Page 79 - ITGC_Audit Guides

Mobile Computing Control Groups

This section describes significant components of a mobile computing ecosystem as well as typical risks and related controls.

Certain controls in specific IT-IS control frameworks are referenced so that readers may pursue additional detailed guidance. Just as each framework has a distinct way of grouping controls, this guide categorizes controls to facilitate discussion and learning. This section generally associates controls with a process or control objective typically managed by a team in either IT or IS. However, this categorization scheme is not meant to replace or override those used in the cited frameworks or elsewhere. The way controls are organized varies from one organization to the next, so internal auditors are encouraged to customize their approach as appropriate.

Ecosystem
In IT, the term ecosystem often refers to the interdependent and evolving nature of hardware, software, and communications elements. This differs from the use of "digital ecosystem" to describe an organization's use of a core technology platform to offer multiple services, as Amazon and Facebook have done.


Remote Access

In the old model, a computing device was physically connected to the network, and data transmissions were protected by the physical and logical controls over the wired network. Mobile computing instead requires a secure method of establishing a trusted connection over wireless and other untrusted networks. Many organizations use a VPN to secure remote access. A VPN not only establishes an encrypted transmission path between the user's device and the enterprise network; it can also enforce multi-factor authentication, for example when the VPN client is bound to a specific enrolled device (a possession factor) and the user must still present a credential of their own, such as a password or one-time code (a knowledge factor). A VPN that accepts a password alone, from any device, provides the encrypted path but not the second factor.
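The following POSIX shell script is an added example, not part of the IIA guide or of any of the cited frameworks. It shows the kind of configuration check an auditor (or the VPN administrator) can run against an OpenVPN server configuration to confirm the properties described above: the tunnel is bound to an enrolled device through a required client certificate, a user credential is checked in addition to that certificate, and the TLS control channel is protected with a pre-shared HMAC key. The directive names are OpenVPN's (2.4 or later); the two configuration files the script writes are constructed samples, one weak and one hardened, and the script paths inside them are placeholders.

```shell
#!/bin/sh
# Added example, not from the IIA guide or any of the cited frameworks.
# Assumptions: OpenVPN 2.4+ server directive names; the two configurations
# written by the helper functions below are constructed samples.

# check_vpn_config FILE
# Returns 0 only when the config shows all three properties:
#   (a) device binding    - a client certificate is required, so the tunnel is
#                           tied to an enrolled device (possession factor);
#   (b) user factor       - a password/OTP check runs in addition to the cert;
#   (c) channel hardening - tls-crypt or tls-auth protects the control channel.
check_vpn_config() {
    conf="$1"
    rc=0

    # (a) 'verify-client-cert none|optional' (or the older
    #     'client-cert-not-required') lets any host with a password connect.
    if grep -Eq '^[[:space:]]*(verify-client-cert[[:space:]]+(none|optional)|client-cert-not-required)' "$conf"; then
        echo "FAIL device binding: client certificate not required"
        rc=1
    else
        echo "PASS device binding: client certificate required"
    fi

    # (b) A verification script or PAM/LDAP/RADIUS plugin supplies the
    #     second factor; without it the certificate is the only credential.
    if grep -Eq '^[[:space:]]*(auth-user-pass-verify[[:space:]]|plugin[[:space:]]+[^[:space:]]*(pam|ldap|radius))' "$conf"; then
        echo "PASS user factor: user credential checked in addition to certificate"
    else
        echo "FAIL user factor: certificate is the only credential"
        rc=1
    fi

    # (c) tls-crypt/tls-auth require a pre-shared HMAC key before the TLS
    #     handshake even starts, so unauthenticated hosts cannot probe it.
    if grep -Eq '^[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$conf"; then
        echo "PASS control channel: tls-crypt/tls-auth present"
    else
        echo "FAIL control channel: no tls-crypt/tls-auth"
        rc=1
    fi
    return $rc
}

# Constructed sample: password-only VPN, no device binding, no HMAC key.
# Prints the path of the temporary file it writes.
write_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
verify-client-cert none
auth-user-pass-verify /etc/openvpn/check-password.sh via-env
EOF
    echo "$f"
}

# Constructed sample: device certificate + user/OTP check + tls-crypt.
write_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
remote-cert-tls client
auth-user-pass-verify /etc/openvpn/check-otp.sh via-env
EOF
    echo "$f"
}

# Usage: the weak config must fail the check and the hardened one must pass.
weak=$(write_weak_conf); hardened=$(write_hardened_conf)
echo "== weak =="; check_vpn_config "$weak" || echo "-> does not meet the control"
echo "== hardened =="; check_vpn_config "$hardened" && echo "-> meets the control"
rm -f "$weak" "$hardened"
```

The check is deliberately conservative: it treats the absence of `verify-client-cert none` as "certificate required" because that is OpenVPN's default, but an auditor should still confirm that the CA referenced by `ca` issues certificates only to enrolled devices and that revoked devices appear in a `crl-verify` list, neither of which a text search can prove.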

Controls over remote access are described more fully in the following frameworks:
•   In COBIT 2019 Framework: Governance and Management Objectives, in the objectives:
       o  BAI09 Managed Assets, especially practice BAI09.02 Manage Critical Assets.
       o  DSS05 Managed Security Services, particularly DSS05.02 Manage Network and Connectivity Security.
•   NIST SP 800-53r5 covers similar guidance in control AC-17 Remote Access.
•   CIS Controls provides relevant coverage in subcontrols called "safeguards," specifically:
       o  12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure.
       o  13.5 Manage Access Control for Remote Assets.


                   4 — theiia.org