Mobile Devices Toolkit
Purpose
This toolkit provides a documented approach for evaluating Agency controls to determine whether they sufficiently mitigate the risks associated with Agency-owned and Agency-managed mobile devices, and specifically whether those controls safeguard the confidentiality, integrity, and availability of Agency data and information technology resources. The questions and inquiries within the toolkit address high-level control objectives identified from the applicable controlling laws, rules, and regulations as well as from recognized best practices.
The auditor completes the assessment by interviewing the individuals who perform the tasks that satisfy the policy statements, best practices, and regulatory requirements. Once the assessment is complete, the appropriate management confirms its accuracy; corrections and revisions identified during that confirmation process are incorporated into the assessment.
An automatically calculated percentage gauges the impact magnitude of each control objective, and the scores are presented in summary form in the final report.
Contact List
Allows you to capture contact information and to identify those who assisted with completing the toolkit. This worksheet is not required to complete an assessment and is provided as a convenience.
Impact Zones
Policy, Risk Management and Governance - This impact zone covers awareness by senior management, understanding of the organization's risk appetite, understanding of compliance requirements, embedding risk management responsibilities into the organization, alignment with the business, maximizing benefits to the organization, and resource management.
Device Configuration and Change Management - This impact zone covers data classification and access control, identification and authentication, encryption, firewalls, and virus protection controls that protect the confidentiality, integrity, and availability of Department data on mobile devices, as well as the processes that ensure system software (operating systems and supporting applications), application software, and configuration files are introduced into production in an orderly and controlled manner.
Media Protection - This impact zone covers loss, theft, data sanitization, destruction, and disposal controls that protect the confidentiality, integrity, and availability of Department data on mobile devices.
Network and Device Connectivity - This impact zone covers connectivity of mobile devices to non-Department networks, as well as to other devices that are not managed or owned by the Department.
Definitions
Policy - The formal guidance needed to coordinate and execute activity throughout the Agency. When effectively deployed, policy statements help focus attention and resources on high-priority issues, aligning and merging efforts to achieve the Agency's vision. Policy provides the operational framework within which the Agency functions.
Procedure - The operational processes required to implement Agency policies. Operating practices can be formal or informal, specific to an organizational unit or applicable across the entire Agency. If policy is "what" the Agency does operationally, then its procedures are "how" it intends to carry out those policy statements.
Controls - Any action taken by management and/or other parties or systems to manage and mitigate the negative impact of risk and increase the likelihood that established objectives and goals will be achieved. Controls include manual processes, automated processes, policies and procedures, reviews and approvals, security, information processing, monitoring, quality assurance, etc.
The control environment includes the following elements: integrity and ethical values; management's philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and practices; and competence of personnel. The control environment is directed by top-level objectives and policies. It reduces risk, improves efficiency, leads to fewer errors, and produces more predictable processes and more efficient use of resources.
There are many ways to categorize controls. For the purpose of this review, the following control definitions from Florida Administrative Code, Chapter 71A-1, Security Policies and Standards, are applied:
▪ Technical controls – security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
▪ Compensating control – a management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control that provides an equivalent or greater level of protection for an information system and the information processed, stored, or transmitted by that system.
▪ Security controls – the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed to protect the confidentiality, integrity, and availability of information technology resources.
Fields
ID - A unique identifier within the category tab, specific to this toolkit; its purpose is to aid sorting and referencing.
Criteria / Guidance - Citation or summary of a control objective or rule requirement.
71A F.A.C. Reference - Chapter 71A-1 Security Policies and Standards reference.
COBIT 4.1 Reference - COBIT 4.1 control objective reference.
Policy - Name and reference all applicable policy documents that address the criteria/guidance.
Procedures - Name and reference the procedure documents that address the criteria/guidance.
Implemented Controls - Briefly summarize or reference implemented controls. Indicate any control practices that have been implemented to address the criteria/guidance, even if they have not been documented.
Comments - Any documentation or control clarifications or additional remarks deemed necessary.
Doc - Select a valid score to reflect whether documented policy, procedure, or other guidance exists to address the criteria/guidance.
Ctrl - Select a valid score to reflect whether controls exist to address the criteria/guidance.
Total - Automatically adds the "Doc" and "Ctrl" scores.
%Comp - Automatically calculates the percentage of compliance for the requirement from the "Doc" and "Ctrl" scores.
Compliance Rating - Automatically highlights green (Addressed) if %Comp is greater than 80%, yellow (Partially Addressed) if %Comp is between 39% and 80%, and red (Not Addressed) if %Comp is below 39%.
Control Verification - Summarize or reference the control verification performed for the related criteria/guidance.
Auditor Comments - Any compliance rating clarifications or additional remarks deemed necessary by the auditor.
Scoring
Documentation (Policy and Procedures):
0 = NO (Documented policy, procedure, or other guidance does not exist)
1 = DEV (Documented policy, procedure, or other guidance is in development, e.g. draft form)
2 = PAR (The existing policy, procedure, or other guidance partially addresses the requirement)
3 = YES (The existing documented policy, procedure, or other guidance is fully implemented and meets the requirement)
NA = Not Applicable (Used when a requirement does not apply to a specific rule, criteria, or device)
Controls:
0 = NO (Controls do not exist)
1 = DEV (Controls are in development, e.g. current initiative in progress)
2 = PAR (The controls partially address the requirement)
3 = YES (Controls are fully implemented and appear to adequately address the requirement)
NA = Not Applicable (Used when a requirement does not apply to a specific rule, criteria, or device)
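The toolkit describes its scoring and compliance-rating logic in words but does not state the %Comp formula. The following Python is an added example, not part of the toolkit, that reproduces the model as the Fields and Scoring sections describe it so the arithmetic and the edge cases can be checked before the workbook is trusted. It assumes that %Comp is points earned divided by points possible (3 per score, so 6 for a row with both Doc and Ctrl), that an NA score is dropped from both numerator and denominator rather than counted as 0, that a row where both scores are NA is reported as NA rather than red, and that the yellow band runs from 39% up to and including 80% (green is strictly greater than 80%). The sample rows and their scores are constructed for the example; the criteria text is abbreviated from the Device Configuration tab.

```python
"""Mobile Devices Toolkit scoring model, reimplemented as an added example.

Assumptions (the toolkit does not state them):
  * %Comp = points earned / points possible, 3 points per score
  * NA (None) is excluded from both numerator and denominator
  * a row with nothing applicable is rated "NA", not "Not Addressed"
  * Partially Addressed covers 39% up to and including 80%
"""
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_SCORE = 3                 # 3 = YES is the top of both scales
VALID_SCORES = {0, 1, 2, 3}   # NO, DEV, PAR, YES; None stands for NA


@dataclass(frozen=True)
class Row:
    id: int
    criteria: str
    doc: Optional[int]    # Documentation score, None = NA
    ctrl: Optional[int]   # Controls score, None = NA


def _check(score: Optional[int]) -> None:
    """Reject anything that is not a valid toolkit score or NA."""
    if score is not None and score not in VALID_SCORES:
        raise ValueError(f"score must be 0-3 or None (NA), got {score!r}")


def pct_comp(points: int, possible: int) -> float:
    """Percentage of compliance; 0.0 when nothing is applicable."""
    return 0.0 if possible == 0 else 100.0 * points / possible


def rating(pct: float, applicable: bool = True) -> str:
    """Colour band from the Fields section: green >80%, yellow 39%..80%, red <39%."""
    if not applicable:
        return "NA"
    if pct > 80:
        return "Addressed"
    if pct >= 39:
        return "Partially Addressed"
    return "Not Addressed"


def score_row(row: Row) -> dict:
    """Total, %Comp and Compliance Rating for one criteria row."""
    points = possible = 0
    for score in (row.doc, row.ctrl):
        _check(score)
        if score is None:          # NA: neither earned nor possible
            continue
        points += score
        possible += MAX_SCORE
    pct = pct_comp(points, possible)
    return {"id": row.id, "total": points, "pct": pct,
            "rating": rating(pct, applicable=possible > 0)}


def score_category(rows: Iterable[Row]) -> dict:
    """Summary Report line: Documentation, Controls and Total for one impact zone."""
    earned = {"doc": 0, "ctrl": 0}
    possible = {"doc": 0, "ctrl": 0}
    for row in rows:
        for name, score in (("doc", row.doc), ("ctrl", row.ctrl)):
            _check(score)
            if score is None:
                continue
            earned[name] += score
            possible[name] += MAX_SCORE
    earned["total"] = earned["doc"] + earned["ctrl"]
    possible["total"] = possible["doc"] + possible["ctrl"]
    out = {}
    for name in ("doc", "ctrl", "total"):
        pct = pct_comp(earned[name], possible[name])
        out[name] = {"points": earned[name], "pct": pct,
                     "rating": rating(pct, applicable=possible[name] > 0)}
    return out


# Constructed sample rows: criteria abbreviated from the Device Configuration
# tab, scores invented for the example (including one NA column and one NA row).
SAMPLE_ROWS = [
    Row(4, "Mobile computing devices used with exempt information are encrypted.", 3, None),
    Row(9, "Mobile computing devices shall require user authentication.", 3, 3),
    Row(10, "Screensaver with complex password, auto-activation at 15 minutes or less.", 2, 2),
    Row(12, "Documented hardening configurations address known vulnerabilities.", 1, 1),
    Row(13, "Agencies shall track agency mobile computing devices.", 0, 0),
    Row(16, "Anti-malware on devices connecting to the internal network.", None, None),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        r = score_row(row)
        print(f"ID {r['id']:>2}: total {r['total']}  %Comp {r['pct']:5.1f}  {r['rating']}")
    for name, r in score_category(SAMPLE_ROWS).items():
        print(f"{name:5}: {r['points']:>2} pts  {r['pct']:5.1f}%  {r['rating']}")
```

Two points worth checking against the workbook when it is used: a row scored 3/NA rates 100% under this model, so an auditor marking one column NA to reflect a device limitation lifts the row into green on the strength of documentation alone, and an exact 80% lands in yellow, so the boundary convention in the spreadsheet formula should match the written instruction.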
Toolkit Instructions: Mobile Device Assessment
Once completed, the toolkit will indicate where the strongest remediation efforts need to occur.
Contact List
Phone Number
Detail Worksheets
Columns: ID; Criteria / Guidance; 71A F.A.C. Reference; COBIT 4.1 Reference; Policy (IIAMS Ref., hyperlink, etc.); Procedure (IIAMS Ref., hyperlink, etc.); Implemented Controls (summarize and/or IIAMS Ref. or hyperlink); Doc; Ctrl; Total; %Comp; Compliance Rating; Control Verification; Auditor Comments.
In this blank copy every row reads Doc 0, Ctrl 0, Total 0, %Comp 0%, Compliance Rating Not_Addressed; only the ID, criteria and references are listed below.

Policy, Risk Management and Governance
ID 1 (71A-1.003(1); COBIT DS5.2): The Security Program and supporting policies have been defined to support a controlled implementation of mobile devices.

Device Configuration
ID 2 (71A-1.006(3)): Each agency shall identify agency information and software that is exempt, or confidential and exempt, under provisions of applicable Florida law or federal law and rules.
ID 3 (71A-1.006(6); COBIT DS11.6): Procedures for handling and protecting exempt, and confidential and exempt information shall be referenced in the agency operational information security plan and documented in a policy that is reviewed and acknowledged by all agency staff.
ID 4 (71A-1.006(9)(b); COBIT DS11.6): Mobile computing devices used with exempt, or confidential and exempt information are encrypted.
ID 5 (71A-1.006(9)(c); COBIT DS11.6): Mobile storage devices with exempt, or confidential and exempt agency data have encryption technology enabled such that all content resides encrypted.
ID 6 (71A-1.007(13); COBIT DS11.6): Only agency-owned or agency-managed mobile storage devices are authorized to store agency data.
ID 8 (71A-1.007(15); COBIT DS5.4): Mobile computing devices shall be issued to and used only by agency-authorized users.
ID 14 (71A-1.011(6)(a)): Mobile computing devices and mobile storage devices shall conform to the following configurations: Mobile computing devices used with exempt, or confidential and exempt information require encryption.
ID 15 (71A-1.011(6)(b)): Mobile computing devices and mobile storage devices shall conform to the following configurations: Mobile storage devices with exempt, or confidential and exempt agency data shall have encryption technology enabled such that all content resides encrypted.
ID 18 (71A-1.011(6)(e)): Mobile computing devices and mobile storage devices shall conform to the following configurations: Only agency-approved software shall be installed on state mobile computing devices.
ID 21 (COBIT DS5.3): Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
ID 22 (COBIT DS5.8): Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
ID 27 (COBIT DS9.3): Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
ID 32 (COBIT AI6.2): Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.
Media Protection
ID 3 (71A-1.016(3); COBIT DS11.4): The agency shall sanitize or destroy information media according to the applicable retention schedule and before disposal or release for reuse.
ID 4 (71A-1.016(4)): The agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal.
Summary Report

Policy, Risk Management, and Governance
Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating). In this blank copy every row and the category total read 0, 0%, Not_Addressed.
ID 4: (criteria text not present in this copy)
ID 5: Policy addresses the approved applications by device based on data classification and data loss risk.
ID 6: The agency shall implement a documented risk management program, including risk analysis for high-impact information resources.
ID 7: The agency shall implement risk mitigation plans to reduce identified risks to agency information technology resources and data.
ID 8: The agency Information Security Manager shall monitor and document risk mitigation implementation.
ID 9: The agency shall perform an impact analysis prior to introducing a new technology. The purpose of this analysis is to assess effects of the new technology on the existing environment.
ID 10: The agency shall develop procedures to ensure that security requirements are specified throughout the procurement process for information technology resources.
ID 11: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
ID 12: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
ID 13: Policy defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification.
ID 14: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
Total Compliance Rating for Policy, Risk Management, and Governance: Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total 0, 0%, Not_Addressed.
Device Configuration and Change Management
Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating). In this blank copy every row and the category total read 0, 0%, Not_Addressed.
ID 1: Each agency shall maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules.
ID 2: Each agency shall identify agency information and software that is exempt, or confidential and exempt, under provisions of applicable Florida law or federal law and rules.
ID 3: Procedures for handling and protecting exempt, and confidential and exempt information shall be referenced in the agency operational information security plan and documented in a policy that is reviewed and acknowledged by all agency staff.
ID 4: Mobile computing devices used with exempt, or confidential and exempt information are encrypted.
ID 5: Mobile storage devices with exempt, or confidential and exempt agency data have encryption technology enabled such that all content resides encrypted.
ID 6: Only agency-owned or agency-managed mobile storage devices are authorized to store agency data.
ID 7: No privately-owned devices (e.g., MP3 players, thumb drives, printers) shall be connected to agency information technology resources without documented agency authorization.
ID 8: Mobile computing devices shall be issued to and used only by agency-authorized users.
ID 9: Mobile computing devices shall require user authentication.
ID 10: Agency workstations and mobile computing devices shall have enabled a screensaver secured with a complex password and with the automatic activation feature set at no more than 15 minutes.
ID 11: The agency shall identify and document information technology resources and associated owners and custodians.
ID 12: The agency shall specify and document standard configurations used to harden software and hardware and assure the configurations address known security vulnerabilities.
ID 13: Agencies shall track agency mobile computing devices.
ID 14: Mobile computing devices and mobile storage devices shall conform to the following configurations: Mobile computing devices used with exempt, or confidential and exempt information require encryption.
ID 15: Mobile computing devices and mobile storage devices shall conform to the following configurations: Mobile storage devices with exempt, or confidential and exempt agency data shall have encryption technology enabled such that all content resides encrypted.
ID 16: Mobile computing devices connecting to the agency internal network shall use current and up-to-date anti-malware software (where technology permits).
ID 17: Mobile computing devices and mobile storage devices shall conform to the following configurations: Agency mobile computing devices shall activate an agency-approved personal firewall (where technology permits) when connected to a non-agency internal network.
ID 18: Mobile computing devices and mobile storage devices shall conform to the following configurations: Only agency-approved software shall be installed on state mobile computing devices.
ID 19: Data Classification Scheme. Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
ID 20: Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
ID 21: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
ID 22: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
ID 23: Implement preventive, detective and corrective measures (especially up-to-date security patches and virus control) as applicable to mobile devices to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
ID 24: Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.
ID 25: Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
ID 26: Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
ID 27: Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
ID 28: Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
ID 29: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
ID 30: The agency shall implement a change management process for modifications to production information technology resources.
ID 31: Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
ID 32: Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.
ID 33: Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
ID 34: Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
ID 35: Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
ID 36: Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.
ID 37: Device management processes exist and are centrally administered. If distributed, determine the procedures that ensure compliance with policies.
ID 38: Centrally controlled processes restrict data synchronization to mobile devices.
Total Compliance Rating for Device Configuration and Change Management: Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total 0, 0%, Not_Addressed.
Media Protection
Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating). In this blank copy every row reads 0, 0%, Not_Addressed.
ID 1: The agency shall implement procedures to protect agency information from loss, destruction, and unauthorized or improper disclosure or modification. Devices are managed and secured according to the risk of enterprise data loss.
ID 2: The agency shall maintain electronic data in accordance with the same retention requirements that apply to agency data in non-electronic formats.
ID 3: The agency shall sanitize or destroy information media according to the applicable retention schedule and before disposal or release for reuse.
ID 4: The agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal.
ID 5: Equipment sanitization shall be performed such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. File deletion and media formatting are not acceptable methods of sanitization.
ID 6: Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.
ID 7: Users shall take reasonable precautions, based upon applicable facts and circumstances, to protect mobile computing devices in their possession from loss, theft, tampering, unauthorized access, and damage.
ID 8: Procedures address lost or stolen devices and whether the data stored on these devices can be remotely wiped.

Network and Device Connectivity
Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating). In this blank copy every row and the category total read 0, 0%, Not_Addressed.
ID 1: Only agency-approved wireless devices, services, and technologies may be connected to the agency internal network.
ID 2: Users may remotely connect computing devices to the agency internal network only through agency-approved, secured remote access methods.
ID 3: Only agency-owned or agency-managed information technology resources may connect to the agency internal network.
ID 4: No privately-owned devices (e.g., MP3 players, thumb drives, printers) shall be connected to agency information technology resources without documented agency authorization.
ID 5: The agency shall monitor for unauthorized information technology resources connected to the agency internal network.
ID 6: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.
Total Compliance Rating for Network and Device Connectivity: Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total 0, 0%, Not_Addressed.