- Communicate clearly to the staff members the level of access needed for the audit and obtain their consent in case personal devices are being checked, i.e. explain that it may involve accessing private data on their personal devices.
NB: The auditor should not access any personal mobile device in the absence of the owner of the device, and any step taken should be explained before being implemented.
- What categories of mobile devices does the organization have? (e.g. laptops, phones, external drives, cameras, recording devices, etc.)
- What are they primarily used for?
- What data is stored on the devices, and who has access to them?
- Are the devices provided by the organization, or do staff use personal devices for official work? (Auditor: Review the pros and cons of each set-up)
- What are the risks involved with using each of the mobile devices? (NB: The auditor should know at least 2 risks for each of the devices in use)
- What is the impact of their use to the organization's work?
- Does the organization have specific policies and procedures concerning mobile devices? (e.g. policy on use, encryption, location services, access control, password standards, etc.)
- If yes, do the policies and procedures define the access level for organizational devices and also for personal devices?
- What is the policy on using untrusted networks?
- What are the procedures for interacting with mobile systems which are not owned by the organization?
- What are the existing formal and informal security practices for these devices? What are the physical security measures? What are the digital security measures?
- Which mobile phone OS are staff using? What are the pros and cons of each?
- Is there someone in charge of the devices and their security? (NB, Auditor: This checks on the capacity of the organization)
- What applications are installed? (Auditor note: check the device assessment checklist for the technical aspects)
- What are the users' perceptions of the installed applications on their devices? (Auditor: Review the perception vs. reality check findings)
- What security software, if any, is installed on the devices? Does it offer remote wipe functions?
- Are the users aware of them? (Examine the different categories separately)
- What is the financial implication of maintaining these devices?
The auditor confirms the number and nature of mobile devices that the organization owns. The auditor should keep within the agreed scope, but where multiple mobile devices outside the agreed scope access the organization's resources, redefining the scope may be necessary. The auditor should also consider the instructions under the device checklist.
As you work with staff members, also remember to interview them about the devices they use. This can alternate between mobile devices and non-mobile devices.
Below are some guiding questions to use. This is also an opportunity for the auditor to go deeper into any area concerning devices.