• No results found

LESSONS LEARNED. Agenda

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "LESSONS LEARNED. Agenda"

Copied!
27
0
0

Loading.... (view fulltext now)

Download now ( 27 Page )

Full text

(1)

Implementing Mobile Device

Implementing Mobile Device

Encryption: A Case Study

Encryption: A Case Study

Encryption: A Case Study

Encryption: A Case Study

Bridget

Bridget Aman, CISSP, CISA,

Aman, CISSP, CISA, CPA

CPA

John Blackley, CISSP

(2)
(3)

Agenda

• Management Support

• Proof Of Concept (POC) Process • Important Questions to Ask Vendors • Project Management

L

E

S

S

O

N

S

L

E

A

R

N

E

D

• Project Management • Testing • Implementation • User Impact

• Communications and Training

L

E

S

S

O

N

S

L

E

A

R

N

E

D

(4)

Poll

Poll

Drivers for encryption?

Hurdles? Hurdles?

(5)

• Laptops • USB • CD/DVD (write-restriction)

Children’s Scope

Children’s Scope

• Blackberries • iDevices

(6)

• Pre-requisite • Alignment helps • ROI: • Reputation

Management Support

Management Support

• Reputation • Trust • Brand/image

• Research studies on costs of losing devices with unencrypted sensitive data

(7)

• Most important step of project

• Critical Lesson Learned:

“SHOW ME”

• Spent 3 months total

POC Process

POC Process

• Narrow down field

• Gartner Magic Quadrant • Industry standards

(8)

• Narrowed down to final two

• White boarding exercise listing pros/cons helped flush some things out

• Lesson Learned: Reference calls!!!

POC Process

POC Process

• Lesson Learned: Reference calls!!!

• Best practice: Technical rep and policy maker are both in the same room during POC

(9)

• How does the patching process work with pre-boot authentication?

• What is process for moving data from one encrypted laptop to another?

Technical Scenarios to Demo

Technical Scenarios to Demo

• What is data recovery process when an encryption key gets lost/corrupted or user forgets key?

(10)

• What does USB encryption look like at work and at home? (including initial use)

• What does CD encryption look like at work and at home? (including initial use)

Technical Scenarios to Demo

Technical Scenarios to Demo

• How does USB/CD encryption work in multi-user/ single-workstation scenario?

• File based encryption: how do I ensure everything that should be encrypted actually got encrypted?

(11)

• Multi-disciplinary • Project Manager • Desktop Support • Testing Lead • Training

Project Management

Project Management

• Technical Lead • Help Desk • Information Security • Communications

• Requires strong leader to keep all in lock step • Weekly meetings throughout

• Steering Committee = Involved • Implementation dates

(12)

• WOW, we did a lot of testing – 6-8 weeks!

• Unit testing covered everything we could think of to break the system

• Tested every make/model of device in our environment

Testing

Testing

Laptop Encryption Laptop Encryption

• Tested every make/model of device in our environment • Tested with 75 applications

• Three pilot groups

• 2 Information Technology groups with a focus on remote access methods

(13)

• Big bang ~ 350

• Four character PIN

• Data wipe after 10 failed attempts

Implementation

Implementation -- Blackberry

Blackberry

• Enterprise AND personally-owned • Lesson Learned:

• Train on how to make/accept calls without entering PIN

(14)

• Staged approach • 1,100 over 4 weeks

• Automatically pushed the agent

Implementation

Implementation -- Laptops

Laptops

• Scripted the following:

• Checked for minimum memory • Installed .net 2.0

• Performed defrag

• Installed encryption agent • Chk dsk

(15)

• Main issues:

• Older images, like everyone else • Panasonics

Implementation

Implementation -- Laptops

Laptops

• Windows 7

• One series of standard laptop inconsistently hangs upon reboot; required update

• Small amount of laptops would not automatically identify and connect to home wireless

(16)

• Lessons Learned

• Have a good handle on your asset inventory • “Shifting denominator”

• Have a strategy for pooled or loaner laptops or

Implementation

Implementation -- Laptops

Laptops

• Have a strategy for pooled or loaner laptops or anything that doesn’t get logged into regularly • Require quantification of boot/login times before

and after encryption, or else you’ll get “it takes forever” (WHINE…..)

(17)

• Forced Active Sync encryption and password profile

• Enterprise AND personally-owned • Began with 150, now over 500

Implementation

Implementation -- iDevices

iDevices

• Began with 150, now over 500

(18)

• Lessons Learned

• Active Sync is a good first step, but really need MDM tool

• Active Sync forces encryption, prevents lower iOS’s

Implementation

Implementation -- iDevices

iDevices

• Active Sync forces encryption, prevents lower iOS’s and non-encryptable devices from connecting, and provides reports that evidence encryption

• Issues still to be addressed:

• Preventing jailbroken devices from connecting • Managing multiple devices per person

(19)

• Testing identified that original strategy did not work

• Environment requires an important population of users not be tied to “primary” machine. Software-based

approach did not support this.

Implementation

Implementation –

– USB

USB

• Alternative implementation strategy: one authorized pre-encrypted USB available for purchase through normal supply ordering process

(20)

• Lessons Learned

• USB transfers between Microsoft and MAC O/S • Need encrypted alternative for large external drive

storage

Implementation

Implementation –

– USB

USB

storage

• Better training guide for users (specifically the two partitions)

(21)

• No encryption

• Restricted WRITE access via port control • Lessons Learned:

• Identify equipment (non-workstations) that require

Implementation

Implementation –

– CD/DVD

CD/DVD

• Identify equipment (non-workstations) that require CD/DVD write

• Identify and evaluate cost/benefit of encrypting media provided to customers (e.g., patients)

(22)

• Exception Process!

Biggest Implementation Lesson Learned

Biggest Implementation Lesson Learned

• Have a good exception approval process utilizing the Help Desk, with a timely service level agreement and emergency procedures.

(23)

• Blackberry

• Few calls to complain this totally interfered with their texting while driving

• Laptops

• Boot/login time went from an average of 2 - 2 ½

User Impact

User Impact

• Boot/login time went from an average of 2 - 2 ½ minutes to 4 – 4 ½ minutes

• Pre-boot authentication • iDevices

• Totally quiet • USB/CD/DVD

(24)

• This effort will single-handedly determine how smooth your roll-out will be

• No such thing as overcommunication • Communication Plan:

Communication and Training

Communication and Training

• Communication Plan:

• Normal corporate communication vehicles • Dog and pony shows (CMIO was helpful) • Themed posters: “Encryption is coming!” • Walkarounds/Giveaways

(25)

• Training:

• Help Desk

• Formal lessons

• Additional training by supporting pilot groups

Communication and Training

Communication and Training

• Encryption Website • Project Summary • FAQ’s

• Tip Sheets per device • Rollout schedules

(26)

Final Thoughts…

Final Thoughts…

• If appropriate, offering to be a reference for your vendor is valuable to you and your peers

• Don’t be afraid to reach out and see what others are doing

• Don’t diminish POC or testing processes just to make a • Don’t diminish POC or testing processes just to make a

(27)

Questions??

Questions??

John Blackley

References

Download now ( PDF - 27 Page - 676.55 KB )

Related documents

Big Island. Nakahara Dental Office

Vision Care Center Waianae Mall Shopping Center Wahiawa. DeRussy Chapel Fort

Public Health Implications of Oil Pollution in Koluama: Nigeria

Few researchers have explored the physical health consequences of environmental degradation caused by oil spills and fires in the Niger Delta region (Aroh et al., 2010;

JUPITER_ATP.pdf

Display the data in different Chart types by right click on the Chart type in the lower left pane of the Inspector and the choose Change Chart from the appearing drop down menu.. By

FIVE YEAR CONSOLIDATED PLAN FY FY ANNUAL ACTION PLAN 10/1/13 9/30/14 PREPARED BY

BROWARD COUNTY HOUSING FINANCE AND COMMUNITY DEVELOPMENT DIVISION // Purchase Assistance Program // $87,368 – The provision of down payment assistance to

The everchanging epidemiology of meningococcal disease worldwide and the potential for prevention through vaccination.

The MenAfriVac programme has been greatly successful in con- trolling MenA disease but has highlighted the need for low-cost, multivalent meningococcal conjugate vaccines

Improved SuperDARN radar signal processing: A first principles statistical approach for reliable measurement uncertainties and enhanced data products

SuperDARN ACF fitting software obtains best-fit values for power, velocity, and spectral width by applying error-weighted least-squares regression techniques that require

The Executive Management of the Company has a vast experience of more than 17 years of Pakistani

 Furthermore on advices of different Shariah advisors, we decided to form a separate Shariah Complaint Company by the name of DIYANAH ISLAMIC FINANCIAL SERVICES rather

Chillgard LE Refrigerant Monitor

Once the Chillgard LE Refrigerant Monitor is operating, perform periodic calibration checks to ensure proper instrument operation.. Perform calibration to monitor long-term