NIST’s New Mobile Device Security Guidance for Corporately-Owned Personally-Enabled (COPE) Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released draft mobile device security guidance that aims to help companies strengthen the security of corporately-owned personally-enabled (COPE) mobile devices and lower the network security risks those devices may introduce.

Modern businesses need mobile devices so that employees can easily access resources and information and do their jobs more effectively. Mobile devices are increasingly used for daily enterprise tasks, including accessing, viewing, and transmitting sensitive information.

These devices introduce new threats to businesses, including types of attacks that did not exist for traditional IT devices like desktop computers and mobile units. Securing mobile devices and managing their risks effectively therefore requires a different approach.

Mobile devices are normally turned on at all times and constantly connected to the web. They are frequently used to reach company networks remotely over untrusted networks. Hence, malicious apps that access stored information can easily end up installed on them. Because they are small and portable, they also carry a higher risk of loss or theft.

The new guidance, referred to as SP 1800-21, describes the unique threats that mobile devices bring and how the risks can be reduced to a minimal, acceptable level by using privacy protections. By taking a standards-based approach to mobile device protection and using commercially available technology, companies can address the privacy and security issues related to mobile devices and significantly strengthen their security posture.

NCCoE developed a reference design to show how different mobile security solutions can be incorporated into an enterprise network, together with recommended safeguards that lessen the risk of installing malicious apps that lead to the loss of personal and business data. The guidance also covers what to do to mitigate breaches when a device is lost or stolen.

The guidance includes a collection of How-To Guides that provide detailed setup and configuration instructions, so that security staff can immediately implement and test the new design in their own test environments.

NIST also includes recommendations on lowering the cost of providing COPE mobile devices by means of enterprise visibility models. It also recommends ways for system administrators to improve visibility into security incidents and to create automated notifications in case of device compromise.

NIST will accept feedback on the new draft guidance up to September 23, 2019.

Download this draft of NIST’s mobile device security guidance for COPE devices from this link.