The NCCoE Buzz: 5 Step Strategy for Enterprise Mobile Deployment

NIST

The NCCoE Buzz

National Cybersecurity Center of Excellence

The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project team.

MDS Deployment Lifecycle

Did you know that mobile devices were initially only used as personal consumer communication devices? Today, devices are used to access modern networks and systems that process sensitive data and are often integrated across organizations’ enterprises. With this in mind, organizations need strategies that holistically address mobile security concerns, including mitigations and countermeasures.

In an effort to assist organizations with these deployment strategies, the National Institute of Standards and Technology (NIST) recently released Revision 2 of NIST Special Publication (SP) 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The publication provides a five-step enterprise mobile device deployment life cycle to help organizations build and manage the security of their deployment:

  1. Identify Mobile Requirements

In the first stage of the life cycle, mobile mission needs and requirements are defined. Devices are inventoried, and the deployment model such as Bring Your Own Device (BYOD) or Corporate-Owned and Personally-Enabled (COPE) is selected.

  2. Perform Risk Assessment

Risk is identified, estimated, and prioritized. Risk assessments should be performed on a regular basis since risks to enterprise systems are always evolving.

  3. Implement Enterprise Mobility Strategy

Mobile technology is selected and installed; an Enterprise Mobility Management (EMM) system is deployed, policies and configurations are created and provisioned to enrolled devices, and system testing is employed. The implementation stage can include additional security- and privacy-enhancing technologies, such as a Virtual Private Network (VPN) or a Mobile Threat Defense (MTD) service.

  4. Operate and Maintain

An initial set of controls is deployed and then periodic audits can evaluate the effectiveness of the security controls. This allows for adjustments to efficiently meet mission needs and improve security posture.

  5. Dispose of and/or Reuse Devices

This step outlines how to prevent sensitive information stored on a mobile device from falling into the wrong hands when a device is no longer in use.

To learn more about NIST Special Publication (SP) 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise, or to download a copy of the guide, visit the publication page.

The NCCoE Mobile Device Security Team


NIST Cybersecurity and Privacy Program

Questions/Comments about this notice: mobile-nccoe@nist.gov

NCCoE Website questions: nccoe@nist.gov