Are Your Smartphones & Tablets on Santa’s Compliance Naughty Or Nice List?
Melissa Stevens | Tags: ibmsecurity mobile security
This post was contributed by Kimber Spradlin, Product Marketing at IBM Security for BigFix/Endpoint.
Guess what? All those regulations like PCI, HIPAA, SOX, and the many Data Privacy Laws that say helpful things like “thou shalt document and enforce security configuration policies/standards/baselines” apply to mobile devices too. If it processes or stores protected information, it needs to be secured.
For quick, inexpensive help with this problem, security professionals often go shopping for public guidelines from the Center for Internet Security (CIS), National Institute of Standards & Technology (NIST), and Defense Information Systems Agency (DISA), and then modify as needed. This is a great approach and most endpoint security and audit tools incorporate some combination of these benchmarks to make it even easier.
But there are a few lumps of coal in the stocking when it comes to mobile devices. In general, the typical sources mentioned above began publishing standards for iOS and Android in late 2011 with updates in early 2012. But . . . material for other mobile operating systems (Microsoft, Symbian, Blackberry) is nearly non-existent, and the standards organizations are struggling to keep up with the rapid release of new OS versions with significant differences from version to version. This is understandable given their requirements for published drafts and comment periods, but the problem is compounded by the fact that you can’t control when devices are upgraded.
This means that you should plan on maintaining your own Mobile OS Configuration Baselines, with resources (internal or external) available for quarterly reviews and updates. I’d recommend including a check for any updates from CIS, NIST, and DISA STIG as part of the process – whether you are a private or public organization – to find coverage for the operating systems and versions in your environment. You will also have to maintain multiple standards for each OS to cover the different versions. While you can’t control what version the smartphones and tablets are running, you can put older versions on the “naughty” list and prevent them from accessing organizational resources.
IBM, however, has put a present under your tree. IBM Endpoint Manager for Mobile Devices now includes CIS Benchmarks for iOS and Android devices. This means you can audit and enforce both enterprise- and personally-owned mobile devices against a globally recognized third-party standard. But more importantly, it means those devices can now provide real-time compliance reporting alongside your servers, laptops, desktops, and other endpoints in a single-pane-of-glass Compliance Dashboard. And as these benchmarks are updated, you’ll soon receive new content in your Endpoint Manager console automatically – no software updates required.