As security threats and mobile devices evolve, IT departments and organizations constantly need to audit their mobile security needs and internal policies. Depending on the size of the company, as well as the number of corporate devices and enterprise apps in use, this might seem somewhat daunting.

However, security risk assessments can be broken down into three key stages to streamline the process. Overall, IT managers should be aware of important or sensitive data, current and future risks, and how they’re going to mitigate threats.

With these questions in mind, organizations can develop an enterprise mobility infrastructure that will actively address device security and establish successful long-term security measures. Here’s what each stage should involve:

1. What Are the Important Data?

The first question to answer when conducting a security risk assessment is: What are the assets the company is concerned with? This may include financial, legal or operational data.

The biggest mistake IT managers make at this stage is failing to engage the executive team. Running around gathering network maps, system inventories and devices may seem like a useful place to start, but this type of assessment is incredibly time-consuming and may not be necessary. The organization’s executive team can tell IT what their assets are, how important they are and what the costs of loss or disclosure might be.

Sometimes, this is called “determining the risk appetite,” meaning that each important asset has different consequences if security is breached. It will also outline which of these consequences are acceptable to the organization and which are not.

In including mobile technology as part of the overall security policy, now is the time to observe how company data will appear on mobile devices. If the most important information assets of an organization are invisible to most staff, then measures will be very different from an environment where everything important is available with a few taps on a smartphone screen.

Executives and admins should consider: How accessible are the devices? Which mobile devices have access to data? What types of roles need access to certain information?

These questions will help outline a basic structure for types of security measures that IT can implement.

2. What Are the Risks to Company Assets?

Here, the assessment must look at vulnerabilities and threats specific to the mobile devices employees are using. Common examples include device loss or failure, shoulder surfing, intercepted or interrupted communications and malware.

As threats and vulnerabilities are identified, they should be matched up with impact and likelihood ratings that estimate how much impact would occur if a vulnerability were exploited or a threat was realized, as well as how likely it is that this would occur: Once a day? Once a year? A decade?

The end result at this stage is an ordered list, with highest impact and most common vulnerabilities and threats first, going down to lowest impact and least likely.

3. How Will IT Mitigate Risks?

The last stage is simple: Go down the aggregated list of risks, from the top, and outline how IT plans to mitigate each of these, or whether it is acceptable to the organization. Most mitigations will take the form of controls. These are something admins do to mitigate a risk, such as installing anti-malware software or reviewing logs.

For mobile devices, mitigations will likely include both “soft” and “hard” mitigations. An example of a soft mitigation is a BYOD policy or user education program. Hard mitigations are actual changes to the environment, such as installation of particular policies from the mobile device management (MDM) or enterprise mobility management (EMM) tool.

IT managers trying to identify mitigations as part of a mobile security risk assessment should spend considerable time looking at the capabilities of their chosen MDM or EMM tool because this is a primary security control point.

If admins are unable to actually enforce a risk or mitigation within an MDM or EMM software, identifying it is a waste of time. This process can also justify upgrading to a better management tool, or a more secure smartphone platform.

In any case, the risk assessment must have reasonable controls, and IT managers must be pragmatic in balancing what can be done against what must be done. If there is too large a gap, it’s important to communicate that information, so that executive stakeholders know about unmitigated risks and can take action.

Overall, mobile security assessments should include a holistic view of the organization’s data and devices, input from upper-level executives and realistic goals for mitigation. By implementing this multi-layered approach, IT departments can ensure long-term security.

Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.