Mobile Device Security Audit Program

BYOD Security!  As a manager of information technology, you are well aware of the benefits that BYOD presents your organization in terms of increased productivity and hardware cost savings for your company. But you also know the many risks your organization faces to its data security and internal process integrity when every user in your organization has almost complete control over the technology that is critical to your success. To manage this, your company needs an iron-clad governance plan for mobile device usage.  Download this comprehensive 49-point security inspection for mobile device security at your company and find out where your security holes are.

Read on for excerpts from the full document:


The purpose of Section 1 of this document is to identify the high-level objectives and controls related to the internal audit of the information security issues related to Mobile Device Management.

The purpose of Section 2 is to provide a framework for the audit work itself.  The content and format of the audit plan should be customized to your Mobile Device Management program.

SECTION 1: Audit/Assurance Objectives And Controls

  1. Mobile Computing Security Policy

Objective: Policies have been defined and implemented to assure protection of enterprise assets.

Policy Definition Control: Policies have been defined to support a controlled implementation of mobile devices.

  2. Risk Management

Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.

Risk Assessment Control: Risk assessments are performed prior to the implementation of new mobile devices, and a continuous risk monitoring program evaluates changes in existing risks or new risks associated with mobile computing devices.

Risk Assessment Governance Control: The executive sponsor is actively involved in the risk management of mobile devices.

  3. Device Management

Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.

Device Management Tracking Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.

Device Provisioning/Deprovisioning Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description, and access is adjusted as their job function changes or revoked when they are terminated.

  4. Access Control

Objective: Access control is assigned to and managed for mobile devices according to their risk of enterprise data loss.

Access Control Rules Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.

  5. Stored Data

Objective: Sensitive enterprise data is protected from unauthorized access and distribution while stored on a mobile device.

Encryption Protects Sensitive Data Control: Encryption technology protects enterprise data on mobile devices and is administered centrally, to prevent the loss of information through bypassed encryption procedures or the loss of data through misplaced encryption keys.

Data Transfer Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.

Data Retention Control: Data retention policies are defined for mobile devices, are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.

  6. Malware Avoidance

Objective: Mobile computing will not be disrupted by malware, nor will mobile devices introduce malware into the enterprise.

Malware Technology Control: Malware prevention software has been implemented according to device risk.

  7. Secure Transmission

Objective: Sensitive enterprise data are protected from unauthorized access during transmission.

Secure Connections Control: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.

  8. Awareness Training

Objective: Employees and contractors who use enterprise equipment or receive or transmit sensitive enterprise information receive initial and ongoing training relevant to the technology assigned to them.

Mobile Computing Awareness Training Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.

Mobile Computing Awareness Governance Control: Mobile computing awareness includes processes for feedback to management, so that management understands the usage patterns and risks identified by device users.