Today’s IT admins have to keep in check the growing number of fully managed, corporate-owned, personally enabled (COPE) or BYOD devices that inhabit organizations of all sizes. From activation to retirement, IT admins are aware of every smartphone and tablet present in an organization. And a mobile device management solution plays a key role in accomplishing and improving the management of mobile devices.
Companies may appear to have the best MDM solution available, one that supports various platforms such as Android, macOS, iOS, and Windows 10, but they often fail to assess its health on a regular basis. This may cause non-compliance and leave companies at risk of security breaches, business disruption, financial losses and more. Now might be a good time for companies to review their existing device management strategy and MDM solution based on their future mobility needs.
What is an Audit?
In general, an audit is an overall assessment of an organization and each department within it. An IT audit is an examination and evaluation of an organization’s IT systems, management, applications, policies, and operations.
Types of IT audits
There are five main types of IT audits – Systems and applications, information processing facilities, systems development, management of IT and enterprise architecture, and telecommunications. An IT audit can be broadly classified into two categories:
- General control overview
- Application control overview (A device management audit would fall into this category)
Why companies need an IT audit
Many organizations spend large amounts of money on MDM solutions in order to reap the benefits of enhanced device and data security and better device compliance. An audit helps companies to evaluate the governance and controls in place to monitor and keep expenses in control. Another reason for considering an audit is evolving technology. An MDM audit can let you know if your device management solution is outdated and needs new features.
Auditing the MDM Solution
1. Check for the latest software
Ensure that the mobile device management solution is running the latest approved software and patches. Running an older version of the software on the mobile device gateways may make the devices vulnerable to known attacks or prevent organizations from taking advantage of robust security features.
Check whether devices are up to date on patching, or weeks behind the patch release date, for updates delivered via firmware over the air (FOTA).
2. Verify that protective features are enabled
Requisition a mobile device and verify if the protection features are enabled as per the company’s mobile security policy or other standards.
Many leading MDM solutions, including Scalefusion, provide several security features such as password controls, enforced periodic password changes, and pre-defined password complexity. With Scalefusion, IT admins can remotely set or reset passwords on Android devices.
Companies can extend their protective features by enabling remote wiping in case of device loss or theft. Wiping the device prevents attackers from retrieving any sensitive data.
3. Check for outdated security policies
An MDM policy is only as good as the sum of its parts and is an important component of a larger mobile device management framework. If organizations do not have a security policy in place, it is highly recommended to create one for mobile devices.
The mobile security policy should define the devices (BYOD or COPE) allowed to access the organization’s IT resources. IT administrators must continuously identify threats and vulnerabilities related to their onboarded devices and periodically assess their policies to address needed changes.
A few common security policies that allow organizations to enforce rules:
- Disable mobile device features such as copy/paste, email, and more to prevent data leakage.
- Check for blacklisted apps and websites, detect if a device is jailbroken, and enforce password compliance.
- Define which apps and device configuration settings are available for users belonging to a specific group or role.
- Limit access to various device functions, such as camera and web browser.
4. Document logging and monitoring process
MDM IT administrators need to routinely conduct analysis of audit logs to identify security incidents, policy violations, fraudulent activity and abnormal user behavior. The logging and monitoring procedure must be in a written document to minimize operational risks.
An up-to-date written procedure will help IT personnel understand the business expectations and responsibilities for implementing the process in a consistent manner. A written procedure could include defined roles and responsibilities for:
- Extracting audit logs and reports from the MDM system for review.
- Examining audit logs/reports generated by the MDM system, frequency of the reviews, as well as the supporting documentation.
- Investigating suspicious activity identified during log reviews.
- Maintaining and securing audit logs and associated review materials.
In many cases, viewing and retrieving logs for Android devices demands various system permissions and this activity often requires the device to be physically present with the IT admin. Scalefusion for Android devices makes it convenient to acquire audit logs. Users can request audit logs from the portal to prepare audit reports.
5. Evaluate controls in place for device lifecycle management
The lifecycle of an enterprise device, whether corporate-owned or BYOD, begins with activation and provisioning. It continues through securing and servicing, and ends with deprovisioning when the device reaches the end of its use in the organization or is retired.
Not tracking devices is one of the easiest ways to increase risk and vulnerability for the organization.
- Because older devices don’t get support from authorized vendors, security patches aren’t available, leaving them vulnerable to external threats.
- Losing track of a device held by an employee who is no longer a part of the organization could mean that person leaves with sensitive corporate information still on the BYOD device.
IT admins should revisit their recent provisioning process to check if it focuses on each individual stage of lifecycle management. Check if the device management solution can manage devices from a centralized platform and access details whenever necessary.
Address device retirement with Scalefusion’s remote wipe-off feature to remove data from devices no longer used or from devices used by former employees. Easily revoke app licenses from retired devices and deploy them to new users.
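The checks from steps 1, 2 and 5 can be run over a device inventory export, as in this added example (not Scalefusion's code or API). The CSV column names, the sample rows and the 90-day patch threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are hypothetical, not any MDM's real schema.
INVENTORY_CSV = """device_id,ownership,security_patch,passcode_enforced,remote_wipe,owner_status,wiped
TAB-001,COPE,2024-05-01,yes,yes,employed,no
PHN-002,BYOD,2023-11-01,yes,yes,employed,no
PHN-003,BYOD,2024-04-01,no,no,employed,no
PHN-004,BYOD,2024-05-01,yes,yes,departed,no
TAB-005,COPE,2023-01-01,yes,yes,departed,yes
"""

MAX_PATCH_AGE_DAYS = 90  # assumed threshold; take the real value from your security policy


def audit_inventory(csv_text, today, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return {device_id: [findings]} for devices that fail any audit check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        departed = row["owner_status"] == "departed"
        wiped = row["wiped"] == "yes"
        if departed:
            # Step 5: a former employee's device must be wiped at retirement.
            if not wiped:
                issues.append("owner departed, device not wiped")
        else:
            # Step 1: patch currency of devices still in service.
            age = (today - date.fromisoformat(row["security_patch"])).days
            if age > max_patch_age_days:
                issues.append(f"security patch {age} days old")
            # Step 2: protective features required by the mobile security policy.
            if row["passcode_enforced"] != "yes":
                issues.append("passcode policy not enforced")
            if row["remote_wipe"] != "yes":
                issues.append("remote wipe not enabled")
        if issues:
            findings[row["device_id"]] = issues
    return findings


if __name__ == "__main__":
    for device, issues in audit_inventory(INVENTORY_CSV, date(2024, 6, 1)).items():
        print(device, "->", "; ".join(issues))
```

Passing the audit date as a parameter keeps the result reproducible, so the same export can be re-checked later and compared against the previous audit's findings.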
Benefits of Auditing the MDM Platform
- An IT audit of the MDM system will help companies evaluate their investment. This will ensure that the system is performing efficiently and is meeting the goals and objectives.
- A successful IT audit will give you the information and data you need to ensure that the device management, policies, and operations are in order.
- An audit might also uncover the unseen capability of your device management platform. For example, some MDMs can help maintain an audit trail of sensitive files transferred over the air or onto removable data storage.
As mobile devices proliferate in the enterprise environment, their uses, storage capabilities, and power have increased as well. This has increased the risk they pose to an enterprise. Auditing your MDM solution should not be conducted only once a year or only when an unexpected attack occurs. It should be an essential part of IT governance and should be conducted regularly. Fixing significant gaps proactively can help save time and money. Conducting an audit can be overwhelming and time-consuming, but internal checkups would prove beneficial in the immediate future.