Bring Your Own Device: A Framework for Audit
March 6, 2013

Webinar Moderator: Phil Hurd, ACUA President

Your Presenters
Mike Cullen, Senior Manager, CISA, CISSP, CIPP/US
> Leads the firm's Technology Risk Services team in Washington, DC, focused on IT risk consulting and internal auditing.
> Performs IT risk assessments and audits, has developed information privacy and security programs, performed ethical hacking of IT systems, and conducted digital forensic investigations.
> Presents to a variety of audiences, including ACUA, various IIA chapters and regional conferences, and multiple universities.

Your Presenters
Stephanie Marino, Manager, CISA, CIA
> Performs IT process improvement reviews, risk assessments, and IT audits for higher education and research institutions.
> Uses industry best-practice standards to assess internal control effectiveness around information privacy and security, IT governance, IT general controls, network and IT infrastructure management, and regulatory compliance.
> Actively involved in training, seminars, and thought leadership initiatives with ACUA, IIA, and ISACA.

Contents/Agenda
> Define Mobile & BYOD
> Risks and Internal Audit Considerations
> A Framework for Mobile Device Auditing
> Resources

Objectives
> Give an overview of the technologies that make mobile possible
> Provide an overview of certain mobile risks
> Describe a framework that can be adopted to help companies address the risks of mobile technologies and used to perform audits

Polling Question #1
Who do you blame for our new mobile life (e.g., people answering the phone in public restrooms)?
A. Star Trek (or any science fiction)
B. Martin Cooper (the Motorola engineer who invented the cell phone)
C. Steve Jobs
D. The Internet
Define Mobile & BYOD

Why do we care?
> Mobile is here; there is no going back to being tethered to a desk
> Mobile allows great productivity and flexibility to achieve institutional objectives
> Mobile employees are happier (so they say)
> Mobile can save money (maybe?)

Why do we care?
> Consumerization of technology is not a fad; the benefits outweigh the costs
> eMarketer estimates 115.8 million smartphone users in the US by the end of 2012
> Gartner estimates 118.9 million tablet sales worldwide in 2012
> Gartner estimates that 31 billion apps will be downloaded in 2012

What is a mobile device?
NIST (SP 800-124) characteristics:
> Small form factor
> Wireless network interface for Internet access
> Local built-in (non-removable) data storage
> Operating system that is not a full-fledged desktop/laptop operating system
> Apps available through multiple methods
> Built-in features for synchronizing local data

What is a mobile device?
NIST optional characteristics:
> Wireless personal area network interfaces (e.g., Bluetooth, near-field communications)
> Cellular network interfaces
> GPS
> Digital camera
> Microphone
> Support for removable media
> Support for using the device itself as removable storage

What is a mobile device?
> Any easily portable technology that allows for the storage and transmittal of your organization's sensitive data
> Examples:
  > Phones
  > Tablets
  > External hard drives (e.g., USB thumb drives)
  > Laptops
  > Cameras (e.g., point and shoot)
  > Logistics devices (e.g., GPS tracking devices, RFID)
  > E-readers
  > Digital music players (e.g., iPods)

What is BYOD?
> Bring Your Own Device
> Higher Ed has been doing this for years
  > Students, of course
  > Faculty, in spite of policies to the contrary
> Supported by organization systems and applications that allow multiple types of devices to access those services
> Powered by the Internet

Polling Question #2
Does your institution have a BYOD program?
A. Yes
B. No
C. Unsure
Risks and Internal Audit Considerations

Major Security Concerns (NIST)
> Lack of physical security controls
> Use of untrusted mobile devices
> Use of untrusted networks
> Use of apps created by unknown parties
> Interaction with other systems
> Use of untrusted content
> Use of location services

What are the mobile device risks?
NIST characteristic: illustrative risk
> Small form factor: loss or theft of data
> Wireless network interface for Internet access: exposure to untrusted and unsecured networks
> Local built-in (non-removable) data storage: loss or theft of data
> Operating system that is not a full-fledged desktop/laptop operating system: reduced technical controls
> Apps available through multiple methods: exposure to untrusted and malicious apps
> Built-in features for synchronizing local data: interactions with other untrusted and unsecured systems

What are the mobile device risks?
NIST characteristic: illustrative risk
> Wireless personal area network interfaces (e.g., Bluetooth, near-field communications): exposure to untrusted and unsecured networks
> Cellular network interfaces: exposure to untrusted and unsecured networks
> GPS: exposure of private information
> Digital camera: exposure of private information
> Microphone: exposure of private information
> Support for removable media: loss or theft of data
> Support for using the device itself as removable storage: interactions with other untrusted and unsecured systems

IA Considerations: Scoping
> Does your organization have a mobile device strategy, including:
  > Alignment with institutional strategy/objectives
  > Risk assessment(s) for mobility
  > Definition of devices
  > Policies governing the use of devices (with penalties)
  > Security standards based on data

IA Considerations: Scoping (cont.)
> Who owns these devices, the organization or the employee?
> Who is responsible for managing and securing the devices?
> Incident response procedures
> Who is paying for devices and service plans? Does that change responsibilities?
> What are the legal and regulatory requirements for your organization and the jurisdictions you operate in?

Identifying Owners and Stakeholders
> Who is your client?
> Who are the stakeholders?
  > General Counsel
  > Chief Information Officer
  > Chief Information Security Officer
  > Chief Operations Officer
  > Chief Compliance Officer
  > Chief Privacy Officer
  > Chief Risk Officer
  > Other functions with a stake in privacy and security (e.g., human resources, sales)

Understanding the Institution
> Mission and objectives
> Organization and responsibilities
> Customers
> Types of data
> Exchanges of data
  > Interdepartmental
  > Third parties
  > Interstate or international
> Data collection, usage, retention, and disclosure
> Systems (e.g., websites, apps)

Assessing Risk
> Leveraging management's risk assessments
> Consultation with legal counsel
> Regulatory risk
> Legal/contractual risk
> Industry self-regulatory initiatives
> Constituency relations and perceptions
> Public relations

Polling Question #3
Has your institution completed any mobile device audits/reviews?
A. Yes
B. No
C. Not yet, but planning to in 2013
A Framework for Mobile Device Auditing

Mobile Device Framework
Four areas: Data, Websites & Apps, Devices, People

Mobile Device Framework: Data
> Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements.
> Examples:
  > Messages (e.g., emails, text messages, instant messages)
  > Voice
  > Pictures
  > Files (e.g., attachments)
  > Hidden (e.g., GPS)

Mobile Device Framework: Data
> Classification tiers
> Data owners
> Data stewards
> Authentication & security requirements

Mobile Device Framework: Data (IA Considerations)
> Determine the types of data that can be accessed or stored on mobile devices. Assess the restrictions in place to safeguard that data.
> Review the Data Classification Security Policy to ensure it is specific to the various types of data, based on sensitivity.
> Create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward.

Mobile Device Framework: Websites & Apps
> Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.

Mobile Device Framework: Websites & Apps (Examples)
Types: Websites/Portals, Apps, Cloud Services, App Stores, Virtual Desktop Environments
Institution examples:
> Websites/Portals: Email, Intranet/Portal, Financial and HR Systems, Student Information System, Learning Management System
> Apps: Learning Management System, Financial and HR Systems
> Cloud Services: Google Services, Salesforce.com, Microsoft Office 365
> App Stores: Apple App Store, Google marketplace, Amazon App Store, Custom Corporate Stores
> Virtual Desktop Environments: Citrix, VMware
Personal examples:
> Websites/Portals: Google, Yahoo, ESPN
> Apps and Cloud Services: Angry Birds, Instagram, Gmail, Flickr, Facebook
> App Stores: Apple App Store, Google marketplace, Amazon App Store
> Virtual Desktop Environments: GoToMyPC, VNC

Mobile Device Framework: Websites & Apps (IA Considerations)
> Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data.
> Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions).

Mobile Device Framework: Devices
> Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.

Mobile Device Framework: Devices
> Managed vs. unmanaged
> Institution vs. employee owned

Mobile Device Framework: Devices
> Encryption
> Data transfers (e.g., sending and syncing)
> Logical security (e.g., linkage to HR, passwords, access management)
> Physical security
> Network architecture (e.g., configuration, monitoring)
> Mobile Device Management

Mobile Device Framework: Devices (IA Considerations)
> Determine the types of mobile devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data.
> Ensure that both organization-managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls.

Mobile Device Framework: People
> People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and training on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.

Mobile Device Framework: People
> Organization-wide mobile device policy
> Mobile device practices
> Knowledge, skills, and abilities
> Training and awareness programs
> Acknowledged roles and responsibilities
> Risk assessments
> Policies and procedures
> Process maturity
> Monitoring
> Communication

Mobile Device Framework: People (IA Considerations)
> Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data.
> Determine if an overarching Mobile Device Security Policy exists.
> Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices.
> Advise departments on creating supplementary mobile device security practices as needed.
> Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information.

Mobile Device Framework: Sample
[Diagram: data classification tiers (Confidential, Restricted, Internal Use, Public) mapped across the framework areas Web & Apps, Devices (Institution Owned Devices, Personally Owned Devices) and People (Institution Owned Device Practices & Mobile Device Management, Personally Owned Device Practices).]

Polling Question #4
What area of the mobile device framework will be the most challenging to audit/review at your institution?
A. Data
B. Websites & Applications
C. Devices
D. People (e.g., policies)
Resources

ISACA Mobile Computing Security Audit/Assurance Program
What is it?
> Work program to execute a controls review of mobile computing
> Focused in two areas: planning and scoping, and security
> Also includes a framework for control maturity assessment
How to use it?
> Use as a base work program to conduct a controls review of your mobile device environment
Challenges to IA
> Access to data: how to audit personal devices
> More policy controls than technical controls
Publisher
> ISACA (http://www.isaca.org/knowledge-Center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx)

ISO 27001
What is it?
> Requirements for an information security management system
> PDCA process-based model: Establish, Implement, Monitor, Improve
> It aims toward the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved
> Management standard, so organizations can be certified
How to use it?
> Understand the process requirements contained within the standard and map them to your organization's requirements for incident management
Challenges to IA
> It doesn't guarantee that a company is secure
> Limited applicability to application changes
> Not to be confused with ISO 27002
Publisher
> International Organization for Standardization (http://www.iso.org/iso/home.htm)

Resources
> BankInfoSecurity, "BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results", January 2012
> Digital Services Advisory Group and Federal Chief Information Officers Council, "Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs", August 2012
> Gartner, "Magic Quadrant for Mobile Device Management", May 2012
> Gartner, "Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles", November 2011

Resources
> National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), "Guidelines for Managing and Securing Mobile Devices in the Enterprise", July 2012
> National Institute of Standards and Technology, Special Publication 800-144, "Guidelines on Security and Privacy in Public Cloud Computing", December 2011

Upcoming Webinars
> Joint webinar with URMIA, May 2013: Cyber Auditing
> June 2013: Data Privacy Legislation / Regulatory Update + Cyber Risk

ACUA MidYear Conference
April 7-10, 2013
Renaissance Seattle Hotel, Seattle, Washington
Registration closes March 15. Register TODAY! acua.org

Resources
ACUA
> Promoting Internal Audit: www.acua.org/movie
> Listserv: acua-l@associationlists.com
> Forums: www.acua.org
Baker Tilly
> www.bakertilly.com/acua

Presenter Contact Info
Thank you for participating today! Remember, CPE certificates will be emailed to you by ACUA Headquarters in about three weeks.
Mike Cullen, mike.cullen@bakertilly.com, 703-923-8339
Stephanie Marino, stephanie.marino@bakertilly.com, 703-923-8506

Required disclosure and Circular 230 Prominent Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2012 Baker Tilly Virchow Krause, LLP.