Protecting Sensitive Data on BYOD Devices: Best Technical Controls for CASP+ Exam | CompTIA CAS-003

Best Technical Controls for Protecting Sensitive Data on BYOD Devices

Question

An organization enables BYOD but wants to allow users to access the corporate email, calendar, and contacts from their devices.

The data associated with the user's accounts is sensitive, and therefore, the organization wants to comply with the following requirements:

- Active full-device encryption
- Enabled remote-device wipe
- Blocking unsigned applications
- Containerization of email, calendar, and contacts

Which of the following technical controls would BEST protect the data from attack or loss and meet the above requirements?

Answers

Explanations


A. B. C. D.

D.

The best technical controls to protect sensitive data accessed from employee-owned devices while meeting the stated requirements are device encryption, remote wipe, blocking unsigned applications, and containerization of email, calendar, and contacts.

Option A, requiring frequent password changes and disabling network file sharing, does not address the specific requirements outlined by the organization. Frequent password changes can cause users to select weak passwords or write them down, which can increase the risk of unauthorized access. Disabling network file sharing is also unlikely to provide any significant protection for sensitive data accessed from mobile devices.

Option B, enforcing device encryption and activating mobile application management (MAM), is a reasonable approach to meet the requirements. Full-device encryption provides an additional layer of protection to the data stored on the device, and MAM can provide a secure container for email, calendar, and contacts data. MAM can help to prevent data leakage, as well as control and manage corporate applications on employee-owned devices.

Option C, installing a mobile antivirus application, is a useful tool for preventing malware infections on employee-owned devices. However, it does not address all of the requirements stated in the question, such as the need for remote wipe or containerization of sensitive data.

Option D, configuring and monitoring devices with mobile device management (MDM), is a good approach to ensure compliance with organizational policies and enforce security controls. MDM can be used to enforce password policies, encrypt devices, enforce application blacklisting, and remotely wipe devices that are lost or stolen. MDM can also provide detailed visibility into device and application usage, helping the organization to identify potential security threats.

In summary, option B (enforcing device encryption and activating MAM) and option D (configuring and monitoring devices with MDM) are both reasonable approaches to protect sensitive data accessed from employee-owned devices. However, option D may be the better option since it covers a broader range of security controls and can provide more comprehensive visibility into device usage.