliant with security policies.

      – Implement continuous monitoring and reporting to identify any security risks or anomalies

What evidence is the auditor looking for?

Most auditors, at a minimum, are looking for the below-suggested action:

• Security Configurations and Profiles:

   – Documentation of the security configurations and profiles applied to enrolled devices through the MDM solution.

   – Details on passcode requirements, encryption settings, and other security measures enforced on devices.

Evidence example

For the suggested action, an example is provided below:

• Security Configurations and Profiles

Screenshot source