IS Audit/Assurance Program
BYOD

Instructions
Process Sub-area
  Description: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs.
  Instructions: To make the audit program manageable, it is recommended to break out the scope of the audit into sub-areas. The auditor can modify this field to entity-specific names and terms. ISACA has used the most commonly used terms as the basis to develop this audit program.

Ref. Risk
  Description: Specifies the risk this control is intended to address.
  Instructions: This field can be used to input a reference/link to a risk described in the entity's risk register or enterprise risk management (ERM) system, or to input a description of the risk a particular control is intended to address.

Control Objectives
  Description: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope.
  Instructions: This field should describe the behaviors, technologies, documents or processes expected to be in place to address the inherent risk that is part of the audit scope. An IS audit manager can review this information to determine whether the review will meet the audit objectives based on the risk and control objectives included in the audit program.

Controls
  Description: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.
  Instructions: This field should describe in detail the control activities expected to be in place to meet the control objective. Control activities can be in roles and responsibilities, documentation, forms, reports, system configuration, segregation of duties, approval matrices, etc. An IS audit manager performing a quality control review must decide whether an auditor has planned to identify enough controls on which to base an assessment and whether the planned evidence is sufficiently objective.

Control Type
  Description: Controls can be automated (technical), manual (administrative) or physical.
  Instructions: Specify whether the control under review is automated, manual, physical or a combination. This information is useful in determining the testing steps necessary to obtain assessment evidence. Automated/technical controls are things managed or performed by computer systems. Manual/administrative controls are usually things that employees can or cannot do. Physical controls include locks, fences, mantraps and even geographically specific controls.
(c) ISACA 2016 All Rights Reserved Instructions, Page 1


Control Classification
  Description: Another way to classify controls is by the way they address a risk exposure.
  Instructions: Specify whether the control under review is preventive, detective, corrective or compensating. This information will be helpful when defining testing steps and requesting evidence. Preventive controls should stop an event from happening. Detective controls should identify an event when it is happening and generate an alert that prompts a corrective control to act. Corrective controls should limit the impact of an event and help resume normal operations within a reasonable time frame. Compensating controls are alternate controls designed to accomplish the intent of the original controls as closely as possible when the originally designed controls cannot be used due to limitations of the environment.

Control Frequency
  Description: Control activities can occur in real-time, daily, weekly, monthly, annually, etc.
  Instructions: Specify whether the control under review occurs in real-time, daily, weekly, monthly, annually, etc. This information will be helpful when defining testing steps and requesting evidence.

Testing Step
  Description: Identifies the steps being tested to evaluate the effectiveness of the control under review.
  Instructions: This field should describe in detail the steps necessary to test control activities and collect supporting documentation. The auditor can modify this field to meet entity-specific needs. ISACA has used a set of generic steps to develop this audit program. An IS audit manager may determine if the proposed steps are adequate to review a particular control.

Ref. COBIT 5
  Description: Identifies the COBIT 5 process related to the control objective or control activities.
  Instructions: Input the COBIT 5 process or practice that relates to this control.

Ref. Framework/Standards
  Description: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO).
  Instructions: Input references to other frameworks used by the entity as part of their compliance program.

Ref. Workpaper
  Description: The evidence column usually contains a reference to other documents that contain the evidence supporting the pass/fail mark for the audit step.
  Instructions: Specify the location of supporting documentation detailing the audit steps and evidence obtained. An IS audit manager performing a quality control review must decide whether an auditor has tested enough controls on which to base an assessment and whether the obtained evidence is sufficiently objective to support a pass or fail conclusion.

Pass/Fail
  Description: Document preliminary conclusions regarding the effectiveness of controls.
  Instructions: Specify whether the overall control is effective (Pass) or not effective (Fail) based on the results of the testing.

Comments
  Description: Free format field.
  Instructions: Document any notes related to the review of this Process Sub-area or specific control activities.


Governance

Process Sub-area: Governance

CO1. BYOD is subject to oversight and monitoring by management.

C1. BYOD policy has been approved by executive management.
Testing Steps:
1. Determine the reporting structure of the BYOD approval process and evaluate if the approval process includes affected business units.
2. Obtain the minutes of the meeting and other documentation used to evaluate the approval process.
Ref. COBIT 5: EDM01

C2. Executive management receives regularly scheduled status reports on BYOD usage and adherence to policy.
Testing Steps:
1. Obtain executive management status reports for the BYOD initiative.
2. Determine the frequency at which management receives status reports.
3. Determine the contents of the status report including:
- Key performance indicators established during program implementation
- Escalation summary
- Lost BYOD devices with sensitive organization data
- Estimates of savings through the BYOD program
Ref. COBIT 5: MEA01.04; EDM01

C3. An information security framework has been established by management identifying acceptable risk levels.
Testing Steps:
1. Obtain a representative sample of security incidents related to BYOD and determine if there are risk exposures resulting from weaknesses in the information security framework.
2. Validate with management if the number of risk exposures related to weaknesses in the information security framework is within acceptable risk levels.
3. Select a representative sample of third-party supplier contracts and determine the number of contracts that do not define control requirements.
4. Validate with management if the number of noncompliant contracts is within acceptable risk levels.
Ref. COBIT 5: APO12

C4. Security awareness and periodic training is required and conducted as required, at least annually.
Testing Steps:
1. Obtain the BYOD awareness program.
2. Determine that the contents of the program continue to address BYOD and security policies.
3. Determine the requirement for attendance at training programs.
4. Select a sample of BYOD users; determine the frequency of attendance.
5. Determine the percentage of BYOD users who have attended the subsequent training program.
6. Evaluate the effectiveness of the training program.
Ref. COBIT 5: APO12

Process Sub-area: Training

CO2. BYOD users attend initial orientation training and regular follow-up training.

C5. BYOD users are required to attend initial training on BYOD policy, MAUP and support procedures.
Testing Steps:
1. Obtain the training resources used in initial training.
2. Evaluate the completeness of the training program. Ensure that it addresses all policy issues identified in the policy section of this audit program.
3. Determine that BYOD users have attended the session(s).
4. Select a sample of BYOD users at all organizational levels.
5. Inspect attendance logs and other documentation to determine if the selected BYOD users have completed required training.
Ref. COBIT 5: APO07.03

Process Sub-area: Legal Issues

CO3. BYOD procedures comply with legal requirements and minimize the organization’s exposure to legal actions.

C6. Legal counsel has reviewed and provided documented approval of BYOD policies and procedures with respect to legal issues.
Testing Steps:
1. Determine if legal counsel has reviewed and approved legal issues relating to BYOD policies and procedures. Consider:
- Separation of business and personal data and information
- Respect for personal property
- Search and seizure laws of the employee’s locale
2. Obtain evidence of legal counsel review and approval.
Ref. COBIT 5: MEA03.01

C7. Legal hold policy and procedures are in place and enforced for all BYOD owners and devices.
Testing Steps:
1. Determine if the enterprise’s BYOD agreement addresses legal hold related to information stored or potentially stored on BYOD devices.
2. Determine that the BYOD owner formally accepts that each device is subject to the enterprise’s legal hold policy.
Ref. COBIT 5: APO01.03; APO01.08

CO4. A help desk or similar support function has been established to process technical and user issues.

C8. A help desk or similar support function exists for BYOD.
Testing Steps:
1. Obtain and review policies and procedures for BYOD-related help desk requests, escalation and follow-up to ensure completeness, timeliness and oversight.
2. Obtain a sample of BYOD help desk requests. Determine if:
- BYOD requests were resolved within the service level agreement (SLA).
- BYOD issues indicated information security issues that should have been escalated and were not.
Ref. COBIT 5: APO01.03; APO01.08


Risk Management

Process Sub-area: Risk Management

CO1. BYOD is subject to routine risk assessment processes.

C1. Management performed a risk assessment prior to implementing the BYOD program.
Testing Steps:
1. Determine if a risk assessment of BYOD had been performed prior to acceptance of the program.
2. Determine if the risk assessment takes into account regulatory requirements, if any.
3. Obtain board minutes or other documentation to support the approval of the risk assessment.
Ref. COBIT 5: APO12.03

C2. A risk assessment is performed and approved by management where major changes are initiated to the BYOD program, or to reaffirm the previous risk assessment.
Testing Steps:
1. Determine if subsequent risk assessments have been performed after the initial risk assessment.
2. Obtain and review the risk assessment documentation, if available, to determine if the risk assessment scope is adequate to support the changes in the BYOD program and protects the enterprise as appropriate.
Ref. COBIT 5: APO12.02; APO12.04


Policies

Process Sub-area: Policies

CO1. Policies supporting BYOD initiatives have been defined, documented, approved, implemented and maintained.

C1. The employee agreement (or any other policy that includes BYOD Acceptable Use statements and is required to be signed by all employees/contractors) clearly defines the mutual responsibilities of the enterprise and the signatory, prior to connecting employee-owned device(s) to the enterprise’s network and systems.
Testing Steps:
1. Verify that the employee must sign the BYOD agreement before their device is activated on the enterprise’s network.
2. Verify that, as an awareness technique, employees must review and sign the BYOD agreement annually.
3. Verify that employees are required to re-sign the BYOD agreement whenever a new BYOD device is deployed.
4. Review the employee BYOD agreement for the following practices:
- Enterprise is not responsible for employee service plan or device.
- Employee must promptly report a lost or stolen mobile device, within a defined period.
- If the enterprise provides a subsidy or stipend for business use of the device, the terms of employee use and financial responsibilities are clearly described, and the employee documents agreement via a signature.
- Employee will exercise reasonable due care of the device.
- Employee will not disclose to unauthorized parties the enterprise’s data stored on, or accessible via, the BYOD device.
- Employee will subscribe to the enterprise use policies.
- Employee will subscribe to the enterprise data security policies.
- Employee will abide by the updated BYOD agreement when it is revised and distributed.
- Employee will keep the BYOD device in working order, completing necessary repairs in a reasonable time frame.
5. Review the BYOD agreement to ascertain that the employee accepts, subject to enterprise policies, the enterprise’s right to:
- Wipe all data and programs (factory reset), e.g., if the device is lost, stolen or compromised
- Set password rules and length of character string for screen unlock
- Monitor attempts to unlock
- Wipe device on excessive unsuccessful unlock attempts
- Control how and when the screen locks
- Set screen lock password expiration time
- Require stored application data be encrypted
- Control use of device camera(s)
- Encrypt user data on device or SD cards upon activation
- Control sync data as manual or automatic when roaming
- Download, update or remove organization apps, over-the-air (OTA)
- Allow administrator to enable or disable Wi-Fi
- Allow administrator to enable or disable storage card
- Allow administrator to enable or disable browser
- Allow administrator to enable or disable text messaging
- Limit applications installed on device
- Install anti-malware updates
- Quarantine a mobile device in case of malware or breach of acceptable use policies
- Delete an application that is deemed malicious or inappropriate
- Audit the device
6. Determine the date of the last BYOD employment agreement revision.
7. Select a sample of employees with BYOD devices connected to the enterprise’s networks. Include in the sample employees of varying job functions and titles. Obtain their employee BYOD agreements and determine that they:
- Are based on the most current employee agreement
- Are signed and dated
- Are amended if revisions have been instituted since the previous signed document
Ref. COBIT 5: APO01.03; APO07.03

C2. The employee must adhere to the organization's Mobile Acceptable Use Policy (MAUP).
Testing Steps:
1. Obtain and verify that the MAUP aligns with the organization’s network security policy.
2. Determine that employees participating in BYOD have signed the MAUP.
3. Determine the date of the last revision to the MAUP.
4. Select a sample of employees with BYOD devices connected to the organization’s network. Include in the sample employees of varying job functions and titles. Obtain their employee agreements and determine that each agreement is:
- The most current MAUP agreement
- Signed and dated
- Amended if revisions have been instituted since the previous signed document
Ref. COBIT 5: APO01.03; APO13.01; APO13.03

C3. BYOD processes are integrated into HR services, policies and compliance.
Testing Steps:
1. Determine if the HR function is responsible for initial and annual signing of employee BYOD and MAUP documents.
2. Determine if HR onboarding includes signing of employee BYOD and MAUP statements. Select a sample of new employees participating in the BYOD program. Determine if the employees had signed the appropriate documents.
3. Determine if HR has a current list of BYOD participants to ensure termination procedures include BYOD exit procedures. Obtain the BYOD participant list. For a select sample, determine if the names on the list are current employees. Obtain the list of terminated employees. Verify that the terminated employees are not on the BYOD participant list.
4. Determine how HR manages the transfer of BYOD participants to other divisions or locations. Prepare appropriate audit test procedures to satisfy the audit objective.
5. Obtain a copy of the enterprise’s Code of Conduct and determine if it specifically states that a violation of the BYOD policy is considered a violation of the Code of Conduct with applicable sanctions.
6. Determine if disciplinary policies and supporting processes are in effect for violations to BYOD and MAUP policies. These should include:
- Established penalties for infringements
- Uniform application of penalty policy
Ref. COBIT 5: APO01.03; APO01.08

C4. Contractors are limited in their access and capabilities when connecting to the enterprise networks and IT systems.
Testing Steps:
1. Determine the policies in effect to permit contractors to utilize the enterprise resources, while protecting the organization’s assets and intellectual property from unauthorized access by contractors and other third parties.
2. Evaluate the effectiveness of BYOD controls upon third parties.
3. Evaluate BYOD employee policies and determine if additional controls, policies or procedures are required to protect the organization’s assets.
Ref. COBIT 5: DSS05.04

Process Sub-area: Exemptions From BYOD Policies

CO2. Exemptions from BYOD policies are appropriately controlled and monitored in conformance with the enterprise’s Exemptions to Policy procedure.

C5. Exemptions from BYOD policies are applied for, reviewed and authorized in conformance with the enterprise’s Policy Exceptions procedures.
Testing Steps:
1. If the enterprise grants exemptions from BYOD policies, obtain a copy of the list of authorized exemptions and a copy of the enterprise’s procedure for Exemptions to Policy.
2. Determine that each exemption was authorized in compliance with the enterprise’s Exemptions to Policy procedure.
3. Determine that exemptions are granted only for a limited time period, maximum one year.
4. Determine that each BYOD exemption is regularly reviewed for continuing applicability.
5. Determine that a new application for exemption was submitted and approved in each case where the BYOD owner needed an extension in time for the exemption.
Ref. COBIT 5: APO01.03; APO01.08


Security

Process Sub-area: Mobile Device Layer Security

CO1. BYOD users are required to maintain basic security procedures for the device.

C1. BYOD users are required to restrict access to their devices.
Testing Steps:
1. Determine that BYOD users are required to set a password to open the device. Depending on the device’s capabilities, this should be either:
- A numeric PIN of at least 4 digits, or
- A “strong” alphanumeric password in conformance with the organization’s password policy, if this is feasible on the device
2. Determine that users with access to highly sensitive data have a second authentication factor in addition to the PIN/password, e.g., use of the device’s camera for facial recognition or retinal scan.
3. Determine if the PIN or password is set to expire on a regular schedule, at least every 90 days.
4. Verify that the device locks automatically after five minutes of inactivity.
5. Determine that the device will lock after three unsuccessful PIN/password attempts.
6. Determine that the device pauses for an incremental time before the next attempt, e.g., a 30-second delay after the first set of three unsuccessful attempts, then 90 seconds, then three minutes, etc., to protect against brute force attempts against the login PIN/password.
Ref. COBIT 5: DSS05.04

C2. Data access is aligned with organization data classification requirements and employee job function.
Testing Steps:
1. Determine if data available to BYOD users subscribes to the data classification within the organization.
2. Select a sample of BYOD users and assess if the permitted data is within the user’s job function requirements and the data classification definition.
Ref. COBIT 5: APO01.06; DSS05.04

Process Sub-area: Connectivity Security

CO2. Only authenticated BYOD users may connect to the enterprise’s networks.

C3. BYOD users are subject to the same access controls as all other users.
Testing Steps:
1. Determine that an encrypted SSL/TLS or VPN tunnel is required to connect to any of the enterprise’s networks.
2. Verify that BYOD connections are validated against the enterprise’s identity store, e.g., Active Directory, and only authenticated users are permitted access.
3. Verify that a second authentication factor is implemented for connection from BYOD devices to highly sensitive apps and data.
Ref. COBIT 5: DSS05.04; DSS05.02

C4. BYOD users are required to commit in writing to security procedures to protect or wipe the organization’s data and apps in the event the device is no longer available to the organization.
Testing Steps:
1. Determine that BYOD users agree in writing to report loss of their device(s) without delay, i.e., based on the time frame specified in the policy/procedure.
2. Determine that BYOD users agree in writing that enterprise data and apps on the device may be remotely wiped if the device is lost or stolen, or on termination of employment.
3. Determine that BYOD users agree in writing that the enterprise data and apps on the device may be remotely wiped after a specific number of unsuccessful login attempts.
Ref. COBIT 5: APO01.03; APO01.08; APO13.01; APO13.03

C5. Strong encryption is deployed to protect the confidentiality of sensitive data at rest on, or in transit to/from, all BYOD mobile devices.
Testing Steps:
1. Determine that:
- Full disk encryption is required on all BYOD devices with access to sensitive data.
- Only standard encryption algorithms are permitted.
- Length of encryption keys must be adequate to the encryption algorithm used.
Ref. COBIT 5: DSS05.02; DSS01.01; DSS05.02-05; DSS06.03; DSS06.06

C6. Remote access connections to BYOD devices are restricted.
Testing Steps:
1. Determine that the Bluetooth configuration on BYOD devices is set not to be discoverable, to prevent unauthorized attempts to pair with the device.
2. Verify that BYOD mobile devices connect only with previously paired devices, such as earpieces or other mobile devices.
3. Verify that BYOD devices may connect into the enterprise’s networks only via specific virtual private networks (VPNs) which use strong encryption, i.e., either Secure Sockets Layer (SSL) VPNs or IP Security (IPSec) tunnels.
4. Verify that BYOD devices may connect via Wi-Fi into the enterprise’s networks only via specific VPNs or IPSec tunnels with strong encryption.
5. Verify that users are instructed, in security awareness training, always to use an encrypted Wi-Fi connection based on Wi-Fi Protected Access (WPA2) or better, i.e., never to use Wi-Fi connections that are either unprotected or that use inferior “protection,” such as Wired Equivalent Privacy (WEP).
Ref. COBIT 5: DSS05.02

C7. BYOD mobile devices are required to have standard anti-malware defenses.
Testing Steps:
1. Determine that industry-standard antivirus software is required on any device with access to the organization’s networks or sensitive data.
2. If an industry-standard firewall is installed on the device, verify it is operational at all times on all BYOD mobile devices.
Ref. COBIT 5: DSS05.01
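The device-access testing steps under C1 (PIN length, passcode expiry, auto-lock, lockout after three attempts, incremental delay) and the encryption requirements under C5 are stated as thresholds an auditor checks by hand. The following is an added example, not part of the ISACA audit program, of how those thresholds can be evaluated automatically against device-posture records exported from an MDM inventory, producing the same Pass/Fail per control that the program's Pass/Fail column records. The record layout (DeviceConfig), the sample devices, the list of "standard" ciphers with minimum key lengths, and the doubling rule used to continue the 30 s / 90 s / 3 min lockout schedule beyond the values on the page are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are the values given in the testing steps for C1 (device access)
# and the requirements listed for C5 (encryption).
MIN_PIN_DIGITS = 4
MAX_PASSCODE_AGE_DAYS = 90
MAX_AUTOLOCK_MINUTES = 5
MAX_FAILED_ATTEMPTS = 3
# Escalating delay after each set of three failed attempts: 30 s, 90 s, 3 minutes.
LOCKOUT_DELAYS_SECONDS = (30, 90, 180)
# Assumed allowlist of "standard" algorithms with a minimum key length in bits;
# the audit program does not name algorithms, so these are this example's choice.
APPROVED_CIPHERS: Dict[str, int] = {"AES": 128, "ChaCha20": 256}


@dataclass
class DeviceConfig:
    """Constructed device-posture record; a real one would come from MDM inventory."""
    device_id: str
    passcode_type: str          # "pin", "alphanumeric" or "none"
    passcode_length: int
    passcode_max_age_days: int  # 0 means the passcode never expires
    autolock_minutes: int       # 0 means the device never auto-locks
    max_failed_attempts: int    # 0 means unlimited attempts
    escalating_delay: bool
    handles_sensitive_data: bool
    second_factor: bool
    disk_encrypted: bool
    cipher: str
    key_bits: int


def lockout_delay_seconds(failed_sets: int) -> int:
    """Delay imposed after the n-th set of MAX_FAILED_ATTEMPTS failures (1-based).
    The page lists 30 s, 90 s and three minutes; beyond that ("etc.") this example
    assumes the last delay keeps doubling."""
    if failed_sets < 1:
        return 0
    if failed_sets <= len(LOCKOUT_DELAYS_SECONDS):
        return LOCKOUT_DELAYS_SECONDS[failed_sets - 1]
    return LOCKOUT_DELAYS_SECONDS[-1] * 2 ** (failed_sets - len(LOCKOUT_DELAYS_SECONDS))


def check_device_access(cfg: DeviceConfig) -> List[str]:
    """C1 testing steps 1-6: each unmet requirement becomes one finding."""
    findings = []
    if cfg.passcode_type == "pin":
        if cfg.passcode_length < MIN_PIN_DIGITS:
            findings.append(f"numeric PIN shorter than {MIN_PIN_DIGITS} digits")
    elif cfg.passcode_type != "alphanumeric":
        findings.append("no PIN or password required to open the device")
    if cfg.handles_sensitive_data and not cfg.second_factor:
        findings.append("no second authentication factor for highly sensitive data")
    if not 0 < cfg.passcode_max_age_days <= MAX_PASSCODE_AGE_DAYS:
        findings.append(f"PIN/password does not expire at least every {MAX_PASSCODE_AGE_DAYS} days")
    if not 0 < cfg.autolock_minutes <= MAX_AUTOLOCK_MINUTES:
        findings.append(f"device does not lock after {MAX_AUTOLOCK_MINUTES} minutes of inactivity")
    if not 0 < cfg.max_failed_attempts <= MAX_FAILED_ATTEMPTS:
        findings.append(f"device does not lock after {MAX_FAILED_ATTEMPTS} unsuccessful attempts")
    if not cfg.escalating_delay:
        findings.append("no incremental delay between unlock attempts")
    return findings


def check_encryption(cfg: DeviceConfig) -> List[str]:
    """C5: full disk encryption where sensitive data is held, standard algorithms
    only, and a key length adequate for the algorithm used."""
    findings = []
    if cfg.handles_sensitive_data and not cfg.disk_encrypted:
        findings.append("full disk encryption not enabled on a device with sensitive data")
    if cfg.disk_encrypted:
        min_bits = APPROVED_CIPHERS.get(cfg.cipher)
        if min_bits is None:
            findings.append(f"non-standard encryption algorithm: {cfg.cipher}")
        elif cfg.key_bits < min_bits:
            findings.append(f"{cfg.cipher} key of {cfg.key_bits} bits is below {min_bits}")
    return findings


def audit_device(cfg: DeviceConfig) -> dict:
    """Pass/Fail per control, mirroring the audit program's Pass/Fail column."""
    c1, c5 = check_device_access(cfg), check_encryption(cfg)
    return {"device_id": cfg.device_id,
            "C1": "Fail" if c1 else "Pass", "C1_findings": c1,
            "C5": "Fail" if c5 else "Pass", "C5_findings": c5}


# Constructed sample records: one compliant device, one with several gaps.
SAMPLE_DEVICES = [
    DeviceConfig("dev-001", "alphanumeric", 10, 90, 5, 3, True, True, True, True, "AES", 256),
    DeviceConfig("dev-002", "pin", 3, 0, 15, 0, False, True, False, True, "RC4", 128),
]


def audit_all(devices=SAMPLE_DEVICES) -> Dict[str, dict]:
    return {d.device_id: audit_device(d) for d in devices}


if __name__ == "__main__":
    for device_id, result in audit_all().items():
        print(device_id, "C1:", result["C1"], "C5:", result["C5"])
        for finding in result["C1_findings"] + result["C5_findings"]:
            print("  -", finding)
```

Each finding maps to one numbered testing step, so the output can be pasted into the Comments column as the evidence behind a Fail; an auditor sampling devices under step 2 of C2 would run the same check over the sampled population rather than over the two constructed records.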


IS Audit/Assurance ProgramBYOD

IS Audit/Assurance Program
BYOD
Ref. Control Control Control
Process Sub-area Risk Control Objectives Controls Type Class Frequency

Technical and User CO1. A help desk or similar support function has C1. A help desk or similar support function exists
Support been established to process technical and user for BYOD.
issues.

Mobile Device CO2. The enterprise uses an automated Mobile C2. An industry-standard MDM software tool is
Management Device Management (MDM) software tool to deployed to manage all mobile devices, including
manage all BYOD mobile devices. employee-owned (BYOD) devices.

C3. The MDM provides centralized management


features commensurate with the complexity and
size of the BYOD population.

(c) 2016 ISACA All Rights Reserved User and Device Management, Page 22
IS Audit/Assurance ProgramBYOD

IS Audit/Assurance Program
BYOD
Ref. Control Control Control
Process Sub-area Risk Control Objectives Controls Type Class Frequency

C3. The MDM provides centralized management


features commensurate with the complexity and
size of the BYOD population.

C3. The MDM provides centralized management


features commensurate with the complexity and
size of the BYOD population.

(c) 2016 ISACA All Rights Reserved User and Device Management, Page 23
IS Audit/Assurance ProgramBYOD

IS Audit/Assurance Program
BYOD
Ref. Control Control Control
Process Sub-area Risk Control Objectives Controls Type Class Frequency

C3. The MDM provides centralized management


features commensurate with the complexity and
size of the BYOD population.

C4. The MDM facilitates the secure distribution of


business-sensitive apps with appropriate controls
against the introduction of “rogue” apps.

C5. The MDM provides adequate querying and


reporting capabilities to manage the BYOD
population proactively.

(c) 2016 ISACA All Rights Reserved User and Device Management, Page 24
IS Audit/Assurance ProgramBYOD

IS Audit/Assurance Program
BYOD
Ref. Control Control Control
Process Sub-area Risk Control Objectives Controls Type Class Frequency

C6. The MDM facilitates interfaces to other


financial and business systems.

C7. Verifying remote management functionality

CO3. The MDM architecture restricts access to C8. The MDM servers are subject to the same
the MDM software to authorized administrators. network protection as other sensitive enterprise
servers.

(c) 2016 ISACA All Rights Reserved User and Device Management, Page 25
IS Audit/Assurance ProgramBYOD

Ref. Ref. Ref. Pass /


Testing Steps COBIT 5 Framework/ Workpaper Fail Comments
Standards
1. Obtain and review policies and procedures for BYOD-related help desk requests, escalation and APO12
follow-up to ensure completeness, timeliness and oversight.
2. Obtain a sample of BYOD help desk requests. Determine if:
- BYOD requests were resolved within the service level agreement (SLA).
- BYOD issues indicated information security issues that should have been escalated and were not.

1. Determine that an industry-standard MDM tool is deployed to manage all BYOD mobile devices DSS05.07;
with access to the organization’s networks and information. BAI10.03
2. By review of appropriate procedure documentation, determine that the MDM has been
deployed and is used to manage all BYOD mobile devices.
3. If the MDM system was installed since the last review, obtain documentary evidence that the
selection process was conducted according to the enterprise’s system development life cycle
(SDLC) standards for acquiring standard software packages.

1. By discussion and review of MDM documentation and IT procedures, determine that at least the APO13.01;
following device security features are enabled with the MDM tool(s): APO13.03;
- A secure portal for BYOD users to enroll and provision their devices BAI10.01-02;
- Centralized security policy enforcement BAI10.04;
- Remotely lock and wipe data and installed apps DSS02.01
- Inventory devices, operating systems (OSs), patch levels, organization and third-party apps, and
revision levels
- Distribution whitelists and blacklists
- Permission-based access controls for access to the organization’s networks and data
- Selective wipe and privacy policies for organization apps and data, i.e., sandboxing
- Distribution and management of digital certificates (to encrypt and digitally sign emails and
sensitive documents)
- Role-based access groups with fine-grained access control policies and enforcement
- Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes
- Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an
automatic OS update may cause critical apps to fail
- Secure logs and audit trails of all sensitive BYOD activities
- Capability to locate and map lost phones for recovery
- Backup and restore BYOD device data
- Remove or install profiles based on geographic location, to ensure compliance with relevant
foreign legislation, e.g., data privacy and security

(c) 2016 ISACA All Rights Reserved User and Device Management, Page 26
IS Audit/Assurance ProgramBYOD

Ref. Ref. Ref. Pass /


Testing Steps COBIT 5 Framework/ Workpaper Fail Comments
Standards
2. When BYOD devices attempt to connect to the organization's networks, the MDM system
automatically checks:
a) Patch levels for OSs and apps
b) Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc.
c) Device is not jailbroken (Apple) or rooted (Android)
d) Presence of unapproved devices (if any)
e) Presence of blacklisted apps
– If any of the above login checks fail, the MDM can automatically update the device concerned
(e.g., patch levels) or disallow access.
COBIT 5 Ref.: APO13.01; APO13.03; BAI10.01-02; BAI10.04; DSS02.01

3. By discussion and observation, determine that the MDM enables the following support
functions:
- Send text messages to one or a group of selected devices with troubleshooting instructions
- Perform remote device diagnostics for a wide range of BYOD devices
- Remotely view a device's screen and take screen shots to assist with troubleshooting
- Take remote control of a device for troubleshooting
- Activate or deactivate specific apps
- Permission-based access controls for access to the organization's networks and data
- Selective wipe and privacy policies for organization apps and data, i.e., sandboxing
- Distribution and management of digital certificates (to encrypt and digitally sign emails and
sensitive documents)
- Role-based access groups with fine-grained access control policies and enforcement
- Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes
- Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an
automatic OS update may cause critical apps to fail
- Secure logs and audit trails of all sensitive BYOD activities
- Capability to locate and map lost phones for recovery
- Backup and restore BYOD device data
- Remove or install profiles based on geographic location, to ensure compliance with relevant
foreign legislation, e.g., data privacy and security
COBIT 5 Ref.: APO13.01; APO13.03; BAI10.01-02; BAI10.04; DSS02.01

4. When BYOD devices attempt to connect to the organization's networks, the MDM system
automatically checks:
a) Patch levels for OSs and apps
b) Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc.
c) Device is not jailbroken (Apple) or rooted (Android)
d) Presence of unapproved devices (if any)
e) Presence of blacklisted apps
f) If any of the above login checks fail, the MDM can automatically update the device concerned
(e.g., patch levels) or disallow access.
COBIT 5 Ref.: APO13.01; APO13.03; BAI10.01-02; BAI10.04; DSS02.01

1. Determine by discussion and observation that the MDM includes a private "app store" for secure
distribution of organization apps.
2. Determine that access to the enterprise's app store is restricted to BYOD devices owned by
employees.
3. Determine that all apps in the store must be digitally signed by the enterprise.
4. Determine by discussion and observation that a sample of the supported BYOD platforms all
check the validity of the apps' digital signatures before such apps are permitted to execute on the
device.
COBIT 5 Ref.: DSS05.01

1. Determine by discussion and observation that IT support staff are able to query the MDM
database for events of a security and compliance nature, e.g., devices not backed up for seven
days.
2. Determine by discussion and observation that the MDM system provides IT with automatic
reports of predetermined exceptions to security policies. Examples include:
- Devices out of compliance with policy, e.g., jailbroken or rooted
- Devices that have not checked in for a certain time, e.g., one week
- Non-supported OS or hardware
- Devices with blacklisted apps
- Devices with excessive data usage that may predict high charges or indicate possible malfeasance
3. Verify that the MDM provides suitable real-time dashboards and regular management reports
for IT to maintain tight control over the MDM population. Consider the following:
- A rules engine exists for IT to define policies and noncompliant events
- The system automatically alerts system administrators of noncompliant events by email or text
message.
COBIT 5 Ref.: MEA02.01-02; MEA03.04
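The login-time posture check (testing steps 2 and 4 above) and the predetermined-exception report (step 2 of the reporting checks) are shown together below as an added Python example; it is not part of the ISACA program or of any MDM product. The policy thresholds, device record fields and app names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

POLICY = {  # constructed thresholds; the enterprise's MDM rules engine would hold the real ones
    "supported_os": {"iOS": (9, 0), "Android": (6, 0)},
    "min_patch": "2016-02-01",                 # oldest acceptable patch level, YYYY-MM-DD
    "blacklisted_apps": {"unapproved-filesync", "sideload-helper"},
    "max_checkin_age": timedelta(days=7),
}

@dataclass
class Device:
    device_id: str
    os_name: str
    os_version: tuple         # (major, minor)
    patch_level: str          # YYYY-MM-DD, so lexical comparison is chronological
    security_sw_active: bool  # antivirus, firewall and full-disk encryption all on
    jailbroken: bool          # jailbroken (Apple) or rooted (Android)
    apps: set
    last_checkin: datetime

def evaluate_access(d, policy=POLICY):
    """Login-time posture check. Returns ('allow'|'remediate'|'deny', reasons)."""
    deny, fix = [], []
    if d.jailbroken:
        deny.append("jailbroken/rooted")
    supported = policy["supported_os"].get(d.os_name)
    if supported is None or d.os_version < supported:
        deny.append("unsupported OS")
    blocked = d.apps & policy["blacklisted_apps"]
    if blocked:
        deny.append("blacklisted apps: " + ", ".join(sorted(blocked)))
    if not d.security_sw_active:
        deny.append("security software inactive")
    if d.patch_level < policy["min_patch"]:
        fix.append("patch level")             # the MDM can push the update rather than block
    return ("deny", deny) if deny else ("remediate", fix) if fix else ("allow", [])

def exception_report(devices, now, policy=POLICY):  # predetermined exceptions for the IT report
    return {
        "noncompliant": [d.device_id for d in devices if evaluate_access(d, policy)[0] != "allow"],
        "stale_checkin": [d.device_id for d in devices
                          if now - d.last_checkin > policy["max_checkin_age"]],
    }

NOW = datetime(2016, 6, 1)
SAMPLE = [  # constructed sample inventory, as an MDM database would hold it
    Device("D1", "iOS", (9, 3), "2016-05-01", True, False, {"mail"}, NOW - timedelta(days=1)),
    Device("D2", "Android", (6, 0), "2015-12-01", True, False, {"mail"}, NOW - timedelta(days=2)),
    Device("D3", "Android", (5, 1), "2016-05-01", True, True, {"sideload-helper"}, NOW - timedelta(days=10)),
]
```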

1. Confirm that suitable information is provided for export to the organization's fixed asset register,
i.e., for assets at least partially owned by the enterprise.
2. Determine that suitable information is provided for export to a business intelligence (BI) system
in order to generate suitable management metrics about BYOD deployment, security and
compliance.
COBIT 5 Ref.: DSS05.02; BAI10.03

1. Confirm that a remote management component has been exercised when a device is reported
lost/stolen (e.g., device wipe took place).
2. Confirm that devices are reporting violations of enforced technical policy controls.
COBIT 5 Ref.: DSS05.02; BAI10.03

1. Obtain a copy of the MDM network architecture and determine that the MDM servers are
behind organization firewalls and intrusion detection systems/intrusion prevention systems
(IDS/IPS).
COBIT 5 Ref.: BAI10.03
