www.pwchk.com Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?
Why is this important to you?

Background

Enterprise mobility through Bring-Your-Own-Device (BYOD) has been around for at least 3 years, and there have been lots of lessons learnt in many organisations in relation to leakage and loss of customer data and sensitive information.

In October 2014, the restriction on implementing BYOD for banks in Hong Kong was removed by the Hong Kong Monetary Authority (HKMA) through the issuance of an updated circular, Customer Data Protection (first introduced in 2008). While this updated circular has tightened the enterprise-wide control requirements to protect the confidentiality of customer data, it includes new guidance on the implementation of BYOD, with reference to the control requirements specified in the paper entitled Recommended Standards of Bring Your Own Devices for Work by Bank Staff in Hong Kong, issued by the Hong Kong Association of Banks (HKAB).

As there are more compliance requirements to follow, is your bank ready to enjoy the business benefit brought by enterprise mobility and BYOD? Are you comfortable that you have adequate enterprise-wide controls over the protection of customer data to ensure compliance?

What are your new challenges?

Time is short, hands are tied: Complete a critical review of your customer data protection controls by Q1 2015

You have been safeguarding and protecting customer data. However, there is an additional requirement now: you are expected to conduct a comprehensive review of the adequacy of customer data protection controls by Q1 2015 and to perform periodic independent audits going forward. Within such a short time span, you will need to identify the right resources to conduct an effective review in accordance with the new requirements.

New skills required: Review your BYOD program to ensure that it meets the new requirements

Your bank may have already identified several use cases for BYOD which are promising in boosting productivity within the working environment. In light of the new HKAB standards, what are the reasonable approaches to implement the controls required for each of the identified use cases? What is your plan to deploy appropriate solutions to reduce risks and ensure regulatory compliance? Do you have adequate expertise to review and validate the control effectiveness?

The Big Picture: Some highlights in the updated Customer Data Protection Circular (October 2014)

A. Data classification & risk assessment: all data should be classified into different levels of sensitivity or risk; an appropriate level of protection should be built, deployed and assessed accordingly.

B. Data security policies and awareness: policies and procedures should be reviewed and enhanced in line with the relevant supervisory guidance from time to time; the annual awareness programme should be extended to cover safeguards against customer data loss / leakage.

C. Logical access controls: controls should be data-oriented; apply controls along the data flow and its lifecycle with layered security measures; high-risk scenarios (e.g., data exchange with external parties, massive data download) should be identified and monitored.

D. Transmission of customer data: effective controls should be implemented to prohibit unauthorised transmission between internal and external systems via Internet services or high-risk software, and to monitor unusual or suspicious activities.

E. Storage of customer data: in addition to portable storage media, banks should establish capabilities for identifying unusual downloading activities (or data exfiltration); various safeguards such as data encryption, key management and log monitoring should be considered; sample checks should be conducted to ensure that controls have been operating effectively.

F. Personally-owned computing devices: comply with the new standards established by HKAB for both BYOD and the bank's own computing devices.

G. Physical security controls: perform adequate reconciliation or inventory checks after relocation / transportation.

H. Periodic audits: banks should conduct regular audits, by an independent party, to assess the adequacy and compliance status of controls on customer data protection.

I. Controls over service providers: require service providers to comply with the bank's data security policies and procedures in outsourcing arrangements; monitor and validate the service providers' compliance.

Emerging risks associated with BYOD

Area of focus: User
What can happen: Users may share their mobile devices containing customer and corporate data with friends and family members.
New challenges: How to safeguard sensitive data and prevent unauthorised access?

Area of focus: Data
What can happen: Users may use their mobile devices for illegitimate purposes or for downloading inappropriate / copyright-infringing materials.
New challenges: How to segregate personal and enterprise data? How to achieve the right balance between convenience and security?

Area of focus: Device security
What can happen: Users may not use and maintain their mobile devices in a secure manner, e.g., jailbreaking / rooting the devices, downloading illicit apps, not installing critical updates, disabling security features, etc.
New challenges: How to control and align security configurations among different devices running on various platforms (e.g., Android, iOS, etc.) and service releases? How to protect the integrity of devices?

Area of focus: Network
What can happen: Users may connect their mobile devices to insecure Internet access points in public areas, such as cafes, airports, hotels, shopping centres, etc.
New challenges: How to mitigate the risk of data loss / leakage through insecure access points in public areas?
BYOD leading practices to consider (examples)

Robust governance:
- Data classification, including personal data collected from BYOD users
- Policies, terms and conditions to include BYOD scenarios
- Regular risk assessment of the supportable operating systems and devices
- Periodic independent audit

Access controls:
- Access rights granted on a need-to-have basis
- Device registration and enrolment
- 2-factor authentication on mobile for remote access (e.g., VPN)
- Password, account lockout and session timeout controls
- Encryption of data throughout the lifecycle (at rest, in transit and in use)
- Audit trail integrated with the existing information and event management process

Application vetting:
- Blacklist malicious apps and update the list in a timely manner
- Ensure apps are downloaded via approved app sources (e.g., Apple's App Store, Google Play, the enterprise's own app stores, etc.)
- Prevent and detect jailbreaking / rooting activities

Data protection and other security measures:
- Prevent data sharing between enterprise and personal apps (e.g., prohibit copy and paste, disallow storage of corporate data on removable storage media)
- Delete temporary data upon session termination
- Wipe the company and customer data immediately after detecting violations of security policies
- Report and handle lost devices in a timely manner
- Ensure security patches / operating system updates are installed and remind staff when they are available
- Sandbox architecture
- Anti-virus software
- Encryption of data stored on mobile devices

How PwC can help

What is the maturity level of the customer data protection capability within your bank? PwC's Customer Data Protection Health-check can assist you, covering people, process and technology aspects including (but not limited to):
- Enforcement of data classification
- Access controls commensurate with data classification
- Device registration and enrolment
- Asset management
- Incident response
- Data exchange with third-party service providers
- Physical security controls
- Third-party vendor management
- Security awareness programme
- Organisation and management
- Motives and incentives
- Familiarity with data loss / leakage prevention & detection practices
- Data loss / leakage prevention and detection tools
- Logging and monitoring
- System configuration

In your journey of implementing a BYOD program, we can advise you at each of the implementation stages to align your solution with security best practices and regulatory requirements:

Stage 1: Plan for success
- Use case analysis
- Customer data impact analysis

Stage 2: Gather requirements
- Security requirements analysis
- Compliance requirements analysis

Stage 3: Select technologies
- Security assessments of technologies (e.g., mobile device / application management tool)*
- Technology comparison and selection

Stage 4: Implement solution
- Mobile application security assessment*
- Configuration review
- Access control review

Stage 5: Maintenance
- Vulnerability assessment
- Data loss / leakage assessment
- Periodic audits

* This service will be facilitated by PwC's proprietary tools and methodology to identify design weaknesses / vulnerabilities hidden in the technology solution, including key areas such as device memory, system files and applications that could result in the leakage of customer data and sensitive corporate information.

Contacts

For more information, please contact:

Kenneth Wong, Partner
Kenneth.ks.wong@hk.pwc.com
+852 2289 2719

Gary Ng, Partner
Gary.kh.ng@hk.pwc.com
+852 2289 2967

Kok Tin Gan, Senior Manager
kok.t.gan@hk.pwc.com
+852 2289 1935

www.pwchk.com

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.