A framework for auditing mobile devices - Baker framework for auditing mobile devices . Learning objectives ˃ Understand different approaches for managing mobile devices including centralized, ...

  • Published on
    06-Feb-2018

  • View
    217

  • Download
    3

Transcript

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2010 Baker Tilly Virchow Krause, LLP A framework for auditing mobile devices Learning objectives Understand different approaches for managing mobile devices including centralized, decentralized, and BYOD management Identify the impacts of mobile devices at organization Critically analyze mobile device risks using a framework focused on people, devices, applications/websites, and data Define key mobile device controls to incorporate into audit work plans 2 Contents Define mobile & BYOD Impacts of mobile devices at organizations Risks and internal audit considerations Key mobile device management controls A framework for mobile device auditing Examples of environment Resources Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP Define mobile & BYOD 4 Why do we care? Mobile is here, no going back to being tethered to a desk Mobile allows great productivity and flexibility to achieve organizational objectives Mobile employees are happier (so they say) Mobile can save money (maybe?) Why is mobile the future? A Cisco study says in 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices, up from 2.8 in 2012 Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes What is a mobile device? NIST (SP 800-124) characteristics: Small form factor Wireless network interface for internet access Local built-in (non-removable) data storage Operating system that is not a full-fledged desktop/laptop operating system Apps available through multiple methods Built-in features for synchronizing local data What is a mobile device? NIST optional characteristics: Wireless personal area network interfaces (e.g., Bluetooth, near-field communications) Cellular network interfaces GPS Digital camera Microphone Support for removable media Support for using the device itself as removable storage What is a mobile device? Any easily portable technology that allows for the storage and transmittal of your organizations data Examples: Phones Tablets Laptops External hard drives (e.g., USB thumb drives) Cameras (e.g., point and shoot) Logistics devices (e.g., GPS Tracking devices, RFID) eReaders Digital music players (e.g., iPods) Medical devices (e.g., pacemakers) Smartwatches and glasses What is BYOD? Bring Your Own Device Supported by organization systems and applications that allow multiple type of devices to access those services Powered by the internet BYOD pros & cons Pros: Reduced upfront costs Employee satisfaction Potentially greater functionality for users Cons: Unmanaged devices with your organizations data Mingling of personal and organizational data Managing legal requirements (e.g., eDiscovery) BYOD in the EnterpriseA Holistic Approach, ISACA JOURNAL, Volume 1, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP Risks and internal audit considerations 13 Major security concerns (NIST) Lack of physical security controls Use of untrusted mobile devices Use of untrusted networks Use of apps created by unknown parties Interaction with other systems Use of untrusted content Use of location services What are the mobile device risks? NIST characteristics Illustrative risks Small form factor Loss or theft of data Wireless network interface for internet access Exposure to untrusted and unsecured networks Local built-in (non-removable) data storage Loss or theft of data Operating system that is not a full-fledged desktop/laptop operating system Reduced technical controls Apps available through multiple methods Exposure to untrusted and malicious apps Built-in features for synchronizing local data Interactions with other untrusted and unsecured systems What are the mobile device risks? NIST characteristics Illustrative risks Wireless personal area network interfaces (e.g., Bluetooth, near-field communications) Exposure to untrusted and unsecured networks Cellular network interfaces Exposure to untrusted and unsecured networks GPS Exposure of private information Digital camera Exposure of private information Microphone Exposure of private information Support for removable media Loss or theft of data Support for using the device itself as removable storage Interactions with other untrusted and unsecured systems IA considerations scoping Does your organization have a mobile device strategy, including: Alignment with organizational strategy/objectives Risk assessment(s) for mobility Definition of devices Policies governing the use of devices (with penalties) Security standards based on data IA considerations scoping (cont.) Who owns these devices, organization or employee? Who is responsible for managing and securing the devices? Incident response procedures Antivirus / antimalware software Who is paying for devices and service plans? Does that change responsibilities? What are the legal and regulatory requirements for your organization and the jurisdictions you operate in? Identifying owners and stakeholders Who is your client? Who are the stakeholders? General Counsel Chief Information Officer Chief Information Security Officer Chief Operations Officer Chief Compliance Officer Chief Privacy Officer Chief Risk Officer Other functions with a stake in privacy and security (e.g., human resources, sales) Understanding the organization Mission and objectives Organization and responsibilities Customers Types of data Exchanges of data Interdepartmental Third parties Interstate or international Data collection, usage, retention, and disclosure Systems (e.g., websites, apps) Assessing risk Leveraging managements risk assessments Consultation with legal counsel Regulatory risk Legal/contractual risk Industry self-regulatory initiatives Constituency relations and perceptions Public relations Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP Wheres the GRC? 22 Old model Protect everything in my office network with physical and logical controls over access Then we added laptops and pushed the network out of the office using VPNs That doesnt work any more with phones and tablets, especially when they are owned by the employee Framework benefits Flexible audit all at once or in parts Adaptable scope it how you want it Inclusive make use of other standards/frameworks (e.g., COBIT, ISO 27002, NIST) ISACAs Bring Your Own Device (BYOD) Security Audit/Assurance Program Mobile device framework Data Websites & Apps Devices People Mobile device framework Data Websites & apps Devices People Mobile device framework data Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements. Examples: Messages (e.g., emails, text messages, instant messages) Voice Pictures Files (e.g., attachments) Hidden (e.g., GPS) Building the framework data types DATA Data Data Data Data Data WEB & APPS PEOPLE DEVICES Baker Tilly Virchow Krause, LLP Mobile device framework data Classification tiers Data owners/stewards Data inventory Mobile device framework data audit considerations Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data. Review the data classification security policy to ensure specificity to the various types of data, based on sensitivity. Use/create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward. Mobile device framework data audit considerations Determine if authentication and security requirements or restrictions are or should be established for each data type Determine if Legal Hold requirements are documented and align with data classification and then mobile device security Building the framework data: classification Baker Tilly Virchow Krause, LLP DATA Data Data Data Data Data WEB & APPS PEOPLE DEVICES Confidential Restricted Internal Use Public Data audit considerations from ISACAs work program 8.1.2 Data Access 8.1.4 Encryption and Data Protection Mobile device framework websites & apps Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data. Mobile device framework websites & apps examples Types Business Personal Websites/portals Outlook web access Business intranet Google Yahoo ESPN Cloud services Google services Salesforce.com Microsoft Office 365 Gmail Flickr Facebook App stores Apple app store Google marketplace Amazon app store Custom corporate stores Apple app store Google marketplace Amazon app store Custom built apps & sites Business specific Entertainment Hacking/malicious Virtual desktop environments/remote desktop tools Citrix VMware GoToMyPC VNC Building the framework web & apps Baker Tilly Virchow Krause, LLP DATA Data Data Data Data Data WEB & APPS PEOPLE DEVICES App Web App Web App Confidential Restricted Internal Use Public Mobile device framework web/apps audit considerations Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data. Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions). Building the framework web & apps Confidential Restricted Internal Use Public DATA Data Data Data Data Data WEB & APPS App Web App Web App PEOPLE DEVICES Baker Tilly Virchow Krause, LLP Web/App audit considerations from ISACAs work program 8.1.6 Malware Protection 9.1.3 Secure Software Distribution Mobile device framework devices Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products. Mobile device framework devices Managed vs. unmanaged Business vs. employee owned Mobile device framework devices Encryption Data transfers (e.g., sending and syncing) Logical security (e.g., linkage to HR, passwords, access management) Physical security Network architecture (e.g., configuration, monitoring) Mobile device management (***more later) Mobile device framework devices audit considerations Determine the types of mobiles devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data. Ensure that both organization managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls. Building the framework devices Confidential Restricted Internal Use Public DATA Data Data Data Data Data WEB & APPS App Web App Web App PEOPLE DEVICES Phone Tablet Laptop Baker Tilly Virchow Krause, LLP Device audit considerations from ISACAs work program 8.1.1 Device Access Restrictions 8.1.3 Explicit Permission to Wipe Data 8.1.4 Encryption and Data Protection 8.1.5 Remote Access 8.2.1 Network Access Device audit considerations from ISACAs work program 9.1.1 Mobile Device Management (MDM) is Deployed 9.1.2 Central Management of BYOD Devices 9.1.4 Monitoring of BYOD Usage 9.1.5 Interfaces to Other Systems 9.1.6 Remote Management Mobile device framework people People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and trainings on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data. Mobile device framework people Risk assessment Policies, procedures, standards Training and awareness programs with acknowledged roles and responsibilities Monitoring Mobile device framework people audit considerations Determine if an overarching mobile device security policy exists. Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices. Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data. Mobile device framework people audit considerations Advise departments on creating supplementary mobile device security practices as needed. Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information. Are employees OK with you wiping their device? What happens to personal data on the device? Mobile device framework people audit considerations Labor laws (Exempt vs. Non-exempt, union) Employment contracts OSHA Tax laws (reimbursements for devices, services) Export control laws (travel) Record management laws Fair Credit Reporting Act Local jurisdiction laws (of employees residence) Mobile device framework people employee agreement Eligibility Applicable company policies Data storage and backup Data and device management Legal hold notice Hardware support (theft, loss, damage) Software support Travel and physical security Mobile device framework people employee training Define BYOD/MDM for your organization Onboarding device process Roles/responsibilities Expense reimbursements/stipends Security policies Data ownership policies Practical app use with organization data Tech support From Techrepublic.com Building the framework people Practices Confidential Restricted Internal Use Public DATA Data Data Data Data Data WEB & APPS App Web App Web App PEOPLE Policy Agreement Procedures Practices Risk Assessment DEVICES Phone Tablet Laptop Baker Tilly Virchow Krause, LLP People audit considerations from ISACAs work program 2.1.1 BYOD Initial Risk Assessment 2.1.2 BYOD Ongoing Risk Assessment 3.1.1 Employee BYOD Agreement 3.1.2 Mobile Acceptable Use Policy (MAUP) 3.1.3 Human Resources (HR) Support for BYOD 3.1.4 Contractors 3.2.1 Exemptions from BYOD policies People audit considerations from ISACAs work program 4.1.1 Legal Involvement in BYOD Policies and Procedures 4.1.2 Legal Hold 5.1.1 Help Desk 6.1.1 Policy Approval 6.1.2 Monitoring BYOD Execution 7.1.1 Initial Training 7.1.2 Security and Awareness Training What is mobile device management? Process for managing mobile devices, including policies, procedures, training, and systems and Industry term for software tools used to centrally administer mobile devices, specifically for security purposes Types of mobile device management processes (Gartner) Control-oriented Choice-oriented Innovation-oriented Hands-off What do MDM tools do? (Gartner) Software management Network service management Hardware management Security management **Focus of these tools is phones and tablets; some support laptops, but other device types are not typically supported MDM tools market (Gartner) MDM tools market estimated $784 million market About 128 or more firms in the market MDM tools projected to be $1.6-billion market by 2014 Market penetration estimated at less than 30 percent MDM tools prices (Gartner) Three years ago = $60 to $150 per device Today = under $30 per device Traditional endpoint protection = $10 to $15 per seat Mobile device management and the framework Cuts across all four parts of the framework Data some ability to restrict access Websites & apps blacklisting, whitelisting, deployment Devices implement system controls People use of MDM must align with policies (especially HR and legal areas) Key features of MDM tools Centralize device management through policy and configuration management Control both corporate owned and personally owned devices SaaS and on-premises delivery models Key features of MDM tools Still require thorough testing: Connectivity Protection Authentication Application functionality Logging Performance management Two main flavors of MDM tools Messaging server based (e.g., Microsoft Exchange) Limited control enforcement Limited support for devices Third party provided (e.g., Airwatch, Mobileiron, Good) Additional costs and licenses required Another application to support and manage When would you use MDM? BYOD Data encryption Multiple device operating systems Security breach impact Existing end point tools dont work for mobile devices MDM audit considerations from ISACAs work program (9.1.2) A secure portal for BYOD users to enroll and provision their devices Centralized security policy enforcement Remotely lock and wipe data and installed apps Inventory devices, operating systems (OSs), patch levels, organization and third-party apps, and revision levels Distribution whitelists and blacklists MDM audit considerations from ISACAs work program Permission-based access controls for access to the organizations networks and data Selective wipe and privacy policies for organization apps and data, i.e., sandboxing Distribution and management of digital certificates (to encrypt and digitally sign emails and sensitive documents) Role-based access groups with fine-grained access control policies and enforcement Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes MDM audit considerations from ISACAs work program Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an automatic OS update may cause critical apps to fail Secure logs and audit trails of all sensitive BYOD activities Capability to locate and map lost phones for recovery Backup and restore BYOD device data Remove or install profiles based on geographic location, to ensure compliance with relevant foreign legislation, e.g., data privacy and security MDM audit considerations from ISACAs work program When BYOD devices attempt to connect to the organizations networks, the MDM system automatically checks: Patch levels for OSs and apps Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc. Device is not jailbroken (Apple) or rooted (Android) Presence of unapproved devices (if any) Presence of blacklisted apps If any of the above login checks fail, the MDM can automatically update the device concerned (e.g., patch levels) or disallow access. MDM audit considerations from ISACAs work program Dont forget to the secure the MDM system itself 9.2.1 MDM Application Security Building the framework complete MDM MDM Practices Confidential Restricted Internal Use Public DATA Data Data Data Data Data WEB & APPS App Web App Web App PEOPLE Policy Agreement Procedures Practices Risk Assessment DEVICES Phone Tablet Laptop Baker Tilly Virchow Krause, LLP Major security concerns (NIST) mapped to framework area Security Concern Data Websites & Apps Devices People Physical security controls X X Untrusted mobile devices X X Untrusted networks X X Untrusted apps X X X Interaction with other systems X X X X Untrusted content X X X Location services X X X X Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP Examples of environments 74 Example no BYOD MDM MDM - Process & Technology Practices Confidential Restricted Internal Use Public DATA HR IF Customer Other WEB & APPS HR Financial CRM Web Email PEOPLE Policy Agreement Procedures Training Risk Assessment DEVICES Phone Tablet Laptop Baker Tilly Virchow Krause, LLP Example mixed devices, controls by type Practices Internal Use Public Confidential Restricted Internal Use Public PEOPLE Confidential Restricted Internal Use Public DEVICES MDM MDM - Tech Practices DATA Customer Employee Trade Secrets Marketing WEB & APPS CRM Custom Built Ops HR/FIN Web Email Policy Agreement Procedures Training Risk Assessment Phone Tablet Laptop Phone Tablet Baker Tilly Virchow Krause, LLP Example owned & BYOD with controls Baker Tilly Virchow Krause, LLP MDM Practices Confidential Restricted Public Public Confidential Restricted Public PEOPLE Confidential Restricted BYOD OWNED MDM MDM - Tech Practices DATA Customer Employee Other WEB & APPS HR FIN Document Management Email Policy Agreement Procedures Training Risk Assessment Phone Tablet Phone Tablet MDM - Tech Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International 2010 Baker Tilly Virchow Krause, LLP Resources 78 Resources BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results, January 2012 Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012 Gartner, Magic Quadrant for Mobile Device Management, May 2012 Gartner, Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles, November 2011 Resources National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise, July 2012 National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011 Resources BYOD audit/assurance program www.isaca.org/auditprograms Securing mobile devices using COBIT 5 for information security www.isaca.org/Securing-Mobile-Devices

Recommended

View more >