4.12
IG3

Separate Enterprise Workspaces on Mobile End-User Devices

Asset Type: Devices
Security Function: Protect

Description

Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Select hardening benchmark (CIS Benchmarks, DISA STIGs)
7. Create baseline configuration templates
8. Deploy configurations using automation tools
9. Schedule compliance scanning to detect drift
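As an added example (not part of the CIS page), a Python check that a team could run on the schedule called for in step 9: it parses an exported Apple configuration profile and reports drift from the managed open-in restrictions that keep enterprise data inside managed apps. The profile content is constructed for the example; the `allowOpenFromManagedToUnmanaged` and `allowOpenFromUnmanagedToManaged` keys are Apple's documented `com.apple.applicationaccess` restriction keys, and the baseline values are an assumed strict-separation policy.

```python
import plistlib
from typing import Dict, List

# Constructed sample: an exported Apple configuration profile whose Restrictions
# payload blocks managed-to-unmanaged sharing but still allows unmanaged-to-managed.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.workspace-separation</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions</string>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowOpenFromUnmanagedToManaged</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed approved baseline: both directions of managed/unmanaged open-in disabled,
# so enterprise data cannot flow into personal apps (and vice versa).
BASELINE: Dict[str, bool] = {
    "allowOpenFromManagedToUnmanaged": False,
    "allowOpenFromUnmanagedToManaged": False,
}


def check_profile(profile_bytes: bytes, baseline: Dict[str, bool] = BASELINE) -> List[str]:
    """Compare a profile export against the baseline; return drift findings (empty = compliant)."""
    profile = plistlib.loads(profile_bytes)
    findings: List[str] = []
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not restrictions:
        return ["no com.apple.applicationaccess payload: managed open-in restrictions are absent"]
    for payload in restrictions:
        for key, required in baseline.items():
            actual = payload.get(key)
            if actual is None:
                # Apple's default for these keys is permissive, so an unset key is drift.
                findings.append(f"{key} not set (defaults to permissive)")
            elif actual != required:
                findings.append(f"{key}={actual}, baseline requires {required}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["compliant"]:
        print(finding)
```

Point the script at the MDM's exported profiles in a scheduled job and feed the findings into the compliance evidence collected monthly under the table below.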

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Personal App Compromise Exposing Enterprise Data

Confidentiality

Malware or vulnerabilities in personal applications on a mobile device access enterprise data because no workspace separation exists between personal and business contexts.

Enterprise Data Leakage Through Personal Apps

Confidentiality

Users inadvertently share enterprise data through personal messaging, social media, or cloud apps because business and personal data are co-mingled on the same device without separation.

Vulnerabilities (When Safeguard Absent)

No Enterprise Workspace Separation on Mobile Devices

Without separate enterprise workspaces, business data and personal data share the same device context, allowing personal apps unrestricted access to enterprise information.

Inability to Selectively Wipe Enterprise Data

Without workspace separation, removing enterprise data from a device requires a full wipe, making it impractical to remove only business data when an employee departs.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Technical | Configuration compliance scan results against approved baseline | Scanned monthly
Document | Approved baseline configuration documentation | Reviewed quarterly
Document | Governing policy document (current, approved, communicated) | Reviewed annually