Adams County, Colorado

Transcription

1 Colorado Independent Consultants Network, LLC Adams County, Colorado Bring-Your-Own-Device Policy Prepared by: Colorado Independent Consultants Network, LLC Denver, Colorado March 20, 2014

2 Table of Contents Executive Summary... 1 Background... 2 Objective, Scope, and Procedures Performed... 2 Interviews Conducted... 3 Observations and Recommendations... 3 Appendix A- Current Draft Personal Computing Device Security Policy... 9

3 Executive Summary Like many organizations, Adams County allows employees to access County data (primarily , calendar, and contacts) through non-county owned mobile devices (mobile phones, tablets, and laptop computers). The County has mitigated associated risks of this technology through the use of a mobile device management application (MobileIron), development of a mobile device usage policy, and requirement for all employees accessing County data on mobile devices to sign an acknowledgement of the usage policy. Internal Audit performed a review of this policy, examination of the mobile device management application settings, and testing of the signed usage acknowledgement forms. Our findings and conclusions are summarized as follows: 1. BYOD policy improvement recommendations. The current BYOD policy is in draft form and has not yet been rolled out to County personnel. Within the body of our report, we recommend policy enhancements in 5 areas. Items recommended include prohibiting the storage of personally identifiable information or other sensitive data on mobile devices, and validating that County data has actually been removed from a user s device upon termination or disposal of device. Additional recommendations are noted in the body of our report. 2. Ability to bypass mobile device management. While the County has implemented mobile device management enabling the selective remote wiping of user s devices, many users are accessing Adams County data without the mobile device management application installed on their devices. Additionally, the requirement that all devices be password protected is currently in the BYOD policy, but has not been pushed out to user devices. 3. Unsigned mobile device usage acknowledgements. Although individuals accessing Adams County data on mobile devices are required to sign a form to acknowledge their acceptance of usage terms and conditions, such forms could not be located in 3 of the 5 individuals selected for testing. 4. Data Classification Policy. A key element of data security, including mobile security, is a data classification policy, which the County does not currently have. Such a policy would define handling requirements based on data sensitivity. End of Executive Summary Section Page 1 of 12

4 Background Bring your own Device (BYOD) is the increasing trend toward employee-owned devices within an organization. Smartphones are the most common example but employees are also using their own tablets and laptops in the workplace. BYOD is part of the larger trend of IT consumerization, in which consumer software and hardware are being brought into the organization. The County has created a new program for employees at the Director level and above (as well as other employees at the discretion of their Director/Elected Official) to provide a $900 stipend to purchase ipads which become the employee s personal property. The county has allowed the use of employee-owned devices including both Apple ios (iphones and ipads) and Android devices. Without the proper policy and procedures, employee-owned hardware can pose security risks to the County when they connect to the network or access County data. To minimize the risk and accommodate consumer technologies, the County has implemented a mobile device management (MDM) solution called MobileIron. MobileIron is considered to be the industry leader in MDM software solutions. MobileIron allows only authorized personal devices (smart phones and tablets) to connect to the County network. The County first started allowing personally owned devices to access network services in 2009, where employees could connect to through Outlook Active Sync, though this was not formally rolled out/communicated). Currently, users can access County , calendar, contacts, and tasks through their mobile devices. A Personal Computing Device Security policy covering all mobile devices and personal computers is currently in draft form, and MobileIron has been in place as of Q The ability to connect to the County s network through mobile devices requires acknowledgement of the BYOD policy through an employee s signature on a standardized acknowledgement form. Objective, Scope, and Procedures Performed Colorado Independent Consultants Network, LLC (CICN) was engaged to perform a review of Adams County s Personal Computing Device Security Policy (Bring-Your-Own-Device - BYOD) Policy. The objective of this review was to evaluate the existing BYOD policy for potential areas to strengthen controls while balancing the need to easily and efficiently access County resources. The scope of this audit covers evaluation of the BYOD policy as of 9/30/13.. Procedures performed during this review included the following: Review of the BYOD policy Interviews with IT personnel to understand and evaluate policy implementation, potential issues, and other factors impacting the BYOD policy. Reviewed adequacy of MobileIron software implementation (policies & settings) Page 2 of 12

5 Interviews Conducted One of the components of our review involved the interview of key process owners. We conducted interviews with the two individuals listed below: Kevin Beach, Information Technology Director Brandon Archer, Information Security Architect These interviews allowed us to understand the current process used to control the access of personal devices and the current status of the policies in place. Observations and Recommendations Specific areas for improvement are outlined in the observations that follow. Our recommendations are based on our experience in internal audit, as well as best practices in business operations. Our observations are summarized in the table below and presented in detail on the following pages. Topic of Observation Detail on Page # 1. BYOD policy improvement recommendations 4 2. Ability to bypass mobile device management 6 3. Unsigned mobile device usage acknowledgements 7 4. Development of a data classification policy 8 Page 3 of 12

6 1. BYOD policy improvement recommendations Issue: The County does not have a BYOD policy in place. A draft BYOD policy (included as Appendix A) is in the development stage. We reviewed this draft policy and noted several recommendations to strengthen the policy s effectiveness which should be included in the approved policy. Risk: Without a comprehensive policy which identifies the types of data that can be accessed, the types of devices which are allowed, and the employee personal device agreement the County may face security breaches allowing inappropriate access to restricted County data. Recommendations: To enhance the controls over the BYOD policy, we recommend the following: 1. Scope - The Policy should be applicable to all employees, consultants, contractors, vendors and any other personnel that access non-public County systems and/or data using non-county owned technology. 2. General Requirements We recommended the following: Any exception to the policy should be evidenced in writing and approved by the Directory of Information Technology. Access to the County s network data from personal devices is only allowed via approved and secure access methods (i.e. use of the County s secured employee wireless network). While this is currently included in the draft version of the policy, we are highlighting this as a recommendation, as this is an especially critical component of any BYOD policy. 3. Data Security We recommended the following: Once a data classification policy is developed (See issue #4), the BYOD policy should cross reference the data classification policy to enforce appropriate security measures based on the sensitivity of the data. Storing information that is considered personally identifiable information, credit card information, personal health information or other sensitive data on a mobile device or removable media should be prohibited. 4. Support - We recommended the County require evidence that data has been properly removed for any BYOD device before it is released from an employees possession (e.g. recycling, selling, or donating). The current policy requires the device s owner to remove County data upon termination of employment, but does not require evidence that such data has been removed. 5. Adams County Personal Device Usage Agreement - We recommended the following be included for acknowledgement by employees using a personal device (BYOD): Page 4 of 12

7 Understand and accept the terms of the County s Acceptable Use Policy. Understand that they do not have a reasonable expectation of privacy beyond those granted under Colorado statute. Agree to use a password or PIN to lock my device and set an automatic lock-out after the device has been idle (e.g. 5 minutes). Management Response: Adams County IT has developed a draft BYOD policy that incorporates the auditor s suggestions. Policy will be reviewed by IT governance for approval and adoption. Responsible Party: Kevin Beach, IT Director Completion Date: 6/1/14 Page 5 of 12

8 2. Ability to bypass mobile device management Issue: As previously stated, the County has implemented MobileIron as their mobile device management solution. While the settings of MobileIron are appropriate, including enforcement of all devices to be password protected and enabling of mobile encryption, these requirements have not been turned on, reducing the security benefits afforded by the software. Additionally, through the use of ActiveSync, a user could bypass MobileIron and connect to County without the security benefits afforded through the MobileIron application. As of 1/27/14, nearly 100 user accounts were accessing County directly through ActiveSync, rather than using the MobileIron MDM solution. While the current draft BYOD policy prohibits this, preventative controls could be enhanced. Risk: Without enforcement of established security parameters through enactment of MobileIron settings, as well as enforcing the use of the MobileIron application itself, county data could be at risk. As an example, while the BYOD policy requires all devices to be password protected, this is not enforced through the MobileIron technology. County s containing sensitive data (such as Personally Identifiable Information (PII), HR/legal information, etc.) could be stored on an unprotected mobile device. If this device were to be lost or stolen, the integrity of this data would be compromised. Recommendations: The County should activate current MobileIron settings, pushing established requirements to user devices. Additionally, the ability to access County data through ActiveSync should be disabled, requiring users to install the MobileIron application on their devices in order to access this data. Management Response: All approved personal devices will be migrated to MobileIron Mobile Device Management (MDM) and direct access to will be disallowed. Current MobileIron settings will be activated as recommended. Responsible Party: Kevin Beach, IT Director Completion Date: 4/1/14 Page 6 of 12

9 3. Unsigned mobile device usage acknowledgements Issue: The current version of the draft personal computing device security policy states: Personal computing devices must be authorized by management order to access/store Adams County data. In practice, the County is requiring users of mobile devices accessing Adams County data to sign an acknowledgement form agreeing to the terms of mobile device usage. Authorizations from an employee s Manager are not required in practice. In 3 of the 5 users selected for testing, IT was not able to produce the acknowledgement form or provide any documentation in support of the user s acknowledgement of terms. It is unclear whether such acknowledgement was misplaced or never attained. Risk: The mobile device usage acknowledgement form serves to remind the end user of the security requirements around accessing Adams County data from a personal mobile device. This form also serves to avoid potential litigation surrounding the wiping of an employee s personal data from their personal mobile device. Absent signed acknowledgement forms, the County risks greater non-compliance with the mobile device usage policy and potential litigation. Recommendations: The County should ensure all employees accessing Adams County data on mobile devices have signed the Adams County Personal Device Usage Agreement and that this document is retained in a common location accessible to IT personnel. The current draft personal computing device security policy language should be revised to require acknowledgement of the policy rather than managerial approval of mobile device users if this is the County s intent. Management Response: All future agreement forms will be stored in edocs as well as the Helpdesk account to ensure that IT is able to retrieve signed forms. An audit will be performed by IT to ensure that all personal device users have returned signed agreement forms. Responsible Party: Kevin Beach, IT Director Completion Date: 6/1/14 Page 7 of 12

10 4. Development of a data classification policy Issue: A key element of data security, including mobile security, is a data classification policy, which the County does not currently have. Risk: Data elements carry varying levels of risk, depending on their sensitivity. For example, an employee s disciplinary record or legal advice provided under attorney-client privilege would be considered highly sensitive data. In contrast, the County s audited financial statements, which are posted on the public facing web site, would not be considered sensitive, as they are a matter of public record. Absent a policy to clearly highlight sensitive data elements and the expected treatment of this data, employees and vendors are left to their own judgment as to what would be considered sensitive and how such sensitive data should be handled. Individual employee judgment may be incongruent with expectations of County Management. Measures to protect data considered sensitive may be inadequate, if they exist at all. Recommendations: The County should develop a Data Classification Policy that defines handling requirements for data based on their sensitivity. The policy may contain both general guidelines applicable County-wide, as well as department specific guidelines. Common classification levels should be developed with associated minimum security parameters. Illustrative examples of data types should be included in the policy. Management Response: Although we agree Data Classification would be a worthwhile endeavor, IT has checked with three of the larger Colorado counties, Arapahoe, Douglas and Jefferson and none of them have gone down this path. We will submit a budgetary request in the 2015 budget for this project. Responsible Party: Kevin Beach, IT Director Completion Date: 12/31/14 (For submission of budgetary request) Page 8 of 12

11 Appendix A- Current Draft Personal Computing Device Security Policy Personal Computing Device Security Policy (BYOD) Purpose The purpose of this policy is to document the minimum security requirements and management decisions regarding the use of personal computing devices used to transmit, access, and/or store Adams County data. Scope All personal computing devices used to access Adams County data must comply with this policy and all applicable Adams County security policies, standards, and processes. For the purposes of this policy personal computing devices are divided into two categories: 1) personal computers including desktops and laptops and 2) personal mobile devices such as smartphones, PDAs, and tablet computers which do not run a workstation-grade operating system. Personal devices that only access and/or store County data that is generally available to the public (such as on the Adams County website) are exempt from this policy. This policy does not supersede any other laws, or regulations. Authorization Personal computing devices must be authorized by management order to access/store Adams County data. General Requirements At management s discretion, employees may use personal computing devices to access County data providing that the following requirements are met: Failure to comply with this policy may result in termination of service to the personal device. Authorization 1. User has signed the Adams County Personal Device Agreement form and returned to IT 2. The user s manager has authorized the use of the personal device(s) by ing the IT helpdesk Page 9 of 12

12 Network Access 3. Access from personal devices is only allowed via approved access methods as defined by the IT department (e.g. Citrix). 4. Users are prohibited from connecting personal devices directly to the Adams County Network. 5. Users may use their personal home wireless networks only if the network is secured using WPA or WPA2 and a strong passphrase. A strong passphrase is one that is at least 8 characters long and includes a combination of upper case and lower case letters, numbers and symbols. Open unencrypted networks and WEP encrypted networks are prohibited. 6. Open public wireless hotspots (e.g. Hotels, Coffee Shops) should be avoided whenever possible. If an unsecured public network must be used, users must use IT approved secure protocols to access County data (e.g. Citrix). Personal Device Security 7. Device owners are responsible for taking measures to protect County data on their personal devices. Examples of recommended security controls include : Workstations and laptops: Anti-malware software, personal firewall, disk encryption, account passwords, password protected screen saver, creation of separate accounts for work & personal use, and limiting the use of administrative rights on the device. Mobile devices such as smartphones and tablets: Password or PIN to unlock the device, device encryption, and automatic lock after idle period (e.g. 5 minutes). 8. Device owners are required to ensure that all vendor security updates are applied within 30 days of release 9. Lost/Stolen devices must be reported to IT no more than 24 hours after discovered lost/stolen. Page 10 of 12

13 Data Security 10. Storing sensitive and/or non-public County ;data on personal external cloud services (e.g DropBox, Google Drive, Evernote, etc.) is prohibited unless part of a management approved initiative 11. Storing County data on external storage (e.g. SD card, USB thumbdrive, external harddrive, etc.) is prohibited unless encrypted 12. The device user must protect County data from unauthorized access or disclosure and will notify Adams County management immediately if data is suspected to have been lost or compromised 13. Adams County reserves the right to erase all data from personal devices used for County business Support 14. IT staff may only provide limited assistance for personally owned devices and will not be able to assist with problems unrelated to County business. 15. The owner of the device is responsible for securely erasing all County data from the device before releasing the device from their possession (e.g. recycling, selling, or donating). Page 11 of 12

14 Personal Mobile Devices Requirements The requirements below are additional requirements for personal mobile devices such as smartphones, and tablets. 1. Mobile devices may access and/or store County data only where managed by an IT approved mobile device management (MDM) solution (MobileIron) 2. Where will be accessed from the device, support for Microsoft ActiveSync is required 3. Mobile device must support device level encryption 4. Devices must be wiped of any County data in the event of employee termination, or suspension 5. Users must not attempt to circumvent or disable any security controls applied to the device while the device contains County data. 6. The owner of the device is responsible for backing up all personal items (including but not limited to: photos, videos, music, contacts, paid apps, and notes). Adams County is not responsible for the loss of any personal data and/or applications and will not reimburse the cost to recover personal data. 7. Security policies may be pushed to my device (such as a personal identification number (PIN), or encryption) at the County s discretion as long as County data is stored on the device. 8. The County may collect information about the device for support reasons. Information collection may include but is not limited to: device model, software/firmware versions, network information, and installed applications. 9. Devices that have been intentionally compromised e.g. jailbroken or rooted to modify or replace the manufacturer s software/firmware on the device will not be allowed to access or store County data. Page 12 of 12