Modern compliance programs often have a mix of SaaS services and physical devices (laptops, phones) that need to be protected.
Comply comes with a baseline set of security policies and controls to get you started quickly. Many midsize companies may not have any physical data processing on site, anywhere, so Comply's baseline policies recommend you use Mobile Device Management software (which controls logical risks) to mitigate physical risks (like a laptop or phone being lost or stolen).
Logical risks are addressed in the Identity and Access Management domain for company employees, and in the Vendor Management domain for outsourced services and cloud vendors. Common risks here are weak passwords that are chosen and easily guessed, users granted too high a permission level, giving them access to data not needed to complete their role, and employee access that is not removed during the onboarding process. Procedures in Aptible Comply will help you automate triggers and reminders to check that these critical controls are functioning as expected. Reviewing third-party attestation and certification reports from cloud service providers will help you understand whether they are adequately addressing these logical risks.
Physical risks are addressed in the Physical and Environmental Security and Mobile Device Security domains for company-owned assets, and in the Vendor Management domain for outsourced services. For company-owned and managed assets these controls include securing who enters company spaces, how employees handle their mobile phones and laptops, and how physical servers are protected if that is in scope for your company. Reviewing third-party attestation and certification reports from cloud service providers will help you understand whether they are adequately addressing physical risks surrounding access to the servers hosting sensitive information. Another way to think about this: the Mobile Device Security domain pertains to enforcing internal security requirements for mobile devices (e.g., laptops, tablets, phones), whereas the Physical and Environmental Security domain pertains mainly (but not exclusively) to enforcing external security requirements for those devices. Data can ultimately be processed on all of these devices, so it is important to consider what data can and should be processed on a given device based on its geographic location and the nature of the data being processed.
A security configuration like Multi-Factor Authentication (MFA) helps at the intersection of logical and physical risks: if someone loses their device, a malicious actor will not be able to logically access critical systems protected by this additional control, even if passwords are stored on the device. Please see our Security Management Guide for additional resources.