Page 83 - ITGC_Audit Guides

other on-device configurations may be necessary to protect the network. Such controls often
                   involve coordination between IT and IS teams to ensure their people, processes, and
                   technologies are aligned to sufficiently mitigate risks. In organizations without centralized
                   administration, policies still generally require local controls to meet internal security
                   requirements.

                   When evaluating controls over endpoint security, internal auditors may examine whether secure
                   configurations for remote access are established using a formalized configuration management
                   process, with sufficient policies, technologies, and personnel deployed to implement effective
                   and, ideally, largely automated controls.

                    Controls over establishing secure baseline configurations for remote devices are primarily found in:

                    •   COBIT 2019 Framework: Governance and Management Objectives practices:
                           o  DSS05.03 Manage Endpoint Security.
                           o  BAI10.01 Establish and Maintain a Configuration Model.

                    •   NIST SP 800-53r5 controls:
                           o  CM-2 Baseline Configuration.
                           o  SC-18 Mobile Code.

                    •   CIS Controls safeguards:
                           o  4.10 Enforce Automatic Device Lockout on Portable End-User Devices.
                           o  4.11 Enforce Remote Wipe Capability on Portable End-User Devices.

                   Device Scanning
                   When a device attempts to connect to the organization’s network, automated controls may be
                   in place to scan and determine whether the device has sufficient protections for the system that
                   it is trying to access. As mentioned in the Centralized Device Administration section above,
                   security requirements often lead to configuration standards for operating systems, patches,
                   applications, services, and ports. When noncompliant technologies are detected, remediation is
                   typically required before the device is allowed to access the environment. For nonmanaged
                   devices, partitions or similar on-device protection may be required.

                   An internal audit engagement of mobile computing may seek to determine:
                   •   Whether noncompliant devices are remediated before they are allowed to connect to the
                       network remotely.
                   •   Whether nonmanaged devices are allowed to connect if security requirements are met.

                   Controls over device scanning, enforcement of security requirements, and authorization of
                   nonmanaged devices are found mainly in NIST SP 800-53r5 controls AC-19 Access Control for
                   Mobile Devices and MA-4 Nonlocal Maintenance.
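
As an added illustration of the device scanning decision described above (example code, not from the guide or from any vendor's product), the check below evaluates a constructed device posture report against a constructed baseline covering operating system, patches, applications, services, and ports, and returns either "allow" or "remediate" together with the gaps that must be closed before access; the baseline values, field names, and sample devices are assumptions, and the isolated work partition flag stands in for the "partitions or similar on-device protection" the text requires of nonmanaged devices.

```python
from dataclasses import dataclass, field
# Constructed baseline for illustration only (values are not from the guide); it covers
# the categories the text names: operating system, patches, applications, services, ports.
BASELINE = {
    "min_os_version": (10, 0, 19045),
    "required_patches": {"PATCH-2024-01", "PATCH-2024-02"},
    "required_apps": {"edr-agent", "disk-encryption"},
    "prohibited_services": {"telnet", "ftp"},
    "allowed_listening_ports": {443},
}
@dataclass
class DeviceReport:
    """Posture data collected from a device when it attempts to connect (assumed fields)."""
    device_id: str
    managed: bool                          # enrolled in centralized administration?
    os_version: tuple
    patches: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    services: set = field(default_factory=set)
    listening_ports: set = field(default_factory=set)
    isolated_work_partition: bool = False  # on-device protection for nonmanaged devices
def find_gaps(report: DeviceReport, baseline: dict) -> list:
    """List every way the device falls short of the baseline (empty list means compliant)."""
    gaps = []
    if report.os_version < baseline["min_os_version"]:
        gaps.append("os: below minimum version")
    for p in sorted(baseline["required_patches"] - report.patches):
        gaps.append(f"patch: missing {p}")
    for a in sorted(baseline["required_apps"] - report.apps):
        gaps.append(f"app: missing {a}")
    for s in sorted(report.services & baseline["prohibited_services"]):
        gaps.append(f"service: prohibited {s} running")
    for port in sorted(report.listening_ports - baseline["allowed_listening_ports"]):
        gaps.append(f"port: unexpected listener on {port}")
    if not report.managed and not report.isolated_work_partition:
        gaps.append("nonmanaged: isolated work partition required")
    return gaps
def access_decision(report: DeviceReport, baseline: dict = BASELINE) -> tuple:
    """'allow' only when nothing is outstanding; otherwise 'remediate' plus the list to fix."""
    gaps = find_gaps(report, baseline)
    return ("allow" if not gaps else "remediate", gaps)
# Constructed sample devices (not real hosts): a compliant managed laptop and a BYOD device.
MANAGED_OK = DeviceReport("lt-001", True, (10, 0, 19045), {"PATCH-2024-01", "PATCH-2024-02"},
                          {"edr-agent", "disk-encryption"}, {"sshd"}, {443})
BYOD_GAPS = DeviceReport("byod-07", False, (10, 0, 19000), {"PATCH-2024-01"},
                         {"edr-agent"}, {"telnet"}, {443, 23})
if __name__ == "__main__":
    for dev in (MANAGED_OK, BYOD_GAPS):
        print(dev.device_id, *access_decision(dev))
```

An auditor testing this control would look for evidence that the "remediate" path actually blocks the connection until the listed gaps are closed, and that a nonmanaged device with no gaps is the only nonmanaged device that reaches "allow".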

                   Anti-Malware
                   An assessment of risks at each layer in the technology ecosystem generally provides the basis
                   for decisions about where to apply anti-malware programs and which solutions to implement.


                   8 — theiia.org