
What are the CIS benchmarks for iOS security?

Devices are only as secure as end users enable them to be. Here's how IT can use CIS benchmarks to enforce strong iOS security standards across an organization.

Apple iOS devices are generally regarded as more secure than Google Android devices, but that does not make them free of security risk.

Mobile devices can present significant security risks, especially as users store sensitive company data and perform work-related tasks on their personal devices.

Fortunately, resources such as the Center for Internet Security (CIS) benchmarks -- consensus configuration guides that help prevent unauthorized access to IT systems and limit the impact of attacks -- can help mitigate these risks for both corporate-owned and personal devices. IT can use the benchmarks as a checklist to secure iOS devices and roll out a baseline security configuration.

All about CIS

The CIS benchmarks are written and continually updated by a community of IT security professionals so that the recommendations stay relevant to current OS versions and threats. Each recommendation is either scored or not scored. An organization's overall result is expressed as a score from 0% to 100%: compliance with a scored recommendation raises the score and noncompliance lowers it, while not-scored recommendations are advisory and do not affect the score either way.

CIS groups its recommendations into two profile levels. Level 1 recommendations form a baseline that IT admins can implement quickly with little or no effect on device usability or performance. Level 2 recommendations are intended for environments where security is a high priority; they are harder to implement and may reduce functionality or user productivity, so a misapplied Level 2 setting can lock users out of things they need. Test them before rolling them out broadly.

The iOS benchmark covers settings for system functionality, applications, passcodes, notifications, domains, virtual private networks and email. Each recommendation typically includes profile applicability, which states the level and whether it applies to institutionally owned (COPE) or end-user-owned (BYOD) devices; a description of the setting; a rationale that explains the security consequence of leaving it unset; an audit section that describes how to verify the current setting on the device or in a configuration profile; and a remediation section that describes how to change it.

CIS benchmarks for iOS security

CIS recommends that Siri be unavailable while the device is locked. The rationale is that anyone holding a locked device can otherwise use Siri to read or send information beyond the lock screen, such as contacts and messages, without knowing the passcode. The audit and remediation steps describe how to check and change the setting both in the device's Settings app and through a configuration profile.

CIS also recommends that IT require encrypted backups, enable automatic updates and turn on Find My iPhone. IT should disable access to Control Center and Notification Center from the lock screen, and disable screenshots and screen recording.

CIS also recommends enforcing the following iOS settings:

  • Set Safari's cookie acceptance to "From current website only" (tighter than the "From websites I visit" setting).
  • Set auto-lock to two minutes or less.
  • Set the passcode grace period (how long a device can be unlocked without a passcode after it locks) to "Immediately."
  • Set the maximum number of failed passcode attempts to six.
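The Siri, lock-screen, backup and passcode recommendations above correspond to keys in an Apple configuration profile, which is how an MDM enforces them instead of trusting each user to set them. The script below is an added example, not code from the original article or from CIS. It audits a profile against the values listed above, reports what fails (a key that is missing fails too, since an unenforced setting is left to the user), and writes a remediated .mobileconfig. The payload keys are Apple's documented restriction and passcode-policy keys; the `com.example.mdm` identifiers, the UUIDs and the weak sample profile are constructed placeholders. Automatic updates and Find My iPhone are not covered here.

```python
"""Audit an iOS configuration profile against CIS-style settings and
emit a remediated .mobileconfig.  Added example; identifiers and UUIDs
are placeholders, and the weak profile below is constructed."""
import copy
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"           # restrictions payload
PASSCODE = "com.apple.mobiledevice.passwordpolicy"     # passcode policy payload

# (payload type, key, passes?, value to set on remediation, requirement)
CIS_CHECKS = [
    (RESTRICTIONS, "allowAssistantWhileLocked", lambda v: v is False, False,
     "Siri unavailable while the device is locked"),
    (RESTRICTIONS, "allowLockScreenControlCenter", lambda v: v is False, False,
     "no Control Center on the lock screen"),
    (RESTRICTIONS, "allowLockScreenNotificationsView", lambda v: v is False, False,
     "no Notification Center on the lock screen"),
    (RESTRICTIONS, "allowScreenShot", lambda v: v is False, False,
     "screenshots and screen recording disabled"),
    (RESTRICTIONS, "forceEncryptedBackup", lambda v: v is True, True,
     "encrypted backups required"),
    # safariAcceptCookies: 0 never, 1 current website only, 1.5 websites I visit, 2 always
    (RESTRICTIONS, "safariAcceptCookies", lambda v: v == 1, 1.0,
     "cookies from current website only"),
    (PASSCODE, "maxInactivity", lambda v: v <= 2, 2,
     "auto-lock after two minutes or less"),
    (PASSCODE, "maxGracePeriod", lambda v: v == 0, 0,
     "passcode required immediately after locking"),
    (PASSCODE, "maxFailedAttempts", lambda v: v <= 6, 6,
     "at most six failed passcode attempts"),
]


def find_payload(profile, payload_type):
    """Return the first payload of the given PayloadType, or None."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == payload_type:
            return payload
    return None


def audit(profile):
    """Return failing checks as (key, found value, requirement); missing keys fail."""
    failures = []
    for ptype, key, passes, _, requirement in CIS_CHECKS:
        value = (find_payload(profile, ptype) or {}).get(key)
        if value is None or not passes(value):
            failures.append((key, value, requirement))
    return failures


def remediate(profile, org_id="com.example.mdm"):
    """Return a copy of the profile with every failing setting forced to the CIS value.
    org_id is a placeholder reverse-DNS prefix used for new PayloadIdentifiers."""
    fixed = copy.deepcopy(profile)
    fixed.setdefault("PayloadContent", [])
    for ptype, key, passes, wanted, _ in CIS_CHECKS:
        payload = find_payload(fixed, ptype)
        if payload is None:                      # payload absent: create it
            payload = {"PayloadType": ptype, "PayloadIdentifier": f"{org_id}.{ptype}",
                       "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1}
            fixed["PayloadContent"].append(payload)
        value = payload.get(key)
        if value is None or not passes(value):
            payload[key] = wanted
    return fixed


def to_mobileconfig(profile):
    """Serialise to the XML plist an MDM delivers as a .mobileconfig."""
    return plistlib.dumps(profile, sort_keys=True)


def from_mobileconfig(data):
    """Parse a .mobileconfig (XML plist bytes) back into a dict."""
    return plistlib.loads(data)


# Constructed sample: a profile as a lax MDM template might ship it.
WEAK_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "iOS baseline (example)",
    "PayloadIdentifier": "com.example.mdm.ios-baseline",      # placeholder
    "PayloadUUID": "2f6c4c1e-0000-4000-8000-000000000001",      # placeholder
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS, "PayloadIdentifier": "com.example.mdm.restrictions",
         "PayloadUUID": "2f6c4c1e-0000-4000-8000-000000000002", "PayloadVersion": 1,
         "allowAssistantWhileLocked": True,       # Siri answers from the lock screen
         "allowScreenShot": False,                # the one setting already compliant
         "safariAcceptCookies": 2.0},             # 2 = always accept cookies
        {"PayloadType": PASSCODE, "PayloadIdentifier": "com.example.mdm.passcode",
         "PayloadUUID": "2f6c4c1e-0000-4000-8000-000000000003", "PayloadVersion": 1,
         "maxInactivity": 5,                      # minutes before auto-lock
         "maxGracePeriod": 15,                    # minutes unlocked without passcode
         "maxFailedAttempts": 10},
    ],
}

if __name__ == "__main__":
    for key, value, requirement in audit(WEAK_PROFILE):
        print(f"FAIL {key}={value!r}: {requirement}")
    hardened = remediate(WEAK_PROFILE)
    print(to_mobileconfig(hardened).decode())
```

Run as written, the audit reports eight of the nine settings as failing on the sample profile and the remediated profile passes cleanly. In practice, feed `from_mobileconfig()` a profile exported from your MDM, review the failures against the Level 1/Level 2 applicability for your device population, and sign the remediated profile before distributing it.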
