
CIS Controls v8
Mobile Companion Guide
Version 8
Acknowledgments

CIS would like to thank the many security experts who volunteer their time and talent to support the CIS Controls® and other CIS work. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.

Editors
Chris Crowley, Montace®, Sean Frazier, Okta, and Joshua M Franklin, CIS

Contributors
Eric Green, HSBC; Tim LeMaster, Lookout; Tyler Desjardins, CISSP, Arctic Wolf; Stephen Campbell, Non-State Threat Intelligence, LLC; Thomas Sager, CIS; Robin Regnier, CIS

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization whose mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

For additional information, visit www.cisecurity.org.

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives 4.0 International Public License (the link can be found at www.creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of the Center for Internet Security, Inc. (CIS®).

May 2021
Contents

Overview
  Introduction
  Methodology
    Relevant Enterprise Technology
    Mobility Deployment Model Descriptions
    Definition and Scope
    EMM Configuration
    Applicability Overview

CIS Controls for Mobile Deployment
  Control 01. Inventory and Control of Enterprise Assets
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 02. Inventory and Control of Software Assets
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 03. Data Protection
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 04. Secure Configuration of Enterprise Assets and Software
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 05. Account Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 06. Access Control Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 07. Continuous Vulnerability Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 08. Audit Log Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 09. Email and Web Browser Protections
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 10. Malware Defenses
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 11. Data Recovery
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 12. Network Infrastructure Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 13. Network Monitoring and Defense
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 14. Security Awareness and Skills Training
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
  Control 15. Service Provider Management
    Mobile Applicability
    Mobile Deployment Considerations
    Mobile Additional Discussion
