Mobile Computing Security Audit/Assurance Program 


Mobile Computing Security Audit/Assurance Program  Download (Member Only, 1.3M)
Bookstore Purchase the Book

  Provide feedback on this document
Knowledge Center  Visit the Mobile Computing Knowledge Center community
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community

The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.

Objective—The mobile computing security audit/assurance review will:

  • Provide management with an assessment of mobile computing security policies and procedures and their operating effectiveness.
  • Identify internal control and regulatory deficiencies that could affect the organization.
  • Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in mobile computing controls.

Scope—The review will focus on:

  • Mobile devices connected to the enterprise network or containing enterprise data
  • Mobile devices in scope include:
     - Smartphones
     - Laptops, notebooks and netbooks
     - Portable digital assistants (PDAs)
     - Portable Universal Serial Bus (USB) devices for storage (such as thumb drives and MP3/4 devices) and for connectivity (such as Wi-Fi, Bluetooth® and HSDPA/UMTS/EDGE/GPRS modem cards)
     - Digital cameras
     - Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
     - Infrared-enabled (IrDA) devices such as printers and smart cards

Asset effectiveness, suitability of the specific devices for the processes implemented and purchase practices related to the mobile devices are out of scope for this review.

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.