The NCCoE Buzz: Mobile Security Edition
Did you know that mobile devices were initially used only as personal consumer communication devices? Today, these devices are used to access modern networks and systems that process sensitive data, and they are often integrated across an organization’s enterprise. With this in mind, organizations need strategies that holistically address mobile security concerns, including mitigations and countermeasures.
In an effort to assist organizations with these deployment strategies, the National Institute of Standards and Technology (NIST) recently released Revision 2 of NIST Special Publication (SP) 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The publication provides a five-step enterprise mobile device deployment life cycle to help organizations build and manage the security of their deployment:
1. Identify Mobile Requirements. In the first stage of the life cycle, mobile mission needs and requirements are defined. Devices are inventoried, and the deployment model, such as Bring Your Own Device (BYOD) or Corporate-Owned and Personally-Enabled (COPE), is selected.
2. Perform Risk Assessment. Risk is identified, estimated, and prioritized. Risk assessments should be performed on a regular basis since risks to enterprise systems are always evolving.
3. Implement Enterprise Mobility Strategy. Mobile technology is selected and installed, an Enterprise Mobility Management (EMM) system is deployed, policies and configurations are created and provisioned to enrolled devices, and system testing is performed. The implementation stage can include additional security- and privacy-enhancing technologies, such as a Virtual Private Network (VPN) or a Mobile Threat Defense (MTD) service.
4. Operate and Maintain. An initial set of controls is deployed, and periodic audits can then evaluate the effectiveness of the security controls. This allows for adjustments to efficiently meet mission needs and improve security posture.
5. Dispose of and/or Reuse Devices. This step outlines how to prevent sensitive information stored on a mobile device from falling into the wrong hands when a device is no longer in use.
To learn more about NIST Special Publication (SP) 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, or to download a copy of the guide, visit the publication page.