Improve Mobile Device Security for Employees

Best Recommendation for Corporate Mobile Device Password Settings


Question

An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings.

Which of the following would be the BEST recommendation?

Answers

Explanations


A. B. C. D.

D.

For an IS auditor, varying levels of password settings on corporate mobile devices used by employees are a concern, because they may create security vulnerabilities that unauthorized individuals could exploit to gain access to sensitive corporate data. A recommendation is therefore needed to address this issue.

Option A, updating the acceptable use policy for mobile devices, may not necessarily solve the problem since employees may not be aware of the changes made, or they may choose to ignore it. Furthermore, even if they read and acknowledge the policy, they may still choose to use weak passwords, which would make the policy ineffective.

Option B, notifying employees to set passwords to a specified length, may be helpful in ensuring that employees use strong passwords. However, it would not address other password-related issues such as password expiration or complexity requirements.

Option C, encrypting data between the corporate gateway and devices, would not necessarily solve the password-related issue, but it would provide an additional layer of security by protecting the data in transit from unauthorized access.

Option D, applying a security policy to the mobile devices, would be the best recommendation. This policy would establish rules and requirements for passwords, such as length, complexity, and expiration. It would also provide guidance on other security-related issues, such as the use of biometrics, the prohibition of password sharing, and the need for regular password changes. This policy would ensure that all employees adhere to the same password standards and reduce the risk of security breaches resulting from weak passwords.

In conclusion, the BEST recommendation for an IS auditor who finds that corporate mobile devices used by employees have varying levels of password settings is to apply a security policy to the mobile devices.