A framework for auditing mobile devices - Baker Tilly

  • Published on
    06-Feb-2018


  • Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2010 Baker Tilly Virchow Krause, LLP

    A framework for auditing mobile devices

  • Learning objectives

    Understand different approaches for managing mobile devices, including centralized, decentralized, and BYOD management

    Identify the impacts of mobile devices at organizations

    Critically analyze mobile device risks using a framework focused on people, devices, applications/websites, and data

    Define key mobile device controls to incorporate into audit work plans

  • Contents

    Define mobile & BYOD

    Impacts of mobile devices at organizations

    Risks and internal audit considerations

    Key mobile device management controls

    A framework for mobile device auditing

    Examples of environment

    Resources

  • Define mobile & BYOD

  • Why do we care?

    Mobile is here; there is no going back to being tethered to a desk

    Mobile allows great productivity and flexibility to achieve organizational objectives

    Mobile employees are happier (so they say)

    Mobile can save money (maybe?)

  • Why is mobile the future?

    A Cisco study says that in 2014 the average number of connected devices per knowledge worker will reach 3.3 devices, up from 2.8 in 2012

    Gartner predicts that by 2017, half of employers will require employees to supply their own device for work purposes

  • What is a mobile device?

    NIST (SP 800-124) characteristics:

    Small form factor

    Wireless network interface for internet access

    Local built-in (non-removable) data storage

    Operating system that is not a full-fledged desktop/laptop operating system

    Apps available through multiple methods

    Built-in features for synchronizing local data

  • What is a mobile device?

    NIST optional characteristics:

    Wireless personal area network interfaces (e.g., Bluetooth, near-field communications)

    Cellular network interfaces

    GPS

    Digital camera

    Microphone

    Support for removable media

    Support for using the device itself as removable storage

  • What is a mobile device?

    Any easily portable technology that allows for the storage and transmittal of your organization's data

    Examples:

    Phones

    Tablets

    Laptops

    External hard drives (e.g., USB thumb drives)

    Cameras (e.g., point and shoot)

    Logistics devices (e.g., GPS tracking devices, RFID)

    eReaders

    Digital music players (e.g., iPods)

    Medical devices (e.g., pacemakers)

    Smartwatches and glasses

  • What is BYOD?

    Bring Your Own Device

    Supported by organization systems and applications that allow multiple types of devices to access those services

    Powered by the internet

  • BYOD pros & cons

    Pros:

    Reduced upfront costs

    Employee satisfaction

    Potentially greater functionality for users

    Cons:

    Unmanaged devices with your organization's data

    Mingling of personal and organizational data

    Managing legal requirements (e.g., eDiscovery)

    Source: BYOD in the Enterprise: A Holistic Approach, ISACA Journal, Volume 1, 2013

  • Risks and internal audit considerations

  • Major security concerns (NIST)

    Lack of physical security controls

    Use of untrusted mobile devices

    Use of untrusted networks

    Use of apps created by unknown parties

    Interaction with other systems

    Use of untrusted content

    Use of location services

  • What are the mobile device risks?

    NIST characteristic: Illustrative risk

    Small form factor: Loss or theft of data

    Wireless network interface for internet access: Exposure to untrusted and unsecured networks

    Local built-in (non-removable) data storage: Loss or theft of data

    Operating system that is not a full-fledged desktop/laptop operating system: Reduced technical controls

    Apps available through multiple methods: Exposure to untrusted and malicious apps

    Built-in features for synchronizing local data: Interactions with other untrusted and unsecured systems

  • What are the mobile device risks?

    NIST characteristic: Illustrative risk

    Wireless personal area network interfaces (e.g., Bluetooth, near-field communications): Exposure to untrusted and unsecured networks

    Cellular network interfaces: Exposure to untrusted and unsecured networks

    GPS: Exposure of private information

    Digital camera: Exposure of private information

    Microphone: Exposure of private information

    Support for removable media: Loss or theft of data

    Support for using the device itself as removable storage: Interactions with other untrusted and unsecured systems

  • IA considerations: scoping

    Does your organization have a mobile device strategy, including:

    Alignment with organizational strategy/objectives

    Risk assessment(s) for mobility

    Definition of devices

    Policies governing the use of devices (with penalties)

    Security standards based on data

  • IA considerations: scoping (cont.)

    Who owns these devices, organization or employee?

    Who is responsible for managing and securing the devices?

    Incident response procedures

    Antivirus / antimalware software

    Who is paying for devices and service plans? Does that change responsibilities?

    What are the legal and regulatory requirements for your organization and the jurisdictions you operate in?

  • Identifying owners and stakeholders

    Who is your client?

    Who are the stakeholders?

    General Counsel

    Chief Information Officer

    Chief Information Security Officer

    Chief Operations Officer

    Chief Compliance Officer

    Chief Privacy Officer

    Chief Risk Officer

    Other functions with a stake in privacy and security (e.g., human resources, sales)

  • Understanding the organization

    Mission and objectives

    Organization and responsibilities

    Customers

    Types of data

    Exchanges of data

    Interdepartmental

    Third parties

    Interstate or international

    Data collection, usage, retention, and disclosure

    Systems (e.g., websites, apps)

  • Assessing risk

    Leveraging management's risk assessments

    Consultation with legal counsel

    Regulatory risk

    Legal/contractual risk

    Industry self-regulatory initiatives

    Constituency relations and perceptions

    Public relations

  • Where's the GRC?

  • Old model

    Protect everything in my office network with physical and logical controls over access

    Then we added laptops and pushed the network out of the office using VPNs

    That doesn't work any more with phones and tablets, especially when they are owned by the employee

  • Framework benefits

    Flexible: audit all at once or in parts

    Adaptable: scope it how you want it

    Inclusive: make use of other standards/frameworks (e.g., COBIT, ISO 27002, NIST, ISACA's Bring Your Own Device (BYOD) Security Audit/Assurance Program)


  • Mobile device framework

    Data

    Websites & apps

    Devices

    People

  • Mobile device framework: data

    Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements.

    Examples:

    Messages (e.g., emails, text messages, instant messages)

    Voice

    Pictures

    Files (e.g., attachments)

    Hidden (e.g., GPS)

  • Building the framework: data types

    (Figure: framework grid with columns DATA, WEB & APPS, PEOPLE, DEVICES; the DATA column is populated with five data types, the other columns are not yet filled in)

  • Mobile device framework: data

    Classification tiers

    Data owners/stewards

    Data inventory

  • Mobile device framework: data audit considerations

    Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data.

    Review the data classification security policy to ensure specificity to the various types of data, based on sensitivity.

    Use/create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward.

  • Mobile device framework: data audit considerations

    Determine if authentication and security requirements or restrictions are or should be established for each data type

    Determine if Legal Hold requirements are documented and align with data classification and then mobile device security

  • Building the framework: data classification

    (Figure: framework grid with columns DATA, WEB & APPS, PEOPLE, DEVICES; each of the five data types in the DATA column is now tagged with a classification tier)

    Classification tiers:

    Confidential

    Restricted

    Internal Use

    Public

  • Data audit considerations from ISACA's work program

    8.1.2 Data Access

    8.1.4 Encryption and Data Protection

  • Mobile device framework: websites & apps

    Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.

  • Mobile device framework: websites & apps examples

    Websites/portals
      Business: Outlook web access, Business intranet
      Personal: Google, Yahoo, ESPN

    Cloud services
      Business: Google services, Salesforce.com, Microsoft Office 365
      Personal: Gmail, Flickr, Facebook

    App stores
      Business: Apple app store, Google marketplace, Amazon app store, Custom corporate stores
      Personal: Apple app store, Google marketplace, Amazon app store

    Custom built apps & sites
      Business: Business specific
      Personal: Entertainment, Hacking/malicious

    Virtual desktop environments/remote desktop tools: Citrix, VMware, GoToMyPC, VNC

  • Building the framework: web & apps

    (Figure: framework grid with columns DATA, WEB & APPS, PEOPLE, DEVICES; the WEB & APPS column now maps each classified data type (Confidential, Restricted, Internal Use, Public) to the App or Web access point through which it is reached)

  • Mobile device framework: web/apps audit considerations

    Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data.

    Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions).


  • Web/App audit considerations from ISACA's work program

    8.1.6 Malware Protection

    9.1.3 Secure Software Distribution

  • Mobile device framework: devices

    Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.

  • Mobile device framework: devices

    Managed vs. unmanaged

    Business vs. employee owned

  • Mobile device framework: devices

    Encryption

    Data transfers (e.g., sending and syncing)

    Logical security (e.g., linkage to HR, passwords, access management)

    Physical security

    Network architecture (e.g., configuration, monitoring)

    Mobile device management (more later)

  • Mobile device framework: devices audit considerations

    Determine the types of mobile devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data.

    Ensure that both organization-managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls.

  • Building the framework: devices

    (Figure: framework grid with columns DATA, WEB & APPS, PEOPLE, DEVICES; the DEVICES column is now populated with Phone, Tablet and Laptop alongside the classified data types and their App/Web access points)

  • Device audit considerations from ISACA's work program

    8.1.1 Device Access Restrictions

    8.1.3 Explicit Permission to Wipe Data

    8.1.4 Encryption and Data Protection

    8.1.5 Remote Access

    8.2.1 Network Access

  • Device audit considerations from ISACA's work program

    9.1.1 Mobile Device Management (MDM) is Deployed

    9.1.2 Central Management of BYOD Devices

    9.1.4 Monitoring of BYOD Usage

    9.1.5 Interfaces to Other Systems

    9.1.6 Remote Management

  • Mobile device framework: people

    People (i.e., employees that process data via websites and applications through a variety of devices) require frequent communications and trainings on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.

  • Mobile device framework: people

    Risk assessment

    Policies, procedures, standards

    Training and awareness programs with acknowledged roles and responsibilities

    Monitoring

  • Mobile device framework: people audit considerations

    Determine if an overarching mobile device security policy exists.

    Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices.

    Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data.

  • Mobile device framework: people audit considerations

    Advise departments on creating supplementary mobile device security practices as needed.

    Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information.

    Are employees OK with you wiping their device?

    What happens to personal data on the device?

  • Mobile device framework: people audit considerations

    Labor laws (exempt vs. non-exempt, union)

    Employment contracts

    OSHA

    Tax laws (reimbursements for devices, services)

    Export control laws (travel)

    Record management laws

    Fair Credit Reporting Act

    Local jurisdiction laws (of the employee's residence)

  • Mobile device framework: people, employee agreement

    Eligibility

    Applicable company policies

    Data storage and backup

    Data and device management

    Legal hold notice

    Hardware support (theft, loss, damage)

    Software support

    Travel and physical security

  • Mobile device framework: people, employee training

    Define BYOD/MDM for your organization

    Onboarding device process

    Roles/responsibilities

    Expense reimbursements/stipends

    Security policies

    Data ownership policies

    Practical app use with organization data

    Tech support

    From TechRepublic.com

  • Building the framework: people

    (Figure: completed framework grid. DATA: five data types classified Confidential, Restricted, Internal Use or Public; WEB & APPS: the App/Web access point for each data type; PEOPLE: Policy, Agreement, Procedures, Practices, Risk Assessment; DEVICES: Phone, Tablet, Laptop)