Mobile Device Security and Audit




Mobile Device Security and Audit
ISACA Chapter Meeting, February 2012
Alex Stamps, Manager, Security & Privacy Services, Deloitte & Touche LLP
astamps@deloitte.com

Session Objectives
- Define mobile devices and the mobility ecosystem
- Provide an overview of mobility risks and challenges
- Walk through a mobile computing security audit/assurance program

The Mobility Ecosystem and Associated Risks

What are Mobile Devices
Mobile devices can mean many different things to people. For this presentation, we will define mobile devices as:
- Laptops and netbooks
- Full-featured mobile phones/smartphones
- Tablet computers
- Portable digital assistants (PDAs)
- USB storage devices (such as thumb drives, MP3 devices, and network connectivity devices)
- Digital cameras
- Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
- Infrared-enabled (IrDA) devices such as printers and smart cards
The focus of this session will be on handheld mobile devices (smartphones, tablets, PDAs, etc.).

The mobility ecosystem
Today's mobile ecosystem is a complex, rapidly developing environment consisting of different types of mobile devices, data communication channels, connectivity methods and various ecosystem actors. Fundamentally, the ecosystem can be viewed as being segmented into four (4) primary components: mobile devices, used by actors, who connect to various networks in order to transmit data to other devices/systems.
- Mobile device (Smart Phone, GPS, tablet, scanner, reader, medical devices, Wireless POS)
- Networks (Satellite, Wi-Fi, Cellular (3rd generation (3G) or 4th generation (4G)))
- Data communication (Internet, Next Generation Network (NGN), IP Multimedia Subsystem (IMS))
- Actors (Device Owners, mobile interfaces & application development enterprises)

Threat overlay on mobility ecosystem (figure)

Mobility risk categories
Enabling mobility is a balance of technology, return on investment and risk. These need to be aligned with business needs and strategies. When considering developing mobile solutions, or fine tuning an existing solution, it is necessary to gain an understanding of the risks associated with mobility. These risks fall into four main categories:
1. Operational
2. Technology & Data Protection
3. Legal & Regulatory
4. Infrastructure & Device
What makes mobile devices valuable from a business perspective (portability, usability and connectivity to the internet and corporate infrastructure) also presents significant risk. New risks have been introduced at the device, application and infrastructure levels, requiring changes in corporate security policy and strategy.

1. Operational
Mobility poses unique risks, and existing security and IT support resources and infrastructure cannot be extended to cover mobile devices and applications without significant investment in developing new skills, technical capabilities, operational processes and deployment of a mobility infrastructure.
A. Executives, users and customers are driving mobility decisions; operational risk considerations are not driving mobile security strategy
B. Security controls can negatively impact usability, causing friction with employees and slowing adoption
C. Increasing support demands may in turn outpace resource skill sets and technical capabilities
D. Varied mobile OS implementations make it difficult to deploy a singular security solution
E. Existing operational processes may not be efficiently designed or mobile-ready, which can hinder expected productivity

2. Technology and Data Protection
Mobile devices are valuable from a business perspective due to internet connectivity, access to corporate infrastructure as well as mobile/cloud based applications. These benefits also result in greater potential exposure for the enterprise, with risks introduced at the device, application and infrastructure levels.
A. End users may have the ability to modify device security parameters, thus weakening the security controls
B. Devices and memory cards are not encrypted by default or configured appropriately, thus leading to data leakage/loss
C. With use of cloud based applications, data protection becomes increasingly complex
D. Many organizations are not able to enforce mobile OS patching and updating, which may result in vulnerable devices
E. Users often install unapproved applications or applications containing malware, which poses information security risks

3. Legal & Regulatory
The device/carrier distributors may not be able to meet corporate security requirements, particularly if the company is regulated and subject to local jurisdictional laws. Legal considerations such as employment labor laws, e-discovery requirements, etc. may impact the overall mobile strategy.
A. Employees using corporate devices for personal purposes and vice versa may give rise to significant data privacy issues
B. The bring your own device trend raises ethical and legal questions around monitoring, device wiping, etc., upon employee termination
C. Corporate usage of mobile devices by hourly employees can/will raise concerns around overtime labor law considerations
D. Regulatory requirements to address e-discovery, monitoring, data archiving, etc., can be complex and difficult to implement
E. Data ownership and liability for corporate and employee owned devices used for business purposes is yet to be determined

4. Infrastructure and Device
The diversity of device options and underlying operating system/application platforms introduces a myriad of security risks and challenges. Extended enterprise risk (e.g., lost or stolen mobile device serving as a back channel), network security vulnerabilities in mobile communication systems and service providers, and vulnerabilities in third party applications are all challenges organizations are struggling to tackle.
A. Mobile device attacks and varying attack vectors increase the overall risk exposure
B. Multiple choices in devices, OS platforms, apps, etc., require companies to employ diverse technologies, expanding the attack surface
C. Third party apps installed on corporate devices may contain vulnerabilities caused by developer mistakes or re-packaged malware
D. Securing mobile transmissions and channels is complex given a varied protocol landscape and the newer communication channels
E. Mobile devices are easily lost or stolen in comparison with other IT assets (e.g. laptops), and remote wipe efforts frequently fail

A word on Mobile Device Application Platforms (MEAPs)
Mobile enterprise application platforms (MEAPs) simplify the development, deployment and management of mobile enterprise applications. They also address the difficult mobile application challenges of back office integration, secure access for mobile devices into the enterprise, offer reliable push data synchronization and support for multiple device types.
Diagram labels: Enterprise Applications, Mobile Enterprise Application Platform, Connections
MEAP Vendors: SAP - Sybase Spring Wireless Oracle - Antenna Software Microsoft Pyxis Syclo

Assessing Risk: Auditing Mobility Controls

The ISACA Mobile Computing Security Audit/Assurance Program
Available through ISACA is the Mobile Computing Security Audit/Assurance Program (Oct 2010)*
- Available on ISACA Website
- Cross Referenced to the COBIT Framework and the ISACA IT Assurance Framework and Standards (ITAF)
The scope covers mobile devices connected to the enterprise network or containing enterprise data, including:
- Smartphones
- Digital cameras
- Laptops, notebooks and netbooks
- Radio frequency identification (RFID) devices
- Portable digital assistants (PDAs)
- Infrared-enabled (IrDA) devices such as printers and smart cards
- Portable USB devices for storage and for connectivity
*The ISACA Mobile Computing Security Audit/Assurance Program (Oct 2010) and related content is © 2010 ISACA

ISACA Mobile Computing Security Audit/Assurance Program Objective
The mobile computing security audit/assurance program will:
- Provide management with an assessment of mobile computing security policies and procedures and their operating effectiveness.
- Identify internal control and regulatory deficiencies that could affect the organization.
- Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in mobile computing controls.

ISACA Mobile Computing Security Audit/Assurance Program Outline
- Introduction
- Using This Document
- Controls Maturity Analysis
- Assurance and Control Framework
- Executive Summary of Mobile Computing Security Audit/Assurance Focus
- Audit/Assurance Program
- Planning and Scoping the Audit
- Mobile Computing Security
- Maturity Assessment

Maturity Model for Internal Control
0 Nonexistent: Complete lack of any recognizable process.
1 Initial: Capabilities are characteristic of individuals, not of the organization.
2 Repeatable: Process is established and repeating; reliance on people reduced.
3 Defined: Policies, processes, and standards defined and formalized across the organization.
4 Managed: Process is managed and measured quantitatively, and aggregated on an enterprise-wide basis.
5 Optimized: Organization focused on continuous improvement of security and privacy risk management.

Mobile Computing Security Audit/Assurance Objectives
Core of the Audit/Assurance Program Structure:
- 8 Audit/Assurance Objectives
- 12 Controls
- ~54 Audit/Assurance Steps

Mobility risk categories:
1. Operational
2. Technology & Data Protection
3. Legal & Regulatory
4. Infrastructure & Device

Audit/Assurance Objectives:
2.1 Mobile Computing Security Policy
2.2 Risk Management
2.3 Device Management
2.4 Access Controls
2.5 Stored Data
2.6 Malware Avoidance
2.7 Secure Transmission
2.8 Awareness Training

1. Planning and Scoping the Audit
Follows standard Audit Planning Steps:
- Define the audit/assurance objectives
- Define the boundaries of review
- Identify and document risks
- Define assignment success
- Define the audit/assurance resources required
- Define deliverables
- Communicate the process

2.1 Mobile Computing Security Policy
Audit/Assurance Objective: Policies have been defined and implemented to assure protection of enterprise assets.
2.1.1 Policy Definition
Control: Policies have been defined to support a controlled implementation of mobile devices.
Audit/Assurance Steps:
- Determine if a security policy exists for mobile devices.
- Determine if the mobile device security policy defines the data classification permitted on each type of mobile device and the control mechanisms required based on the data classification.
- Determine if the mobile device security policy utilizes the data classification policy, if one exists.
- Determine if the mobile device security policy defines the types of permitted mobile devices.
- Determine if the mobile device security policy addresses the approved applications by device based on data classification and data loss risk.
- Determine if the mobile device security policy defines the authentication method for each mobile device based on the data classification policy.

2.1 Mobile Computing Security Policy (Cont.)
Audit/Assurance Steps (Cont.):
- Determine if the mobile device security policy requires enterprise-issued devices if the device receives enterprise data.
- Determine if the mobile device security policy requires a centrally managed asset management system for appropriate devices.
- Determine if the mobile device security policy prescribes authentication and encryption storage/transmission (data in transit or at rest) requirements by device type.
- Determine if the mobile device security policy requires a risk assessment before a device is approved for use and a risk assessment update at least annually to determine that new threats are assessed and new technologies considered for deployment.

2.2 Risk Management
Audit/Assurance Objective: Management processes assure that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
2.2.1 Risk Assessments
Control: Risk assessments are performed prior to implementation of new mobile security devices, and a continuous risk monitoring program evaluates changes in or new risks associated with mobile computing devices.
Audit/Assurance Steps:
- Determine if a risk assessment has been performed for each device type, including assessment of device trustworthiness.
- Obtain the initial risk assessment for each device and subsequent assessments.
- Determine how the risk assessment results should be integrated into the current audit.
2.2.2 Risk Assessment Governance
Control: The executive sponsor is actively involved in the risk management of mobile devices.
Audit/Assurance Steps:
- Determine if there is evidence of the executive sponsor reviewing the risk assessment for each device program.

2.3 Device Management
Audit/Assurance Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
2.3.1 Device Management Tracking
Control: Mobile devices containing sensitive enterprise data are managed and administered centrally.
Audit/Assurance Steps:
- Determine if there is an asset management process in place for tracking mobile devices.
- Determine the procedures for lost or stolen devices and whether the data stored on these devices can be remotely wiped.
- Determine if locator technology is used to monitor and retrieve lost devices.
- Determine if the device management process is centrally administered. If distributed, determine the procedures to ensure compliance with policies.
- Determine if devices are approved by an authorized manager based on the job function requirements.
- Determine if there are exception approval processes for corporate devices to be managed outside the enterprise management system.
- Determine if foreign mobile devices belonging to external personnel (contractors, individual employees, etc.) are permitted to receive enterprise data.
- Determine what authorizations are required by enterprise management prior to adding the foreign device to the enterprise mobile network.

2.3 Device Management (Cont.)
Audit/Assurance Objective: Mobile devices are managed and secured according to the risk of enterprise data loss.
2.3.2 Device Provisioning/De-provisioning
Control: Mobile devices containing sensitive enterprise data are set up for each user according to their job description and managed as their job function changes or they are terminated.
Audit/Assurance Steps:
- Determine if there is a process for provisioning and de-provisioning employee smartphones upon hiring, transfer or termination.

2.4 Access Controls
Audit/Assurance Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
2.4.1 Access Control Rules
Control: Access control rules are established for each mobile device type, and the control characteristics address the risk of data loss.
Audit/Assurance Steps:
- Determine the access control rules for each mobile device type.
- Determine if access authentication (single or multilevel) and complexity are appropriate for the device and data classification of the data stored.
- Determine if access control rules and access rights are established for each device by job function and applications installed.
- Determine if mobile devices containing network, infrared or Bluetooth technology have sharing configured according to policy, based on the classification of data stored or in transit to the device.
- Determine if access can be administered and disabled centrally.
- Determine if mobile devices having storage have restrictions as to the applications that can be installed and the data content that can be stored on the devices.
- Determine if centrally controlled processes restrict data synchronization to mobile devices.
- Determine if mobile devices require disabling of USB, infrared, eSATA or FireWire ports according to the data classification policy.

2.5 Stored Data
Audit/Assurance Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
2.5.1 Encryption Protects Sensitive Data
Control: Encryption technology protects enterprise data on mobile devices and is administered centrally to prevent the loss of information due to bypassing encryption procedures or loss of data due to misplaced encryption keys.
Audit/Assurance Steps:
- Determine if encryption technology has been applied to the devices based on the data classification of data at rest or in transit to and from the mobile device.
- If encryption is required, determine that it is appropriate for the device and data sensitivity and that it cannot be disabled.
- Determine if the encryption keys are secured and administered centrally.

2.5 Stored Data (Cont.)
Audit/Assurance Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
2.5.2 Data Transfer
Control: Data transfer policies are established that define the types of data that may be transferred to mobile devices and the access controls required to protect sensitive data.
Audit/Assurance Steps:
- Determine if policies and access control rules are established that define the data that are permitted to be transferred to mobile devices by device type and the required access controls to protect the data.
- Determine if there are monitoring procedures in effect to assure only authorized data may be transferred and if the required access controls are in effect.

2.5 Stored Data (Cont.)
Audit/Assurance Objective: Access control is assigned to and managed for mobile security devices according to their risk of enterprise data loss.
2.5.3 Data Retention
Control: Data retention policies are defined for mobile devices and are monitored and aligned with enterprise data retention policies, and data retention is executed according to policy.
Audit/Assurance Steps:
- Determine if a data retention policy exists for applicable mobile devices.
- Determine if data is destroyed according to policy once the retention period has expired.
- Determine if retention processes are monitored and enforced.

2.6 Malware Avoidance
Audit/Assurance Objective: Mobile computing will not be disrupted by malware nor will mobile devices introduce malware into the enterprise.
2.6.1 Malware Technology
Control: Malware prevention software has been implemented according to device risk.
Audit/Assurance Steps:
- Determine, as appropriate, that mobile devices are equipped with malware technology.
- Determine that malware technology cannot be disabled, definition files are updated regularly, all disc drives are routinely scanned, and compliance with malware detection is centrally monitored and managed.

2.7 Secure Transmission
Audit/Assurance Objective: Sensitive enterprise data are protected from unauthorized access during transmission.
2.7.1 Secure Connections
Control: Virtual private network (VPN), Internet Protocol Security (IPSec), and other secure transmission technologies are implemented for devices receiving and/or transmitting sensitive enterprise data.
Audit/Assurance Steps:
- Determine if secure connections are required for specific mobile devices based on the data classification policy and the data stored or transmitted to and from the mobile device.
- Determine if controls are in place to require use of the secure transmission.

2.8 Awareness Training
Audit/Assurance Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
2.8.1 Mobile Computing Awareness Training
Control: Mobile computing awareness training is ongoing and is based on the sensitive nature of the mobile computing devices assigned to the employee or contractor.
Audit/Assurance Steps:
- Determine if mobile security awareness training programs exist.
- Determine if the mobile security topics within the awareness training are customized for the risks and policies associated with the specific device and its security components.
- Determine if the training programs are revised to reflect current technologies and enterprise policies.
- Determine if policies and practices require security awareness training before receiving the device.
- Determine if participation in the mobile awareness training is documented, monitored and reviewed.

2.8 Awareness Training (Cont.)
Audit/Assurance Objective: Employees and contractors utilizing enterprise equipment or receiving or transmitting enterprise sensitive information receive initial and ongoing training relevant to the technology assigned to them.
2.8.2 Mobile Computing Awareness Governance
Control: Mobile computing awareness includes processes for management feedback to understand the usage and risks identified by device users.
Audit/Assurance Steps:
- Determine if awareness programs address accountability, responsibility and communication with device users through feedback to management.

Additional Considerations
As organizations move beyond basic Email/Calendar integration with mobile devices and into more customized and complex applications, the risk profile goes beyond just the mobile device itself:
- Depending on how your organization utilizes mobile devices, you may need to look at the entire Mobility Ecosystem, including MEAP applications
- If your organization has custom application development, you may also need to include a review of controls around the Systems Development Lifecycle related to Mobile Application Development
- For example, a custom application for Time and Expense reporting that utilizes SAP Sybase MEAP to integrate an iPhone based T&E app into your back end SAP system

Additional Resources
- ISACA Mobile Computing Security Audit/Assurance Program (Oct 2010)
  http://www.isaca.org/knowledge-center/itaf-it-assurance-audit-/audit-Programs/Documents/Mobile-Computing-Security-Audit-Prgm-21Oct2010-Research.doc
- ISACA Securing Mobile Devices White Paper
  http://www.isaca.org/knowledge-center/research/documents/securemobiledevices-wht-Paper-20July2010-Research.pdf
- ISACA eSymposium: BYOD Opportunities and Risks, Securing Mobile Devices and Remote Access Technology in your Enterprise
  http://www.isaca.org/education/online-learning/pages/esymposium-byod-opportunitiesand-risks.aspx
- NIST Special Publication 800-124: Guidelines on Cell Phone and PDA Security
  http://csrc.nist.gov/publications/nistpubs/800-124/sp800-124.pdf

Recap: Session Objectives
Define mobile devices and the mobility ecosystem:
- Devices: Laptops/netbooks, smartphones, tablets, PDAs, USB devices, digital cameras, RFID devices, IrDA devices
- Ecosystem: Mobile device, Networks, Data Communication and Actors
Provide an overview of mobility risks and challenges:
- The greatest benefit of mobile devices also increases their threat/risk profile: their size and portability and available wireless interfaces and associated services
Walk through a mobile computing security audit/assurance program:
- The ISACA Mobile Computing Security Audit/Assurance Program is a good starting point in building a mobile computing audit plan

Q&A

For More Information
Dan Kinsella, Partner, Deloitte & Touche LLP, dkinsella@deloitte.com, 402-997-7851
Alex Stamps, Manager, Deloitte & Touche LLP, astamps@deloitte.com, 402-541-4130

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited