
Toolkit Instructions:

Mobile Device Assessment

Purpose
This toolkit provides a documented approach for evaluating Agency controls to determine whether they sufficiently mitigate the risks associated with Agency-owned and Agency-managed mobile devices, and specifically whether those controls safeguard the confidentiality, integrity, and availability of Agency data and information technology resources. The questions and inquiries within the toolkit address high-level control objectives identified from applicable controlling laws, rules, and regulations, as well as identified best practices.

The auditor completes the assessment by interviewing the individuals who perform the tasks that satisfy the policy statements, best practices, and regulatory requirements. Once complete, the appropriate management confirms the accuracy of the assessment, and any corrections or revisions arising from that confirmation process are incorporated into the assessment.

An automatically calculated percentage gauges the impact magnitude of each control objective, and the scoring is provided in summary form in the final report.

Minimum Audit Skills/Define Audit Resources Required

Mobile computing security focuses on general IT controls, so the assessment should be performed by an auditor with a general IT background or knowledge base. Intermediate Microsoft Excel skills are highly recommended to complete the toolkit.

Planning and Scoping the Assurance Activity

Modify the audit/assurance scope and objectives to align with the audit/assurance universe and associated risk identified during the enterprise survey process, annual plan, and charter.

Contact List
Allows you to capture contact information and to identify those who assisted with the completion of the toolkit. This worksheet is not required to complete an assessment, but is provided as a convenience.

Impact Zones
Policy, Risk Management and Governance - The risk management and governance impact zone covers awareness by senior management, understanding of the organization's risk appetite, understanding of compliance requirements, embedding risk management responsibilities into the organization, alignment with the business, maximizing benefits to the organization, and resource management.

Device Configuration and Change Management - The device configuration and change management impact zone covers data classification and access control, identification and authentication, encryption, firewalls and virus protection controls to protect the confidentiality, integrity, and availability of Department data on mobile devices, as well as processes that ensure the system software (operating systems and supporting applications), application software, and configuration files are introduced into production in an orderly and controlled manner.

Media Protection - The media protection impact zone covers loss, theft, data sanitization, destruction, and disposal controls to protect the confidentiality, integrity, and availability of Department data on mobile devices.

Network and Device Connectivity - The network and device connectivity impact zone covers connectivity of mobile devices to non-Department networks, as well as to other devices that are not managed or owned by the Department.

Definitions

Policy - The formal guidance needed to coordinate and execute activity throughout the Agency. When effectively deployed, policy statements help focus attention and resources on high priority issues - aligning and merging efforts to achieve the Agency's vision. Policy provides the operational framework within which the Agency functions.

Procedure - The operational processes required to implement Agency policies. Operating practices can be formal or informal, specific to an organizational unit or applicable across the entire Agency. If policy is "what" the Agency does operationally, then its procedures are "how" it intends to carry out those operating policy expressions.

Controls - Any action taken by management and/or other parties or systems to manage and mitigate the negative impact of risk and increase the likelihood that established
objectives and goals will be achieved. Controls include manual processes, automated processes, policies and procedures, reviews and approvals, security, information
processing, monitoring, quality assurance, etc.

The control environment includes the following elements: integrity and ethical values; management's philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and practices; and competence of personnel. The control environment is directed by top-level objectives and policies. It reduces risk, improves efficiency, leads to fewer errors and more predictable processes, and promotes efficient use of resources.

There are many ways to categorize controls. For the purpose of this review, the following control definitions from Florida Administrative Code, Chapter 71A-1, Security Policies
and Standards will be applied:
▪ Technical controls – security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information
system through mechanisms contained in the hardware, software, or firmware components of the system.
▪ Compensating Control – a management, operational, or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended
security control that provides an equivalent or greater level of protection for an information system and the information processed, stored, or transmitted by that system.
▪ Security controls – the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed to protect the confidentiality, integrity, and
availability of information technology resources.

Fields
ID - Indicates a unique identification within the category tab specific to this toolkit; its purpose is to aid in sorting and referencing.
Criteria / Guidance - Citation or summary of a control objective or rule requirement.
71A F.A.C. Reference - Chapter 71A-1 Security Policies and Standards reference.
COBIT 4.1 Reference - COBIT 4.1 control objective reference.
Policy - Name and reference all applicable policy documents that address the criteria/guidance.
Procedures - Name and reference the procedure documents that address the criteria/guidance.
Implemented Controls - Briefly summarize or reference implemented controls. Indicate any control practices that have been implemented to address the criteria/guidance, even if they have not been documented.
Comments - Any documentation or control clarifications or additional remarks deemed necessary.
Doc - Select a valid score to reflect whether documented policy, procedure, or other guidance exists to address the criteria/guidance.
Ctrl - Select a valid score to reflect whether controls exist to address the criteria/guidance.
Total - Field automatically adds the "Doc" and "Ctrl" scores.
%Comp - Field automatically calculates the percentage of compliance for the requirement based upon the "Doc" and "Ctrl" scores.
Compliance Rating - Automatically highlights green (Addressed) if the %Comp is >80%, yellow (Partially Addressed) if the %Comp is between 39% and 80%, and red (Not Addressed) if the %Comp is <39%.
Control Verification - Summarize or reference the control verification performed for the related criteria/guidance.
Auditor Comments - Any compliance rating clarifications or additional remarks deemed necessary by the auditor.

Scoring

Documentation (Policy and Procedures)
0 = NO (Documented policy, procedure, or other guidance does not exist)
1 = DEV (Documented policy, procedure, or other guidance is in development, e.g. draft form)
2 = PAR (The existing policy, procedure, or other guidance partially addresses the requirement)
3 = YES (The existing documented policy, procedure, or other guidance is fully implemented and meets the requirement)
NA = Not Applicable (Will be used when a requirement does not apply to a specific rule, criteria, or device)

Controls
0 = NO (Controls do not exist)
1 = DEV (Controls are in development, e.g. current initiative in progress)
2 = PAR (The controls partially address the requirement)
3 = YES (Controls are fully implemented and appear to adequately address the requirement)
NA = Not Applicable (Will be used when a requirement does not apply to a specific rule, criteria, or device)

Summary Report

Once completed, the toolkit will indicate where the strongest remediation efforts will need to occur.
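The Doc/Ctrl scoring described under Fields and Scoring, re-implemented here as an added Python example (not a formula from the workbook itself). It assumes each scored field is worth up to 3 points, that an NA field drops out of both numerator and denominator, and that %Comp values from 39% to 80% fall in the yellow band; the sample scores are constructed for illustration.

```python
"""Scoring of one toolkit row (Doc, Ctrl, Total, %Comp, Compliance Rating)
and the impact-zone roll-up shown on the Summary Report worksheets.

Doc and Ctrl each take 0 = NO, 1 = DEV, 2 = PAR, 3 = YES, or "NA".
Assumptions not stated by the toolkit: a scored field is worth at most 3
points (6 for a fully scored row); an NA field is excluded from numerator
and denominator; a row with both fields NA contributes nothing to totals.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Score = Union[int, str]          # 0..3 or "NA"
MAX_PER_FIELD = 3                # assumed per-field maximum (YES)
SCORE_LABELS = {0: "NO", 1: "DEV", 2: "PAR", 3: "YES"}


def points(score: Score) -> Optional[int]:
    """Numeric value of a Doc/Ctrl score; None for NA; rejects anything else."""
    if score == "NA":
        return None
    if isinstance(score, bool) or not isinstance(score, int) or score not in SCORE_LABELS:
        raise ValueError(f"invalid score {score!r}; expected 0-3 or 'NA'")
    return score


def pct_comp(earned: int, attainable: int) -> Optional[float]:
    """%Comp: earned points as a percentage of attainable; None if nothing scorable."""
    if attainable == 0:
        return None
    return round(100.0 * earned / attainable, 2)


def compliance_rating(pct: Optional[float]) -> str:
    """Colour band of the Compliance Rating column (green / yellow / red)."""
    if pct is None:
        return "NA"
    if pct > 80:
        return "Addressed"            # green
    if pct < 39:
        return "Not Addressed"        # red
    return "Partially Addressed"      # yellow: assumed band 39% <= pct <= 80%


@dataclass
class Criterion:
    id: int
    criteria: str
    doc: Score
    ctrl: Score


def score_row(c: Criterion) -> Dict[str, object]:
    """Total, %Comp and Compliance Rating for a single criteria row."""
    scored = [s for s in (points(c.doc), points(c.ctrl)) if s is not None]
    total = sum(scored)
    pct = pct_comp(total, MAX_PER_FIELD * len(scored))
    return {"id": c.id, "total": total, "pct_comp": pct, "rating": compliance_rating(pct)}


def zone_summary(rows: List[Criterion]) -> Dict[str, Dict[str, object]]:
    """Roll a worksheet up the way the Summary Report does: Documentation and
    Controls percentages separately, plus a combined Total Score."""
    earned = {"documentation": 0, "controls": 0}
    attainable = {"documentation": 0, "controls": 0}
    for c in rows:
        for key, raw in (("documentation", c.doc), ("controls", c.ctrl)):
            p = points(raw)
            if p is not None:
                earned[key] += p
                attainable[key] += MAX_PER_FIELD
    earned["total"] = earned["documentation"] + earned["controls"]
    attainable["total"] = attainable["documentation"] + attainable["controls"]
    summary = {}
    for key in ("documentation", "controls", "total"):
        pct = pct_comp(earned[key], attainable[key])
        summary[key] = {"score": earned[key], "pct_comp": pct, "rating": compliance_rating(pct)}
    return summary


# Constructed sample rows: criteria text from the Device Configuration worksheet,
# scores invented to exercise every band plus the NA handling.
SAMPLE_ROWS = [
    Criterion(4, "Mobile computing devices used with exempt, or confidential and exempt information are encrypted.", 2, "NA"),
    Criterion(9, "Mobile computing devices shall require user authentication.", 3, 2),
    Criterion(10, "Screensaver secured with a complex password, automatic activation at no more than 15 minutes.", 1, 0),
    Criterion(13, "Agencies shall track agency mobile computing devices.", "NA", "NA"),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(score_row(row))
    print(zone_summary(SAMPLE_ROWS))
```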

Contact List

Columns: Name; Title; Organization Unit; Function; Email Address; Phone Number.

Policy, Risk Management and Governance

Columns: ID; Criteria / Guidance; 71A F.A.C. Reference; COBIT 4.1 Reference; Policy (IIAMS Ref., hyperlink, etc.); Procedure (IIAMS Ref., hyperlink, etc.); Implemented Controls (Summarize and/or IIAMS Ref. or hyperlink); Doc; Ctrl; Total; %Comp; Compliance Rating; Control Verification; Auditor Comments.

1. The Security Program and supporting policies have been defined to support a controlled implementation of mobile devices. [71A-1.003(1); COBIT DS5.2]
2. Policy requires a risk assessment before a device is approved for use and a risk assessment update at least annually to determine that new threats are assessed and new technologies considered for deployment. [COBIT PO4.8]
3. Policy requires a centrally managed asset management system for appropriate devices. [COBIT DS9.1]
4. Policy defines the types of permitted mobile devices. For example: smartphones; laptops, notebooks and netbooks; PDAs; USB devices for storage (thumb drives and MP3/4 devices) and for connectivity (Wi-Fi, Bluetooth, etc.); digital cameras. [COBIT PO3.4]
5. Policy addresses the approved applications by device based on data classification and data loss risk. [COBIT PO2.3, PO4.9]
6. The agency shall implement a documented risk management program, including risk analysis for high-impact information resources. [71A-1.020(2); COBIT PO4.8]
7. The agency shall implement risk mitigation plans to reduce identified risks to agency information technology resources and data. [71A-1.020(5)]
8. The agency Information Security Manager shall monitor and document risk mitigation implementation. [71A-1.020(6); COBIT PO9.6]
9. The agency shall perform an impact analysis prior to introducing a new technology. The purpose of this analysis is to assess effects of the new technology on the existing environment. [71A-1.021(1)]
10. The agency shall develop procedures to ensure that security requirements are specified throughout the procurement process for information technology resources. [71A-1.021(4); COBIT PO9]
11. Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor. [71A-1.008(2); COBIT PO4.6, PO4.15]
12. Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users. [71A-1.008(8); COBIT PO4.6, PO4.15, DS7.1, DS7.2]
13. Policy defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification. [71A-1.020(1); COBIT PO2.3]
14. Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users. [COBIT PO4, ME2]

In the blank template the Policy, Procedure, Implemented Controls, Control Verification and Auditor Comments columns are empty, Doc and Ctrl are unscored, Total is 0, %Comp is 0%, and every Compliance Rating reads Not_Addressed.
Device Configuration

Columns: ID; Criteria / Guidance; 71A F.A.C. Reference; COBIT 4.1 Reference; Policy (IIAMS Ref., hyperlink, etc.); Procedure (IIAMS Ref., hyperlink, etc.); Implemented Controls (Summarize and/or IIAMS Ref. or hyperlink); Comments; Doc; Ctrl; Total; %Comp; Compliance Rating; Control Verification; Auditor Comments.

1. Each agency shall maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules. [71A-1.003(1)]
2. Each agency shall identify agency information and software that is exempt, or confidential and exempt, under provisions of applicable Florida law or federal law and rules. [71A-1.006(3)]
3. Procedures for handling and protecting exempt, and confidential and exempt information shall be referenced in the agency operational information security plan and documented in a policy that is reviewed and acknowledged by all agency staff. [71A-1.006(6); COBIT DS11.6]
4. Mobile computing devices used with exempt, or confidential and exempt information are encrypted. [71A-1.006(9)(b); COBIT DS11.6]
5. Mobile storage devices with exempt, or confidential and exempt agency data have encryption technology enabled such that all content resides encrypted. [71A-1.006(9)(c); COBIT DS11.6]
6. Only agency-owned or agency-managed mobile storage devices are authorized to store agency data. [71A-1.007(13); COBIT DS11.6]
7. No privately-owned devices (e.g., MP3 players, thumb drives, printers) shall be connected to agency information technology resources without documented agency authorization. [71A-1.007(14)]
8. Mobile computing devices shall be issued to and used only by agency-authorized users. [71A-1.007(15); COBIT DS5.4]
9. Mobile computing devices shall require user authentication. [71A-1.007(16); COBIT DS5.3]
10. Agency workstations and mobile computing devices shall have enabled a screensaver secured with a complex password and with the automatic activation feature set at no more than 15 minutes. [71A-1.007(17)]
11. The agency shall identify and document information technology resources and associated owners and custodians. [71A-1.011(1)]
12. The agency shall specify and document standard configurations used to harden software and hardware and assure the configurations address known security vulnerabilities. [71A-1.011(3); COBIT DS9.1]
13. Agencies shall track agency mobile computing devices. [71A-1.011(5)]
14. Mobile computing devices and mobile storage devices shall conform to the following configurations: mobile computing devices used with exempt, or confidential and exempt information require encryption. [71A-1.011(6)(a)]
15. Mobile computing devices and mobile storage devices shall conform to the following configurations: mobile storage devices with exempt, or confidential and exempt agency data shall have encryption technology enabled such that all content resides encrypted. [71A-1.011(6)(b)]
16. Mobile computing devices connecting to the agency internal network shall use current and up-to-date anti-malware software (where technology permits). [71A-1.011(6)(c); COBIT DS5.9]
17. Mobile computing devices and mobile storage devices shall conform to the following configurations: agency mobile computing devices shall activate an agency-approved personal firewall (where technology permits) when connected to a non-agency internal network. [71A-1.011(6)(d); COBIT DS5.10]
18. Mobile computing devices and mobile storage devices shall conform to the following configurations: only agency-approved software shall be installed on state mobile computing devices. [71A-1.011(6)(e)]
19. Data Classification Scheme. Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption. [COBIT PO2.3]
20. Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [COBIT AI3.2]
21. Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights. [COBIT DS5.3]
22. Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure. [COBIT DS5.8]
23. Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) as applicable to mobile devices to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam). [COBIT DS5.9]
24. Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks. [COBIT DS5.10]
25. Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes. [COBIT DS9.1]
26. Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures. [COBIT DS9.2]
27. Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations. [COBIT DS9.3]
28. Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity. [COBIT DS11.3]
29. Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred. [COBIT DS11.4]
30. The agency shall implement a change management process for modifications to production information technology resources. [71A-1.011(4)]
31. Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. [COBIT AI6.1]
32. Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised. [COBIT AI6.2]
33. Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process. [COBIT AI6.3]
34. Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. [COBIT AI6.4]
35. Whenever changes are implemented, update the associated system and user documentation and procedures accordingly. [COBIT AI6.5]
36. Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements. [COBIT DS10.3]
37. Device management processes exist and are centrally administered. If distributed, determine the procedures to ensure compliance with policies. [COBIT PO4.6]
38. Centrally controlled processes restrict data synchronization to mobile devices. [COBIT DS10.3]

In the blank template the Policy, Procedure, Implemented Controls, Comments, Control Verification and Auditor Comments columns are empty, Doc and Ctrl are unscored, Total is 0, %Comp is 0%, and every Compliance Rating reads Not_Addressed.

19 of 27
Media Protection

Columns: ID; Criteria / Guidance; 71A F.A.C. Reference; COBIT 4.1 Reference; Policy (Name and IIAMS Ref.); Procedure (Name and IIAMS Ref.); Implemented Controls (Summarize and/or IIAMS Ref.); Comments; Doc; Ctrl; Total; %Comp; Compliance Rating; Control Verification; Auditor Comments.

1. The agency shall implement procedures to protect agency information from loss, destruction, and unauthorized or improper disclosure or modification. Devices are managed and secured according to the risk of enterprise data loss. [71A-1.003(1); COBIT DS11.6]
2. The agency shall maintain electronic data in accordance with the same retention requirements that apply to agency data in non-electronic formats. [71A-1.016(2); COBIT PO2.3, DS11.2]
3. The agency shall sanitize or destroy information media according to the applicable retention schedule and before disposal or release for reuse. [71A-1.016(3); COBIT DS11.4]
4. The agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal. [71A-1.016(4)]
5. Equipment sanitization shall be performed such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. File deletion and media formatting are not acceptable methods of sanitization. [71A-1.016(5)]
6. Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media. [71A-1.016(6)]
7. Users shall take reasonable precautions, based upon applicable facts and circumstances, to protect mobile computing devices in their possession from loss, theft, tampering, unauthorized access, and damage. [71A-1.016(7)]
8. Procedures address lost or stolen devices and whether the data stored on these devices can be remotely wiped. [COBIT DS11.6]

In the blank template the Policy, Procedure, Implemented Controls, Comments, Control Verification and Auditor Comments columns are empty, Doc and Ctrl are unscored, Total is 0, %Comp is 0%, and every Compliance Rating reads Not_Addressed.
21 of 27
Network Device Connectivity

Columns: ID; Criteria / Guidance; 71A F.A.C. Reference; COBIT 4.1 Reference; Policy (Name and IIAMS Ref.); Procedure (Name and IIAMS Ref.); Implemented Controls (Summarize and/or IIAMS Ref.); Comments; Doc; Ctrl; Total; %Comp; Compliance Rating; Control Verification; Auditor Comments.

1. Only agency-approved wireless devices, services, and technologies may be connected to the agency internal network. [71A-1.003(1)]
2. Users may remotely connect computing devices to the agency internal network only through agency-approved, secured remote access methods. [71A-1.007(10)]
3. Only agency-owned or agency-managed information technology resources may connect to the agency internal network. [71A-1.007(12)]
4. No privately-owned devices (e.g., MP3 players, thumb drives, printers) shall be connected to agency information technology resources without documented agency authorization. [71A-1.007(14)]
5. The agency shall monitor for unauthorized information technology resources connected to the agency internal network. [71A-1.007(18)]
6. Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data. [COBIT PO4, DS5, DS11, ME3]

In the blank template the Policy, Procedure, Implemented Controls, Comments, Control Verification and Auditor Comments columns are empty, Doc and Ctrl are unscored, Total is 0, %Comp is 0%, and every Compliance Rating reads Not_Addressed.
23 of 27
Policy, Risk Management, and Governance (Summary Report)

Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Implemented Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating).

Rows 1 through 14 repeat the fourteen criteria of the Policy, Risk Management and Governance worksheet. In the blank template every row shows Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total Score 0, 0, Not_Addressed.

Total Compliance Rating for Policy, Risk Management, and Governance: Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total 0, 0%, Not_Addressed.
Device Configuration and Change Management (Summary Report)

Columns: ID; Criteria / Guidance; Documentation (score, %COMP, Compliance Rating); Controls (score, %COMP, Compliance Rating); Total Score (score, %COMP, Compliance Rating).

The rows repeat the criteria of the Device Configuration worksheet, one per ID. In the blank template every row shows Documentation 0, 0%, Not_Addressed; Controls 0, 0%, Not_Addressed; Total Score 0, 0%, Not_Addressed.
infrastructure components. Their use should be monitored and evaluated.

20
Ensure that all users (internal, external and temporary) and their activity on 0 0% 0 0% 0 0%
IT systems (business application, IT environment, system operations,
development and maintenance) are uniquely identifiable. Enable user
identities via authentication mechanisms. Confirm that user access rights
to systems and data are in line with defined and documented business
needs and that job requirements are attached to user identities. Ensure
that user access rights are requested by user management, approved by
system owners and implemented by the security-responsible person.
Maintain user identities and access rights in a central repository. Deploy
cost-effective technical and procedural measures, and keep them current Not_Addressed Not_Addressed Not_Addressed
to establish user identification, implement authentication and enforce
access rights.

21
Determine that policies and procedures are in place to organise the 0 0% 0 0% 0 0%
generation, change, revocation, destruction, distribution, certification,
storage, entry, use and archiving of cryptographic keys to ensure the
Not_Addressed Not_Addressed Not_Addressed
protection of keys against modification and unauthorised disclosure.

22
Implement preventive, detective and corrective measures in place 0 0% 0 0% 0 0%
(especially up-to-date security patches and virus control) as applicable to
mobile devices to protect information systems and technology from
Not_Addressed Not_Addressed Not_Addressed
malware (e.g., viruses, worms, spyware, spam).

23
Use security techniques and related management procedures (e.g., 0 0% 0 0% 0 0%
firewalls, security appliances, network segmentation, intrusion detection)
to authorise access and control information flows from and to networks. Not_Addressed Not_Addressed Not_Addressed
24
Device Configuration and Change Management (Cont.)

ID  Criteria / Guidance
Scoring columns (Documentation, Controls and Total Score, each with a count, %COMP and Compliance Rating) hold the blank template values for every row below: 0, 0%, Not_Addressed.

25  Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
26  Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
27  Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
28  Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
29  Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
30  The agency shall implement a change management process for modifications to production information technology resources.
31  Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
32  Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.
33  Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
34  Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
35  Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
36  Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.
37  Device management processes exist and are centrally administered. If distributed, determine the procedures to ensure compliance with policies.
38  Centrally controlled processes restrict data synchronization to mobile devices.

Total Compliance Rating for Device Configuration and Change Management (Documentation, Controls and Total Score): 0, 0%, Not_Addressed.
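The toolkit scores the configuration criteria above from interviews, and the auditor then confirms the answers with management. As an added example (not part of the toolkit or of any agency's tooling), the Python below tests several of those criteria against a device inventory export, the kind of evidence an MDM console produces, and computes a per-criterion pass rate in the role of the %COMP column. The Device field names, the approved-software list, the seven-day signature age used to define "current" anti-malware for criterion 16, the rating bands and the sample export are all assumptions constructed for the example; the 15-minute limit is the one stated in criterion 10.

```python
"""Added example: evidence-based test of the Device Configuration criteria.

Rather than scoring criteria 4-18 from interview answers alone, export the
device inventory from the agency MDM and evaluate each record against the
criteria. The per-criterion pass rate plays the role of the %COMP column.
Field names, the approved-software list, the signature-age threshold and the
rating bands are assumptions for this example, not part of the toolkit.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    agency_owned: bool                  # criteria 6, 8: agency-owned or agency-managed
    user_authorized: bool               # criterion 8: issued to an agency-authorized user
    handles_confidential: bool          # criteria 4, 14: confidential and exempt data present
    encrypted: bool                     # criteria 4, 14
    requires_auth: bool                 # criterion 9
    screen_lock_minutes: Optional[int]  # criterion 10: None = no auto-lock configured
    complex_passcode: bool              # criterion 10
    signature_age_days: Optional[int]   # criterion 16: None = no anti-malware reporting
    firewall_on_untrusted_net: bool     # criterion 17
    installed_apps: List[str]           # criterion 18


MAX_LOCK_MINUTES = 15        # stated in criterion 10
MAX_SIGNATURE_AGE_DAYS = 7   # assumption: what "current" anti-malware means for this check
APPROVED_APPS = {"mail", "vpn", "mdm-agent", "browser"}  # constructed approved-software list

# Toolkit criterion ID -> (short description, predicate that is True when the device complies)
CRITERIA: Dict[int, Tuple[str, Callable[[Device], bool]]] = {
    4: ("Devices holding confidential/exempt data are encrypted",
        lambda d: d.encrypted or not d.handles_confidential),
    8: ("Device is agency-owned and issued to an authorized user",
        lambda d: d.agency_owned and d.user_authorized),
    9: ("Device requires user authentication",
        lambda d: d.requires_auth),
    10: ("Complex passcode and auto-lock at no more than 15 minutes",
         lambda d: d.complex_passcode
         and d.screen_lock_minutes is not None
         and 0 < d.screen_lock_minutes <= MAX_LOCK_MINUTES),
    16: ("Anti-malware signatures are current",
         lambda d: d.signature_age_days is not None
         and d.signature_age_days <= MAX_SIGNATURE_AGE_DAYS),
    17: ("Personal firewall active on non-agency networks",
         lambda d: d.firewall_on_untrusted_net),
    18: ("Only agency-approved software installed",
         lambda d: set(d.installed_apps) <= APPROVED_APPS),
}


def rate(pct: int) -> str:
    """Map a pass rate to a rating label. The bands are an assumption for this example."""
    if pct == 100:
        return "Fully_Addressed"
    if pct >= 50:
        return "Partially_Addressed"
    return "Not_Addressed"


def evaluate(devices: List[Device]) -> Dict[int, dict]:
    """Return, per criterion ID, the pass rate, its rating and the failing device IDs."""
    results: Dict[int, dict] = {}
    for cid, (description, check) in CRITERIA.items():
        failing = [d.device_id for d in devices if not check(d)]
        passing = len(devices) - len(failing)
        pct = round(100 * passing / len(devices)) if devices else 0
        results[cid] = {"criterion": description, "pct_comp": pct,
                        "rating": rate(pct), "failing": failing}
    return results


def overall_pct(results: Dict[int, dict]) -> int:
    """Unweighted mean of the per-criterion pass rates, used as the summary score."""
    if not results:
        return 0
    return round(sum(r["pct_comp"] for r in results.values()) / len(results))


# Constructed MDM export for the example; not real agency data.
SAMPLE_EXPORT = [
    Device("TAB-001", True, True, True, True, True, 10, True, 2, True, ["mail", "vpn", "mdm-agent"]),
    Device("TAB-002", True, True, True, False, True, 30, True, 2, True, ["mail", "mdm-agent"]),
    Device("PHN-003", True, True, False, False, True, 5, False, 45, False, ["mail", "games-pro"]),
    Device("PHN-004", False, False, True, True, False, None, False, None, False, ["browser"]),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_EXPORT)
    for cid, r in report.items():
        print(f"{cid:>2}  {r['pct_comp']:>3}%  {r['rating']:<20} {r['criterion']}")
        for device_id in r["failing"]:
            print(f"      fails: {device_id}")
    print(f"overall: {overall_pct(report)}%")
```

The failing-device list is what turns a percentage into an audit finding: TAB-002 holds confidential data unencrypted and locks after 30 minutes, so it fails criteria 4 and 10 even though it passes everything else. Treat the export as one evidence source among several; a device that is not enrolled in the MDM does not appear in it at all, which is why the tracking requirement in criterion 13 has to be tested independently.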
Media Protection

ID  Criteria / Guidance
Scoring columns (Documentation, Controls and Total Score, each with a count, %COMP and Compliance Rating) hold the blank template values for every row below: 0, 0%, Not_Addressed.

1   The agency shall implement procedures to protect agency information from loss, destruction, and unauthorized or improper disclosure or modification. Devices are managed and secured according to the risk of enterprise data loss.
2   The agency shall maintain electronic data in accordance with the same retention requirements that apply to agency data in non-electronic formats.
3   The agency shall sanitize or destroy information media according to the applicable retention schedule and before disposal or release for reuse.
4   The agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal.
5   Equipment sanitization shall be performed such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. File deletion and media formatting are not acceptable methods of sanitization.
6   Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.
7   Users shall take reasonable precautions, based upon applicable facts and circumstances, to protect mobile computing devices in their possession from loss, theft, tampering, unauthorized access, and damage.
8   Procedures address lost or stolen devices and whether the data stored on these devices can be remotely wiped.

Total Compliance Rating for Media Protection (Documentation, Controls and Total Score): 0, 0%, Not_Addressed.
Network and Device Connectivity

ID  Criteria / Guidance
Scoring columns (Documentation, Controls and Total Score, each with a count, %COMP and Compliance Rating) hold the blank template values for every row below: 0, 0%, Not_Addressed.

1   Only agency-approved wireless devices, services, and technologies may be connected to the agency internal network.
2   Users may remotely connect computing devices to the agency internal network only through agency-approved, secured remote access methods.
3   Only agency-owned or agency-managed information technology resources may connect to the agency internal network.
4   No privately-owned devices (e.g., MP3 players, thumb drives, printers) shall be connected to agency information technology resources without documented agency authorization.
5   The agency shall monitor for unauthorized information technology resources connected to the agency internal network.
6   Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.

Total Compliance Rating for Network and Device Connectivity (Documentation, Controls and Total Score): 0, 0%, Not_Addressed.
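Criteria 4 and 5 of this section (no privately-owned devices without authorization; monitor for unauthorized resources on the internal network) are only testable if the agency can compare what is actually on the network against the device register it keeps under Device Configuration criterion 13. As an added example (not from the toolkit or any agency's tooling), the Python below reads DHCP lease records and classifies each client against an asset register keyed by MAC address. The dnsmasq lease-file layout, the register entries and the lease lines are constructed for the example. It also handles a failure mode an auditor should expect: modern phones present a randomized, locally administered Wi-Fi MAC per network, so an unmatched MAC is not automatically a rogue device, and a register keyed by hardware MAC cannot prove such a phone is agency-owned.

```python
"""Added example: detecting unauthorized devices on the agency network.

Network criteria 4 and 5 require that privately-owned devices not connect
without authorization and that the agency monitor for unauthorized resources.
This compares DHCP lease records against the asset register kept under Device
Configuration criterion 13. The dnsmasq lease format, the register and the
lease lines are constructed for the example.
"""
import re
from typing import Dict, List, NamedTuple


class Lease(NamedTuple):
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so register and lease entries compare
    equal whatever separators or case the exporting tool used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """True when the 0x02 bit of the first octet is set: a locally administered
    address, which includes the per-network randomized Wi-Fi MACs of current
    phones. Such a client cannot be matched to a register keyed by hardware MAC,
    so it is reported separately rather than silently counted as unauthorized."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_dnsmasq_leases(text: str) -> List[Lease]:
    """Parse dnsmasq.leases lines: '<expiry> <mac> <ip> <hostname> <client-id>'."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(normalize_mac(mac), ip, hostname))
    return leases


def classify_leases(leases: List[Lease], inventory: Dict[str, str]) -> Dict[str, List[Lease]]:
    """Bucket each lease as authorized (in the register), randomized_mac (cannot
    be matched by MAC) or unauthorized (a hardware MAC the agency does not own)."""
    known = {normalize_mac(m): asset for m, asset in inventory.items()}
    report: Dict[str, List[Lease]] = {"authorized": [], "randomized_mac": [], "unauthorized": []}
    for lease in leases:
        if lease.mac in known:
            report["authorized"].append(lease)
        elif is_locally_administered(lease.mac):
            report["randomized_mac"].append(lease)
        else:
            report["unauthorized"].append(lease)
    return report


# Constructed asset register (criterion 13), keyed by MAC in the mixed formats
# that real exports tend to produce.
INVENTORY = {
    "A4-83-E7-12-34-56": "TAB-001",
    "a4:83:e7:ab:cd:ef": "TAB-002",
    "3c2ef9001122": "PHN-003",
}

# Constructed dnsmasq lease file: two managed tablets, a managed phone, a
# personal media player and a phone using a randomized Wi-Fi address.
SAMPLE_LEASES = """\
1700000000 a4:83:e7:12:34:56 10.20.0.11 tab-001 01:a4:83:e7:12:34:56
1700000100 a4:83:e7:ab:cd:ef 10.20.0.12 tab-002 *
1700000200 00:1a:2b:3c:4d:5e 10.20.0.40 Johns-iPod *
1700000300 da:a1:19:00:11:22 10.20.0.41 iPhone *
1700000400 3c:2e:f9:00:11:22 10.20.0.13 phn-003 *
"""

if __name__ == "__main__":
    result = classify_leases(parse_dnsmasq_leases(SAMPLE_LEASES), INVENTORY)
    for bucket, items in result.items():
        for lease in items:
            print(f"{bucket:<14} {lease.mac}  {lease.ip:<12} {lease.hostname}")
```

Run against a real lease file, the "unauthorized" bucket is the evidence for criterion 5 and the "randomized_mac" bucket is the caveat to raise with the agency: if managed phones use randomized addresses, MAC-based monitoring cannot satisfy criterion 3 on its own and needs to be paired with network access control that authenticates the device (for example, certificate-based 802.1X).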
Overall Compliance

Total Mobile Device Compliance (Documentation, Controls and Total Score, each with a count, %COMP and Rating): 0, 0%, Not_Addressed.