Old model
˃ Protect everything in my office network with physical and logical controls over access
˃ Then we added laptops and pushed the network out of the office using VPNs
˃ That doesn’t work any more with phones and tablets, especially when they are owned by the employee
Framework – benefits
˃ Flexible – audit all at once or in parts
˃ Adaptable – scope it how you want it
˃ Inclusive – make use of other standards/frameworks (e.g., COBIT, ISO 27002, NIST)
˃ ISACA’s Bring Your Own Device (BYOD) Security Audit/Assurance Program
Mobile device framework
[Diagram: the four framework areas – Data, Websites & Apps, Devices, People]
Mobile device framework
˃ Data
˃ Websites & apps
˃ Devices
˃ People
Mobile device framework – data
˃ Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements.
˃ Examples:
˃ Messages (e.g., emails, text messages, instant messages)
˃ Voice
˃ Pictures
˃ Files (e.g., attachments)
˃ Hidden (e.g., GPS)
Building the framework – data types
[Diagram: DATA column (multiple data types) alongside WEB & APPS, DEVICES, PEOPLE]
© Baker Tilly Virchow Krause, LLP
Mobile device framework – data
˃ Classification tiers
˃ Data owners/stewards
˃ Data inventory
Mobile device framework – data – audit considerations
˃ Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data.
˃ Review the data classification security policy to ensure specificity to the various types of data, based on sensitivity.
˃ Use/create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward.
Mobile device framework – data – audit considerations
˃ Determine if authentication and security requirements or restrictions are or should be established for each data type
˃ Determine if “Legal Hold” requirements are documented and align with data classification and then mobile device security
Building the framework – data: classification
[Diagram: DATA column with classification tiers Internal Use, Public]
Data – audit considerations from ISACA’s work program
˃ 8.1.2 Data Access
˃ 8.1.4 Encryption and Data Protection
Mobile device framework – websites & apps
˃ Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.
Mobile device framework – websites & apps examples
Types | Business | Personal
Websites/portals | Outlook web access; Business intranet | Yahoo; ESPN
Cloud services | Google services; Salesforce.com; Microsoft Office 365 | Gmail; Flickr; Facebook
App stores | Apple app store; Google marketplace; Amazon app store; Custom corporate stores | Apple app store; Google marketplace; Amazon app store
Custom built apps & sites | Business specific | Entertainment; Hacking/malicious
Virtual desktop environments/remote desktop tools | Citrix; VMware; GoToMyPC; VNC |
Building the framework – web & apps
[Diagram: DATA column with classification tiers Internal Use, Public; WEB & APPS column added]
Mobile device framework – web/apps – audit considerations
˃ Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data.
˃ Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions).
Building the framework – web & apps
[Diagram: classification tiers Confidential, Restricted, Internal Use, Public mapped across DATA and WEB & APPS]
Web/App – audit considerations from ISACA’s work program
˃ 8.1.6 Malware Protection
˃ 9.1.3 Secure Software Distribution
Mobile device framework – devices
˃ Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.
Mobile device framework – devices
˃ Managed vs. unmanaged
˃ Business vs. employee owned
Mobile device framework – devices
˃ Encryption
˃ Data transfers (e.g., sending and syncing)
˃ Logical security (e.g., linkage to HR, passwords, access management)
˃ Physical security
˃ Network architecture (e.g., configuration, monitoring)
˃ Mobile device management (***more later)
Mobile device framework – devices – audit considerations
˃ Determine the types of mobile devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data.
˃ Ensure that both organization managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls.
Building the framework – devices
[Diagram: classification tiers Confidential, Restricted, Internal Use, Public mapped across DATA, WEB & APPS and DEVICES]
Device – audit considerations from ISACA’s work program
˃ 8.1.1 Device Access Restrictions
˃ 8.1.3 Explicit Permission to Wipe Data
˃ 8.1.4 Encryption and Data Protection
˃ 8.1.5 Remote Access
˃ 8.2.1 Network Access
Device – audit considerations from ISACA’s work program
˃ 9.1.1 Mobile Device Management (MDM) is Deployed
˃ 9.1.2 Central Management of BYOD Devices
˃ 9.1.4 Monitoring of BYOD Usage
˃ 9.1.5 Interfaces to Other Systems
˃ 9.1.6 Remote Management
Mobile device framework – people
˃ People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and trainings on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.
Mobile device framework – people
˃ Risk assessment
˃ Policies, procedures, standards
˃ Training and awareness programs with acknowledged roles and responsibilities
˃ Monitoring
Mobile device framework – people – audit considerations
˃ Determine if an overarching mobile device security policy exists.
˃ Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices.
˃ Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data.
Mobile device framework – people – audit considerations
˃ Advise departments on creating supplementary mobile device security practices as needed.
˃ Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information.
˃ Are employees OK with you wiping their device?
˃ What happens to personal data on the device?
Mobile device framework – people – audit considerations
˃ Labor laws (Exempt vs. Non-exempt, union)
˃ Employment contracts
˃ OSHA
˃ Tax laws (reimbursements for devices, services)
˃ Export control laws (travel)
˃ Record management laws
˃ Fair Credit Reporting Act
˃ Local jurisdiction laws (of employee’s residence)
Mobile device framework – people – employee agreement
˃ Eligibility
˃ Applicable company policies
˃ Data storage and backup
˃ Data and device management
˃ Legal hold notice
˃ Hardware support (theft, loss, damage)
˃ Software support
˃ Travel and physical security
Mobile device framework – people – employee training
˃ Define BYOD/MDM for your organization
˃ Onboarding device process
˃ Roles/responsibilities
˃ Expense reimbursements/stipends
˃ Security policies
˃ Data ownership policies
˃ Practical app use with organization data
˃ Tech support
From Techrepublic.com
Building the framework – people
[Diagram: Practices layer over classification tiers Confidential, Restricted, Internal Use, Public, spanning DATA, WEB & APPS, DEVICES and PEOPLE]
People – audit considerations from ISACA’s work program
˃ 2.1.1 BYOD Initial Risk Assessment
˃ 2.1.2 BYOD Ongoing Risk Assessment
˃ 3.1.1 Employee BYOD Agreement
˃ 3.1.2 Mobile Acceptable Use Policy (MAUP)
˃ 3.1.3 Human Resources (HR) Support for BYOD
˃ 3.1.4 Contractors
˃ 3.2.1 Exemptions from BYOD policies
People – audit considerations from ISACA’s work program
˃ 4.1.1 Legal Involvement in BYOD Policies and Procedures
˃ 4.1.2 Legal Hold
˃ 5.1.1 Help Desk
˃ 6.1.1 Policy Approval
˃ 6.1.2 Monitoring BYOD Execution
˃ 7.1.1 Initial Training
˃ 7.1.2 Security and Awareness Training
What is mobile device management?
˃ Process for managing mobile devices, including policies, procedures, training, and systems; and
˃ Industry term for software tools used to centrally administer mobile devices, specifically for security purposes
Types of mobile device management processes (Gartner)
˃ Control-oriented
˃ Choice-oriented
˃ Innovation-oriented
˃ Hands-off
What do MDM tools do? (Gartner)
˃ Software management
˃ Network service management
˃ Hardware management
˃ Security management
**Focus of these tools is phones and tablets; some support laptops, but other device types are not typically supported
MDM tools market (Gartner)
˃ MDM tools market estimated $784 million market
˃ About 128 or more firms in the market
˃ MDM tools projected to be $1.6-billion market by 2014
˃ Market penetration estimated at less than 30 percent
MDM tools prices (Gartner)
˃ Three years ago = $60 to $150 per device
˃ Today = under $30 per device
˃ Traditional endpoint protection = $10 to $15 per seat
Mobile device management and the framework
˃ Cuts across all four parts of the framework
˃ Data – some ability to restrict access
˃ Websites & apps – blacklisting, whitelisting, deployment
˃ Devices – implement system controls
˃ People – use of MDM must align with policies (especially HR and legal areas)
Key features of MDM tools
˃ Centralize device management through policy and configuration management
˃ Control both corporate owned and personally owned devices
˃ SaaS and on-premises delivery models
Key features of MDM tools
˃ Still require thorough testing:
˃ Connectivity
˃ Protection
˃ Authentication
˃ Application functionality
˃ Logging
˃ Performance management
Two main flavors of MDM tools
˃ Messaging server based (e.g., Microsoft Exchange)
˃ Limited control enforcement
˃ Limited support for devices
˃ Third party provided (e.g., Airwatch, Mobileiron, Good)
˃ Additional costs and licenses required
˃ Another application to support and manage
When would you use MDM?
˃ BYOD
˃ Data encryption
˃ Multiple device operating systems
˃ Security breach impact
˃ Existing end point tools don’t work for mobile devices
MDM – audit considerations from ISACA’s work program (9.1.2)
˃ A secure portal for BYOD users to enroll and provision their devices
˃ Centralized security policy enforcement
˃ Remotely lock and wipe data and installed apps
˃ Inventory devices, operating systems (OSs), patch levels, organization and third-party apps, and revision levels
˃ Distribution whitelists and blacklists
MDM – audit considerations from ISACA’s work program
˃ Permission-based access controls for access to the organization’s networks and data
˃ Selective wipe and privacy policies for organization apps and data, i.e., sandboxing
˃ Distribution and management of digital certificates (to encrypt and digitally sign emails and sensitive documents)
˃ Role-based access groups with fine-grained access control policies and enforcement
˃ Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes
MDM – audit considerations from ISACA’s work program
˃ Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an automatic OS update may cause critical apps to fail
˃ Secure logs and audit trails of all sensitive BYOD activities
˃ Capability to locate and map lost phones for recovery
˃ Backup and restore BYOD device data
˃ Remove or install profiles based on geographic location, to ensure compliance with relevant foreign legislation, e.g., data privacy and security
MDM – audit considerations from ISACA’s work program
˃ When BYOD devices attempt to connect to the organization’s networks, the MDM system automatically checks:
˃ Patch levels for OSs and apps
˃ Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc.
˃ Device is not jailbroken (Apple) or rooted (Android)
˃ Presence of unapproved devices (if any)
˃ Presence of blacklisted apps
˃ If any of the above login checks fail, the MDM can automatically update the device concerned (e.g., patch levels) or disallow access.
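The connect-time checks above, as an added illustration of how an auditor could model the expected MDM decision logic (example code written for this deck, not ISACA's or any MDM vendor's code; the policy values, the Device record shape and the split between "deny" and "remediate" outcomes are assumptions):

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy (assumed values, not from the slides): minimum
# patch level per platform, required security software, banned app IDs.
POLICY = {
    "min_patch": {"ios": "16.4", "android": "2023-05"},
    "required_security": {"antivirus", "firewall", "full_disk_encryption"},
    "blacklisted_apps": {"com.example.rogue-vpn"},
}

@dataclass
class Device:
    """Inventory record as an MDM would hold it (constructed shape)."""
    device_id: str
    platform: str
    patch_level: str
    jailbroken: bool          # jailbroken (Apple) or rooted (Android)
    enrolled: bool            # False = device not approved/enrolled
    active_security: set = field(default_factory=set)
    apps: set = field(default_factory=set)

def _ver(s):
    # "16.4" -> (16, 4); "2023-05" -> (2023, 5): tuple compare handles both
    return tuple(int(p) for p in re.findall(r"\d+", s))

def evaluate(device, policy):
    """Run the connect-time checks from the slide and return
    (decision, failures). Assumption: jailbreak/root, unenrolled and
    unsupported devices are denied; patch, security-software and app
    findings are remediable over the air, so they yield 'remediate'."""
    hard, soft = [], []
    if not device.enrolled:
        hard.append("unapproved device")
    if device.jailbroken:
        hard.append("jailbroken/rooted")
    minimum = policy["min_patch"].get(device.platform)
    if minimum is None:
        hard.append(f"unsupported platform: {device.platform}")
    elif _ver(device.patch_level) < _ver(minimum):
        soft.append(f"patch level {device.patch_level} below {minimum}")
    missing = policy["required_security"] - device.active_security
    if missing:
        soft.append("inactive security software: " + ", ".join(sorted(missing)))
    banned = device.apps & policy["blacklisted_apps"]
    if banned:
        soft.append("blacklisted apps: " + ", ".join(sorted(banned)))
    if hard:
        return "deny", hard + soft
    return ("remediate", soft) if soft else ("allow", [])
```

Running the evaluator against the MDM's actual inventory export and comparing its verdicts with the access the MDM granted is one way to test that the enforcement described in 9.1.2 behaves as documented.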
MDM – audit considerations from ISACA’s work program
˃ Don’t forget to secure the MDM system itself
˃ 9.2.1 MDM Application Security
Building the framework – complete
[Diagram: completed framework with classification tiers Internal Use, Public across all four areas]
Major security concerns (NIST) – mapped to framework area
Security Concern | Data | Websites & Apps | Devices | People
Physical security controls | X X
Untrusted mobile devices | X X
Untrusted networks | X X
Untrusted apps | X X X
Interaction with other systems | X | X | X | X
Untrusted content | X X X
Location services | X | X | X | X
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP