Agenda. BYOD, Texting & Social Media How to Keep BYODFrom Becoming OMG! Introduction: Summit Security Group 2/3/2014

Transcription

1 BYOD, Texting & Social Media How to Keep BYODFrom Becoming OMG! Daniel M. Briley, CISSP, CIPP Managing Director Summit Security Group Agenda Introduction BYOD Defined Trends By the Numbers Common Risks Cultural Considerations Safeguards Q&A Introduction: Summit Security Group Local Information Security Advisory Firm HQ: Beaverton, Oregon Deep expertise in IT Security, Governance, Risk Management & Compliance We can help if you Would like a third party risk or vulnerability assessment to discover gaps Are concerned about a data breach Would like help securing your , addressing HIPAA Omnibus compliance, etc. We participate in training events similar to this one to support DIY a approach but please give us a call if you would like some help 1

2 BYOD Defined Bring your own device (BYOD)is an alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data. Typically, it spans smartphonesand tablets, but the strategy may also be used for PCs. It may include a subsidy. BYOD Trends 1. Gartner: 2. ReadWrite: BYOD By the Numbers What Drives BYOD? Productivity and satisfaction are primary; not cost savings 74% of IT leaders believe BYOD can help our employees be more productive 1 58% of surveyed employees list EE satisfaction and productivity as prime benefits 2 23% of surveyed employees list cost savings as a benefit 2 1. Quest: 2. ReadWrite: 2

3 BYOD By the Numbers What Drives BYOD? But there is some cost savings 1 Companies pay for employee devices at less than 10% of the companies surveyed. 27% of surveyed companies share the cost with employees 56% of companies leave support costs up to employees 1. ReadWrite: The Big Question BYOD Leadership loves it Employees love it There are some potential cost savings So Why are we having this discussion? BYOD Concerns Security is the biggest BYOD Concern Almost half (49%) of survey respondents listed security as the primary concern. Regulatory issues came in 2 nd place Customization / OS Support tied for 3 rd place 3

4 The Big Answer So That s why we are having this discussion Security and regulatory compliance requirements drive mobile device governance BYOD Security Risks Device Risks Malware Unauthorized Access Data Loss Theft of Device Inappropriate Use BYOD Security Risks Device Risks Malware Unauthorized Access Data Loss Theft of Device Inappropriate Use Device Safeguards Antivirus & Patching Passwords Backup Encryption / Remote Wipe Content Filter / User Access Policy 4

5 BYOD Security Risks Device Risks Malware Unauthorized Access Data Loss Theft of Device Inappropriate Use Device Safeguards Antivirus & Patching Passwords Backup Encryption / Remote Wipe Content Filter / User Access Policy The Crux of the BYOD Issue This is where BYOD gets messy Securing mobile devices isn t a huge problem; securing personally owned mobiledevices is challenging Typically the organization does not / cannot control personally owned devices Personal data comingled with work data Data owner has responsibility but often not control Cultural Considerations Risk and control spectrum Risk level often has a direct relationship to amount of control over device Organizational risk tolerance Low / Medium / High Balance: Data owners need for control of the data Device owners need for control of their device Sidebar: Trust Not about trust About ability to attest that security controls are in place 5

6 Administrative Safeguard Considerations Acceptable use policy - Foundation of BYOD program Which employees are eligible Describe what data will be permitted on mobile devices Describe behavioral expectations with mobile devices Storage, sharing, security configurations and patching Image/audio capture Social Media Texting Loss/theft reporting requirements Administrative Safeguard Considerations Acceptable use policy -Foundation of BYOD program (continued) Describe the level of control the organization will have over the device Will your organization provide tech support? Comingling of personal and corporate data Employees must agree in writing (consider EULA model) Technical Safeguard Considerations Encryption The only safe harbor against data breach notification (other than data destruction) References: NIST SP : Guideline for Implementing Cryptography NIST SP : Guide to Storage Encryption Technologies for End User Devices NIST SP : Guidelines for Managing and Securing Mobile Devices in the Enterprise (Draft) FIPS 197: Advanced Encryption Standard (AES) User enforced vs. organizationally enforced 6

7 Technical Safeguard Considerations Passwords / PINs Required for access? Complexity? If encrypted password required Password protected encrypted Device inventory or device registry Deny all; permit registered devices Inactivity lockout How long until lock? Failed login attempts what happens? Technical Safeguard Considerations Security patches Required? How often? Will image capture be technically disabled? Bluetooth Consider discoverability settings Secure Texting (TigerText, etc.) Anti-virus Required? Update frequency? Local storage vs. portal approach Don t forget SD Cards VPN allowed to production network? Technical Safeguard Considerations Remote data wipe Permitted? Under what circumstances? Remote device location Geolocation privacy concerns? Notes: Technical safeguards are generally the most diverse, effective, and auditable Technical safeguards configured and managed by a device owner should be considered administrative safeguards from the perspective of the organization 7

8 Physical Safeguard Considerations Protective cases Cable locks Car trunks Privacy Screens Rotational challenges Privacy sweater Summary Blend of safeguards deployed will be unique to each organization based on culture and risk tolerance Don t forget usability; balance security posture Choose safeguard configuration based on risk assessment Use defense in depth approach Questions Remember Proper Planning & Preparation Prevents Pandemonium 8

9 Thank you! Daniel M. Briley, CISSP, CIPP M: Phone: DATA (3282) Web: 9