New Release: CIS Controls™ Mobile Companion Guide

The CIS Controls team has released a new companion guide to help organizations break down and map the applicable CIS Controls and their implementation in mobile environments. This new resource helps organizations implement the consensus-developed best practices using CIS Controls Version 7 for phones, tablets, and mobile applications.

Download CIS Controls

Introducing CIS Controls Mobile Companion Guide

For the mobile companion guide, we focused on a consistent approach on how to apply the CIS Controls security recommendations to Google Android and Apple iOS environments. Factors such as “Who owns the data?” and “Who owns the device?” all affect how the device can be secured, and against what threats. The guide explores various ways that organizations purchase, provision, and provide devices to employees. Styles include bring your own device (BYOD), corporate-owned, personally-enabled (COPE), fully managed, and unmanaged.

  • Unmanaged – Organizations can provide access to enterprise services, such as email, contacts, and calendar, to employee users without surveying or inspecting the device. Although a popular model for small companies and startups, this is the most dangerous scenario to the enterprise and should be avoided to the extent possible.
  • BYOD (Bring Your Own Device) – Devices are owned by the end-user but occasionally are used for work purposes, and should be permitted the least access to organization resources. These devices could be joined directly to an MDM with end-user consent, but are more often managed through a mail and calendaring system such as Exchange ActiveSync. Access from BYOD devices to organizational resources should be strictly controlled and limited.
  • COPE (Corporate Owned, Personally Enabled) – COPE devices work in a fashion similar to BYOD, except the organization owns and furnishes the mobile device themselves. Restrictions will be applied to the device but generally, don’t prevent most of what the user intends to do with the device. Although a COPE device is personally enabled, it ultimately belongs to the enterprise – as does the information on the device.
  • Fully managed – Devices within this deployment scenario are typically locked down and only permitted to perform business functions. Fully managed devices are often owned by the organization as are all data residing on the device, necessitating that employees have a second device for personal use. These devices are often heavily centrally managed which provides important security benefits, but also presents usability barriers to employees.

In this guide, we also analyzed an explored the systems that help administer and monitor mobile devices, such as Enterprise Mobility Management (EMM), Mobile Device Management (MDM), Mobile Application Vetting (MAV), and Mobile Threat Defense (MTD). All of these technologies can be used in concert to protect an enterprise’s mobile footprint, and are the primary technologies used to implement the CIS Controls for phones, tablets, and mobile apps.

Security on the Go

Mobile devices are everywhere – which means our security mindset needs to adapt to the unique challenges of hardening on-the-go environments and controlling remote access to enterprise resources. Identifying who owns mobile devices and who is responsible for the data they contain is one important step. With this companion guide, users can take security even further and implement the CIS Controls best practices with confidence. Track your progress with a downloadable spreadsheet.