
Mobile Device – Information Technology Security, Risk and Compliance

May 13, 2013

Mobile Device Issues

  • According to a large wireless ISP's data breach report, 47% of all records breached in 2011 were on end-user devices.
    • Recent examples of mobile device security issues / breaches include:
      • Android – Sensitive SOX, PCI, HIPAA, or personally identifiable information (PII) was stolen from Skype users by malicious third-party applications
      • BlackBerry – A JavaScript vulnerability allowed attackers to steal user data
      • Android Marketplace – Two dozen malware-infected applications were removed
      • Symbian and Windows – Zeus malware captured sensitive financial information from thousands of mobile users
      • Apple iOS – Jailbroken phones and a password encryption hack led to vulnerable devices
    • Mobile devices pose significant risks
      • Loss of sensitive SOX, PCI, HIPAA, or PII data through lost or stolen hardware
      • Virus or malware injection into the corporate network
      • Social engineering
      • Exploitation of social networking, mobile applications, and m-commerce
        • Mobile botnets
        • Location tracking
        • Unauthorized modification, monitoring, and disclosure of SOX, PCI, HIPAA, or PII data
    • It is not a matter of whether the lack of mobile device security controls will lead to a data breach, but of when.

Current Mobile Device Status

  • Corporate does not have an enterprise mobile device strategy
    • No standardization on whether to allow personal devices
    • The current standard, the Windows Mobile operating system, is outdated and cannot be enforced
    • No standard deployment methodology for mobile devices across Corporate
      • No formal technical or security controls in place
      • No device management process
      • Unknown number of personal devices connecting to the network
      • No centralized tracking of corporate-owned devices
      • No mechanism or process in place for updates – applications, OS, and firmware
      • No method of enforcing Corporate policies and standards
  • iPads are capable of implementing formal security controls

Current Initiatives

  • Mobile Device Workgroup
    • Representation from: Server Team, Architecture, Voice and Data Networking, Corporate Responsibility, Client Computing, Security Architecture, Security Governance & Risk
    • Mobile device scope for this group includes smartphones, handhelds, and pad (tablet) devices.  USB storage, removable media, and laptops are excluded.
  • Reviewed current business needs and uses
  • Identified required Security controls
    • Selection of 20 security controls based on security standards and business needs

Recommendations

  • Creation of a mobile device security standard ensuring the appropriate infrastructure, security controls and ability for enforcement are implemented.
  • All devices must follow the existing System Security, Encryption and Wireless Communications standards
  • Create a division of support duties
    • Security – Maintain security control software and configuration
    • Voice and Data Networking – Phone provisioning
    • Client Computing – Endpoint, OS and application support

www.bestitdocuments.com