Most cybersecurity professionals in Australia are well-acquainted with the Information Security Manual (ISM) cyber security framework, the Essential 8 (E8) and how they apply to traditional endpoints. In addition to these controls, there are mobile-specific controls that are critical to securing iOS, Android and ChromeOS devices. In this blog, we will analyse the ISM’s mobile controls, explore the risks they aim to mitigate, and outline practical approaches for addressing each control.
Firstly, let’s recap on some key concepts, which are important to understanding Zimperium’s mapping.
Management vs Security
A common theme in the mobile ISM controls is the use of Mobile Device Management (MDM) and endpoint hardening. At Zimperium, we complement management tools by providing Endpoint Detection and Response (EDR), anti-malware (AV), network intrusion detection and prevention (IDS and IPS) and application vetting capabilities.
Although there can be overlap between these solution sets, they are complementary and focus on addressing different problems:
- Mobile Management – Provides a seamless onboarding experience, automated deployment of apps and services, and hardening against some known attack vectors.
- Mobile Security – Beyond hardening, it detects and prevents SMS and other vectors of phishing, detects non-compliant categories of data, and assesses shortcuts and downloads. It also detects advanced known and unknown zero-day exploit attempts, performs system anomaly detection, identifies and manages vulnerabilities, vets applications, forensically analyses devices for compromise and more.
For more on this topic, see our Management is Not Security whitepaper.
What does the ISM say about mobile devices?
Not only does it cover mobile, but there are 6+ publications and 44+ mobile-specific ISM controls. These aim at helping organisations take foundational steps to develop mobile policy, harden mobile endpoints, and better develop mobile apps.
Of the ISM’s documents, this blog will focus on:
- Guidelines for Enterprise Mobility here
  - General Enterprise Mobility, with policy for corporate and personal devices.
  - Mobile device management, and the role of management.
  - Mobile device usage policy during travel, and other scenarios.
- Risk Management of Enterprise Mobility here
A full list of mobile-related ISM documentation can be found here.
Do the Essential Eight (E8) apply to mobile?
The Essential Eight (E8) security controls were designed for traditional Windows-based devices. Although some of these control concepts may align to mobile devices, the ISM’s Guidelines for Enterprise Mobility and hardening guides better address mobile devices and their risks. To define mobile, we are referring to iOS, Android, ChromeOS, Samsung Tactical, ViaSat solutions, Android ATAK and other mobile platforms.
Who do these controls apply to?
The ISM primarily applies to Australian government departments and agencies, but is applicable to any organisation that uses mobile devices for their operations. It provides a framework for managing security risks to the confidentiality, integrity, and availability of information. Additionally, the ISM is used by any organisation handling government information or systems, ensuring that they maintain appropriate levels of security. This includes contractors, service providers, and other third parties engaged in government-related work.
ISM Controls & MTD Mapping
Below is a comprehensive analysis of the ISM controls, the risks Zimperium believes they are addressing, and solutions. Although this is the full mapping, see Zimperium’s Top-10 analysis here.
Rating | Meaning |
--- | --- |
Compliant | MTD can directly ensure compliance with the control. |
Mitigate | The risk the control intends to mitigate can be mitigated by Zimperium MTD. |
Contribute | The MTD solution plays a role in mitigating the overall risk. |

ISM Control | ISM Control Date | ISM Description | What is the risk? | Solution |
--- | --- | --- | --- | --- |
ISM-1867 | Mar-24 | Mobile devices that access OFFICIAL: Sensitive or PROTECTED systems or data use mobile platforms that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Fundamentals, version 3.3 or later, and are operated in accordance with the latest version of their associated ASD security configuration guide. | Devices that are not assessed against the Common Criteria Protection Profile for Mobile Device Fundamentals (v3.3+) may contain system vulnerabilities, and expose data to being compromised. | Mitigate – Zimperium performs deep system analysis, evaluating processes, mount points, daemons, libraries, a wide range of system logs and many other system components to confirm the device’s posture. Additionally, machine-learning based anomaly detection can prompt users to perform a manual DeepScan forensic analysis, providing MTD deeper access to system logs and the OS for more complete assurance. |
ISM-0870 | Apr-19 | Mobile devices are carried or stored in a secured state when not being actively used. | Devices carried or stored insecurely could be tampered with or compromised, resulting in spying, data exfiltration or other malicious behaviours. | Mitigate – Zimperium provides on-device security capabilities, which continue to operate without internet connectivity. It can detect system tampering or abnormal activities, operating system exploitation, sideloaded and malicious apps, deviation from the device’s original build certification state and malicious connections to command-and-control (C&C) servers. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. |
ISM-0871 | Apr-19 | Mobile devices are kept under continual direct supervision when being actively used. | If bad actors get physical access to a device, it can be tampered with or compromised, resulting in spying, data exfiltration or other malicious behaviours. | Mitigate – Zimperium provides on-device security capabilities, which continue to operate without internet connectivity. MTD can detect system tampering or abnormal activities, operating system exploitation, sideloaded and malicious apps, deviation from the device’s original build certification state and malicious connections to command-and-control (C&C) servers. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. |
ISM-0866 | Jun-21 | Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed. | Sensitive information could be viewed, overheard or collected by unauthorised, or unintended persons nearby. | Staff must be trained to appropriately handle mobile devices in public, and reduce the likelihood of ‘shoulder surfing’ or data being visually compromised. |
ISM-1644 | Jun-21 | Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard. | Physical Eavesdropping by nearby people, resulting in exfiltration of sensitive data. | Staff must be trained to appropriately handle mobile devices in public, to reduce the likelihood of ‘eavesdropping’ or data being verbally compromised. |
ISM-1083 | Sep-18 | Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices. | Sensitive or classified information could be intercepted when broadcasted over voice and data infrastructure. | Contribute – The connected Wi-Fi networks are constantly monitored, along with specific protections against rogue cellular or SIM changes. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium for deeper inspection of device components, such as networking – allowing Zimperium to provide an even higher assurance assessment of the device’s network. |
ISM-0874 | Sep-23 | Mobile devices and desktop computers access the internet via a VPN connection to an organisation’s internet gateway rather than via a direct connection to the internet. | Devices connected directly to the internet can be exposed to network-initiated attacks, and cannot take advantage of perimeter-based filtering. Devices can also leak corporate data without passing through the corporate gateway. | Mitigate – MTD Web Content Filtering and on-device Network Based Security intercept bad traffic and provide domain-level/URL DLP. Combined, the risk of devices directly connecting to the internet can be mitigated. With Samsung KNOX, Zimperium is provided even deeper access to device network interfaces for monitoring and analysis to prevent, detect and stop network attacks. |
ISM-0687 | Sep-23 | Mobile devices that access SECRET or TOP SECRET systems or data use mobile platforms that have been issued an Approval for Use by ASD and are operated in accordance with the latest version of their associated Australian Communications Security Instruction. | N/A – This is evaluated by the department. | Mitigate – Risk posture is provided for each device, allowing departments to evaluate whether a device is compromised or carries an unacceptable level of risk. This allows departments to make informed, risk-based decisions on whether devices should be able to hold/access relevant data. |
ISM-1868 | Sep-23 | SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD. | Removable media on iOS and Android devices can introduce malware, or cause the execution of exploits. | Mitigate – MTD assesses the system for compromise, including any exploits or tampering that may occur from removable media. Additionally, MTD can scan removable media. |
ISM-1866 | Sep-23 | Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers are prevented from storing classified data on their privately-owned mobile devices and desktop computers. | Personal iOS and Android devices cannot be managed or controlled to the same extent as Supervised/Fully Managed mode devices. | Mitigate – MTD can inform systems, such as an MDM or conditional access policy, of the device’s current risk level. This allows organisations to take an automated, risk-based approach to allowing mobile devices to access data. |
ISM-0694 | Sep-23 | Privately-owned mobile devices and desktop computers do not access SECRET and TOP SECRET systems or data. | N/A – This is evaluated by the department. | Mitigate – Risk posture is provided for each device, allowing departments to evaluate if a device is compromised or maintains an unacceptable level of risk. This allows departments to make informed, risk-based decisions on whether devices should be able to hold/access relevant data. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of device aspects, such as running processes – allowing Zimperium to provide an even higher assurance assessment of the device’s subsystem. |
ISM-1088 | Sep-23 | Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they: (1) provide credentials to foreign government officials; (2) decrypt mobile devices for foreign government officials; (3) have mobile devices taken out of sight by foreign government officials; (4) have mobile devices or removable media stolen, including if later returned; (5) lose mobile devices or removable media, including if later found; (6) observe unusual behaviour of mobile devices. | If bad actors can physically access a device, decrypt it, or be given credentials to the device, it can be tampered with or compromised. Additionally, even without physical access, bad actors can remotely exploit devices. This may result in spying, data exfiltration or other malicious behaviours. | Compliant – If the device is decrypted (encryption disabled and/or PIN removed), tampered with, or experiences abnormal behaviours as a result of exploits, MTD can detect and report these events with forensic data to a department’s security team. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. In the event of compromise, Zimperium can invoke KNOX actions to stop data leakage, restrict SD card transfer, and sanitise/wipe app data (on both internal storage and external SD card). |
ISM-1297 | Sep-23 | Legal advice is sought prior to allowing privately-owned mobile devices and desktop computers to access systems or data. | There are legal implications surrounding user privacy, data collection and tracking. These must be considered and addressed before a solution is implemented. | Contribute – Zimperium provides an on-device, privacy-centric security approach. Additionally, MTD does not collect PII, and can operate in anonymous-mode, where any user data from an MDM is obfuscated and randomised. |
ISM-1195 | Sep-23 | Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, version 4.0 or later, are used to enforce mobile device management policy. | Without an MDM, common security settings may not be enabled, and security teams will lack central asset management. | Contribute – Mobile Device Management solutions reduce a limited amount of risk by enforcing a baseline configuration. However, Zimperium is still required to detect attacks (IDS), stop attacks (IPS), manage OS vulnerabilities, detect IOCs, and extract security forensics. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. Further, Zimperium can invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. These are combined with KNOX DLP controls to restrict device-wide copy/paste, restrict SD card transfer, restrict screen capture and sanitise/wipe app data (on both internal storage and external SD card). |
ISM-1196 | Sep-23 | OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. | Devices with Bluetooth left in discoverable mode could be compromised via the Bluetooth protocol, unauthorised Bluetooth devices could harvest information, or data could be shared in an unauthorised manner. | Mitigate – MTD can disable Bluetooth. In addition, it can vet applications that leverage Bluetooth, and assess the risk of those apps. With Samsung KNOX, Zimperium can further invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. |
ISM-1198 | Sep-23 | Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices. | If paired to an unintended Bluetooth device, the unauthorised Bluetooth device could harvest information, or compromise the host mobile. | Mitigate – MTD can disable Bluetooth. In addition, it can vet applications that leverage Bluetooth, and assess the risk of those apps. With Samsung KNOX, Zimperium can further invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. |
ISM-1199 | Sep-23 | Bluetooth pairings for OFFICIAL: Sensitive and PROTECTED mobile devices are removed when there is no longer a requirement for their use. | If old Bluetooth device pairings are saved, an attacker could compromise a previously trusted Bluetooth device in an effort to harvest information, or compromise the host mobile. | Mitigate – MTD can disable Bluetooth. In addition, it can vet applications that leverage Bluetooth, and assess the risk of those apps. With Samsung KNOX, Zimperium can further invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. |
ISM-1200 | Sep-23 | Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported. | Insecure Bluetooth pairing could result in an unauthorised Bluetooth device being paired. Unauthorised Bluetooth devices could harvest information, or the host mobile device could be compromised. | Mitigate – MTD can disable Bluetooth. In addition, it can vet applications that leverage Bluetooth, and assess the risk of those apps. With Samsung KNOX, Zimperium can further invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. |
ISM-1299 | Sep-23 | Personnel take the following precautions when travelling overseas with mobile devices: (1) never leave mobile devices or removable media unattended, including by placing them in checked-in luggage or leaving them in hotel safes; (2) never store credentials with mobile devices that they grant access to, such as in laptop computer bags; (3) never lend mobile devices or removable media to untrusted people, even if briefly; (4) never allow untrusted people to connect their mobile devices or removable media to your mobile devices, including for charging; (5) never connect mobile devices to designated charging stations or wall outlet charging ports; (6) never use gifted or unauthorised peripherals, chargers or removable media with mobile devices; (7) never use removable media for data transfers or backups that have not been checked for malicious code beforehand; (8) avoid reuse of removable media once used with other parties’ systems or mobile devices; (9) avoid connecting mobile devices to open or untrusted Wi-Fi networks; (10) consider disabling any communications capabilities of mobile devices when not in use, such as Wi-Fi, Bluetooth, Near Field Communication and ultra-wideband; (11) consider periodically rebooting mobile devices; (12) consider using a VPN connection to encrypt all cellular and wireless communications; (13) consider using encrypted email or messaging apps for all communications. | Devices left unattended, including in checked-in luggage or hotel safes, can be tampered with, either physically or using protocols like Wi-Fi, Bluetooth, NFC etc. Chargers, USB wall outlets, laptops, or other removable media can be used to execute scripts, install files or apps, harvest data or otherwise compromise the device. Untrusted or compromised Wi-Fi and physical network connections can force the install of exploit files, malicious web certificates or malware. They can redirect to, or inject, maliciously crafted pages. Users can also be socially engineered to input credentials or personal data, or have other information harvested via drive-by download. Untrusted networks can decrypt HTTPS traffic, monitor activity and more easily intercept sensitive data if there are no additional layers of VPN tunnel encryption. Untrusted telecommunication networks can more easily log and intercept cellular communications, as opposed to encrypted messaging apps with additional layers of security. All communication capabilities are vulnerable entry points for attacks, including cellular, wireless, Bluetooth and Near Field Communication (NFC). Leaving them always enabled increases the risk of exploitation. Removable media can be compromised, tampered with or injected with malicious code or software. There is a risk that the removable media could spread malicious code or software, further compromising devices. Gifted mobile devices may have covert software installed to spy, intercept traffic, monitor activities and more. Gifted devices may be compromised and used for malicious purposes. | Mitigate – To mitigate risks while travelling, MTD monitors the device’s interfaces for attacks and indicators of compromise (IOCs). If an attacker leverages one of those interfaces, such as Wi-Fi, Bluetooth, NFC, removable media, USB or otherwise, MTD will detect any resulting IOCs such as exploit code, file system changes, system library changes, abnormal processes, escalation of privileges, SELinux disabling, malware installation, or other related network signals such as command-and-control servers being interacted with. MTD will also proactively scan nearby networks to notify users of risky Wi-Fi danger zones, and scan networks for risks once joined. MTD will also detect active attacks, such as man-in-the-middle attacks, fake certificates, SSL/TLS downgrades, network changes, DNS changes, gateway changes, network recon scanning and other malicious network signals. MTD can further detect SIM card changes, cellular network changes, gateway changes, network handoffs and other related network signals. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. Further, Zimperium can invoke KNOX actions to disable the device’s Bluetooth interface, Bluetooth file sharing, NFC, Beam, Wi-Fi and Cellular. These are combined with KNOX DLP controls to restrict device-wide copy/paste, restrict SD card transfer, restrict screen capture and sanitise/wipe app data (on both internal storage and external SD card). |
ISM-1400 | Sep-23 | Personnel accessing OFFICIAL: Sensitive or PROTECTED systems or data using privately-owned mobile devices or desktop computers have enforced separation of work data from personal data. | Compromises that result in data leakage are more likely to occur on insecurely designed devices, devices that are not securely configured and hardened, and BYO devices that do not separate work and personal data. | Mitigate – Zimperium inspects devices, their networks, web traffic, installed applications and the overall security configuration state. To protect privacy without sacrificing security, security detection is performed on the device and events are reported without any PII. Additional controls exist to require end users to install Zimperium within the Work Profile, with Conditional Access invoked if the user does not comply. Compliant – With Samsung hardware, Samsung KNOX and use of the Samsung ACSC Hardening Guides, departments have an ASD-approved solution. This includes high assurance of work/personal data separation via Android Enterprise Work Profiles. Zimperium further provides attestation of the device, the operating system and compliance state. |
ISM-1482 | Sep-23 | Personnel accessing systems or data using an organisation-owned mobile device or desktop computer are either prohibited from using it for personal purposes or have enforced separation of work data from any personal data. | Compromises that result in data leakage are more likely to occur on insecurely designed devices, devices that are not securely configured and hardened, and devices that do not separate work and personal data. | Mitigate – Zimperium can deep-inspect Samsung devices, their networks, Web Traffic, installed applications and the overall security configuration state. If a device deviates from a secure state, detailed forensics and IOCs are reported to security. Compliant – With Samsung hardware, Samsung KNOX and use of the Samsung ACSC Hardening Guides, departments have an ASD-approved solution. This includes high assurance of work/personal data separation via Android Enterprise Work Profiles. Zimperium further provides attestation of the device, the operating system and compliance state. |
ISM-1298 | Oct-19 | Personnel are advised of privacy and security risks when traveling overseas with mobile devices. | While traveling overseas, users can encounter malicious Wi-Fi and cellular networks, state-backed interception of data/traffic, phishing or malicious sites, malware or privacy infringing apps and more. | Compliant – Zimperium provides in-app security features and admin controls to proactively warn people of mobile risks. These enable users to improve their own cyber hygiene, and reduce the risk of cyber attacks while traveling or at home. These tools allow people to check URLs before they click, vet apps before they install, and view in-app threat maps of risky networks around them before they join Wi-Fi. |
ISM-0240 | Dec-21 | Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data. | Sensitive Data could be shared or leaked on unapproved, 3rd party messaging apps or services. | Compliant – MTD Web Content Filtering can be leveraged to allow or block unapproved services and app traffic, by specific domain or category. With Samsung KNOX, apps can further be automatically disabled and uninstalled. |
ISM-0705 | Dec-21 | When accessing an organisation’s network via a VPN connection, split tunnelling is disabled. | Data can be exfiltrated from the corporate network via other untrusted network connections. | Mitigate – MTD Web Content Filtering and on-device Network Based Security intercept bad traffic and provide domain-level/URL DLP. Combined, the risk of data exfiltration can be mitigated. With Samsung KNOX, further DLP controls can be invoked to stop exfiltration from corporate networks and the device. These controls include disabling device interfaces, restricting device-wide copy/paste, restricting SD card transfer, and restricting screen capture. |
ISM-1085 | Dec-21 | Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure. | Unencrypted data can be intercepted by bad actors committing network-based attacks, resulting in a data leak. | Compliant – MTD can force-tunnel insecure traffic when on unsecured networks. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium for deeper inspection of device components, such as networking – allowing Zimperium to provide an even higher assurance assessment of the device’s network. |
ISM-0702 | Dec-21 | If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures. | N/A – Human processes must be developed by the department. | Contribute – In the event of an emergency (such as a critical attack event), MTD can automatically invoke emergency sanitisation (Enterprise Wipe via MDM). Admins can also invoke any other MDM action, directly from the MTD console. Compliant – With Samsung KNOX, Zimperium can automatically invoke sanitisation (wiping) of app data and SD card app data based on threats being detected. |
ISM-1554 | Dec-21 | If travelling overseas with mobile devices to high or extreme risk countries, personnel are: (1) issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities; (2) advised on how to apply and inspect tamper seals to key areas of mobile devices; (3) advised to avoid taking any personal mobile devices, especially if rooted or jailbroken. | Non-dedicated devices may lack sufficient security configuration, and have sensitive apps or data that should not reside on a device travelling to risky countries. There is a risk of devices being tampered with without it being immediately obvious to the user, resulting in spying, data exfiltration or other malicious behaviours. Personal devices, or rooted/jailbroken devices, can be more susceptible to compromise due to a lack of security configuration, having a vulnerable OS, running in a compromised state, or having exploitable apps. | Mitigate – Zimperium can evaluate and report on system configuration state, alerting on any security risks. It can also detect system tampering or abnormal activities, operating system exploitation, sideloaded and malicious apps, deviation from the device’s original build certification state and malicious connections to command-and-control (C&C) servers. Zimperium can further provide vulnerability management to understand the risk of vulnerable OSs, and determine if a device is jailbroken, rooted or compromised. These collectively allow security to continuously assess any device’s security state, streamlining the travel process and reducing the need for dedicated travel devices. In the event of a device being compromised, alerts are provided to both the user and security. Additionally, with Zimperium’s DeepScan forensic analysis capability, departments and organisations can mandate users to perform a “pre-travel scan” of their device to receive a high-assurance security assessment. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. |
ISM-1084 | Dec-21 | If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. | Devices carried or stored insecurely could be tampered with or compromised, resulting in spying, data exfiltration or other malicious behaviours. | Mitigate – Zimperium provides on-device security capabilities, which continue to operate without internet connectivity. It can detect system tampering or abnormal activities, operating system exploitation, sideloaded and malicious apps, deviation from the device’s original build certification state and malicious connections to command-and-control (C&C) servers. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium. These allow for deeper inspection of the device, processes, and networking – allowing Zimperium to provide an even higher assurance assessment of the device’s state. |
ISM-1145 | Dec-21 | Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices. | Sensitive information could be viewed or collected by unauthorised, or unintended persons nearby. | Staff must be trained to appropriately handle mobile devices in public, to reduce the likelihood of ‘shoulder surfing’ or data being visually compromised. |
ISM-0682 | Dec-21 | Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices. | Devices could be compromised via the Bluetooth protocol, unauthorised Bluetooth devices could harvest information, or data could be shared in an unauthorised manner. | Compliant – MTD can disable Bluetooth in settings. In addition, it can vet applications that leverage Bluetooth, and assess the risk of those apps. Limitations – If Bluetooth is not disabled, unauthorised sharing via AirDrop (iOS) or Bluetooth direct (Android) cannot be detected. With Samsung KNOX, the additional control to directly disable the device’s Bluetooth interface can be invoked. In addition, the Bluetooth file sharing, NFC and Beam device interfaces can be disabled. |
ISM-0864 | Dec-21 | Mobile devices prevent personnel from disabling or modifying security functionality once provisioned. | Users can disable security functionality, exposing the device to a higher risk of compromise or data exfiltration. | Mitigate – Zimperium detects when users have disabled security functionality (e.g. SELinux), or when the device has deviated from its original state (e.g. a system library change), and also detects whether a device has been exploited as a result of disabled security. |
ISM-0869 | Dec-21 | Mobile devices encrypt their internal storage and any removable media. | Data leakage via external storage. | Contribute – Zimperium can detect whether the internal device storage is encrypted and raise a threat if it is not. Through Conditional Access, users can be blocked from accessing corporate data until the device’s internal storage is fully encrypted. Mitigate – With Samsung KNOX, SD card transfer can be disabled to prevent leakage via insecure external storage. |
ISM-1366 | Dec-21 | Security updates are applied to mobile devices as soon as they become available. | Known vulnerabilities can be exploited on unpatched mobile devices. | Mitigate – While Zimperium does provide vulnerability management capabilities, security updates only address known vulnerabilities. MTD also detects unknown, zero-day exploits and risks regardless of whether a patch is available, and provides granular reporting on IOCs and risky events. |
ISM-0701 | Dec-22 | Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained. | N/A – Human processes must be developed by the department. | Contribute – In the event of an emergency (such as a critical attack event), MTD can automatically invoke emergency sanitisation (enterprise wipe via MDM). Admins can also invoke any other MDM action directly from the MTD console. Compliant – With Samsung KNOX, Zimperium can automatically invoke sanitisation (wiping) of app data and SD card app data when threats are detected. |
ISM-1082 | Dec-22 | A mobile device usage policy is developed, implemented and maintained. | Without defined mobile usage guidelines, users may not be aware of the risky behaviours they should avoid. | Contribute – If a device becomes too risky, or a user engages in unapproved behaviours, alerts can be sent to both the security team and the end user. |
ISM-1533 | Dec-22 | A mobile device management policy is developed, implemented and maintained. | Without an MDM policy, security teams may lack guidance on policy configuration and risk mitigation goals. Users may also lack guidance on appropriate usage. | Contribute – Mobile Device Management solutions are fundamental to the first stage (Level 1) of mobile risk management, by setting a baseline device configuration; in parallel, Zimperium ingests MDM device data to provide risk-based OS vulnerability management. Level 2: Zimperium extends a mobile security strategy by alerting when a device deviates from its configuration and when indicators of compromise are present (intrusion detection system, IDS). Level 3: Zimperium allows for the next stage of security maturity by providing the tools to stop and prevent breaches as they happen (intrusion prevention system, IPS), using multiple IPS techniques. Level 4: Zimperium provides extended application analysis capabilities to vet apps for security, privacy and malware indicators, informing the organisation which apps should be allowed or denied for use. Level 5: Finally, Zimperium provides device forensics capabilities to inspect, detect and investigate advanced attacks. |
ISM-1556 | Dec-22 | If returning from traveling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions: (1) Reset credentials used with mobile devices, including those used for remote access to their organisation’s systems. (2) Monitor accounts for any indicators of compromise, such as failed logon attempts. | The risk of rogue access points, malicious network attacks, malware and other attacks that could result in credential theft is elevated in certain high-risk countries. If credentials are successfully stolen, the organisation could be breached. | Mitigate – Zimperium can detect device compromise that could result in password theft. It also monitors traffic to block phishing or command-and-control sites that could harvest credentials. Additionally, with Zimperium’s DeepScan forensic analysis capability, departments and organisations can mandate that users perform a “post-travel scan” of their device to receive a high-assurance security assessment. With Samsung KNOX, additional system-level visibility permissions are provided to Zimperium, allowing deeper inspection of device aspects such as networking and an even higher-assurance assessment of the device’s network. |
ISM-1300 | Dec-22 | Upon returning from traveling overseas with mobile devices, personnel take the following actions: (1) Sanitise and reset mobile devices, including all removable media. (2) Decommission any credentials that left their possession during their travel. (3) Report if significant doubt exists as to the integrity of any mobile devices or removable media. | Devices that have travelled to foreign countries could have been compromised by malicious networks, physical tampering, malware or otherwise. Factory resetting, flashing or disposing of these devices can remove the risk of persistent attacks and data leakage. | Mitigate – MTD is always on, constantly evaluating the device using on-device security regardless of location and internet connectivity. It can detect system tampering or abnormal activities, operating system exploitation, sideloaded and malicious apps, deviation from the device’s original build certification state and malicious connections to command-and-control (C&C) servers. With Samsung KNOX, Zimperium can invoke KNOX actions to restrict external media (SD card) transfer and to sanitise/wipe app data on both internal storage and the external SD card. |
ISM-1886 | Dec-23 | Mobile devices are configured to operate in a supervised (or equivalent) mode. | Devices not in a supervised or equivalent mode cannot be hardened against known types of behaviours. | Mitigate – If a device is not in a supervised (or equivalent) mode, MTD still provides the same level of detection and prevention capabilities. This allows for the detection of advanced threats on non-supervised devices and the ability to block attacks via network filtering. MTD can also inform other systems, such as an MDM or a Conditional Access policy, to restrict access to sensitive data if the device has become risky. |
ISM-1887 | Dec-23 | Mobile devices are configured with remote locate and wipe functionality. | The ability to wipe a device provides an emergency sanitisation capability in the event the device is compromised or lost. | Contribute – MTD integrates with all major MDM platforms to continuously provide a compliance status update, informing the MDM when to take actions such as wipe, lock or quarantine. |
ISM-1888 | Dec-23 | Mobile devices are configured with secure lock screens. | Secure lock screens on iOS and Android devices enforce encryption and add protection against data exfiltration by a threat actor, who would need to exploit both the lock screen and the underlying system to bypass it. | Contribute – MTD alerts when a device does not have a secure lock screen or its lock screen has been disabled. |
ISM-1555 | Dec-23 | Before traveling overseas with mobile devices, personnel take the following actions: (1) Record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers. (2) Update all operating systems and applications. (3) Remove all non-essential data, applications and accounts. (4) Back up all remaining data, applications and settings. | Devices travelling to high-risk countries can be more easily compromised if they are not appropriately hardened (OS and app updates), configured (security configuration) and encrypted. In the event of compromise, any non-essential accounts, apps and data left on the device could also be exfiltrated. Without appropriate tracking, a lost device might not be recovered. Additionally, a breakdown in process could result in compromised devices returning from travel not being correctly processed (e.g. factory reset or destroyed). Finally, without a device backup before travel, any investigation of device compromise may be difficult or impossible, as before/after device backups cannot be compared for IOCs. | Mitigate – MTD proactively evaluates device compliance, including the OS and its CVEs, device encryption, installed apps and their CVEs, device security settings and other device risks. MTD provides web content filtering to detect connections to command-and-control (C&C) servers, malware sites, phishing and other suspicious sites, stopping exfiltration in the event of compromise. If events are detected, the geo-location is collected to assist with investigations. MTD also provides forensic data related to detected IOCs, linking the stages of multi-stage kill chains/attacks. |
ISM-0863 | Dec-23 | Mobile devices prevent personnel from installing non-approved applications once provisioned. | Non-approved applications can pose the risk of malware, spying, data exfiltration or compliance breaches. | Mitigate – MTD can assess each device’s inventory for any sideloaded, malicious, risky or non-approved apps. If any are detected, the device can be marked as risky and blocked from accessing corporate data (Conditional Access) until resolved. Compliant – With Samsung KNOX, non-approved applications are automatically uninstalled; alternatively, the MTD inventory assessment and Conditional Access block described above can be applied. |
ISM-0401 | Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development. | Poorly designed apps, resulting in insecure apps. | Compliant – Multiple zScan findings, in addition to zShield for code/resource hardening and zKeyBox for crypto. |
ISM-1780 | SecDevOps practices are used for application development. | Compliant – The Zimperium MAPS platform provides a set of tools to form the foundation for automated, frictionless and consistent SecDevOps. |
ISM-1238 | Threat modeling is used in support of application development. | Compliant – Zimperium zDefend and zScan provide both development-level and run-time findings, alignment to vulnerabilities/risks, and prioritisation of risk for threat modeling. |
ISM-1796 | Files containing executable content are digitally signed as part of application development. | Compliant – Zimperium zShield encrypts the application’s code and resources, then adds anti-tampering checks during the development of mobile apps. |
ISM-1798 | Secure configuration guidance is produced as part of application development. | Compliant – Zimperium zScan provides guidance on app security practices during the app’s development stage. |
ISM-1730 | A software bill of materials is produced and made available to consumers of software. | Compliant – Zimperium zScan provides developers with an output of the frameworks and components used in the development of mobile apps. |
ISM-0402 | Applications are comprehensively tested for vulnerabilities, using both static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases. | Compliant – Zimperium zScan uses both static and dynamic app security testing techniques. It also provides baseline interactive testing, with the ability to upload custom interactive testing values. |
ISM-1754 | Vulnerabilities identified in applications are resolved by software developers in a timely manner. | Contribute – Zimperium zScan provides full integration into CI/CD, in addition to ticketing and security tools like Jira. This allows for timely resolution of findings. |
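ISM-1556 above asks that, after travel to a high or extreme risk country, credentials are reset and the accounts are then monitored for indicators of compromise such as failed logon attempts. The following Python script is an added example written for this post; it is not Zimperium code and does not describe how MTD does this. It runs the post-travel monitoring step over a constructed set of syslog-style logon records for accounts whose holders have just returned. Beyond the failed-logon indicator the control names, it also flags a successful logon that follows a burst of failures and a successful logon from outside the home country, since both are common follow-on indicators once a stolen credential is used. All account names, IP addresses, country codes, timestamps and thresholds are constructed for the example.

```python
"""Post-travel account monitoring (ISM-1556 step 2), added example.

Not Zimperium code. Parses constructed logon records and reports, per
monitored account, indicators worth investigating after overseas travel.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, account, source IP, country.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z FAIL user=asmith src=203.0.113.7 geo=XX
2024-03-04T08:01:25Z FAIL user=asmith src=203.0.113.7 geo=XX
2024-03-04T08:01:41Z FAIL user=asmith src=203.0.113.7 geo=XX
2024-03-04T08:02:03Z FAIL user=asmith src=203.0.113.7 geo=XX
2024-03-04T08:02:19Z FAIL user=asmith src=203.0.113.7 geo=XX
2024-03-04T08:02:40Z OK   user=asmith src=203.0.113.7 geo=XX
2024-03-04T09:15:00Z OK   user=bjones src=198.51.100.4 geo=AU
2024-03-04T09:20:00Z FAIL user=bjones src=198.51.100.4 geo=AU
2024-03-04T09:25:00Z OK   user=bjones src=198.51.100.4 geo=AU
2024-03-04T11:00:00Z OK   user=cwu src=192.0.2.9 geo=XX
"""

# Constructed: accounts of returned travellers, keyed to the time their
# credentials were reset (ISM-1556 step 1). Only activity after the reset
# is relevant, because the old credential is dead from that point.
RETURNED_TRAVELLERS = {
    "asmith": datetime(2024, 3, 3, 17, 0),
    "bjones": datetime(2024, 3, 3, 17, 0),
    "cwu": datetime(2024, 3, 3, 17, 0),
}
HOME_GEO = "AU"                 # assumed home country for the organisation
FAIL_THRESHOLD = 5              # failures inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one 'ts RESULT key=value ...' record into a dict."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK", "user": kv["user"],
            "src": kv["src"], "geo": kv["geo"]}


def find_indicators(log_text, travellers, home_geo=HOME_GEO,
                    fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {account: [indicator descriptions]} for monitored accounts.

    Accounts with no indicators are omitted from the result.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_user = defaultdict(list)
    for e in events:
        reset_at = travellers.get(e["user"])
        if reset_at is not None and e["ts"] >= reset_at:
            by_user[e["user"]].append(e)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []  # timestamps of recent failures inside the sliding window
        for e in evs:
            if not e["ok"]:
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= window]
                if len(fails) == fail_threshold:   # report the burst once
                    findings[user].append(
                        f"{fail_threshold} failed logons within {window} "
                        f"ending {e['ts']:%H:%M} from {e['src']}")
                continue
            # Successful logon: was it preceded by a burst, or from abroad?
            if len(fails) >= fail_threshold:
                findings[user].append(
                    f"successful logon after {len(fails)} failures from {e['src']}")
            fails = []
            if e["geo"] != home_geo:
                findings[user].append(
                    f"successful logon from non-home geo {e['geo']} ({e['src']})")
    return dict(findings)


if __name__ == "__main__":
    for account, indicators in find_indicators(SAMPLE_LOG, RETURNED_TRAVELLERS).items():
        print(account)
        for ind in indicators:
            print("  -", ind)
```

On the constructed sample, `asmith` is reported three times (the failure burst, the success that follows it, and the foreign source), `cwu` once for the foreign logon, and `bjones` not at all, since a single failure followed by a success from the home country is normal user behaviour. In production the same logic would read the identity provider's sign-in log and the traveller list would come from the travel-register kept under ISM-1555.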
What about IRAP?
The Zimperium MTD platform has completed an IRAP assessment (assessed to PROTECTED). For details, reach out to the Zimperium Australia team via the Contact Us form.
Other ISM Resources
- Webinar recording here.
- Zimperium launches Australia’s first and only sovereign-hosted Mobile Threat Defence (MTD) capability here.
- Top-10 ISM Compliance for Mobile with Zimperium MTD here.
How Can Zimperium Help
Zimperium MTD closes the visibility gap on mobile, providing advanced detection capabilities beyond mobile device management (MDM) to identify and prevent mobile cyberattacks. Zimperium MTD enables organisations to better understand risk exposure and detect advanced exploits and attacks in a mobile-centric world. Powered by Zimperium’s On-Device Dynamic Engine, Zimperium MTD proactively:
- Analyses an organisation’s fleet of devices for misconfigurations (risk) and compromises
- Assesses all networks that personnel are connecting to
- Filters out unwanted or unapproved content categories and blocks phishing attacks from any vector (e.g., SMS, WhatsApp, Messenger), not just email
- Vets iOS and Android mobile apps for security, privacy, and malware
These capabilities allow for alignment to the ISM’s 40+ mobility security controls and for a structured risk-based approach to ACSC mobile compliance.
For more on this topic, read: Zimperium MTD ISM Compliance and IRAP PROTECTED Status