NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices

The National Cybersecurity Center of Excellence (NCCoE) has published new draft NIST mobile device security guidance to help groups address the risks created by corporate-owned personally enabled (COPE) devices.

Mobile devices permit staff members to access resources vital for their work duties, no matter where those individuals are based. As such, the devices allow groups to enhance efficiency and productivity, but the devices bring unique threats to a group.

The devices normally have an always-on Internet connection and the devices often lack the strong security controls that are applied to devices such as desktop devices. Malicious or risky apps can be installed to mobile devices by users without the knowledge or permission of the IT department. App downloads could introduce malware and app permissions could permit unauthorized access to sensitive data.

Groups therefore need to have total visibility into all mobile devices used by staff for work activities and they must ensure that mobile device security risks are effectively addressed. If not, flaws could be exploited by threat actors to obtain access to sensitive data and network resources.

The focus of the new guidance – NIST Special Publication 1800-21 – is to help groups find and address risks and improve mobile device security to reduce the chance of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution created in a lab environment using commercially available mobile management tools which can be used by enterprises to safeguard their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was created by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available from NCCoE on this link (PDF – 14.5MB). Comments are being welcomed until September 23, 2019.

Further advice on mobile device security for Bring Your Own Device (BYOD) is currently in the works.

Author: Maria Perez