How can you manage risks for mobile devices in ISMS risk management?

Mobile devices, such as smartphones, tablets, and laptops, are increasingly used by employees and customers to access information systems and services. However, they also pose significant risks to the security, confidentiality, integrity, and availability of the data and systems they connect to. Therefore, it is essential to manage these risks effectively as part of an information security management system (ISMS) that follows a standard framework, such as ISO 27001. In this article, you will learn how to identify, analyze, evaluate, treat, monitor, and review the risks associated with mobile devices in ISMS risk management.

1 Identify the risks

When it comes to ISMS risk management, the first step is to identify the potential sources and impacts of risks that mobile devices may introduce to your information assets and processes. Common risks include loss or theft of sensitive data, unauthorized access or modification of data or systems, exposure to malware or ransomware, non-compliance with legal or ethical obligations, and damage to reputation. To accurately identify these risks, you need to consider the context, scope, and objectives of your ISMS, as well as the characteristics, functions, and locations of mobile devices. Various methods such as interviews, surveys, audits, inspections, checklists, or threat modeling can be used to gather information and evidence about the risks.

Add your perspective

Michael Xavier Burns III🛡💎❤️

CEO @ UGOWEEGO | Recruiting, Reselling & Executive Leadership | Builder of High-Impact Teams & GTM Dominance 🛡💎❤️ | Startup Scaling| Cybersecurity & Data | Generative AI & LLM| Strategic Advisor | Mentor & Career Coach
Report contribution
Im not sure if this helps but take a peak Gradient manages risks of compromise to mobile devices in the same way we do for laptops and workstations: the our software process secures access credentials down to the phone's low level hardware such that only valid users on their devices can access the enterprise

Like

Load more contributions

2 Analyze the risks

The next step in ISMS risk management is to analyze the risks that you have identified to determine their likelihood and consequences. Likelihood is the probability or frequency of a risk occurring, while consequences are the effects or outcomes of a risk on your information assets and processes. You can use qualitative or quantitative methods, or a combination of both, to measure and estimate the likelihood and consequences of the risks. For example, you can use scales, ratings, scores, matrices, or formulas to assign values or categories to the risks based on your criteria and assumptions.

Add your perspective

Tom Siu
Report contribution
With the advent of mobile payment proceses enabled the by utility of apps (ApplePay, SamsungPay, GooglePay, to name a few) mobile devices (particularly smartphones) have a increased the risk impact when the combined threat of a stolen device and knowledge of the device access codes (passcode) is disclosed. A recent Wall Street Journal article by Joanna Stern (December 20, 2023) titled "An iPhone Thief Explains How He Steals Your Passcode and Bank Account," is an example of this fusion of risk. In particular, armed with the iPhone passcode AND the stolen device, the thief was able to access online financial accounts of the user (mostly personal) and access mobile credit lines. This means that mobile devices have a higher risk impact.

Like

Load more contributions

3 Evaluate the risks

The third step in ISMS risk management is to evaluate the risks that you have analyzed to decide whether they are acceptable or unacceptable, and whether they need further treatment or not. Acceptable risks are those that are within your risk appetite or tolerance, which is the level of risk that you are willing to accept or bear in pursuit of your objectives. Unacceptable risks are those that exceed your risk appetite or tolerance, and that may jeopardize your objectives. You can use various criteria, such as cost-benefit analysis, risk-return ratio, stakeholder expectations, or best practices, to evaluate the risks and prioritize them according to their severity and urgency.

Add your perspective

Load more contributions

4 Treat the risks

The fourth step in ISMS risk management is to treat the risks that you have evaluated as unacceptable or requiring further action. Risk treatment is the process of selecting and implementing appropriate measures or controls to modify the risks to an acceptable level or to achieve your objectives. You can avoid the risk by eliminating or discontinuing the activity or source that causes the risk, reduce it by implementing preventive or detective controls, transfer it by sharing or transferring the responsibility or liability for the risk, or retain it by accepting or tolerating the residual risk after applying other options. Various methods, such as policies, procedures, guidelines, standards, training, awareness, encryption, authentication, backup, recovery, and contingency can be used to treat the risks associated with mobile devices. Additionally, you should document your risk treatment plan which outlines objectives, scope, responsibilities, resources, timeframes and performance indicators for your risk treatment activities.

Add your perspective

Chris White

Eliminating Digital Credential Theft
Report contribution
Enforcing the use of biometrics, natively supported on mobile devices greatly reduces the risk of unauthorized access to the device. But you must also ensure that sensitive credentials issued to the device are UNIQUE to that device and STAY on that device. Look for solutions that anchor access credentials to the roots of trust of the device, like Apple's secure enclave processors so that you can be sure that mobile logins only come from trusted devices initiated by the legitimate owners of those trusted devices!

Like
Tom Siu
Report contribution
Many of us are attempting to treat mobile device risks in the context of the Bring Your Own Device (BYOD) risk environment, where users have a personally owned, personally managed, mobile smartphone or tablet that corporate IT must account for and mitigate. To treat these risks, some have opted for a mobile device management (MDM) solution that extends to personally owned devices that access the enteprise IT. Some have chosen to drive the users to secure their own devices, while others eschew the BYOD model completely. If you've ever been in a meeting with a person who has two phones, that is category three. To balance all three, CISOs need to look for authentication solutions that transcend passwords and makes these devices "trustable."

Like

Load more contributions

5 Monitor the risks

The fifth step in ISMS risk management is to monitor the risks that you have treated or retained to ensure that they remain within your acceptable level and that your risk treatment measures are effective and efficient. Monitoring is the process of collecting and analyzing data and information about the performance and status of your risks and controls, and identifying any changes or deviations that may affect your objectives or risk appetite. You can use various methods, such as audits, reviews, inspections, tests, reports, or feedback, to monitor the risks and controls related to mobile devices.

Add your perspective

6 Review the risks

The sixth and final step in ISMS risk management is to review the risks that you have monitored to evaluate whether they are still relevant and accurate, and whether they need any adjustments or improvements. Reviewing is the process of comparing and assessing the results and outcomes of your risk management activities against your expectations and objectives, and identifying any gaps, weaknesses, opportunities, or threats that may arise. You can use various methods, such as surveys, interviews, meetings, workshops, or lessons learned, to review the risks and controls related to mobile devices.

Add your perspective

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

Add your perspective

Tom Siu
Report contribution
One additional consideration: a user doesnt' have a particular mobile device longer than 3 years (according to a study by "Average Lifespan (replacement cycle lentgth) of smartphones in the United States from 2013 to 2027"; (Ref:Statista.com) The migration or recovery of data when a phone is replaced can expose important data and applications in recovery files that are artifacts of the update. In my experience, these files can be stored in a computer or unencrypted backup in the cloud, and therefore broaden the threat surface during a device replacement cycle.

Like

How can you manage risks for mobile devices in ISMS risk management?

1

2

3

4

5

6

7

1 Identify the risks

2 Analyze the risks

3 Evaluate the risks

4 Treat the risks

5 Monitor the risks

6 Review the risks

7 Here’s what else to consider

Network Security

Rate this article

Thanks for your feedback

More articles on Network Security

More relevant reading

How can you manage risks for mobile devices in ISMS risk management?

1

2

3

4

5

6

7

1 Identify the risks

2 Analyze the risks

3 Evaluate the risks

4 Treat the risks

5 Monitor the risks

6 Review the risks

7 Here’s what else to consider

Network Security

Rate this article

Thanks for your feedback

Explore Other Skills