Effective CISSP Questions

The head of the sales department purchased a batch of new mobile devices for sales representatives to facilitate the selling process without the approval of the IT department. Which of the following is the best security control to prevent this from recurring? (Wentz QOTD)
A. Mobile Device Security Policies
B. User Education
C. OS & Application Isolation
D. Application Vetting

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Mobile Device Security Policies.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Mobile device security policies are the best security control to prevent shadow IT usage. User education may promote general awareness of security policies and issues, but mobile device security policies should be set out before user education.

Shadow IT

The head of the sales department purchasing a batch of new mobile devices for sales representatives, to facilitate the selling process, without the approval of the IT department is a typical example of shadow IT usage.

The term “Shadow IT” typically denotes staff members’ work-related use of IT-related hardware, software or cloud services without the knowledge of the IT organization.

Source: NIST SP 800-124 R2 (draft)

Application Vetting

Application Vetting refers to the capability to identify vulnerabilities and malicious code in mobile applications, inform administrators, and take remediation actions.

Enterprise Mobility Management (EMM) systems are a suite of products used to deploy, configure and actively manage mobile devices in an enterprise environment. They are central to an enterprise mobile security solution and can be used to control the use of both organization-issued and personally-owned mobile devices by enterprise users. In addition to managing the configuration of mobile devices, these technologies offer other features, such as controlling access to enterprise computing resources.

EMM systems should be integrated with Mobile Threat Defense (MTD) systems to protect the mobile endpoint. MTD systems can detect the presence of malicious apps or operating system (OS) software, known vulnerabilities in software or configurations, and connections to blacklisted websites/servers or networks. The integration of MTD with EMM enables administrators or defense systems to remediate detected vulnerabilities or quarantine applications or devices.

EMM systems can also be extended to provide Mobile Application Vetting (MAV) capabilities using tools that perform enterprise-level security analysis of managed apps and their libraries prior to deployment and throughout the lifecycle of the apps. Vulnerabilities or malicious code discovered prior to deployment can be referred to the developer, or the app may be disallowed for use on the organization’s devices or within the enterprise mobile app store. If vulnerabilities or malicious code are discovered after an app has been deployed or updated, the administrator is informed and offered the option to deploy various EMM remediation actions.


Source: NIST SP 800-124 Rev. 2 (draft)
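To make the application vetting workflow described above concrete, here is an added example (not code from the original post or from NIST SP 800-124) that models a minimal Mobile Application Vetting check: it parses an app manifest for permissions outside an enterprise allowlist, compares bundled libraries against a list of known-vulnerable versions, and then maps the findings to the EMM action the text describes, depending on whether the app is already deployed. The package name, permission allowlist, library names, versions and the "known vulnerable" table are all constructed sample data, not real apps or real vulnerability records.

```python
"""Minimal mobile application vetting (MAV) check.

Added example, not the post's or NIST's code.  It models the workflow the
post describes: analyse an app's manifest and bundled libraries against
enterprise policy, then choose an EMM remediation path depending on
whether the app is already deployed.  All names, permissions, library
versions and the 'known vulnerable' list are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical enterprise policy: permissions an app may request without review.
ALLOWED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

# Constructed table: library -> highest version considered vulnerable.
KNOWN_VULNERABLE = {
    "com.example.oldssl": (1, 4, 2),   # versions <= 1.4.2 are flagged
}

# Constructed AndroidManifest.xml for a fictitious sales app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.salesapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed bill of materials for the same app: library -> version string.
SAMPLE_LIBRARIES = {"com.example.oldssl": "1.3.9", "com.example.json": "2.0.0"}


@dataclass
class VettingReport:
    package: str
    unapproved_permissions: list = field(default_factory=list)
    vulnerable_libraries: list = field(default_factory=list)

    @property
    def has_findings(self) -> bool:
        return bool(self.unapproved_permissions or self.vulnerable_libraries)


def parse_version(version: str) -> tuple:
    """Turn '1.3.9' into (1, 3, 9) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def vet_application(manifest_xml: str, libraries: dict) -> VettingReport:
    """Analyse the manifest and library list; return every finding."""
    root = ET.fromstring(manifest_xml)
    report = VettingReport(package=root.get("package", "<unknown>"))
    # Permissions not on the allowlist need human review before approval.
    for elem in root.iter("uses-permission"):
        perm = elem.get(f"{{{ANDROID_NS}}}name")
        if perm and perm not in ALLOWED_PERMISSIONS:
            report.unapproved_permissions.append(perm)
    # Libraries at or below a known-vulnerable version are flagged.
    for lib, version in libraries.items():
        max_vulnerable = KNOWN_VULNERABLE.get(lib)
        if max_vulnerable and parse_version(version) <= max_vulnerable:
            report.vulnerable_libraries.append(f"{lib}:{version}")
    return report


def emm_action(report: VettingReport, already_deployed: bool) -> str:
    """Map findings to the remediation path the post describes."""
    if not report.has_findings:
        return "approve"
    if not already_deployed:
        # Pre-deployment: refer to the developer and keep it out of the app store.
        return "refer-to-developer-and-disallow"
    # Post-deployment: inform the administrator and offer EMM remediation.
    return "notify-admin-and-offer-remediation"


if __name__ == "__main__":
    result = vet_application(SAMPLE_MANIFEST, SAMPLE_LIBRARIES)
    print(result)
    print("pre-deployment:", emm_action(result, already_deployed=False))
    print("post-deployment:", emm_action(result, already_deployed=True))
```

The two-stage split mirrors the text: the same findings lead to a different action before and after deployment, which is why an EMM needs lifecycle state for each managed app, not just a one-time scan result.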

The head of the sales department purchased a batch of new mobile devices for sales representatives to facilitate the selling process without the approval of the IT department. Which of the following is the best security control to prevent this from recurring? (Wentz QOTD)
A. Mobile Device Security Policies
B. User Education
C. OS & Application Isolation
D. Application Vetting
