Access Control for Portable and Mobile Devices Checklist

Objectives
- The organization establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and
- The organization authorizes, monitors, and controls device access to organizational information systems.

Controls
- Examine access control policy and procedures, security plan, or other relevant documents; reviewing for the usage restrictions and implementation guidance for organization-controlled portable and mobile devices.
- Examine access control policy and procedures, security plan, or other relevant documents; reviewing for the measures, and for any measures that are automated mechanism their configuration settings, to be employed to authorize, monitor, and controlling device access to organizational information systems in accordance with the usage restrictions and implementation guidance.
- Examine documentation describing the current configuration settings for an agreed-upon representative sample of mechanisms; reviewing for indication that the mechanisms are configureds.
- Interview an agreed-upon representative sample of organizational personnel responsible for authorizing, monitoring, and controlling device access to the information system; conducting generalized discussions for evidence that the measures are implemented as intended.
- Test an agreed-upon representative sample of automated mechanisms; conducting generalized testing for evidence that the mechanisms operate as intended.