03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement



Similar documents
How To Protect Your Organization From Liability From A Cell Phone (For Business)

A framework for auditing mobile devices

ONE DEVICE TO RULE THEM ALL! AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014

Mobile Device Security Is there an app for that?

Hot Topics in IT. CUAV Conference May 2012

Mobile Device Security and Audit

Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Director of Compliance, Chief Privacy and Information Security Officer. Pensacola, Florida

BYOD: End-to-End Security

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Mobile Security & BYOD Policy

Guideline on Safe BYOD Management

BYOD. and Mobile Device Security. Shirley Erp, CISSP CISA November 28, 2012

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Managing Mobile Device Security

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Mobile Device Management

Bring Your Own Device Policy

BYOD BEST PRACTICES GUIDE

trends and audit considerations

Chapter 7: Trends in technology impacting SDLC Learning objective Introduction Technology Trends

Information Security It s Everyone s Responsibility

Developing a Policy for Bring Your Own Device. Report to the Joint Legislative Oversight Committee on Information Technology

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

Vision on Mobile Security and BYOD BYOD Seminar

Mobile Device Management for CFAES

Audit Report. Mobile Device Security

BYOD THE SMALL BUSINESS GUIDE TO BRING YOUR OWN DEVICE

Consumerization. Managing the BYOD trend successfully. Harish Krishnan, General Manager, Wipro Mobility Solutions

Research Information Security Guideline

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Altius IT Policy Collection Compliance and Standards Matrix

IT TECHNOLOGY ACCESS POLICY

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD

Addressing NIST and DOD Requirements for Mobile Device Management

Systems Manager Cloud Based Mobile Device Management

SYNCSHIELD FEATURES. Preset a certain task to be executed. specific time.

Cloud Computing. What is Cloud Computing?

Control Issues and Mobile Devices

Mobile Devices Policy

Mobile First Government

Corporate-level device management for BlackBerry, ios and Android

Chris Boykin VP of Professional Services

plantemoran.com What School Personnel Administrators Need to know

Top. Reasons Federal Government Agencies Select kiteworks by Accellion

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015

Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?

GOVERNMENT USE OF MOBILE TECHNOLOGY

BYOD PARTNER QUESTIONS YOU SHOULD ASK BEFORE CHOOSING A. businessresources.t-mobile.com/resources. A Buyer s Guide for Today s IT Decision Maker

Device Independence - BYOD -

ENTERPRISE BYOD BEST PRACTICES POLICY AND SECURITY BEST PRACTICES FOR A SOUND ENTERPRISE MOBILITY PROGRAM

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Data Protection Act Bring your own device (BYOD)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT

Windows Phone 8.1 Mobile Device Management Overview

10 best practice suggestions for common smartphone threats

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation

WHITE PAPER THE CIO S GUIDE TO BUILDING A MOBILE DEVICE MANAGEMENT STRATEGY AND HOW TO EXECUTE ON IT

Mobile Security Lessons Learned from a Global Company. Jim Huddleston, CISSP, CISM, CIPP, CGEIT Director, Global IT Risk Management

Samsung Mobile Security

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Best practices and insight to protect your firm today against tomorrow s cybersecurity breach

Transcription:

Bring Your Own Device: A Framework for Audit Emily A Knopp, CPA, CISA Audit Director Angelo State University, Member of Texas Tech University System March 6, 2014 Texas Association of College of University Auditor 2014 Conference Emily A Knopp, CPA, CISA Audit Director for Angelo State University Assists is developing and expanding the IT audit activities at Texas Tech University System and its component institutions Performs and supervises IT audits across the Texas Tech University System and its component institutions Presents at various conferences across higher education Acknowledgement Mike Cullen, Senior Manager, CISA, CISSP, CIPP/US Baker Tilly Virchow Krause, LLP Baker Tilly Beers & Cutler, PLLC 1

Objectives Briefly define mobile devices and BYOD Identify the impact of mobile devices on campus Define key mobile device risks and control activities to incorporate into audit work plans Describe a audit framework that can be adopted to address the risks and controls specific to mobile devices Define Mobile & BYOD Why do we care? Mobile is here, no going back to being tethered to a desk Mobile allows great productivity and flexibility to achieve institutional objectives Mobile employees are happier (so they say) Mobile can save money (maybe?) 2

Why is mobile the future? A Cisco study says the average number of connected devices per knowledge worker in 2014 will reach 3.3 devices, up from 2.8 in 2012 Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes BYOE What are they bringing? Device % Own Laptop 89.1 Smartphone 75.7 Desktop 42.9 Tablet 30.9 Dedicated e reader 16.2 2013 Almanac, Chronicle of Higher Education What is a mobile device? Any easily portable technology that allows for the storage and transmittal of your organization s sensitive data Examples: Smartphones Tablets External Hard Drives (e.g., USB thumb drives) Laptops Cameras (e.g., point and shoot) Logistics devices (e.g., GPS Tracking Devices, RFID) ereaders Digital Music Players (e.g., ipods) 3

What is a mobile device? NIST (SP 800-124) Characteristics: Small form factor Wireless network interface for Internet access Local built-in (non-removable) data storage Operating system that is not a full-fledged desktop/laptop operating system Apps available through multiple methods Built-in features for synchronizing local data What is a mobile device? NIST Optional characteristics: Wireless personal area network interfaces (e.g., wireless networks, Bluetooth, etc. ) Cellular network interfaces (e.g., 3G, 4G, LTE) GPS Digital camera Microphone Support for removable media Support for using the device itself as removable storage What is BYOD? Bring Your Own Device Higher Ed has been doing this for years Students, of course Faculty, in spite of policies to the contrary Supported by organization systems and applications that allow multiple type of devices to access those services Powered by the need for immediate access and freedom from a physical office 4

BYOD Pros & Cons Pros: Reduced upfront costs Employee satisfaction Cons: Unmanaged devices Mingling of personal and institutional data Managing legal requirements (e.g., ediscovery) Risks and Considerations Major Security Concerns (NIST) Lack of Physical Security Controls Use of Untrusted Mobile Devices Use of Untrusted Networks Use of Apps Created by Unknown Parties Interaction with Other Systems Use of Untrusted Content Use of Location Services 5

What are the mobile device risks? NIST Characteristics Illustrative Risks Small form factor Loss or theft of data Wireless network interface for Internet Exposure to untrusted and unsecured access networks Local built in (non removable) data Loss or theft of data storage Operating system that is not a fullfledged desktop/laptop operating Reduced technical controls system Apps available through multiple methods Built in features for synchronizing local data Exposure to untrusted and malicious apps Interactions with other untrusted and unsecured systems What are the mobile device risks? NIST Characteristics Wireless personal area network interfaces (e.g., Bluetooth, near field communications) Cellular network interfaces GPS / Location Services Digital camera Microphone Support for removable media Support for using the device itself as removable storage Illustrative Risks Exposure to untrusted and unsecured networks Exposure to untrusted and unsecured networks Exposure of private information Exposure of private information Exposure of private information Loss or theft of data Interactions with other untrusted and unsecured systems Scoping Considerations Does your organization have a mobile device strategy, including: Alignment with institutional strategy/objectives Risk assessment(s) for mobility Definition of devices Policies governing the use of devices (with penalties) Security standards based on data 6

Scoping Considerations (cont.) Who owns these devices? Who is responsible for managing and securing the devices? Recommended basic security Incident response procedures Antivirus / Antimalware software Who is paying for devices and service plans? What are the legal and regulatory requirements for your organization and the jurisdictions you operate in? Understanding the Institution Mission and objectives Organization and responsibilities Constituents Types of data Exchanges of data Interdepartmental Third parties Interstate or international Data collection, usage, retention, and disclosure Systems (e.g., websites, apps) Identifying Owners and Stakeholders Client Stakeholders General Counsel Chief Information Officer Chief Information Security Officer Chief Operations Officer Chief Compliance Officer Chief Privacy Officer Chief Risk Officer 7

Assessing Risk Leverage management s risk assessments Understand the Regulatory risk Legal/contractual risk Industry self-regulatory initiatives Consult general counsel Public relations A Framework for Mobile Device Auditing Mobile Device Framework Data Websites & Apps Devices People 8

Data Data generated, accessed, modified, transmitted, stored or used electronically by the organization essential to the organization's objectives requires protection for a variety of reasons, including legal and regulatory requirements Examples: Messages (e.g., emails, text messages, IMs) Voice Pictures Files (e.g., attachments) Hidden (e.g., GPS) Data Classification Tiers Data Inventory Data Owners/Steward Authentication & Security Requirements Data Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data. Review the Data Classification Security Policy to ensure specificity to the various types of data, based on sensitivity. Create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward. 9

Data Determine what authentication and security requirements or restrictions are / should be established for each data type. Determine if Legal Hold requirements are documented and aligned with data classification and mobile device security. Websites & Apps Websites and applications require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data. Websites & Apps Examples Types Institution Personal Websites/Portals Email Intranet/Portal Financial and HR Systems Student Information System Learning Management System Google Yahoo ESPN Apps Cloud Services App Stores Virtual Desktop Environments Learning Management System Financial and HR Systems Google Services Salesforce.com Microsoft Office 365 Apple App Store Google marketplace Amazon App Store Custom Corporate Stores Citrix VMware Angry Birds Instagram Gmail Flickr Facebook Apple App Store Google marketplace Amazon App Store GoToMyPC VNC 10

Websites & Apps Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how the websites and applications are secured to protect data. Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions). Devices Devices require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products. Institution vs. Employee Owned Managed vs. Unmanaged Devices Encryption Data transfers (e.g., sending and syncing) Logical security (e.g., linkage to HR, passwords, access management) Physical security Network Architecture (e.g., configuration, monitoring) Mobile Device Management 11

Devices Assess how mobile devices are secured to protect data. Determine the types of mobiles devices that are used to access data and whether each mobile device is supported by the institution. Ensure that both institutionally-owned and personally-owned mobile devices that access confidential data are secured with appropriate security controls. People People require frequent communications and trainings on the risks, adopted policies, best practices, and tools for protecting the confidentiality, integrity, and availability of data. People Organization-wide Mobile Device Policy Based on the Institution s strategy for mobile devices Policies and Procedures Training and Awareness Programs Content Communication Acknowledged Roles and Responsibilities BYOD Agreement Monitoring 12

People Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data. Assess training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information. What is the responsibility of the employees? Does the content align with adopted policies and procedures? Are employees okay with the institution wiping their device? What happens to the personal data on the device? People Additional Considerations: Labor laws (exempt v. non-exempt; overtime) Tax laws (reimbursement for services, devices) Export Control laws Record Management laws Local Jurisdiction laws Policy Considerations Determine if an overarching Mobile Device Security Policy exists. Flexible across all platforms and devices Covers basic security measures such as Passcodes Auto-lock Local memory wipe Wi-Fi settings Antivirus / Antimalware 13

Policy Considerations Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices. In addition to a mobile device policy, other institutional policies also need to address the use of mobile devices: Acceptable Use Data Classification Antivirus/Antimalware Security Incident Response Business Continuity Sample Student Employee Research/IP Confidential Restricted SIS LMS HR/Fin Institution Owned Devices Institution Owned Device Practices & MDM Assess Risk Policies Standards Pedagogy Other Data Internal Use Public Email Web Web & Apps Personally Owned Devices Personally Owned Device Practices Monitoring Training People Major Security Concerns (NIST) Mapped to Framework Area Security Concern Data Websites Devices People & Apps Physical Security Controls X X Untrusted Mobile Devices X X Untrusted Networks X X Untrusted Apps X X X Interaction w/ Other Systems X X X X Untrusted Content X X X Unprotected Data Storage X X X X Location Services X X X X 14

Angelo State s Approach BYOD, unmanaged environment First & Foremost PROTECT THE DATA Authentication and Authorization Secure transport (e.g., SSL) Developing policies and procedures Network designed to mitigate risk of running out of IPs Most students and staff have 3 to 4 devices on the network at any given time. Resources ISACA Mobile Computing Security Audit/Assurance Program What is it? Work program to execute a controls review of mobile computing Focused in two areas: planning and scoping, security Also includes a framework for control maturity assessment` How to use it? Use as a base work program to conduct a controls review of your mobile device environment Challenges to IA Access to data how to audit personal devices More policy controls over technical controls Publisher ISACA (http://www.isaca.org/knowledge Center/Research/ResearchDeliverables/Pages/Mobile Computing Security Audit Assurance Program.aspx) 15

Resources National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Final), Guidelines for Managing and Securing Mobile Devices in the Enterprise, June 2013 National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012 Contact Info Emily A Knopp emily.knopp@angelo.edu 325-942-2261 16

17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information