SANS Penetration Testing

SANS Checklist for Securing Mobile Devices in the Enterprise

[Editor's Note: Lee Neely has developed a very useful spreadsheet checklist to help organizations better plan and mitigate security risks associated with mobile devices, including phones and tablets. It's really handy stuff, and I strongly recommend you check it out! -Ed.]

By Lee Neely

To help organizations better understand, manage, and mitigate risks associated with mobile devices and their infrastructures, we've released an updated SANS SCORE Mobile Device Checklist. This checklist is designed to provide a repeatable approach to adding mobile devices to your environment in a secure fashion. The intent is to be device agnostic, to support long-lasting results, and to provide a basis for making consistent decisions around having these devices in your environment, as well as proper protection of the information on and around them. Too often, I've seen instances where mobile devices were brought into the workplace without consideration of all of the aspects of safely incorporating these devices. Disaster often ensues.

I have a bias toward both the physical use and the disposition (lifecycle) of mobile devices, due to my background in U.S. Government cyber security. For the public sector, think of these devices as an uncleared visitor in the room who is listening and recording. The analogy is useful elsewhere, though. For the private sector, think of a mobile device as a live webcam in the closed session of your board meeting. Ask yourself what (unauthorized) information is leaving the room and where it is being stored. There are ways to mitigate this risk, depending on your risk appetite. We've provided the checklist to help you think through these issues. We also hope it inspires conversations with management and users, so that management can make a conscious decision that achieves the necessary protections while allowing the devices to remain useful.

In this case, by mobile devices I am referring to smartphones and tablets rather than laptops. I see tremendous growth in technology and capabilities for these devices.

This checklist is designed to be simple, non-threatening, and easy to use. It is organized into tabs covering various aspects of mobile devices: Policies, Lifecycle, Security Settings, Applications, COPE, BYOD, and References. Each tab lists areas to consider (understanding use cases, performing risk assessments, policy, training, operational models, physical presence, and so on), with the intent that you record a decision on each as the basis for planning your adoption and implementation. Some tabs are linked together where more in-depth consideration is warranted. The items are also meant to prompt thoughts about anything else that should be on the list. I'd love to get feedback on ways to make this tool more useful.

This update also includes a new tab on COPE, more application security and device forensics information, and updated references. This version doesn't cover Samsung KNOX or BlackBerry Balance. Both are forms of sandboxing, which the checklist covers in a more general way, and the specific future of each is unclear right now. Time will help. I'm also not sure when it will be time to address NFC, or the larger question of using these devices for payments, particularly in a corporate environment.

Many thanks to all who contributed to the checklist, and I am looking forward to your comments.

You can download the checklist here: SANS SCORE Mobile Device Checklist

-Lee Neely

P.S. If you really want to take a deep dive into mobile device attacks and defenses, please check out the excellent SANS SEC 575 course, which provides in-depth, hands-on experience in securing Android, Apple iOS, and other related technologies. There are sessions upcoming on the following dates and locations:

April 28 in Austin, Texas

May 8 in San Diego, CA

June 16 in Berlin, Germany


Posted April 8, 2015 at 8:03 AM


Hello! I've tried to download the checklist, but I'm getting a 404 all the time. Could you check the link?
Thanks in advance!

Posted December 7, 2017 at 8:09 AM


Self assessment for testing.

Posted January 5, 2018 at 4:47 AM


The links are broken.
