Mobile devices are the cornerstone of enterprise operations, enabling flexibility, productivity, and connectivity like never before. In an era where agility and accessibility are paramount, employees and officials rely heavily on their mobile devices to access critical information, regardless of location. However, ensuring the security of these devices is necessary for organizations to uphold operational continuity and protect against potential threats that could compromise data and disrupt essential functions.
The National Institute of Standards and Technology (NIST) provides guidance in NIST Special Publication 800-124 Revision 2 (NIST SP 800-124r2). Because deploying mobile devices within an enterprise involves many factors, this publication delineates the stages of deploying and managing mobile devices throughout their operational lifecycle, offering a strategic approach to effectively addressing security challenges.
Navigating the NIST Enterprise Mobile Device Lifecycle
In Section 5 of NIST SP 800-124r2, the NIST Enterprise Mobile Device Deployment Life Cycle outlines the stages of deploying and managing mobile devices throughout their operational lifecycle. It involves selecting appropriate management technologies and devices, deploying them to users, and documenting both the decision-making process behind the mobile security policy and the details of its implementation.
Identify Mobile Requirements
The first step in the mobile device deployment lifecycle is to define security needs and requirements for an organization’s fleet of mobile devices. Organizations should conduct an inventory of existing mobile devices and then identify the deployment model that best aligns with their needs for current and future functionality, as well as privacy and security considerations. These deployment models encompass options such as corporate-issued, bring-your-own-device (BYOD), or corporate-owned personally enabled (COPE). By understanding the impact of mobile devices on mission needs, organizations can refine their selection process, narrowing it down to a select few that effectively meet the organization’s specific requirements.
Perform Risk Assessment
Conducting risk assessments at various levels (organizational, mission, or information system) is foundational to cybersecurity practice. These assessments play a crucial role in identifying, estimating, and prioritizing risks that could impact the organization's operations, assets, and workforce. The scope should include mobile devices and apps as well as the systems responsible for managing the mobile ecosystem. By applying established methodologies and frameworks, organizations can identify and mitigate potential risks and maintain a robust cybersecurity posture.
NIST recommends these risk assessment methodologies:
- NIST SP800-30R1, Guide for Conducting Risk Assessments
- Guide for MITRE Mobile ATT&CK Framework
- NIST SP 800-154, Guide to Data-Centric System Threat Modeling
Implement Enterprise Mobility Strategy
Security needs and business objectives should drive the selection and installation of mobile technology, guiding the choice of deployment options, devices, and Enterprise Mobility Management (EMM) systems. Whether opting for on-premises or cloud-based solutions, organizations should integrate EMM technologies into their management strategy. Defining policies, device configurations, and provisioning steps that align with security standards is essential for a robust mobile security strategy.
Operate & Maintain
Organizations must engage in ongoing data gathering through audits to continuously assess and improve security measures. Regular audits of enterprise IT and mobile networking infrastructure are essential for establishing security baselines. Implementing automated processes further streamlines these efforts. IT audits play a crucial role in periodically evaluating the effectiveness of security controls, identifying security issues, and making necessary modifications or additions to fortify the system against future threats.
Auditors rely on data for these evaluations, with mobile device usage logs serving as valuable sources of information for assessing the efficacy of controls within the mobile computing environment.
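As an added illustration of the automated, periodic audit this stage calls for, the following script checks an EMM/MDM inventory export against a security baseline and reports per-device findings. This is example code written for this page, not Zimperium's or NIST's; the inventory field names, the baseline values, and the sample records are all constructed assumptions, and a real audit would read the export from the organization's own EMM and apply its own policy thresholds.

```python
"""Automated baseline check over an MDM inventory export (constructed example)."""
import json

# Security baseline for the audit. These values are constructed for the example;
# an organization's real baseline comes from its own policy and risk assessment.
BASELINE = {
    "min_os_version": {"ios": (17, 0), "android": (14, 0)},
    "max_checkin_age_days": 7,
    "disallowed_apps": {"sideload-store"},
}

# Constructed sample of an EMM/MDM inventory export. Field names are hypothetical
# and only stand in for whatever the real management system exports.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "dev-001", "os": "ios", "os_version": "17.4", "encrypted": True,
     "passcode_set": True, "compromised": False, "last_checkin_days": 2,
     "apps": ["mail", "vpn"]},
    {"device_id": "dev-002", "os": "android", "os_version": "13.0", "encrypted": True,
     "passcode_set": True, "compromised": False, "last_checkin_days": 3,
     "apps": ["mail"]},
    {"device_id": "dev-003", "os": "ios", "os_version": "17.2", "encrypted": False,
     "passcode_set": True, "compromised": False, "last_checkin_days": 1,
     "apps": ["mail", "vpn"]},
    {"device_id": "dev-004", "os": "android", "os_version": "14.0", "encrypted": True,
     "passcode_set": False, "compromised": True, "last_checkin_days": 30,
     "apps": ["mail", "sideload-store"]},
])


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '17.4' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(dev: dict, baseline: dict = BASELINE) -> list:
    """Return a list of human-readable baseline violations for one device record."""
    findings = []
    os_name = dev.get("os")
    min_versions = baseline["min_os_version"]
    if os_name not in min_versions:
        findings.append(f"unsupported platform {os_name!r}")
    elif parse_version(dev["os_version"]) < min_versions[os_name]:
        minimum = ".".join(str(p) for p in min_versions[os_name])
        findings.append(f"os_version {dev['os_version']} below minimum {minimum} for {os_name}")
    if not dev.get("encrypted", False):
        findings.append("storage not encrypted")
    if not dev.get("passcode_set", False):
        findings.append("no passcode set")
    if dev.get("compromised", False):
        findings.append("device reported compromised (jailbreak/root)")
    age = dev.get("last_checkin_days", 0)
    if age > baseline["max_checkin_age_days"]:
        findings.append(f"last check-in {age} days ago exceeds {baseline['max_checkin_age_days']} days")
    bad_apps = sorted(set(dev.get("apps", [])) & baseline["disallowed_apps"])
    if bad_apps:
        findings.append("disallowed apps installed: " + ", ".join(bad_apps))
    return findings


def audit_inventory(json_text: str, baseline: dict = BASELINE) -> dict:
    """Map each device_id in a JSON inventory export to its list of findings."""
    return {dev["device_id"]: evaluate_device(dev, baseline) for dev in json.loads(json_text)}


def summarize(report: dict) -> dict:
    """Aggregate counts an auditor would put at the top of the report."""
    non_compliant = sum(1 for findings in report.values() if findings)
    return {
        "devices": len(report),
        "compliant": len(report) - non_compliant,
        "non_compliant": non_compliant,
        "findings": sum(len(f) for f in report.values()),
    }


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for device_id, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
    print(summarize(report))
```

Run on a schedule against a fresh export, the summary gives the trend line the text describes (is the number of out-of-baseline devices falling after a control change?), while the per-device findings are the evidence an auditor can tie back to specific controls such as minimum OS version, encryption, and device integrity.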
Dispose and/or Re-Use Devices
Mobile devices often store sensitive information, from passwords and account numbers to emails and mission-critical data, so proper disposal is necessary to prevent data breaches and safeguard that information. Organizations must develop security and privacy policies for mobile devices and app usage, identifying all device apps, the features used, and the data accessed by those apps, so that the steps taken at disposal or re-use cover everything the device held.
By following the principles outlined in the NIST Enterprise Mobile Device Deployment Lifecycle, organizations can strengthen their defenses against mobile threats and ensure the security of their mobile deployments. With Zimperium's comprehensive mobile security solutions, organizations can align to the NIST SP 800-124r2 guidelines. Read our whitepaper, Unlock Compliance Success: Zimperium's Role in Attaining NIST SP800-124R2 Compliance, to learn more about how your security team can integrate NIST guidelines into your organization.
Contact us today for more information.