CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices.

The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities.

A policy should be implemented for trusting devices, with access to enterprise resources denied if the device does not have the latest patch level, has not been configured to enterprise standards, is jailbroken or rooted, and if the device is not continuously monitored by the EMM.

Strong authentication controls need to be implemented, including strong passwords/PINs, with PINs consisting of a minimum of 6 digits. Wherever possible, face or fingerprint recognition should be enabled. Two-factor authentication should be implemented for enterprise networks that require a password/passphrase plus one additional method of authentication such as an SMS message, rotating passcode, or biometric input.

CISA recommends practicing good app security, including only downloading apps from trusted app stores, isolating enterprise applications, minimizing PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting enterprise-developed applications.

Network communications should be protected by disabling unnecessary network radios (Bluetooth, NFC, Wi-Fi, GPS) when not in use, disabling user certificates, and only using secure communication apps and protocols such as a VPN for connecting to the enterprise network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should guard against malicious software that can compromise apps and operating systems and detect improper configurations. Devices should only be charged using trusted chargers and cables, and the lost device function should be enabled to ensure the devices are wiped after a certain number of incorrect login attempts (10 for example). It is also important to protect critical enterprise systems and prevent them from being accessed using mobile devices due to the risk of transferring malware.

The CISA mobile device cybersecurity checklist for organizations can be downloaded here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.