Check: WIR-MOS-AND-045-05
Android 2.2 (Dell) STIG: WIR-MOS-AND-045-05 (in version v1 r2)
Title
The results and mitigation actions from Mobile OS device integrity validation tool scans on site managed Mobile OS devices must be maintained by the site for at least 6 months (1 year recommended). (Cat II impact)
Discussion
Scan results must be maintained so that auditors can verify mitigation actions have been completed, so that a scan can be compared to a previous scan, and to determine whether there are any security vulnerability trends for site managed mobile OS devices.
Check Content
Detailed Policy Requirements:

Each site must maintain the results of scans on site managed Android devices as follows:
- The results of all Android device integrity validation tool scans will be maintained by either the site Android Administrator or IAO.
- The site IAM should designate the length of time a site maintains the results of individual scans (6 months required, at least 1 year is recommended). The most recent control or baseline scan should be maintained until an Android device is decommissioned.

Check Procedures:

Interview the IAO and Android Administrator. Verify the IAO or Android Administrator is saving records of scan results and mitigation actions for the length of time designated by the site IAM.

Select 4-5 site managed Android devices to review.
- For each device, have the Android device Administrator show scan logs for each device for the period of time designated by the IAM (at least 6 months).

Mark as a finding if the scan interval is not set as required.
Fix Text
Maintain the results and mitigation actions from Mobile OS device integrity validation tool scans on site managed Mobile OS devices for at least 6 months (1 year recommended).
Additional Identifiers
Rule ID: SV-39869r1_rule
Vulnerability ID: V-30249
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |