Control Issues and Mobile Devices

ACC 626 Term Paper
Ramandip Kaur
June 27, 2014
Table of Contents

Executive Summary ... ii
1.0 Introduction ... 1
2.0 Current Trends ... 1
  2.1 Employee Owned Devices and BYOD Programs ... 1
  2.2 Mobile Device Management Solutions ... 2
3.0 Risks and Recommended Controls ... 2
  3.1 Security Risks ... 2
    3.1.1 Lost and Stolen Devices ... 2
    3.1.2 Wireless Transmission Interception ... 3
  3.2 Application and Software Risk ... 4
    3.2.1 Malware ... 4
    3.2.2 Application and Software Vulnerabilities ... 5
    3.2.3 Controls for Application and Software Risk ... 6
  3.3 General Risks and Controls ... 6
    3.3.1 Platform Management Risk ... 6
    3.3.2 Company Mobile Device Policy ... 7
4.0 Control Frameworks ... 9
  4.1 COSO ... 9
  4.2 COBIT 5 ... 9
5.0 Mobile Computing Security Audit/Assurance ... 10
6.0 Conclusion ... 13
Appendixes ... 14
  Appendix I Comparison of Mobile Device Platforms ... 14
  Appendix II Managing Mobile Devices and Relevant Framework Processes ... 15
Works Cited ... 16
Executive Summary

Mobile devices have transformed the corporate environment in just a few years by allowing employees to work anywhere and at any time with access to company data. Bring your own device (BYOD) programs are a growing trend that has increased employee satisfaction and productivity by allowing employees to use their own devices for work-related purposes. However, BYOD programs also pose additional security risks, since different operating systems contain unique features and require different safeguards. Mobile device management (MDM) solutions can help manage these risks through their ability to secure and control devices.

This report focuses on the security, application and software risks of using mobile devices in the workplace and on the related controls. Security risks involve the data loss that can occur when an individual gains unauthorized access to the device. Data loss can transpire through a lost or stolen device, but with strong controls in place, such as passwords on devices and encryption of data, this risk can be mitigated. Another security risk involves an unauthorized individual intercepting an unsecured wireless connection. This risk can also be managed with controls such as firewalls and encryption of the wireless transmission.

There are also application and software risks involved in allowing mobile devices to access corporate data. Mobile malware is a growing concern, as malicious software continues to be released in record numbers, most of it targeting Android devices. There are also application and software vulnerabilities which can result in data leaks through malicious attacks. These threats increase the importance of implementing controls such as installing anti-malware software on mobile devices and creating an enterprise app store.

The use of employee-owned mobile devices at work also increases the importance of assessing different mobile platforms and implementing company-wide policies on mobile device use. Governance and compliance frameworks such as COSO and COBIT 5 can be used as guidance for management in establishing controls for information security over mobile devices within a corporate environment. Furthermore, since mobile devices can process, transfer and store corporate data, auditors have to take this into consideration when assessing the risks and controls for a particular company. To assist auditors and assurance practitioners with evaluating mobile devices for audit and assurance purposes, ISACA developed a mobile computing audit/assurance program. The program contains 8 audit/assurance objectives, 12 controls and approximately 54 audit/assurance steps.
1.0 Introduction

Mobile devices have exploded into the global market at a rapid pace in recent years. These devices include smartphones, tablets, portable digital assistants (PDAs) and more. By the end of 2013, one in every 5 people in the world owned a smartphone and one in every 17 people owned a tablet. [1] The emergence and popularity of mobile devices have penetrated the corporate environment due to their portability, accessibility and ubiquity. The usage of mobile devices in the workplace provides numerous benefits to the organization, such as increased productivity, improved customer service and higher employee engagement. However, there are also drawbacks to allowing mobile devices to store and access corporate data, such as security, application and software risks, which can leave companies vulnerable to various external threats. These risks are further magnified by the growing popularity of bring your own device (BYOD) programs. Considering the potential damage these threats can do to a company, C-suite executives need to be aware of the risks and how they can be managed. Implementing the appropriate controls and policies can minimize the risks while taking full advantage of the benefits mobile devices have to offer.

2.0 Current Trends

2.1 Employee Owned Devices and BYOD Programs

Bring your own device (BYOD) programs are becoming an increasingly popular trend in today's business environment due to the benefits of cost savings and increased connectivity. Forrester Research found that 53% of employees bring their own devices to work and 64% of organizations allow and encourage employee-owned mobile devices to be used for work purposes. [2] A study conducted by Gartner Inc. predicts that by 2017, 50% of employers will require their employees to provide their own device for work. [3] The issue with BYOD programs is the security risk they create, since companies do not tend to centrally manage these mobile devices. This leaves the devices susceptible to various security and software risks.

[1] Heggestuen, John. "One In Every 5 People In The World Own A Smartphone, One In Every 17 Own A Tablet." Business Insider, 15 Dec. 2013. Web. 12 June 2014. <http://www.businessinsider.com/smartphone-and-tablet-penetration-2013-10>.
[2] "The Rise and Risk of Mobile Devices in the Workplace." Rapid7 (Aug. 2013). Web. 13 June 2014. <http://www.rapid7.com/docs/mobile_aug_2013.pdf>.
[3] "Gartner Predicts by 2017, Half of Employers Will Require Employees to Supply Their Own Device for Work Purposes." Gartner, 1 May 2013. Web. 12 June 2014. <http://www.gartner.com/newsroom/id/2466615>.
Rapid7 reported that more than 40% of companies do not implement adequate controls for managing risks related to employees using their devices for accessing and storing corporate data. [4]

2.2 Mobile Device Management Solutions

The growing adoption of BYOD programs has increased the attractiveness of implementing mobile device management (MDM) solutions. MDM software is used by the IT department within an enterprise to monitor, manage and secure mobile devices used by employees. According to Gartner, an IT research firm, 65% of companies are expected to implement an MDM solution within the next 5 years. [5] Most MDM solutions can be used to support both employee-owned and corporate-owned devices. They also accommodate a number of different mobile operating systems and offer varying levels of support, management, integration and usability. Each MDM tool within a solution handles privacy and data security in different ways. Leading vendors offering MDM solutions include AirWatch, Blackberry, SAP, Symantec and others. [6] A recent trend has been the growth in the number of cloud-based MDM solutions. IBM's MaaS360 is an MDM solution that is offered as software as a service (SaaS) as well as in an on-premise model. [7]

3.0 Risks and Recommended Controls

3.1 Security Risks

An unauthorized individual gaining access to a mobile device that contains sensitive information can result in a major security breach. The two most prominent security risks are discussed below.

3.1.1 Lost and Stolen Devices

Lost and stolen mobile devices pose the risk of an unauthorized individual gaining access to sensitive data stored on the device as well as to corporate data access channels, where there is potential for further data loss. Approximately 22% of all mobile devices are expected to be lost or stolen at some point in their life, and 50% of these lost or stolen devices will never be recovered. [8] With the growing usage of cloud storage and cloud-based file sharing applications, the risk of data leakage increases. The study The Risk of Regulated Data on Mobile Devices found that a significant number of organizations do not take the proper steps to protect corporate data stored in the cloud and on devices. [9] The study also found that 54% of respondents had an average of five cases of data breaches which included the loss or theft of a device that contained regulated data. [10]

Recommended Controls:
- Strong passwords or PINs on all devices, as well as separate logins when accessing company data, e-mail and company apps, for added protection.
- An MDM solution can allow the IT department to track mobile devices and receive a notification when a device is lost or stolen. They can then use remote access to the device to wipe all company-related data from it. [11]
- All sensitive company information stored on mobile devices should be encrypted so that the data is unreadable to an unauthorized party.
- A two-factor authentication system, which requires users to present at least two different factors based on something they know, something they have, or something they are. Access to the device is not granted unless both factors can be authenticated. [12]
- Cloud-based security solutions can help manage the risks of data storage in the cloud by enforcing logins as well as monitoring and protecting the device from possible hacks. [13]

3.1.2 Wireless Transmission Interception

Mobile devices are able to connect with other devices and the internet, thereby providing attackers with the opportunity to access an unsecured device. This risk is particularly concerning for mobile device users who transmit corporate data using their devices. Data loss can occur if an unauthorized individual intercepts the wireless connection when the transmission is not encrypted. If this occurs, it is possible for the attacker to retrieve sensitive information such as e-mail login credentials and even eavesdrop on a Voice over Internet Protocol (VoIP) call. Therefore, the ability to connect to unsecured Wi-Fi networks can lead to a security breach and other consequences which can impact the company's information infrastructure.

Recommended Controls:
- Educate employees to use only a corporate secured network for online banking and other sensitive activities conducted on mobile devices.
- Secure the wireless transmission through encryption and require employees to access corporate data only through a secure transmission such as Secure Sockets Layer (SSL), Internet Protocol Security (IPSec) or a Virtual Private Network (VPN). [14]
- Install a firewall such as AnthaFirewall on mobile devices to provide secure communication with the corporate network, which can help reduce the risk of security threats. Unauthorized users trying to access the corporate system will be blocked. [15]

3.2 Application and Software Risk

As organizations increasingly allow employees to bring their own devices to work, application and software risks become more prominent.

3.2.1 Malware

Mobile malware consists of applications that contain malicious code embedded in them. They are created for the purpose of compromising the security of a device or its data. Although downloaded applications are the most prevalent way malware can infect a mobile device, there are also various other points of entry. These include spam, malicious websites, SMS messages and ads. As the number of applications on mobile devices increases, the chance of an application containing malicious code increases. According to the McAfee report, a total of 3.73 million samples of mobile malware were found in 2013, up 197% from 2012. [16] These include viruses, spam, Trojans, spyware and more. Malware is a growing issue for Android devices, as they account for an astonishing 97% of all mobile malware. [17] Another finding revealed that 92% of the top 500 Android applications carry either a security or privacy risk. [18] In 2013, mobile banking Trojans increased rapidly. These malicious attacks included mobile phishing and theft of credit card information. [19]

3.2.2 Application and Software Vulnerabilities

Application vulnerabilities involve issues in the software of a mobile device that may result in data leakage within the application or assistance provided to cybercriminals for attacking the device. These vulnerabilities can compromise the device's security as well as any stored corporate data or, to a greater extent, impact the company's infrastructure. According to Cenzic, 96% of all applications tested in 2013 were found to have at least one security vulnerability. [20] Application vulnerabilities are a particular concern when the mobile device is not owned or centrally managed by the company's IT department, as the devices do not undergo the appropriate administrative procedures and related controls. Applications developed by the company for the purpose of accessing corporate data can also exhibit weaknesses in their security. Android devices, in particular, are the most popular targets for malicious attacks due to their vulnerabilities. These vulnerabilities are used by cybercriminals to bypass the integrity checks on the code during the installation of an application, expand the capabilities of a malicious application and make it increasingly difficult to remove malware. [21]

[4] Ibid.
[5] Lorenc, Kasia. "Mobile Device Management: 2014 Vendors and Comparison Guide." Tom's IT Pro, 10 June 2014. Web. 15 June 2014. <http://www.tomsitpro.com/articles/mdm-vendor-comparison,2-681.html>.
[6] Ibid.
[7] "Cloud Ease." MaaS360. Fiberlink. Web. 14 June 2014. <http://www.maas360.com/why-maas360/cloud-ease/>.
[8] "Bring Your Own Device." Insights on Governance, Risk and Compliance. Ernst & Young Global Limited, Sept. 2013. Web. 13 June 2014. <http://www.ey.com/publication/vwluassets/ey_-_Bring_your_own_device:_mobile_security_and_risk/$FILE/Bring_your_own_device.pdf>.
[9] "The Risk of Regulated Data on Mobile Devices & in the Cloud." Ponemon Institute. WatchDox, June 2013. Web. 15 June 2014. <http://info.watchdox.com/rs/watchdox/images/watchdoxwhite%20paperfinal2.pdf>.
[10] Ibid.
[11] Semer, Lance. "Auditing the BYOD Program." The Institute of Internal Auditors, Feb. 2013. Web. 15 June 2014. <http://www.theiia.org/intauditor/in-the-profession/2013/auditing-the-byod-program/?search=byod>.
[12] Rosenblatt, Seth. "Two-factor Authentication: What You Need to Know (FAQ)." CNET, 23 May 2013. Web. 14 June 2014. <http://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/>.
[13] "Cloud Security." McAfee. Web. 15 June 2014. <http://www.mcafee.com/ca/solutions/cloud-security/cloud-security.aspx>.
[14] "Unsecured WiFi Network Access." Beta Telelink. Web. 15 June 2014. <http://www.itsecurity.telelink.com/unsecured-wifi-network-access/>.
[15] "How a Mobile Firewall Works." Spam Laws. Web. 15 June 2014. <http://www.spamlaws.com/how-mobilefirewalls-work.html>.
[16] "McAfee Labs Threats Report." McAfee, 2014. Web. 16 June 2014. <http://www.mcafee.com/sg/resources/reports/rp-quarterly-threat-q4-2013.pdf>.
[17] Kelly, Gordon. "Report: 97% Of Mobile Malware Is On Android. This Is The Easy Way You Stay Safe." Forbes. Forbes Magazine, 24 Mar. 2014. Web. 16 June 2014. <http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-theeasy-way-you-stay-safe/>.
[18] Francis, Jeff. "11 Reasons Why Your Company Could Be In Danger (Part 1 of 2)." CopperMobile, 21 Feb. 2014. Web. 16 June 2014. <http://www.coppermobile.com/blog/all-post/11-reasons-company-danger/>.
[19] Ibid.
[20] "Application Vulnerability Trends Report: 2014." Cenzic, 2014. Web. 16 June 2014. <http://www.cenzic.com/downloads/cenzic_vulnerability_report_2014.pdf>.
[21] "Mobile Malware Evolution: 2013." Securelist. Web. 17 June 2014. <https://www.securelist.com/en/analysis/204792326/mobile_malware_evolution_2013>.
3.2.3 Controls for Application and Software Risk

- Require up-to-date operating systems and anti-malware software on all mobile devices. Mobile security technology such as Kaspersky Internet Security can be installed to routinely scan the system and protect against viruses, malware and theft. [22]
- Install endpoint security protection software such as that offered by McAfee or Symantec. [23]
- Only install applications from trusted sources. Third-party application stores should not be trusted.
- Create customized corporate applications which are downloaded from a separate enterprise application store. Building an in-house app store allows separation between company apps and non-company apps. Applications can be managed through a mobile app management product.
- Institute and regularly perform patch management. This includes scanning for missing security patches, installing the patches and performing remediation to bring systems up to the latest patch level. [24]
- Ensure that jailbroken or rooted devices are not being used, as jailbreaking and rooting remove security features on the device and allow potentially malicious applications to be installed.

3.3 General Risks and Controls

There are additional risks and controls for mobile devices that need to be addressed on a company-wide basis.

3.3.1 Platform Management Risk

Different mobile platform providers offer varying levels of control over their mobile systems. Each mobile operating system is designed according to whether its target audience is consumers or corporate users, and this also helps determine which security features are included on the platform. Each platform has different vulnerabilities, and these must be considered when deciding which mobile platform(s) will be supported by the organization. Please refer to Appendix I for a comparison of the three most popular devices used in a corporate environment.

Recommended Controls:
- Companies should enforce and disclose a policy on what level of platform security is required and which mobile platforms are acceptable.
- Evaluate new and developing threats to the different mobile platforms on a continuous basis. [25]

3.3.2 Company Mobile Device Policy

Mobile device policies are becoming increasingly important due to the widespread usage of these devices. An effective mobile device management strategy requires well-written and well-implemented policies. Issues related to encryption, PINs, remote wiping, remote access and jailbreaking should be addressed in the mobile device policies. Enforcing these policies can steer a company away from many potential problems. The mobile device policy should also include a general code of conduct related to user responsibilities. The code of conduct should cover the required physical security, software configuration of the operating system and applications, proper security settings, and reporting of lost or stolen devices. [26]

The following table outlines the user responsibilities that should be included in the end user policy. [27]

Employee-Owned Devices:
- Purchasing required software that is not already provided by the manufacturer of the device
- Registration of the device with the vendor as well as with the company's IT department
- Software updates and patch installation
- Maintenance of warranty information
- Data, settings and application backups

Corporate-Owned Devices:
- Software update installation
- Reporting of lost or stolen mobile devices as soon as possible

[22] Hachman, Mark. "Kaspersky, Six Others Top Malware Removal Tests." PCWorld, 3 Dec. 2013. Web. 16 June 2014. <http://www.pcworld.com/article/2068485/kaspersky-six-others-top-malware-removal-tests.html>.
[23] "Endpoint Security Protection." McAfee. Web. 16 June 2014. <http://www.mcafee.com/ca/products/endpoint-protection/index.aspx>.
[24] Mack, Bernard. "Patch Management Overview, Challenges, and Recommendations." Cisco Blogs, 28 Oct. 2013. Web. 17 June 2014. <https://blogs.cisco.com/security/patch-management-overview-challenges-andrecommendations/>.
[25] "Mobile Device Security." Ernst & Young, Jan. 2012. Web. 17 June 2014. <http://www.ey.com/publication/vwluassets/mobile_device_security/$file/mobile-securitydevices_au1070.pdf>.
[26] "Sample Corporate Mobile Device Acceptable Use and Security Policy." Wisegate, 2013. Web. 17 June 2014. <http://www.wisegateit.com/resources/downloads/wisegate-sample-byod-policy.pdf>.
[27] Ibid.
Policy Recommendations:
- Create a secure configuration policy which addresses application and security risks such as data leak prevention, patch management, and malware control. [28]
- Formation and disclosure of an acceptable mobile device usage policy will help prevent security issues related to mobile devices.
- Implement a revoke-access policy which states that when an employee is no longer with the company, their access to the company network is revoked. [29]
- Create a BYOD policy which outlines the level of support to be provided by the IT department for devices owned by employees. [30]

Other Recommendations:
- Educate employees on the security risks and make them aware of when they should be updating their firmware.
- Monitor employees who access and use corporate data on their mobile devices.
- Employ a mobile device management solution.
- Perform regular backups of data stored on mobile devices. Cloud-based online services offer automatic backups, which add convenience for employees. [31]
- Limit the amount of sensitive data transferred to mobile devices, or consider giving employees view-only access.
- Implement a company social network system and wiki blog, which can help resolve issues employees are having with mobile devices.
- Separate personal and business use of mobile devices, as mixing the two leads to a higher risk of malware and data loss.

[28] Ibid.
[29] Ibid.
[30] "How Mobile Device Policies Make IT's Job Easier." SearchConsumerization. Web. 16 June 2014. <http://searchconsumerization.techtarget.com/guides/mobile-device-policy-guide-how-byod-policies-help-itmanage-devices>.
[31] "Cloud-based Online Backups for Your Mobile Device." IDrive. Web. 18 June 2014. <https://www.idrive.com/online-backup-stackup/cloud-based-online-backups-for-your-mobile-device-loweringyour-susceptibility-to-security-infringements.htm>.
4.0 Control Frameworks

Implementing the appropriate compliance and governance frameworks is crucial for mobile devices. The following frameworks are useful for management when developing policies and mitigating the risks related to mobile devices.

4.1 COSO

The Sarbanes-Oxley Act of 2002 (SOX), Section 404, requires a management assessment of internal controls. The Committee of Sponsoring Organizations (COSO) framework became a widely used internal control standard for SOX compliance. The emergence of mobile devices and related security issues has an impact on the following COSO components: [32]

1. Control Environment - Mobile devices are a crucial aspect of the control environment and therefore need to be recognized by management as a component of the organization's control framework.
2. Risk Assessment - The risks relevant to mobile devices, such as the risk of data loss, should be identified and analyzed.
3. Control Activities - Control activities need to be established to manage the risks that the usage of mobile devices brings to the organization. These include encryption of sensitive data and application of security features on all mobile devices.
4. Information and Communication - Security policies that are set regarding the usage of mobile devices need to be communicated by top management.
5. Monitoring - Regular monitoring of the usage of mobile devices, including employee-owned devices, of their compliance with the policy, and of whether controls over information on the devices are effective.

4.2 COBIT 5

After the passage of SOX, COBIT gained popularity in the enterprise. COBIT 4 was used to govern SOX compliance and was used by auditors, although it offered limited guidelines. It lacked the comprehensive coverage of information security which is now provided by COBIT 5. Using the COBIT 5 framework, the risks of using mobile devices can be managed with the application of proper risk management procedures along with the implementation of adequate security controls. COBIT 5 consists of 5 principles allowing for effective governance and management of enterprise IT and 7 enablers for optimizing information and technology investment. [33]

ISACA developed a guide called Securing Mobile Devices Using COBIT 5 for Information Security. The publication is aimed at users of mobile devices, including IT administrators, information security managers, IT auditors, mobile device service providers and end users. The application of COBIT 5 to mobile device security is for the purpose of establishing a uniform management framework and providing guidance on planning, implementing and maintaining complete security over mobile devices within a corporate environment. A secondary purpose is to provide an overarching framework for embedding mobile device security within a corporate governance, risk management and compliance (GRC) strategy. [34] Please refer to Appendix II for the challenges, controls and relevant ISACA framework processes relating to mobile devices.

5.0 Mobile Computing Security Audit/Assurance

ISACA developed a mobile computing audit/assurance program tool to be used by IT audit and assurance practitioners. The audit/assurance program is a part of the Information Technology Assurance Framework (ITAF) section 4000, IT Assurance Tools and Techniques. The scope covers mobile devices that are connected to the enterprise network or contain enterprise data. The mobile devices that are in scope include smartphones, laptops and netbooks, PDAs, portable USB drives, digital cameras, radio frequency identification (RFID) devices, and infrared-enabled (IrDA) devices.

[32] "SOX, GLB, SB 1386 and Mobile Devices - Are You at Risk for Noncompliance?" Credant, 2010. Web. 17 June 2014. <http://www.credant.com/docs/cre00563-compliance%20white%20paper.pdf>.
The objectives of the mobile computing security audit/assurance program are to: [35]
- Assess the mobile computing security policies and procedures along with their operating effectiveness and provide the results to management;
- Identify any deficiencies in internal controls that could potentially impact the company; and
- Identify concerns regarding information security controls that could impact the reliability, accuracy and security of company data because of weaknesses in mobile computing controls.

There are 8 audit/assurance objectives in the mobile computing security audit/assurance program. Under these objectives there are 12 controls and approximately 54 audit/assurance steps. The following table outlines these objectives and controls and offers audit/assurance steps that an auditor would take. [36]

Audit/Assurance Objective 1: Mobile computing security policy
  Control 1: Policies are defined to support a controlled implementation of mobile devices.
  Audit/assurance steps - Determine if:
    - A security policy for mobile devices exists
    - The policy defines the data classification permitted, etc.

Audit/Assurance Objective 2: Risk management of mobile devices
  Control 2: Risk assessments are performed before implementation of new mobile devices, and a risk monitoring program provides continuous evaluation of emerging risks with mobile devices.
  Audit/assurance steps - Determine:
    - If an initial risk assessment is performed for each type of device, and subsequent assessments
    - How risk assessment results are to be integrated into the current audit

Audit/Assurance Objective 3: Device management
  Control 3: An executive sponsor is actively involved in managing the risks of mobile devices.
  Audit/assurance steps - Determine if the executive sponsor reviews the risk assessment for devices.
  Control 4: Mobile devices that contain sensitive company data are managed and administered centrally.
  Audit/assurance steps - Determine if:
    - There is an asset management process for tracking devices
    - There are procedures that remotely wipe data stored on lost or stolen devices, etc.
  Control 5: Mobile devices containing sensitive company data are set up properly for each user based on job function and managed as their job function changes or they are terminated.
  Audit/assurance steps - Determine if there is a process for provisioning and de-provisioning devices upon hiring, transfer or termination of employees.

Audit/Assurance Objective 4: Access controls
  Control 6: Access controls are established for each type of mobile device and address the risk of data loss.
  Audit/assurance steps - Determine:
    - The access controls for each type of mobile device
    - If access authentication and complexity are appropriate, etc.

Audit/Assurance Objective 5: Stored data
  Control 7: Encryption technology protects company data on devices and is administered centrally.
  Audit/assurance steps - Determine if:
    - Encryption technology is applied to devices
    - Encryption keys are secured and administered centrally, etc.
  Control 8: Policies on data transfer to mobile devices and access controls to protect sensitive data are established.
  Audit/assurance steps - Determine if:
    - Policies and access control rules are established for data transfer to mobile devices by device type, along with the access controls required to protect the data
    - There are monitoring procedures to ensure only authorized data is transferred and access controls are working
  Control 9: Data retention policies for mobile devices are defined, monitored and aligned with company data retention policies.
  Audit/assurance steps - Determine if:
    - A data retention policy exists for mobile devices
    - Data is destroyed according to policy once the retention period expires
    - Retention processes are monitored and enforced

Audit/Assurance Objective 6: Malware avoidance
  Control 10: Malware protection software has been implemented based on device risk.
  Audit/assurance steps - Determine:
    - That mobile devices are equipped with malware protection technology
    - That the malware protection cannot be disabled, is updated regularly, that disk drives are routinely scanned, and that compliance with malware detection is monitored and managed centrally

Audit/Assurance Objective 7: Secure transmission
  Control 11: Virtual private network (VPN), Internet Protocol Security (IPSec), and other technologies for secure transmission are implemented for devices receiving and/or transmitting sensitive company data.
  Audit/assurance steps - Determine if:
    - Secure connections are required for specific devices based on data classification and the data stored on or transmitted to and from devices
    - Controls are present to require the use of secure transmission

Audit/Assurance Objective 8: Awareness training
  Control 12: Mobile computing awareness training is ongoing and based on the sensitive nature of mobile devices, and processes for management feedback are in place.
  Audit/assurance steps - Determine if:
    - Mobile security awareness training programs exist
    - Training programs are revised to reflect current technologies and company policies, etc.
    - Awareness programs address accountability, responsibility and communication with users of devices through management feedback

[33] "COBIT 5: A Business Framework for the Governance and Management of Enterprise IT." ISACA. Web. 19 June 2014. <http://www.isaca.org/cobit/pages/default.aspx>.
[34] "Securing Mobile Devices Using COBIT 5 for Information Security." ISACA. Web. 19 June 2014. <http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/securing-mobile-devices-using-COBIT-5-for-Information-Security.aspx>.
[35] "Mobile Computing Security Audit/Assurance Program." ISACA. Web. 19 June 2014. <http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/mobile-computing-security-Audit-Assurance-Program.aspx>.
[36] Stamps, Alex. "Mobile Device Security and Audit." Deloitte, Feb. 2012. Web. 18 June 2014. <http://isacaomaha.webs.com/deloitte%20mobile%20device%20security%20isaca%20pres%20(final).pdf>.
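Several of the controls in the table above (controls 4 through 10) and in sections 3.1.1 and 3.2.3 can be tested mechanically against an MDM inventory rather than by interview alone. The following Python is an added example and is not part of the paper or of any MDM product: the inventory records, HR directory, field names and policy baselines are all constructed for illustration, and the output is a list of findings keyed to the control each one fails.

```python
"""Evaluate a constructed MDM inventory export against the mobile device controls.

Each finding names the section 5.0 control (or section 3.2.3 item) it maps to,
so the result reads like the "Determine if" steps of the audit program.
"""
from dataclasses import dataclass
from datetime import date

AUDIT_DATE = date(2014, 6, 27)  # constructed fieldwork date

# Policy baseline; values are constructed, not taken from any real vendor or standard.
POLICY = {
    "min_os_version": {"ios": (7, 1, 0), "android": (4, 4, 0)},   # patch management (3.2.3)
    "max_checkin_age_days": 30,                                   # central administration (control 4)
    "antimalware_required_on": {"android"},                       # "based on device risk" (control 10)
}

# Constructed MDM inventory export; the field names are hypothetical.
INVENTORY = [
    {"device_id": "D-001", "user": "alice", "platform": "ios", "os_version": "7.1.1",
     "passcode_set": True, "encrypted": True, "jailbroken": False, "antimalware_enabled": False,
     "last_checkin": "2014-06-25", "status": "active", "remote_wipe_issued": False},
    {"device_id": "D-002", "user": "bob", "platform": "android", "os_version": "4.1.2",
     "passcode_set": False, "encrypted": False, "jailbroken": True, "antimalware_enabled": False,
     "last_checkin": "2014-06-24", "status": "active", "remote_wipe_issued": False},
    {"device_id": "D-003", "user": "carol", "platform": "android", "os_version": "4.4.2",
     "passcode_set": True, "encrypted": True, "jailbroken": False, "antimalware_enabled": True,
     "last_checkin": "2014-06-10", "status": "lost", "remote_wipe_issued": False},
    {"device_id": "D-004", "user": "dave", "platform": "ios", "os_version": "7.1.1",
     "passcode_set": True, "encrypted": True, "jailbroken": False, "antimalware_enabled": False,
     "last_checkin": "2014-04-30", "status": "active", "remote_wipe_issued": False},
]

# Constructed HR directory used for the revoke-access check (control 5 / section 3.3.2).
HR_DIRECTORY = {"alice": "employed", "bob": "employed", "carol": "employed", "dave": "terminated"}


@dataclass(frozen=True)
class Finding:
    device_id: str
    control: str   # control in the section 5.0 table, or the section that states the requirement
    detail: str


def parse_version(text):
    """'7.1.1' -> (7, 1, 1): compare versions numerically, not as strings ('4.10' > '4.4')."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev, hr, policy, today):
    """Return every control the device fails; an empty list means the device is compliant."""
    findings = []

    def flag(control, detail):
        findings.append(Finding(dev["device_id"], control, detail))

    # Control 4 / section 3.1.1: a lost or stolen device must have had a remote wipe issued.
    if dev["status"] in ("lost", "stolen") and not dev["remote_wipe_issued"]:
        flag("control 4", "device reported %s but no remote wipe issued" % dev["status"])
    # Control 4: a device that has not checked in recently cannot be verified at all.
    age = (today - date.fromisoformat(dev["last_checkin"])).days
    if age > policy["max_checkin_age_days"]:
        flag("control 4", "no MDM check-in for %d days; compliance state unverifiable" % age)
    # Control 5 / revoke-access policy: a terminated user must not hold an active device.
    if hr.get(dev["user"]) != "employed" and dev["status"] == "active":
        flag("control 5", "active device assigned to non-employed user %s" % dev["user"])
    # Control 6 / section 3.1.1: a passcode or PIN is required on every device.
    if not dev["passcode_set"]:
        flag("control 6", "no passcode or PIN set")
    # Control 7 / section 3.1.1: company data on the device must be encrypted.
    if not dev["encrypted"]:
        flag("control 7", "device storage not encrypted")
    # Section 3.2.3: jailbroken or rooted devices must not be in use.
    if dev["jailbroken"]:
        flag("section 3.2.3", "device is jailbroken or rooted")
    # Control 10 / section 3.2.3: anti-malware required on the higher-risk platform.
    if dev["platform"] in policy["antimalware_required_on"] and not dev["antimalware_enabled"]:
        flag("control 10", "anti-malware not enabled on %s device" % dev["platform"])
    # Section 3.2.3 patch management: the OS must meet the platform baseline.
    minimum = policy["min_os_version"].get(dev["platform"])
    if minimum and parse_version(dev["os_version"]) < minimum:
        flag("control 10", "OS %s below baseline %s" % (dev["os_version"], ".".join(map(str, minimum))))
    return findings


def evaluate(inventory, hr, policy, today):
    return [f for dev in inventory for f in check_device(dev, hr, policy, today)]


def summarize(findings):
    """Count findings per control, which shows the auditor where the program is weakest."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(INVENTORY, HR_DIRECTORY, POLICY, AUDIT_DATE):
        print(f.device_id, f.control, f.detail)
    print(summarize(evaluate(INVENTORY, HR_DIRECTORY, POLICY, AUDIT_DATE)))
```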
6.0 Conclusion

Mobile devices have provided organizations with numerous benefits, such as increased productivity, employee commitment and cost savings. However, the usage of mobile devices for work purposes has also introduced many risks, which need to be addressed by a company in order to prevent an information security breach from occurring. Companies need to develop and implement IT controls as well as comprehensive policies that can help minimize the threats brought on by mobile devices. There are also governance and compliance frameworks developed for the purpose of effectively managing controls related to information security in a corporate environment. Audit and assurance practitioners are also affected by the emergence of mobile devices, as these devices are now expected to be included in the scope of the audit program. It is safe to say that the corporate world will continue to accept and encourage the use of mobile devices in the foreseeable future. Considering the speed at which technology changes, the opportunities for companies to utilize new and emerging devices are endless.
Appendixes

Appendix I: Comparison of Mobile Device Platforms [37]
[Comparison table reproduced from the Ernst & Young report cited in footnote 37.]

37. "Mobile Device Security." Ernst & Young. Jan. 2012. Web. 17 June 2014. <http://www.ey.com/publication/vwluassets/mobile_device_security/$file/mobile-security-devices_au1070.pdf>.
Appendix II: Managing Mobile Devices and Relevant Framework Processes [38]
[Chart reproduced from the ISACA research document cited in footnote 38.]

38. "Managing Mobile Devices and Relevant Framework Processes." ISACA. Web. 18 June 2014. <http://www.isaca.org/knowledge-center/research/documents/securemobiledevice-chart-21july2010-Research.pdf>.
Works Cited

"Application Vulnerability Trends Report: 2014." Cenzic. 2014. Web. 16 June 2014. <http://www.cenzic.com/downloads/cenzic_vulnerability_report_2014.pdf>.
"Bring Your Own Device." Insights on Governance, Risk and Compliance. Ernst & Young Global Limited, Sept. 2013. Web. 13 June 2014. <http://www.ey.com/publication/vwluassets/ey_-_Bring_your_own_device:_mobile_security_and_risk/$FILE/Bring_your_own_device.pdf>.
"Cloud Ease." MaaS360. Fiberlink. Web. 14 June 2014. <http://www.maas360.com/whymaas360/cloud-ease/>.
"Cloud-based Online Backups for Your Mobile Device." IDrive. Web. 18 June 2014. <https://www.idrive.com/online-backup-stackup/cloud-based-online-backups-for-your-mobile-device-lowering-your-susceptibility-to-security-infringements.htm>.
"Cloud Security." McAfee. Web. 15 June 2014. <http://www.mcafee.com/ca/solutions/cloud-security/cloud-security.aspx>.
"COBIT 5: A Business Framework for the Governance and Management of Enterprise IT." ISACA. Web. 19 June 2014. <http://www.isaca.org/cobit/pages/default.aspx>.
"Endpoint Security Protection." McAfee. Web. 16 June 2014. <http://www.mcafee.com/ca/products/endpoint-protection/index.aspx>.
Francis, Jeff. "11 Reasons Why Your Company Could Be In Danger (Part 1 of 2)." CopperMobile. 21 Feb. 2014. Web. 16 June 2014. <http://www.coppermobile.com/blog/all-post/11-reasons-company-danger/>.
"Gartner Predicts by 2017, Half of Employers Will Require Employees to Supply Their Own Device for Work Purposes." Gartner. 1 May 2013. Web. 12 June 2014. <http://www.gartner.com/newsroom/id/2466615>.
Hachman, Mark. "Kaspersky, Six Others Top Malware Removal Tests." PCWorld. 3 Dec. 2013. Web. 16 June 2014. <http://www.pcworld.com/article/2068485/kaspersky-six-others-top-malware-removal-tests.html>.
Heggestuen, John. "One In Every 5 People In The World Own A Smartphone, One In Every 17 Own A Tablet." Business Insider. 15 Dec. 2013. Web. 12 June 2014. <http://www.businessinsider.com/smartphone-and-tablet-penetration-2013-10>.
"How a Mobile Firewall Works." Spam Laws. Web. 15 June 2014. <http://www.spamlaws.com/how-mobile-firewalls-work.html>.
"How Mobile Device Policies Make IT's Job Easier." Search Consumerization. Web. 16 June 2014. <http://searchconsumerization.techtarget.com/guides/mobile-device-policy-guide-how-byod-policies-help-it-manage-devices>.
Kelly, Gordon. "Report: 97% Of Mobile Malware Is On Android. This Is The Easy Way You Stay Safe." Forbes. Forbes Magazine, 24 Mar. 2014. Web. 16 June 2014. <http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/>.
Lorenc, Kasia. "Mobile Device Management: 2014 Vendors and Comparison Guide." Tom's IT Pro. 10 June 2014. Web. 15 June 2014. <http://www.tomsitpro.com/articles/mdm-vendor-comparison,2-681.html>.
Mack, Bernard. "Patch Management Overview, Challenges, and Recommendations." Cisco Blogs. 28 Oct. 2013. Web. 17 June 2014. <https://blogs.cisco.com/security/patch-management-overview-challenges-and-recommendations/>.
"Managing Mobile Devices and Relevant Framework Processes." ISACA. Web. 18 June 2014. <http://www.isaca.org/knowledge-center/research/documents/securemobiledevice-Chart-21July2010-Research.pdf>.
"McAfee Labs Threats Report." McAfee. 2014. Web. 16 June 2014. <http://www.mcafee.com/sg/resources/reports/rp-quarterly-threat-q4-2013.pdf>.
"Mobile Computing Security Audit/Assurance Program." ISACA. Web. 19 June 2014. <http://www.isaca.org/knowledge-center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx>.
"Mobile Device Security." Ernst & Young. Jan. 2012. Web. 17 June 2014. <http://www.ey.com/publication/vwluassets/mobile_device_security/$file/mobile-security-devices_au1070.pdf>.
"Mobile Malware Evolution: 2013." Securelist. Web. 17 June 2014. <https://www.securelist.com/en/analysis/204792326/mobile_malware_evolution_2013>.
"The Rise and Risk of Mobile Devices in the Workplace." Rapid7. Aug. 2013. Web. 13 June 2014. <http://www.rapid7.com/docs/mobile_aug_2013.pdf>.
"The Risk of Regulated Data on Mobile Devices & in the Cloud." Ponemon Institute. WatchDox, June 2013. Web. 15 June 2014. <http://info.watchdox.com/rs/watchdox/images/watchdoxwhite%20paperfinal2.pdf>.
Rosenblatt, Seth. "Two-factor Authentication: What You Need to Know (FAQ)." CNET. 23 May 2013. Web. 14 June 2014. <http://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/>.
"Sample Corporate Mobile Device Acceptable Use and Security Policy." Wisegate. 2013. Web. 17 June 2014. <http://www.wisegateit.com/resources/downloads/wisegate-sample-byod-policy.pdf>.
"Securing Mobile Devices Using COBIT 5 for Information Security." ISACA. Web. 19 June 2014. <http://www.isaca.org/knowledge-center/Research/ResearchDeliverables/Pages/Securing-Mobile-Devices-Using-COBIT-5-for-Information-Security.aspx>.
Semer, Lance. "Auditing the BYOD Program." The Institute of Internal Auditors, Feb. 2013. Web. 15 June 2014. <http://www.theiia.org/intauditor/in-the-profession/2013/auditing-the-byod-program/?search=byod>.
"SOX, GLB, SB 1386 and Mobile Devices - Are You at Risk for Noncompliance?" Credant. 2010. Web. 17 June 2014. <http://www.credant.com/docs/cre00563-Compliance%20White%20Paper.pdf>.
Stamps, Alex. "Mobile Device Security and Audit." Deloitte. Feb. 2012. Web. 18 June 2014. <http://isaca-omaha.webs.com/deloitte%20mobile%20device%20security%20isaca%20pres%20(Final).pdf>.
"Unsecured WiFi Network Access." Beta Telelink. Web. 15 June 2014. <http://itsecurity.telelink.com/unsecured-wifi-network-access/>.