IG2 IG3

Enforce Remote Wipe Capability on Portable End>User Devices

Control Group: 4. Secure Configuration of Enterprise Assets and Software

Asset Type: Devices

Security Function: Protect

Description

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.

Implementation Checklist

1

Assess current protection controls in place

2

Configure and deploy required security controls

3

Test control effectiveness in non-production environment

4

Deploy to production and verify functionality

5

Document configuration and operational procedures

Tool Recommendations

Palo Alto Networks NGFW Gartner MQ Leader, Network Firewalls 2024

Next-generation firewall platform with application-aware policies, threat prevention, URL filtering, and SD-WAN

Palo Alto Networks · Appliance + subscription

Fortinet FortiGate Gartner MQ Leader, Network Firewalls 2024

Enterprise firewall and security fabric with NGFW, SD-WAN, IPS, and integrated security services

Fortinet · Appliance + subscription

Cisco Secure Firewall Gartner MQ Leader, Network Firewalls 2024

Enterprise firewall with application visibility, IPS, malware defense, and encrypted traffic analytics

Cisco · Appliance + subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Prolonged Data Exposure from Lost Enterprise Device

Confidentiality

A lost or stolen enterprise device containing sensitive data remains accessible indefinitely because the organization cannot remotely erase its contents.

Departing Employee Retains Enterprise Data

Confidentiality

When an employee leaves the organization, enterprise data on their portable device persists because there is no capability to remotely wipe the device before or after departure.

Vulnerabilities (When Safeguard Absent)

No Remote Wipe Capability for Enterprise Devices

Without remote wipe functionality, the organization has no mechanism to erase enterprise data from lost, stolen, or no-longer-authorized portable devices.

No MDM Enrollment for Portable Enterprise Assets

Portable devices lacking MDM enrollment cannot receive remote wipe commands, leaving data recovery dependent on physical retrieval of the device.

Evidence Requirements

Type	Evidence Item	Collection Frequency
Technical	Configuration screenshots or exports showing protection controls enabled	Captured quarterly
Document	Procedure documentation for protection measures	Reviewed annually
Document	Governing policy document (current, approved, communicated)	Reviewed annually

Related Safeguards in Control 4

4.1 Establish and Maintain a Secure Configuration Process

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

4.3 Configure Automatic Session Locking on Enterprise Assets

4.4 Implement and Manage a Firewall on Servers

4.5 Implement and Manage a Firewall on End>User Devices

4.6 Securely Manage Enterprise Assets and Software

4.7 Manage Default Accounts on Enterprise Assets and Software

4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

4.9 Configure Trusted DNS Servers on Enterprise Assets

4.10 Enforce Automatic Device Lockout on Portable End>User Devices

4.12 Separate Enterprise Workspaces on Mobile End>User Devices