Page 27 - ITGC_Audit Guides
offers efficiencies, it can introduce potential security concerns. (For purposes of this guidance, we
will refer to both concepts of BYOD and BYOT as BYOD.)

Mobile Operating Systems

Mobile operating systems are the primary-level software that allows mobile devices to manage
their own internal components and interact with the device user. The mobile OS controls input on
the mobile device from various sources (e.g., touchscreen, microphone, camera, GPS) and
allows users to interact with the device via applications loaded onto it.

The most common mobile OSs are Apple iOS and Android, but there are others, such as
Microsoft’s Windows Mobile, Symbian, and BlackBerry OS. Though these may not be as
prevalent as iOS or Android, organizations should be aware of the use of these other OSs if they
allow their employees to bring their own devices, as any device connected to an organization’s
network can pose security risks.

The open-source nature of the Android OS means that device manufacturers and network
providers can make changes to the OS for many reasons, including device and network
optimization. This layered approach can have a significant impact on the security and features of
the Android OS. On the other hand, Apple strictly controls the iOS environment. Source code is
not shared with network providers, and Apple pushes updates to its devices.

Mobile Device Management and Mobile Application Management

Mobile device management (MDM) is software that allows an organization to control the features
of a device (e.g., smartphones, tablets, eReaders, wearables) to secure it and enforce policies.
This enables organizations to manage large numbers of their mobile devices in a consistent and
scalable manner. MDM also allows the organization to remotely wipe clean any device that is lost
or compromised. The drawback to this is the resultant limited user flexibility on the corporate
mobile device.

Mobile application management (MAM) describes the software and services responsible for
provisioning and managing access to mobile applications (developed in-house or commercially
available) whether applied to organization-owned mobile devices or BYOD. MAM also has the
added benefit of being able to limit the sharing of corporate data among applications.

The main focus of MDM and MAM is to control exposure of corporate applications, mail, and
confidential documents, and to maintain integration with other corporate technology assets (e.g.,
laptops, printers). In addition, security policies can be embedded and enforced at the corporate
application level and may not rely on device-level security or OS patches. This implies that
constant testing of MAM applications is required to ensure compatibility with device-level OS
upgrades.

Organizations should consider an appropriate mobile device management policy and BYOD
policy.

Infrastructure Challenges and Risks

An organization’s infrastructure is the backbone of its IT operations. When set up well, it can help
maximize efficiency. When not optimized, it can introduce unnecessary risks and challenges.
19 — theiia.org