A framework for auditing mobile devices Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2010 Baker Tilly Virchow Krause, LLP
Learning objectives Understand different approaches for managing mobile devices including centralized, decentralized, and BYOD management Identify the impacts of mobile devices at organization Critically analyze mobile device risks using a framework focused on people, devices, applications/websites, and data Define key mobile device controls to incorporate into audit work plans 2
Contents Define mobile & BYOD Impacts of mobile devices at organizations Risks and internal audit considerations Key mobile device management controls A framework for mobile device auditing Examples of environment Resources
Define mobile & BYOD Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP 4
Why do we care? Mobile is here, no going back to being tethered to a desk Mobile allows great productivity and flexibility to achieve organizational objectives Mobile employees are happier (so they say) Mobile can save money (maybe?)
Why is mobile the future? A Cisco study says in 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices, up from 2.8 in 2012 Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes
What is a mobile device? NIST (SP 800-124) characteristics: Small form factor Wireless network interface for internet access Local built-in (non-removable) data storage Operating system that is not a full-fledged desktop/laptop operating system Apps available through multiple methods Built-in features for synchronizing local data
What is a mobile device? NIST optional characteristics: Wireless personal area network interfaces (e.g., Bluetooth, near-field communications) Cellular network interfaces GPS Digital camera Microphone Support for removable media Support for using the device itself as removable storage
What is a mobile device? Any easily portable technology that allows for the storage and transmittal of your organization s data Examples: Phones Tablets Laptops External hard drives (e.g., USB thumb drives) Cameras (e.g., point and shoot) Logistics devices (e.g., GPS Tracking devices, RFID) ereaders Digital music players (e.g., ipods) Medical devices (e.g., pacemakers) Smartwatches and glasses
What is BYOD? Bring Your Own Device Supported by organization systems and applications that allow multiple type of devices to access those services Powered by the internet
BYOD pros & cons Pros: Reduced upfront costs Employee satisfaction Potentially greater functionality for users Cons: Unmanaged devices with your organization s data Mingling of personal and organizational data Managing legal requirements (e.g., ediscovery)
BYOD in the Enterprise A Holistic Approach, ISACA JOURNAL, Volume 1, 2013
Risks and internal audit considerations Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP 13
Major security concerns (NIST) Lack of physical security controls Use of untrusted mobile devices Use of untrusted networks Use of apps created by unknown parties Interaction with other systems Use of untrusted content Use of location services
What are the mobile device risks? NIST characteristics Small form factor Wireless network interface for internet access Local built-in (non-removable) data storage Operating system that is not a fullfledged desktop/laptop operating system Apps available through multiple methods Built-in features for synchronizing local data Illustrative risks Loss or theft of data Exposure to untrusted and unsecured networks Loss or theft of data Reduced technical controls Exposure to untrusted and malicious apps Interactions with other untrusted and unsecured systems
What are the mobile device risks? NIST characteristics Wireless personal area network interfaces (e.g., Bluetooth, near-field communications) Cellular network interfaces GPS Digital camera Microphone Support for removable media Support for using the device itself as removable storage Illustrative risks Exposure to untrusted and unsecured networks Exposure to untrusted and unsecured networks Exposure of private information Exposure of private information Exposure of private information Loss or theft of data Interactions with other untrusted and unsecured systems
IA considerations scoping Does your organization have a mobile device strategy, including: Alignment with organizational strategy/objectives Risk assessment(s) for mobility Definition of devices Policies governing the use of devices (with penalties) Security standards based on data
IA considerations scoping (cont.) Who owns these devices, organization or employee? Who is responsible for managing and securing the devices? Incident response procedures Antivirus / antimalware software Who is paying for devices and service plans? Does that change responsibilities? What are the legal and regulatory requirements for your organization and the jurisdictions you operate in?
Identifying owners and stakeholders Who is your client? Who are the stakeholders? General Counsel Chief Information Officer Chief Information Security Officer Chief Operations Officer Chief Compliance Officer Chief Privacy Officer Chief Risk Officer Other functions with a stake in privacy and security (e.g., human resources, sales)
Understanding the organization Mission and objectives Organization and responsibilities Customers Types of data Exchanges of data Interdepartmental Third parties Interstate or international Data collection, usage, retention, and disclosure Systems (e.g., websites, apps)
Assessing risk Leveraging management s risk assessments Consultation with legal counsel Regulatory risk Legal/contractual risk Industry self-regulatory initiatives Constituency relations and perceptions Public relations
Where s the GRC? Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP 22
Old model Protect everything in my office network with physical and logical controls over access Then we added laptops and pushed the network out of the office using VPNs That doesn t work any more with phones and tablets, especially when they are owned by the employee
Framework benefits Flexible audit all at once or in parts Adaptable scope it how you want it Inclusive make use of other standards/frameworks (e.g., COBIT, ISO 27002, NIST) ISACA s Bring Your Own Device (BYOD) Security Audit/Assurance Program
Mobile device framework Data Websites & Apps Devices People
Mobile device framework Data Websites & apps Devices People
Mobile device framework data Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements. Examples: Messages (e.g., emails, text messages, instant messages) Voice Pictures Files (e.g., attachments) Hidden (e.g., GPS)
Building the framework data types DATA WEB & APPS DEVICES PEOPLE Data Data Data Data Data Baker Tilly Virchow Krause, LLP
Mobile device framework data Classification tiers Data owners/stewards Data inventory
Mobile device framework data audit considerations Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data. Review the data classification security policy to ensure specificity to the various types of data, based on sensitivity. Use/create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward.
Mobile device framework data audit considerations Determine if authentication and security requirements or restrictions are or should be established for each data type Determine if Legal Hold requirements are documented and align with data classification and then mobile device security
Building the framework data: classification DATA WEB & APPS DEVICES PEOPLE Data Confidential Data Restricted Data Data Internal Use Data Public Baker Tilly Virchow Krause, LLP
Data audit considerations from ISACA s work program 8.1.2 Data Access 8.1.4 Encryption and Data Protection
Mobile device framework websites & apps Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.
Mobile device framework websites & apps examples Types Business Personal Websites/portals Cloud services App stores Custom built apps & sites Virtual desktop environments/remote desktop tools Outlook web access Business intranet Google services Salesforce.com Microsoft Office 365 Apple app store Google marketplace Amazon app store Custom corporate stores Business specific Citrix VMware Google Yahoo ESPN Gmail Flickr Facebook Apple app store Google marketplace Amazon app store Entertainment Hacking/malicious GoToMyPC VNC
Building the framework web & apps DATA WEB & APPS DEVICES PEOPLE Data Confidential App Data Restricted Web Data Data Data Internal Use Public App Web App Baker Tilly Virchow Krause, LLP
Mobile device framework web/apps audit considerations Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data. Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions).
Building the framework web & apps DATA WEB & APPS DEVICES PEOPLE Data Data Data Data Data Confidential Restricted Internal Use Public App Web App Web App Baker Tilly Virchow Krause, LLP
Web/App audit considerations from ISACA s work program 8.1.6 Malware Protection 9.1.3 Secure Software Distribution
Mobile device framework devices Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.
Mobile device framework devices Managed vs. unmanaged Business vs. employee owned
Mobile device framework devices Encryption Data transfers (e.g., sending and syncing) Logical security (e.g., linkage to HR, passwords, access management) Physical security Network architecture (e.g., configuration, monitoring) Mobile device management (***more later)
Mobile device framework devices audit considerations Determine the types of mobiles devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data. Ensure that both organization managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls.
Building the framework devices DATA WEB & APPS DEVICES PEOPLE Data App Phone Confidential Data Web Tablet Restricted Data App Laptop Internal Use Data Web Public Data App Baker Tilly Virchow Krause, LLP
Device audit considerations from ISACA s work program 8.1.1 Device Access Restrictions 8.1.3 Explicit Permission to Wipe Data 8.1.4 Encryption and Data Protection 8.1.5 Remote Access 8.2.1 Network Access
Device audit considerations from ISACA s work program 9.1.1 Mobile Device Management (MDM) is Deployed 9.1.2 Central Management of BYOD Devices 9.1.4 Monitoring of BYOD Usage 9.1.5 Interfaces to Other Systems 9.1.6 Remote Management
Mobile device framework people People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and trainings on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.
Mobile device framework people Risk assessment Policies, procedures, standards Training and awareness programs with acknowledged roles and responsibilities Monitoring
Mobile device framework people audit considerations Determine if an overarching mobile device security policy exists. Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices. Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data.
Mobile device framework people audit considerations Advise departments on creating supplementary mobile device security practices as needed. Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information. Are employees OK with you wiping their device? What happens to personal data on the device?
Mobile device framework people audit considerations Labor laws (Exempt vs. Non-exempt, union) Employment contracts OSHA Tax laws (reimbursements for devices, services) Export control laws (travel) Record management laws Fair Credit Reporting Act Local jurisdiction laws (of employee s residence)
Mobile device framework people employee agreement Eligibility Applicable company policies Data storage and backup Data and device management Legal hold notice Hardware support (theft, loss, damage) Software support Travel and physical security
Mobile device framework people employee training Define BYOD/MDM for your organization Onboarding device process Roles/responsibilities Expense reimbursements/stipends Security policies Data ownership policies Practical app use with organization data Tech support From Techrepublic.com
Building the framework people DATA WEB & APPS DEVICES PEOPLE Data App Phone Policy Confidential Data Web Tablet Agreement Restricted Practices Data App Laptop Procedures Internal Use Data Web Practices Data Public App Risk Assessment Baker Tilly Virchow Krause, LLP
People audit considerations from ISACA s work program 2.1.1 BYOD Initial Risk Assessment 2.1.2 BYOD Ongoing Risk Assessment 3.1.1 Employee BYOD Agreement 3.1.2 Mobile Acceptable Use Policy (MAUP) 3.1.3 Human Resources (HR) Support for BYOD 3.1.4 Contractors 3.2.1 Exemptions from BYOD policies
People audit considerations from ISACA s work program 4.1.1 Legal Involvement in BYOD Policies and Procedures 4.1.2 Legal Hold 5.1.1 Help Desk 6.1.1 Policy Approval 6.1.2 Monitoring BYOD Execution 7.1.1 Initial Training 7.1.2 Security and Awareness Training
What is mobile device management? Process for managing mobile devices, including policies, procedures, training, and systems and Industry term for software tools used to centrally administer mobile devices, specifically for security purposes
Types of mobile device management processes (Gartner) Control-oriented Choice-oriented Innovation-oriented Hands-off
What do MDM tools do? (Gartner) Software management Network service management Hardware management Security management **Focus of these tools is phones and tablets; some support laptops, but other device types are not typically supported
MDM tools market (Gartner) MDM tools market estimated $784 million market About 128 or more firms in the market MDM tools projected to be $1.6-billion market by 2014 Market penetration estimated at less than 30 percent
MDM tools prices (Gartner) Three years ago = $60 to $150 per device Today = under $30 per device Traditional endpoint protection = $10 to $15 per seat
Mobile device management and the framework Cuts across all four parts of the framework Data some ability to restrict access Websites & apps blacklisting, whitelisting, deployment Devices implement system controls People use of MDM must align with policies (especially HR and legal areas)
Key features of MDM tools Centralize device management through policy and configuration management Control both corporate owned and personally owned devices SaaS and on-premises delivery models
Key features of MDM tools Still require thorough testing: Connectivity Protection Authentication Application functionality Logging Performance management
Two main flavors of MDM tools Messaging server based (e.g., Microsoft Exchange) Limited control enforcement Limited support for devices Third party provided (e.g., Airwatch, Mobileiron, Good) Additional costs and licenses required Another application to support and manage
When would you use MDM? BYOD Data encryption Multiple device operating systems Security breach impact Existing end point tools don t work for mobile devices
MDM audit considerations from ISACA s work program (9.1.2) A secure portal for BYOD users to enroll and provision their devices Centralized security policy enforcement Remotely lock and wipe data and installed apps Inventory devices, operating systems (OSs), patch levels, organization and third-party apps, and revision levels Distribution whitelists and blacklists
MDM audit considerations from ISACA s work program Permission-based access controls for access to the organization s networks and data Selective wipe and privacy policies for organization apps and data, i.e., sandboxing Distribution and management of digital certificates (to encrypt and digitally sign emails and sensitive documents) Role-based access groups with fine-grained access control policies and enforcement Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes
MDM audit considerations from ISACA s work program Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an automatic OS update may cause critical apps to fail Secure logs and audit trails of all sensitive BYOD activities Capability to locate and map lost phones for recovery Backup and restore BYOD device data Remove or install profiles based on geographic location, to ensure compliance with relevant foreign legislation, e.g., data privacy and security
MDM audit considerations from ISACA s work program When BYOD devices attempt to connect to the organization s networks, the MDM system automatically checks: Patch levels for OSs and apps Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc. Device is not jailbroken (Apple) or rooted (Android) Presence of unapproved devices (if any) Presence of blacklisted apps If any of the above login checks fail, the MDM can automatically update the device concerned (e.g., patch levels) or disallow access.
MDM audit considerations from ISACA s work program Don t forget to the secure the MDM system itself 9.2.1 MDM Application Security
Building the framework complete DATA WEB & APPS DEVICES PEOPLE Data Confidential App Phone Policy Data Web Tablet Agreement Restricted Practices Data App Laptop Procedures Internal Use MDM Data Web Practices Data Public App Risk Assessment MDM Baker Tilly Virchow Krause, LLP
Major security concerns (NIST) mapped to framework area Security Concern Data Websites & Apps Device s People Physical security controls X X Untrusted mobile devices X X Untrusted networks X X Untrusted apps X X X Interaction with other systems X X X X Untrusted content X X X Location services X X X X
Examples of environments Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP 74
Example no BYOD DATA WEB & APPS DEVICES PEOPLE HR HR Phone Policy Confidential IF Financial Tablet Agreement Restricted Practices Customer CRM Laptop Procedures Internal Use MDM Other Web Training Public Email MDM - Process & Technology Risk Assessment Baker Tilly Virchow Krause, LLP
Example mixed devices, controls by type DATA WEB & APPS MDM - Tech DEVICES PEOPLE Customer Confidential CRM Confidential Phone Practices Policy Employee Restricted Custom Built Ops Restricted Internal Use Tablet MDM Agreement Trade Secrets Internal Use HR/FIN Public Laptop Procedures Marketing Public Web Internal Use Phone Practices Training Email Public Tablet Risk Assessment Baker Tilly Virchow Krause, LLP
Example owned & BYOD with controls DATA WEB & APPS MDM - Tech OWNED PEOPLE Customer Confidential HR Confidential Phone Practices Policy Restricted Employee Restricted FIN Public Tablet MDM Agreement Other Public Document Management MDM - Tech BYOD Procedures Email Confidential Phone Practices Training Restricted Public Tablet MDM Risk Assessment Baker Tilly Virchow Krause, LLP
Resources Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP 78
Resources BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results, January 2012 Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012 Gartner, Magic Quadrant for Mobile Device Management, May 2012 Gartner, Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles, November 2011
Resources National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise, July 2012 National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
Resources BYOD audit/assurance program www.isaca.org/auditprograms Securing mobile devices using COBIT 5 for information security www.isaca.org/securing-mobile-devices