MDM-10: Separate Mobile Device Profiles
Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Control Question: Does the organization enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data?
General (2)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 4.12 |
| CIS CSC 8.1 IG3 | 4.12 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Level 3 — Well Defined
Mobile Device Management (MDM) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An Identity & Access Management (IAM) function, or similar function, implements access controls for mobile devices that restrict which systems, applications and services mobile devices are permitted to communicate with.
- Organization-owned mobile devices are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information stored on the device, and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.
- MDM software is used to restrict the data that is stored/processed/transmitted on organization-owned and/or applicable Bring Your Own Device (BYOD) (e.g., personal) devices across the entire organization.
- MDM enforces a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
- Technologies are configured to use cryptographic mechanisms to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Assessment Objectives
- MDM-10_A01 a separate device workspace is enforced on applicable mobile devices to separate work-related and personal-related applications and data.
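One way an assessor can gather evidence for MDM-10_A01 on an Android device is to confirm that a managed (work) profile actually exists on the device, rather than relying on the MDM console alone. The script below is an added example, not part of the SCF control text or any MDM vendor's tooling. It parses the output of `adb shell pm list users`, whose records have the form `UserInfo{id:name:flags[:type]}` with the hex flags field carrying `FLAG_MANAGED_PROFILE` (0x20), and it checks `ro.crypto.state` for the container/full-device encryption criterion. The two device outputs embedded in the script are constructed samples; on a real device, pipe the live `adb shell` output into the same functions.

```shell
#!/bin/sh
# Evidence collection for MDM-10 on Android. Added example, not SCF or vendor code.
# Assumptions: `pm list users` prints records as UserInfo{id:name:flags[:type]}
# with flags in hex, and bit 0x20 of flags is FLAG_MANAGED_PROFILE.

# Constructed sample: device with an enforced work profile (user 10).
SAMPLE_WITH_PROFILE='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Work profile:1030} running'

# Constructed sample: device with only the personal (owner) user.
SAMPLE_WITHOUT_PROFILE='Users:
	UserInfo{0:Owner:c13} running'

# has_managed_profile: read `pm list users` output on stdin; succeed (exit 0)
# if any user record has FLAG_MANAGED_PROFILE set in its flags field.
has_managed_profile() {
  grep -o 'UserInfo{[^}]*}' | while IFS= read -r rec; do
    inner=${rec#UserInfo\{}          # strip leading "UserInfo{"
    inner=${inner%\}}                # strip trailing "}"
    flags=$(printf '%s' "$inner" | cut -d: -f3)
    # Hex arithmetic is supported by dash, bash and busybox ash.
    if [ $(( 0x$flags & 0x20 )) -ne 0 ]; then
      echo found
    fi
  done | grep -q found
}

# is_encrypted: takes the value of `adb shell getprop ro.crypto.state`;
# succeed only when the device reports "encrypted".
is_encrypted() {
  [ "$1" = "encrypted" ]
}

# assess_mdm10: combine both checks into a single PASS/FAIL verdict string.
#   $1 = `pm list users` output, $2 = ro.crypto.state value
assess_mdm10() {
  profile=FAIL; crypto=FAIL
  printf '%s\n' "$1" | has_managed_profile && profile=PASS
  is_encrypted "$2" && crypto=PASS
  printf 'work_profile=%s encryption=%s\n' "$profile" "$crypto"
}

# Stand-alone usage against the constructed samples.
assess_mdm10 "$SAMPLE_WITH_PROFILE" encrypted
assess_mdm10 "$SAMPLE_WITHOUT_PROFILE" unencrypted
```

A `PASS` for `work_profile` shows only that a managed profile is present; whether the MDM *enforces* it (re-applies the profile if removed, blocks enrollment without it) still has to be confirmed from the MDM policy and its compliance reporting. Apple devices use a different model (User Enrollment with a separate managed APFS volume) and need a different check.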