4.11 Enforce Remote Wipe Capability on Portable End-User Devices
Implementation Groups: IG2, IG3

Asset Type: Devices
Security Function: Protect

Description

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for lost or stolen devices, or when an individual no longer supports the enterprise.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Prolonged Data Exposure from Lost Enterprise Device

Confidentiality

A lost or stolen enterprise device containing sensitive data remains accessible indefinitely because the organization cannot remotely erase its contents.

Departing Employee Retains Enterprise Data

Confidentiality

When an employee leaves the organization, enterprise data on their portable device persists because there is no capability to remotely wipe the device before or after departure.

Vulnerabilities (When Safeguard Absent)

No Remote Wipe Capability for Enterprise Devices

Without remote wipe functionality, the organization has no mechanism to erase enterprise data from lost, stolen, or no-longer-authorized portable devices.

No MDM Enrollment for Portable Enterprise Assets

Portable devices lacking MDM enrollment cannot receive remote wipe commands, leaving data recovery dependent on physical retrieval of the device.
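The two vulnerabilities above reduce to a question the safeguard owner has to answer on a schedule: which enterprise-owned portable devices could not actually be wiped today? The following script is an added example, not part of the CIS page or any MDM vendor's tooling. It reconciles a constructed asset inventory against a constructed MDM export (both with hypothetical column names) and flags in-scope devices that are missing from the MDM, not enrolled, not covered by a remote-wipe policy, or stale. The staleness check reflects how remote wipe works in practice: the command is only executed when the device next checks in, so a device that has not contacted the MDM for weeks is not wipeable on demand. The 30-day threshold and the reference date are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real enterprise data): one row per asset.
ASSET_INVENTORY_CSV = """asset_id,serial,device_type,ownership,assigned_to
LT-001,SN1001,laptop,enterprise,alice
LT-002,SN1002,laptop,enterprise,bob
TB-003,SN1003,tablet,enterprise,carol
PH-004,SN1004,phone,personal,dave
DS-005,SN1005,desktop,enterprise,erin
PH-006,SN1006,phone,enterprise,frank
"""

# Constructed MDM export; the column names are hypothetical, not any vendor's schema.
MDM_EXPORT_CSV = """serial,enrollment_state,remote_wipe_enabled,last_checkin
SN1001,enrolled,true,2024-06-28
SN1003,enrolled,false,2024-06-29
SN1006,enrolled,true,2024-05-10
SN1005,enrolled,true,2024-06-30
"""

PORTABLE_TYPES = {"laptop", "tablet", "phone"}
# Assumed threshold: a wipe command is only delivered when the device checks in,
# so a device silent for longer than this cannot be wiped on demand.
MAX_CHECKIN_AGE_DAYS = 30
# Fixed reference date so the example is deterministic.
AS_OF = date(2024, 6, 30)


@dataclass(frozen=True)
class Finding:
    asset_id: str
    assigned_to: str
    reason: str


def load_rows(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def in_scope(asset):
    """Safeguard 4.11 covers enterprise-owned portable devices only."""
    return asset["ownership"] == "enterprise" and asset["device_type"] in PORTABLE_TYPES


def check_remote_wipe_coverage(inventory_rows, mdm_rows, as_of):
    """Return one Finding for every in-scope device that could not be wiped as of `as_of`."""
    mdm_by_serial = {r["serial"]: r for r in mdm_rows}
    findings = []
    for asset in inventory_rows:
        if not in_scope(asset):
            continue
        record = mdm_by_serial.get(asset["serial"])
        if record is None:
            reason = "not enrolled in MDM (no record for serial)"
        elif record["enrollment_state"] != "enrolled":
            reason = f"MDM enrollment state is {record['enrollment_state']!r}"
        elif record["remote_wipe_enabled"].strip().lower() != "true":
            reason = "remote wipe not enabled in MDM policy"
        else:
            age = (as_of - date.fromisoformat(record["last_checkin"])).days
            if age > MAX_CHECKIN_AGE_DAYS:
                reason = f"last MDM check-in {age} days ago; a wipe command would not be delivered"
            else:
                continue  # enrolled, wipe-enabled and recently seen: covered
        findings.append(Finding(asset["asset_id"], asset["assigned_to"], reason))
    return findings


def coverage_summary(inventory_rows, mdm_rows, as_of):
    """Counts suitable for the quarterly evidence record."""
    scoped = [a for a in inventory_rows if in_scope(a)]
    findings = check_remote_wipe_coverage(inventory_rows, mdm_rows, as_of)
    return {
        "in_scope": len(scoped),
        "uncovered": len(findings),
        "covered": len(scoped) - len(findings),
    }


if __name__ == "__main__":
    inventory = load_rows(ASSET_INVENTORY_CSV)
    mdm = load_rows(MDM_EXPORT_CSV)
    for f in check_remote_wipe_coverage(inventory, mdm, AS_OF):
        print(f"{f.asset_id} ({f.assigned_to}): {f.reason}")
    print(coverage_summary(inventory, mdm, AS_OF))
```

Run against real exports, the finding list is the work queue (enrol LT-002, fix the wipe policy on TB-003, chase PH-006) and the summary dict is the figure to attach to the quarterly technical evidence. Personal devices and desktops are deliberately left out of the denominator so the coverage number reflects the safeguard's actual scope.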

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
| --- | --- | --- |
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |