A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector
A Thesis For The Postgraduate Degree Of Register IT Auditor
Author : Ryan W.K. Chin (Security Consultant Deloitte)
Supervisors : Abbas Shahim (Partner Atos)
Thesis Number : 1080
A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector 2012
P a g e | 2
MANAGEMENT SUMMARY
This thesis is established to acquire the Postgraduate degree of Register IT Auditor at the Vrije University Amsterdam (VUA). It encompasses the results of research conducted to investigate effective controls that could be used for consumerization of mobile devices in the bank sector. This thesis therefore aims at providing a risk based framework which IT auditors can use for auditing and which corporations can use to define effective security controls for mobile platforms.

The fundamentals of mobile devices and consumerization have been examined in order to establish insight into this matter prior to the formulation of a security control framework. Consumerization of mobile devices is the process or phenomenon in which consumer products are made suitable for ‘dual use’. Dual use in this context refers to privately owned consumer devices being used or made suitable for business purposes next to private use. Using privately owned mobile devices is generally referred to as Bring Your Own Device (BYOD). Recent surveys performed by Gartner and ISACA showed that global information technology leaders recognize risks related to consumerization of mobile devices. However, the pros related to this concept are too attractive to ignore nowadays. In total, 10 risk categories are identified related to the use of mobile devices: R1: Data leakage, R2: Improper decommissioning, R3: Unintentional data disclosure, R4: Phishing, R5: Spyware, R6: Network spoofing attacks, R7: Surveillance, R8: Diallerware, R9: Financial malware & R10: Network congestion. These risk categories are the result of a combination of vulnerabilities. Through mapping of Cobit controls, a risk based security control framework for mobile devices is established which contains 19 distinctive controls to mitigate risks related to vulnerabilities. Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular risk, selecting the appropriate controls from Cobit should allow assessors to define a customized framework according to risk profiles. Ultimately, this research resulted in a security control framework for consumerization of mobile devices in the bank sector which consists of 19 distinctive Cobit controls. This framework is established based on research performed on the related risks, vulnerabilities and the compliancy requirements within the Dutch bank sector.
o PO7.8 - Job change and Termination
o PO4.9 - Data and System Ownership
o DS5.9 - Malicious Software Prevention, Detection and Correction
o DS5.8 - Cryptographic Key Management
o DS5.6 - Security Incident Definition
o DS5.5 - Security Testing, Surveillance and Monitoring
o DS5.4 - User Account Management
o DS5.3 - Identity Management
o DS5.2 - IT Security Plan
o DS5.11 - Exchange of Sensitive Data
o DS5.10 - Network Security
o DS4.5 - Testing of the IT Continuity Plan
o DS4.2 - IT Continuity Plans
o DS11.6 - Security Requirements for Data Management
o DS11.4 - Disposal
o DS11.2 - Storage and Retention Arrangements
o DS1.5 - Monitoring and Reporting of Service Level Achievements
o AI3.2 - Infrastructure Resource Protection and Availability
Please refer to Appendix A: The Security Framework for Consumerization for the final framework. Implementing the suggested security controls should mitigate the risks related to consumerization of mobile devices and also provide auditors a framework for risk based auditing.
Contents
1 INTRODUCTION .............................................................................................................. 10
1.1 Context of this research ...................................................................................... 10
1.2 Introduction to consumerization of Mobile Devices & Problems ....................... 10
1.3 Research questions ............................................................................................. 11
1.4 Academic relevance ............................................................................................ 12
1.5 Scope & Focus ..................................................................................................... 12
2 RESEARCH METHODOLOGY ............................................................................................ 13
2.1 Research Design .................................................................................................. 13
2.2 Research Process ................................................................................................. 13
2.3 Document Structure ............................................................................................ 14
3 LITERATURE STUDY: MOBILE DEVICES & CONSUMERIZATION IN THE BANK SECTOR .... 15
3.1 Literature Study................................................................................................... 15
3.2 Trend of Consumerization on IT Risk Landscape ................................................. 16
3.3 Consumerization of mobile devices: Answer to SQ1 ........................................... 18
4 RISK ASSESSMENT MOBILE DEVICE CONSUMERIZATION WITHIN BANK SECTOR ........... 20
4.1 Identified Risks categories of Bank Sector........................................................... 20
4.2 CIA Triad for Information Security (Confidentiality, Integrity & Availability) ...... 21
4.3 Risk Assessment results....................................................................................... 21
4.4 Security risks and impact consumerization mobile devices: Answer to SQ2....... 26
5 SECURITY CONTROL FRAMEWORK ................................................................................. 28
5.1 Security Control Framework Theoretical Process ............................................... 28
5.2 Cobit Framework ................................................................................................. 28
5.3 The Bank sector & Compliancy Requirement For The Bank Sector ..................... 29
5.4 Security Control Framework Theoretical Model ................................................. 30
5.5 The Framework: The selection process ............................................................... 30
5.6 How implementing controls can ensure better security: Answer to SQ3 ........... 43
6 CONCLUSION & FUTURE RESEARCH ............................................................................... 44
6.1 Further research .................................................................................................. 45
7 REFERENCES.................................................................................................................... 47
8 APPENDICES .................................................................................................................... 48
Appendix A: The Security Framework for Consumerization .............................................. 48
Appendix B: Vulnerabilities by ENISA ................................................................................ 57
Appendix C: DNB Information Security Assessment Framework ....................................... 60
Appendix D: ENISA Risk Assessment .................................................................................. 69
Appendix E: Survey Form ................................................................................................... 73
Appendix F: Survey Results ................................................................................................ 74
Figures
Figure 1: Global Security And Risk Council Challenge Assessment Online Survey .................. 11
Figure 2: Research Design ...................................................................................................... 13
Figure 3: Research Process ..................................................................................................... 14
Figure 4: Which device poses the greatest risk to your organization? ................................... 16
Figure 5: Support of Mobile Devices in Enterprises ............................................................... 17
Figure 6: Addressing risk associated with Mobile Devices ..................................................... 18
Figure 7: Deployment of mobile devices in the next 12 months ............................................ 18
Figure 8: External breaches occurrences in the past 12 months ............................................ 18
Figure 9: Attacks exploiting mobile network vulnerability ..................................................... 19
Figure 10: Explanation Risk Assessment ................................................................................. 22
Figure 11: Theoretical Process ............................................................................................... 28
Figure 12: Domains of Cobit ................................................................................................... 28
Figure 13: Theoretical Model ................................................................................................. 30
Figure 14: Explanation Security Control Framework .............................................................. 31
Tables
Table 1: Usage Scenario ......................................................................................................... 22
Table 2: R1 - Data leakage ...................................................................................................... 23
Table 3: R2 - Improper decommissioning ............................................................................... 23
Table 4: R3 - Unintentional disclosure of data ....................................................................... 23
Table 5: R4 - Phishing ............................................................................................................. 24
Table 6: R5 - Spyware ............................................................................................................. 24
Table 7: R6 - Network spoofing attacks .................................................................................. 25
Table 8: R7 - Surveillance ....................................................................................................... 25
Table 9: R8 - Diallerware ........................................................................................................ 25
Table 10: R9 - Financial malware ............................................................................................ 26
Table 11: R10 - Network congestion ...................................................................................... 26
Table 12: R1: Data leakage Risk Mapping ............................................................................... 32
Table 13: R1: Data leakage Framework .................................................................................. 33
Table 14: R2: Improper decommissioning Risk Mapping ....................................................... 34
Table 15: R2: Improper decommissioning Framework ........................................................... 35
Table 16: R3: Unintentional data disclosure Risk Mapping .................................................... 36
Table 17: R3: Unintentional data disclosure Framework ....................................................... 36
Table 18: R4: Phishing Risk Mapping ....................................................................................... 37
Table 19: R4: Phishing Framework .......................................................................................... 38
Table 20: R5: Spyware Risk Mapping ...................................................................................... 39
Table 21: R5: Spyware Framework ......................................................................................... 39
Table 22: R6: Network spoofing attacks Risk Mapping .......................................................... 40
Table 23: R6: Network spoofing attacks Framework .............................................................. 40
Table 24: R7: Surveillance, R8: Diallerware & R9: Financial malware Risk Mapping .............. 41
Table 25: R7: Surveillance, R8: Diallerware & R9: Financial malware Framework ................. 42
Table 26: R10: Network congestion Risk Mapping ................................................................. 42
Table 27: R10: Network congestion Framework .................................................................... 43
Vrije Universiteit Amsterdam (VUA)
Faculteit der Economische Wetenschappen en Bedrijfskunde (FEWEB)
THESIS FOR THE POSTGRADUATE DEGREE
A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector
February 2012 – June 2012
AUTHOR
R.W.K. Chin (1649086)
Astronautenweg 153
1622DK Hoorn, The Netherlands
[email protected] / [email protected]
THESIS SUPERVISOR
Abbas Shahim
Partner Atos
De Boelelaan 1081A
1081 HV Amsterdam, The Netherlands
SECOND SUPERVISOR
Benessa Defend
Laan van Kronenburg 2, Amstelveen
1183 AS, The Netherlands
1 INTRODUCTION
This is the first chapter of the thesis for the Postgraduate degree of Register IT Auditor and discusses the context, topic, problems and research questions. The purpose of highlighting these subjects is to capture the rationale for initiating this research and to create common understanding. This chapter kicks off with a description of the context in which the research takes place. After that, the research topic is introduced in conjunction with a perceived phenomenon that eventually leads to a problem related to this topic. The problem description is given in §1.3, wherein the occurring problem is described and analysed. This perceived problem is decomposed into several research questions, each of which attends to a part of the phenomenon; these are formulated in §1.4. §1.5 elaborates the academic relevance. Chapter 1 concludes with a description of the scope that defines what is included in this research.
1.1 Context of this research
This thesis is written to acquire the Postgraduate degree of Register IT Auditor at the Vrije University Amsterdam under the supervision of Mr A. Shahim (FEWEB). This degree is required by the employer Deloitte Touche Tohmatsu, hereafter Deloitte, as a mandatory component of the personal development plan within the organization to ultimately become an IT Auditor.
The results of this research are of relevance for the organization’s service portfolio as well as for the field of mobile IT security. As the use of mobile devices within a company’s context becomes more and more common, thorough in-depth research on IT security is needed to enforce and facilitate a healthy and responsible growth of its use.
1.2 Introduction to consumerization of Mobile Devices & Problems
In recent years, developments in the field of mobile devices like smartphones and tablets have been extraordinary. ‘Normal’ mobile phones, whose main functionality was calling, are gradually losing ground to smartphones, which are basically a personal computer in a pocket-friendly size. Since the introduction of the iPad by Apple in January 2010, tablets have become more and more popular and even overshadowed traditional laptops and PCs in terms of sales in 2010 and 2011.

Using smartphones or tablets for the consumption of multimedia content and remote access to information is very common in modern society nowadays. Due to the portability and flexibility of their use, companies gradually started to look at possibilities to use these mobile devices for work related activities to increase efficiency. This trend resulted in the consumerization of mobile devices. Consumerization drives changes in the way employees access, store, process and exchange corporate data.

Despite the many benefits mobile devices have to offer, the majority of CIOs at the same time felt that a growing number of employee owned devices, which are used to access company information, are riskier than anything supplied by the IT department. This is because consumerization entails further blurring of the corporate perimeter and at the same time introduces new challenges for organisations in meeting the confidentiality, integrity and availability requirements of corporate data.
“Trend #1: Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware” (RSA cybercrime trends report 2012)
“Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data” (RSA cybercrime trends report 2012)
In a survey performed by ISACA in 2011, 45% of the 2765 global members and IT professionals responded that mobile devices represent the greatest risk to their enterprises [ISACA’s 2011 IT Risk/Reward Barometer]. This view is also reinforced by the results of the online survey of Forrester in which the topic ‘Securing Mobile devices’ was indicated as the top priority in terms of security challenges [2011 Q2 Global Security And Risk Council Challenge Assessment Online Survey].

Their concerns regarding introducing consumerization in their company are not unfounded. As reported by RSA in their annual cybercrime trends report, cybercrime continues to show no signs of slowing down. 2011 marked a year of new advanced threats and an increased level of sophistication in the attacks witnessed around the globe. Cybercriminals find new ways to monetize non-financial data. About the threats in the bank landscape, RSA reported the following in their 2012 cybercrime trends report:
“RSA has been observing the Trojan landscape throughout 2011, and Zeus 2.0 has continued
to dominate as the leading financial Trojan throughout the year. Indisputably the most
widely spread financial malware in the world, Zeus is responsible for around 80% of all
attacks against financial institutions today and is estimated to have caused over $1 billion in
global losses in the last five years.
Number 1 trend RSA observed in the beginning of 2011 was the surge of financial attacks
connected to the SpyEye Trojan. Financial cybercrime attributed to SpyEye variants
decreased over the course of the year, however, with 19% of attacks attributed to SpyEye in
Q1 ’11 to around 4% in Q3 ’11. At this time, SpyEye continues to be the most costly Trojan
code sold on the black market, selling for a few thousand dollars for a basic kit and
separate plug-ins averaging $1,000 each. SpyEye also features technical complexity which
has been known to be a problem for the average cybercriminal to use effectively.
Trojans for mobile platforms
A growing trend in the world of cybercrime codes will further carry Zeus (ZitMo) and SpyEye
(SPitMo) over to the various mobile platforms, with the purpose of having these banking
Trojans steal data such as SMS codes. “InfoStealers” for the mobile platform are also likely to
emerge with Trojans designed to keylog touch-screen input and monitor data traffic through
the mobile device.” (RSA, 2012).
1.3 Research questions
The question consumerization entails is how to manage the security risks imposed by the use of privately owned mobile phones and tablets within the bank sector (consumerization). Mobile phones and tablets are referred to as mobile devices hereafter in this thesis proposal and the thesis itself. For this purpose, the thesis will attempt to answer the following research question:
With what control framework can the security of mobile devices within the Bank Sector be improved to manage identified risks related to Consumerization?
Figure 1: Global Security And Risk Council Challenge Assessment Online Survey
Several sub questions (SQ) are defined:
1. SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?
2. SQ2: What are the security risks and impact imposed by consumerization of mobile devices within the Bank sector?
3. SQ3: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization?
1.4 Academic relevance
This research is performed based on the results of the journal published by ENISA in December 2010. ENISA performed extensive research on information security risks, opportunities and vulnerabilities related to the use of smartphones (Hogben & Dekker, 2010). This research will attempt to adapt ENISA’s risk assessment specifically for the bank sector to ultimately define a profound risk based security control framework for consumerization of mobile devices.
1.5 Scope & Focus
Mobile Devices
As the title suggests, this thesis focuses on security & compliancy related issues of consumerization of mobile devices within the bank sector. In this research, mobile device refers to smartphones and tablets with which employees can access, process and store corporate data. Other mobile devices like laptops and nettops are not included in this research. The rationale behind this scoping can be found in the section “Mobile Devices” of chapter 3. Furthermore, this research is focused on the bank sector, which is the largest group in the financial services sector. The survey for this research is therefore conducted among bank employees.
Internal Control Framework & External Auditors For Financial Statement
In addition, the scope of this research is focused on compliancy requirements which apply to the bank sector in the Netherlands in general. Specific control frameworks (e.g. internal & external control frameworks from internal & external accountants) that apply only to an individual bank are not considered, as this may result in a different outcome when this research is reperformed by third parties.
2 RESEARCH METHODOLOGY
The problem and the research questions have been presented in the previous chapter. This
chapter will proceed with the discussion of the approach which describes the process of
planning, design, preparation, data collection, analysis and sharing of this research. This
framework contains a research design which is a specification of the logical and systematic
steps for finding the answers to the established research questions.
2.1 Research Design
This section discusses the conceptual structure of this research, which is basically a blueprint of how to achieve the overall objective. Proper documentation of this process allows other researchers to adapt, replicate and imitate this research by providing sufficient information. To establish such research, a specific research design is chosen which actually contains a collection of scientific methods in order to achieve the goals. The case study approach of Robert K. Yin is chosen, which comprises the following processes:
2.2 Research Process
This section aims at describing this research design in terms of specific activities relevant for this research. It consists of a path to be followed and the goals and objectives along the course that need to be achieved. Figure 2-2 provides a conceptual schema of this research process.
Figure 2: Research Design
2.3 Document Structure
The structure of this thesis is established mainly conforming to the defined phases and is structured as follows:
• Chapter 3: This chapter contains the literature study performed as initial research on relevant subjects related to this thesis. This chapter attempts to find answers to the first sub research question, which provides input for the next chapter.
• Chapter 4: This chapter elaborates risks related to the usage of mobile devices. In addition, it contains a risk assessment in which important security attributes (Confidentiality, Integrity & Availability) are taken into account. This chapter should provide insights into real risks which deserve attention.
• Chapter 5: This chapter contains the security control framework which is derived from the study performed in chapters 3 & 4. This security control framework should provide a profound foundation which auditors can use during assessment of the use of mobile devices in a business context.
• Chapter 6: This chapter concludes the research performed on the subject of mobile devices in a business context.
Figure 3: Research Process
3 LITERATURE STUDY: MOBILE DEVICES & CONSUMERIZATION IN THE BANK SECTOR
This chapter provides a literature study in which definitions are explained in an attempt to answer the first sub question derived from the main research question: “SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?”. Additionally, this chapter also describes compliancy requirements for the bank sector within the Netherlands.
3.1 Literature Study
The main research question, which is defined in chapter one, contains several concepts/words which require explanation. This is needed in order to create a common understanding. Answering the first sub question (SQ1) should achieve this goal:
“SQ1: What is consumerization of mobile devices and why does this trend require proper considerations?”
The following section will provide explanations of these terms using literature, information retrieved from renowned websites etc. The second part of this question, regarding the reason why this trend should be considered, is addressed in the next paragraph.
3.1.1 Definitions of Consumerization, BYOD & Mobile Devices
An unambiguous definition of the term ‘Consumerization’ is not easily established, as a large number of consulted dictionaries (Merriam-Webster, Oxford dictionaries) do not provide answers. The word ‘Consumerization’ is apparently not formally defined yet, which is often the case with emerging trends in IT. In an attempt to find a general description of this term, a definition is given which should provide better context for the meaning of this word:
Con•sum•er•ize [kuhn-soo-muh-rahyz]
verb (used with object), con•sum•er•ized, con•sum•er•iz•ing.
1. to make (goods or a product) suitable or available for mass consumption: to
consumerize computers by making them cheaper.
2. to encourage or foster the widespread consumption of (goods or a product).
(Dictionary.com, 2012)
Consumerization in IT
The term consumerization is believed to have been first used in IT context by Douglas Neal,
John Taylor and Piet Opperman of the Leading Edge Forum in 2001. In their paper, the
authors provided aspects of consumerization that describe the term:
“The defining aspect of consumerization is the concept of ‘dual use’. Increasingly, hardware
devices, network infrastructure and value-added services will be used by both businesses
and consumers. This will require IT organizations to rethink their investments and
strategies.” (Moschella, Neal, Opperman, & Taylor, 2004).
Bring Your Own Device (BYOD)
Considering the description given above, Bring Your Own Device (BYOD) can be identified as
a form of implementation of consumerization. BYOD is a business policy of employees
bringing personally owned mobile devices to their work and using these devices to access
company resources such as email, file servers and databases as well as their personal
applications and data (Bradley, 2011).
Mobile Devices
A mobile device is a small, hand-held computing device that enables mobile computing.
Mobile computing is human–computer interaction by which the computer is transported
during normal usage. Mobile computing involves mobile communication, mobile hardware,
and mobile software. Communication issues include ad-hoc and infrastructure networks as
well as communication properties, protocols, data formats and concrete technologies.
Hardware includes mobile devices or device components (Zimmerman, 1999). Mobile
computing enables the ability to use a computing device when being mobile. Portability is
therefore an important aspect of mobile computing.
3.2 Trend of Consumerization on IT Risk Landscape
The reason for performing further research on the subject of consumerization of mobile devices is the observation of a continued trend since its introduction a couple of years ago. This trend is recognized by Gartner, which published a journal on predictions for IT organisations in the coming years. In its journal, Gartner noted that users (employees) are taking more control of the devices they use in a business context, which results in a loss of control. Due to the recent economic turmoil, organizations are considering consumer-grade devices for business use. This trend is believed to result in higher employee satisfaction and, more importantly, significant cuts in operational expenses. However, consumerization of mobile devices also enables attacks against critical business and customer data (Plummer, et al., 2011).

The continuing trend is also observed by ISACA. ISACA conducted a survey among more than 4,700 of its members from 84 countries. The member survey results show that IT professionals believe that their organizations are increasingly challenged to deal with BYOD. In every region except Europe, more respondents say that employees are allowed to use personal devices for work purposes, but members in five of the six regions say that the risk of using a personal mobile device for work purposes still outweighs the benefits. Use of personally owned PCs or mobile devices, typically more difficult to secure than work-issued devices and used for a wide range of often high-risk online activities, means that sensitive corporate information may be compromised through device theft or loss, or malware attacks (ISACA, ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens Online Holiday Shopping Risk, 2011).
The results of the survey that ISACA performed in 2011 showed that more than half (58%) of information technology leaders in the US believe that consumerization poses a greater risk to the enterprise than mobile devices supplied by the company. Yet a significant number of these leaders (27%) still believe that the benefits of employees using personal devices outweigh the risks. Other regions (Asia, Europe, Latin America, North America, Oceania) to which the same survey was submitted showed comparable results (ISACA, 2011 ISACA IT Risk/Reward Barometer—US Edition).
Figure 4: Which device poses the greatest risk to your organization?
“BYOD presents both opportunities and threats. It lets both employees and organizations take advantage of the latest technology innovations at limited cost to the organization. Unfortunately, it also introduces new vulnerabilities, due to the limited ability of most organizations to effectively manage and secure employee-owned devices accessing their information infrastructure,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC. “Organizations should educate their employees on their BYOD security requirements and implement a comprehensive mobile device policy that aligns with the organization’s risk profile.” (ISACA, Over Half of IT Leaders Say Employee-Owned Mobile Devices Are Riskiest, 2011).
Deloitte performed a survey among Chief Security Officers/Chief Information Security Officers (CISOs) of over 250 financial services organizations from 39 countries, including 11 of the leading 100 global banks by revenue and 24 of the leading 100 global insurance organizations by revenue. The survey reveals that only 13.9% of the companies (12.7% no support, 1.2% do not know) do not support the use of mobile devices in their organization. Most of the companies support either a corporate-provided device or an employee-purchased device. Please refer to the results of question 36 of the survey: “To what extent is your enterprise supporting mobile devices?”.
On the question of what the organization does to address the security risks associated with mobile devices, none of the suggested controls/measures is implemented by more than 50% of the respondents. This means that most of the companies do not have all the measures in place to mitigate the risks related to the use of mobile devices. Deloitte also observed this and noted the following:
“As a part of their mobility program, many organizations have already deployed, or plan to
deploy, mobile VPN, central device management, and mobile device management software.
However, more than 50% of respondents have not yet planned for deployment of anti-
phishing software, employee and customer-facing applications, and data loss prevention for
mobile devices”
Figure 5: Support of Mobile Devices in Enterprises
Figure 7 shows that most of the enterprises have deployed mobile devices or will deploy
them in the next 12 months.
3.3 Consumerization of mobile devices: Answer to SQ1
The first sub research question of this thesis is formulated as: What is consumerization of
mobile devices and why does this trend require proper considerations?
Consumerization of mobile devices is the process or phenomenon in which consumer
products are made suitable for ‘dual use’. Dual use in this context refers to privately owned
consumer devices being used, or made suitable, for business purposes alongside private use.
Using privately owned mobile devices for business purposes is generally referred to as Bring
Your Own Device (BYOD).
Research in this field is relevant as the trend is gaining more and more attention. Recent
surveys performed by Gartner and ISACA showed that global information technology leaders
recognize the risks related to consumerization of mobile devices. However, the benefits of
this concept are apparently too attractive to ignore nowadays.
The Deloitte survey provides insight into real problems that enterprises are experiencing and
also answers the question why consumerization of mobile devices requires proper
consideration. On the question whether their enterprise had been breached in the past 12
months in a way that compromised the confidentiality, integrity and/or availability of
sensitive information, all (100%) of the respondents revealed that they had been breached at
least once.
Figure 6: Addressing risk associated with Mobile Devices
Figure 7: Deployment of mobile devices in the next 12 months
Figure 8: External breaches occurrences in the past 12 months
Respondents report that attacks exploiting mobile network vulnerabilities are most frequent
in Canada and least frequent in APAC and Japan. All other regions reported similar figures
(around 11% on average), whereas the global average in 2011 was 10%. Please refer to Figure 9
below:
Figure 9: Attacks exploiting mobile network vulnerability
4 RISK ASSESSMENT MOBILE DEVICE CONSUMERIZATION WITHIN BANK SECTOR
This chapter identifies the security risks related to the use of mobile devices in a private and
business context and thereby answers the second sub research question, which is defined as
follows: What are the security risks and impact imposed by consumerization of mobile devices
within the Bank sector? Identifying risks is essential for defining a well-founded security
control framework for consumerization of mobile devices. As mentioned in chapter one of this
thesis, this research builds on the results of the report published by ENISA in December 2010.
ENISA performed extensive research on the information security risks, opportunities and
vulnerabilities related to the use of smartphones. Their report is intended to help business and
public organisations evaluate and mitigate the risks associated with adopting smartphones.
This research adapts ENISA’s risk assessment specifically for the bank sector in order to
define a risk-based security control framework for consumerization of mobile devices.
ENISA is an agency of the European Union, established to contribute to a high level of
network and information security within the EU by:
• giving expert advice on network and information security to national authorities
and EU institutions;
• acting as a forum for sharing best practices;
• facilitating contacts between EU institutions, national authorities and businesses.
Together with EU institutions and national authorities, ENISA seeks to develop a culture of
security for information networks across the EU. This report and other ENISA reports can be
found on ENISA’s website (http://enisa.europa.eu) (Hogben & Dekker, 2010).
4.1 Identified Risk categories of Bank Sector
(Hogben & Dekker, 2010) identified and analysed 10 information security risks and gave
recommendations per risk. Their research provides an overview of generic technical solutions
to mitigate the risks but does not provide specific security controls against which compliance
can be demonstrated. The ten risks are:
• R1 Data leakage: a stolen or lost phone with unprotected memory allows an
attacker to access the data on it.
• R2 Improper decommissioning: the phone is disposed of or transferred to another
user without removing sensitive data, allowing an attacker to access the data on it.
• R3 Unintentional data disclosure: most apps have privacy settings but many users
are unaware (or do not recall) that the data is being transmitted, let alone know of
the existence of the settings to prevent this.
• R4 Phishing: an attacker collects user credentials (e.g. passwords, credit card
numbers) using fake apps or (SMS, email) messages that seem genuine.
• R5 Spyware: the smartphone has spyware installed allowing an attacker to access
or infer personal data. NB spyware includes any software requesting and abusing
excessive privilege requests. It does not include targeted surveillance software
(R7).
• R6 Network spoofing attacks: an attacker deploys a rogue network access point
and users connect to it. The attacker subsequently intercepts the user
communication to carry out further attacks such as phishing.
• R7 Surveillance: spying on an individual with a targeted user’s smartphone.
• R8 Diallerware: an attacker steals money from the user by means of malware that
makes hidden use of premium sms services or numbers.
• R9 Financial malware: malware specifically designed for stealing credit card
numbers, online banking credentials or subverting online banking or ecommerce
transactions.
• R10 Network congestion: network resource overload due to smartphone usage
leading to network unavailability for the end-user.
4.2 CIA Triad for Information Security (Confidentiality, Integrity & Availability)
The Confidentiality, Integrity & Availability (CIA) triad is a venerable, well-known model for
security policy development, used to identify problem areas and necessary solutions for
information security (Perrin, 2008). CIA are security attributes that help identify the impact of
certain risks. Therefore, CIA is used in conjunction with ENISA’s risk analysis results to help
understand the impact. The explanation of CIA below is taken from ISO 27001:
Confidentiality describes the assurance that information is shared only amongst authorised
persons or organisations. Breaches of Confidentiality can occur when data is not handled in a
manner adequate to safeguard the confidentiality of the information concerned. Such
disclosure can take place by word of mouth, by printing, copying, e-mailing or creating
documents and other data etc. The classification of the information should determine its
confidentiality and hence the appropriate safeguards.
Integrity. Assurance that the information is authentic and complete. Ensuring that
information can be relied upon to be sufficiently accurate for its purpose. The term integrity
is used frequently when considering information security as it represents one of the
primary indicators of security (or lack of it). The integrity of data is not only whether the data
is 'correct', but whether it can be trusted and relied upon. For example, making copies (say
by e-mailing a file) of a sensitive document, threatens both confidentiality and the integrity
of the information. Why? Because, by making one or more copies, the data is then at risk of
change or modification.
Availability. Assurance that the systems responsible for delivering, storing and processing
information are accessible when needed, by those who need them.
4.3 Risk Assessment results
The results of ENISA’s research are discussed in this section; the original publication can be
found in Appendix D: ENISA Risk Assessment. Their risk assessment is adapted for this
research, and the CIA ratings discussed in the previous section are incorporated into this
assessment specifically for the bank sector. Please refer to Figure 10, which explains how the
tables should be interpreted.
The illustration shows the results of ENISA’s risk assessment on the identified risk categories
(A). In this section of the table, ENISA elaborates the likelihood, impact and thereby the risk
of each particular risk category. Their assessment is performed against three user scenarios:
Consumer, Employee and High Official (B). These scenarios are explained in the next section.
Although extensive, ENISA’s analysis does not provide insight into how a particular risk
category impacts data related to the use of mobile devices. Therefore, the security attributes
of data, confidentiality, integrity and availability, are included in the analysis (C). These
ratings are the result of the survey performed among 2 regular consumers, 2 employees of a
large Dutch bank and 2 high officials (managers). These surveys can be found in Appendix F:
Survey Results. (D) contains the vulnerabilities to which a certain risk category is exposed.
The explanation of each vulnerability can be found in Appendix B: Vulnerabilities by ENISA.
Usage Scenarios
ENISA made the distinction between different usage scenarios as the impact and likelihood
of the identified risks vary depending on how the smartphone is used. ENISA defined three
usage scenarios: Consumer (C), Employee (E) and High Official (H). For this research, these
usage scenarios are kept and customized for the bank sector.

Table 1: Usage Scenario

Consumer (C)
Banks nowadays provide extensive services, such as mobile Internet banking applications, to
their customers. Within the context of this research, consumers (C) are customers of the bank
who make use of the bank’s applications.
The mobile device is an integral part of a person’s daily life for this group, e.g. private
phone calls, social networking, messaging, navigation, gaming, online banking, on-the-go
entertainment, location based services, Internet browsing, micro-blogging, email,
photography, video recording, e-health, etc. (Hogben & Dekker, 2010).

Employee (E)
Within the context of this research, employees (E) are considered to have higher
authorizations within banking applications for their daily operational tasks within the bank. A
good example is the authorization to approve transactions above a certain amount of money.
This group of users might have access to sensitive corporate data and other critical
functionalities.
The mobile device is used by this group in a business or government organization. It is used
for business phone calls, Internet browsing, corporate email, expense management, customer
relationship management, travel assistance, contact management and business social
networking, video conferencing, scheduling tasks, and reading documents. In some cases
workflow applications are run on the mobile device, e.g. to fill in forms as part of an employee
task. Usage in this scenario is subject to IT (security) policies set by the employer’s IT officer.
The mobile device is used for personal use in a limited way (Hogben & Dekker, 2010).

High official (H)
Within the context of this research, high officials (H) do not necessarily access critical
functionalities, as these are required by normal employees within the bank for their daily
tasks. However, their communications may contain sensitive information regarding the bank’s
strategy, decisions, etc.
The smartphone is used by a high or top-level official in a business or government
organisation, or by his or her close aide. The smartphone is used as in usage scenario E but in
addition it is used for dealing with sensitive information and/or tasks. Usage in this scenario
is subject to security policies and the functionality of the smartphone may be restricted or
customized, for example by adding cryptographic modules for protecting call confidentiality
(Hogben & Dekker, 2010).

Figure 10: Explanation Risk Assessment
4.3.1 R1: Data leakage
Mobile devices are easily stolen or lost because of their size. When the data on the device’s
internal memory or removable media is not sufficiently protected, an attacker can access it.
Both the internal memory and removable media such as SD cards now have large capacities
and can hold a lot of sensitive data.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that data
leakage entails great risk. The survey performed among the target group shows that data
leakage has a significant impact on CIA. The impact on the security attribute ‘availability’ is
the greatest, as the data stored on the mobile device is permanently lost. For confidentiality
and integrity, the target group responded with similar ratings, ranging from medium to very
high.

Table 2: R1 - Data leakage (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Medium          | Medium    | Very High    | High       | Medium    | Medium
Employee (E)      | Very High       | High      | Very High    | Medium     | High      | High
High official (H) | Medium          | Medium    | High         | Medium     | Very High | High
Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]

4.3.2 R2: Improper decommissioning
Mobile devices are products with a relatively short life cycle; users usually replace their
device with a newer one. A mobile device that is decommissioned improperly allows an
attacker to access the data still on the device.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
improper decommissioning entails great risk. The survey performed among the target group,
however, shows an increased impact on the security attribute ‘confidentiality’ only.
Respondents noted that data on decommissioned devices is no longer needed or has already
been transferred to the new device, so its integrity and availability are not affected; the data
is, however, out in the open. Hence the high impact on ‘confidentiality’.

Table 3: R2 - Improper decommissioning (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Medium          | N/A       | N/A          | Medium     | Medium    | Medium
Employee (E)      | Very High       | Low       | Low          | High       | High      | High
High official (H) | High            | Low       | Low          | Medium     | Very High | High
Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]

4.3.3 R3: Unintentional disclosure of data
Mobile device users may unintentionally disclose data through the use of functionalities that
they do not thoroughly understand. Even if they have given explicit consent for certain
functionality, users may be unaware that an application collects and publishes personal data.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
unintentional disclosure of data entails the greatest risk of all the risk categories. The survey
performed among the target group, however, shows that not all three security attributes are
impacted to the same degree. Respondents noted that ‘availability’ of data is not a concern,
as the data is still available to them whether it is sent with or without their consent. The data
on the device remains the same and therefore its integrity is not in dispute. Confidentiality is
more of a concern, as (sensitive) data may be transmitted unknowingly at any time.

Table 4: R3 - Unintentional disclosure of data (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Medium          | Low       | Low          | Very High  | High      | High
Employee (E)      | Very High       | N/A       | N/A          | High       | Medium    | High
High official (H) | High            | Medium    | N/A          | High       | Very High | High
Vulnerabilities: [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.6 No privacy protection best practices] [6.7 Lack of user awareness]
4.3.4 R4: Phishing
Phishing involves acquiring information by masquerading as a trustworthy entity in a
communication. An attacker collects user credentials (such as passwords and credit card
numbers) by means of fake apps or (SMS, email) messages that seem genuine.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
phishing entails medium to high risk. The survey performed among the target group shows
that phishing has a great impact on the ‘confidentiality’ of data, as the receiving party (the
attacker) appears to be trustworthy and the threshold for sending (sensitive) data is therefore
considerably lower. Within the target group, consumers (C) noted, in contrast to the other
groups, that the security attribute ‘integrity’ is impacted as well. This group uses their mobile
devices for private purposes and is therefore more inclined to install applications. Installing
applications increases the chance of malicious functionality on the device, which may affect
their data. The remaining two groups (employees and high officials) reported a lower impact
on this attribute, as they find that phishing attacks generally involve illicit data retrieval
rather than data modification.

Table 5: R4 - Phishing (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Very High       | Very High | Low          | Medium     | High      | Medium
Employee (E)      | Very High       | Low       | Low          | Medium     | High      | Medium
High official (H) | Very High       | N/A       | N/A          | Medium     | Very High | High
Vulnerabilities: [6.5 Weak app distributor authentication mechanisms] [6.7 Lack of user awareness]

4.3.5 R5: Spyware
The mobile device has spyware installed which allows an attacker to access or infer personal
data. Spyware covers untargeted collection of personal information, as opposed to targeted
surveillance (R7).
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
spyware entails medium to high risk. The survey performed among the target group shows
that spyware has a significant impact on two of the three security attributes of data.
Confidentiality and integrity are considered a concern during such an attack, since the data is
out in the open and the attacker may modify it. Availability is not a concern, as the goal of
such attacks is seldom to deny users access to their data.

Table 6: R5 - Spyware (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Very High       | Very High | N/A          | High       | Medium    | High
Employee (E)      | Very High       | Very High | N/A          | Medium     | High      | Medium
High official (H) | High            | Medium    | N/A          | Medium     | Medium    | Medium
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Ability to unlock phones] [Reputation vulnerabilities] [6.2 Covert channels/weak sandboxing]
4.3.6 R6: Network spoofing attacks
An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The
attacker subsequently intercepts (or tampers with) the user communication to carry out
further attacks such as phishing.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
network spoofing attacks entail medium to high risk. The survey performed among the target
group shows that network spoofing attacks have a significant impact on two of the three
security attributes of data. Confidentiality and integrity are considered a concern during such
an attack, since the data is out in the open and the attacker may modify it. Availability is not a
concern, as the goal of such attacks is seldom to deny users access to their data.
Respondents noted that network spoofing attacks impact the CIA significantly because they
provide attackers with a platform for further attacks such as installing spyware and phishing.

Table 7: R6 - Network spoofing attacks (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Very High       | Very High | Low          | Medium     | Medium    | Medium
Employee (E)      | Very High       | Very High | Low          | Medium     | High      | Medium
High official (H) | High            | Very High | Low          | Medium     | High      | High
Vulnerabilities: [6.7 Lack of user awareness]

4.3.7 R7: Surveillance
An attacker keeps a specific user under surveillance through the target user’s mobile device.
Mobile devices contain multiple sensors such as a microphone, camera, accelerometer and
GPS. This, combined with the possibility of installing third-party software and the fact that a
mobile device is closely associated with an individual, makes it a useful spying tool.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
surveillance entails medium to high risk. The survey performed among the target group shows
that surveillance has a significant impact on two of the three security attributes of data.
Confidentiality and integrity are considered a concern during such an attack. High officials
reported an increased impact on confidentiality and integrity, as their communication is
usually more sensitive. One official noted that the impact is very high when an attacker
enables the microphone and camera of his mobile device, which allows the attacker to
eavesdrop on meetings with management. Employees share this view, as surveillance may
provide insight into the procedures of their daily operations and reveal user credentials for
sensitive bank applications.

Table 8: R7 - Surveillance (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Very High       | Low       | Low          | Low        | High      | Medium
Employee (E)      | Very High       | High      | N/A          | Low        | High      | Medium
High official (H) | Very High       | Very High | N/A          | Medium     | Very High | High
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation]

4.3.8 R8: Diallerware
An attacker steals money from the user by means of malware that makes hidden use of
premium SMS services or numbers.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
diallerware entails high risk for consumers, medium risk for employees and low risk for high
officials. According to their risk assessment, high officials are not likely to be affected by this
risk as they have a larger budget and are less likely to download rogue apps. The survey
performed among the target group shows that diallerware has a significant impact on
confidentiality; integrity and availability are unlikely to be impacted.

Table 9: R8 - Diallerware (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Medium          | Low       | Low          | High       | High      | High
Employee (E)      | Very High       | Low       | N/A          | Medium     | Medium    | Medium
High official (H) | Medium          | Low       | N/A          | Low        | Low       | Low
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]
4.3.9 R9: Financial malware
The mobile device is infected with malware specifically designed for stealing credit card
numbers or online banking credentials, or for subverting online banking or e-commerce
transactions.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
financial malware entails high risk for consumers, medium risk for employees and low risk
for high officials. The survey performed among the target group shows that financial malware
has a significant impact on two of the three security attributes of data. Confidentiality and
integrity are considered a concern during such an attack, since the data is out in the open and
the attacker may modify it. Availability is not a concern, as the goal of such attacks is seldom
to deny users access to their data.

Table 10: R9 - Financial malware (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Medium          | Medium    | Low          | Medium     | High      | High
Employee (E)      | Very High       | Very High | N/A          | Low        | High      | Medium
High official (H) | Medium          | High      | N/A          | Low        | Low       | Low
Vulnerabilities: (none listed)

4.3.10 R10: Network congestion
Network resource overload due to smartphone usage leads to network unavailability for the
end user.
Please refer to Appendix F: Survey Results. The analysis performed by ENISA shows that
network congestion entails low risk. The survey performed among the target group shows
that network congestion has a significant impact on the availability of data only.
Confidentiality and integrity are not a concern, as data on the mobile device is neither
disclosed nor modified by congestion; it simply cannot be transmitted.

Table 11: R10 - Network congestion (columns 2-4: CIA rating from survey; columns 5-7: ENISA’s risk analysis)
Scenario          | Confidentiality | Integrity | Availability | Likelihood | Impact    | Risk
Consumer (C)      | Low             | Low       | Very High    | Low        | Low       | Low
Employee (E)      | N/A             | N/A       | Very High    | Low        | Low       | Low
High official (H) | N/A             | N/A       | Very High    | Low        | Low       | Low
Vulnerabilities: [Inadequate resource provisioning]

4.4 Security risks and impact consumerization mobile devices: Answer to SQ2
Chapter 4 answered the second sub research question, which is defined as follows: What are
the security risks and impact imposed by consumerization of mobile devices within the Bank
sector? The answer builds on the results of the research conducted by ENISA on risks related
to the use of mobile devices. In general, there are 10 risks applicable to the use of mobile
devices; these are explained in section 4.1 of this chapter. ENISA’s risk analysis is enriched
with CIA ratings per risk category, retrieved from a survey performed among 2 consumers, 2
employees and 2 high officials of a large Dutch bank. ENISA’s results show that the use of
mobile devices is most exposed to R1: Data leakage, R2: Improper decommissioning and R3:
Unintentional disclosure of data; their likelihood and impact are the highest among the 10 risk
categories. The results of the survey performed among the target group show that R4:
Phishing, R5: Spyware and R6: Network spoofing attacks have the greatest impact on the
security attributes of data (CIA) during an attack.
Among the target group, bank employees report higher impacts on CIA in case their mobile
devices come under attack. During the interviews, bank employees noted that when they use
their mobile device for business purposes, bank applications have to be installed for daily
operations. These bank applications give bank employees access to sensitive corporate
databases. Hence the increased chance of employees’ devices holding a large amount of
sensitive data or containing user credentials for accessing those databases.
High officials and consumers report a somewhat lower impact of the identified risks than
bank employees. High officials do not install bank applications to perform operational tasks
like employees do, so the chance of high officials having sensitive, valuable data on their
mobile phone is low. One high official reported that he does bring his own device for business
purposes, but only the email function is used intensively, and in his view the email clients on
mobile devices are fairly secure.
Figure 11: Theoretical Process
5 SECURITY CONTROL FRAMEWORK
This chapter consolidates all requirements and information acquired in the previous chapters
into a security control framework for mobile devices. In addition, this chapter answers the
third sub question, which is defined as follows: How can the security of mobile devices be
ensured using controls to manage identified risks as a result of consumerization?
Firstly, the process of selecting relevant controls based on legal requirements, identified
risks and bank sector requirements is explained. After that, the theoretical model of this
security control framework is discussed. This chapter concludes with the final sets of controls,
bundled by identified risk category.
5.1 Security Control Framework Theoretical Process
The process for selecting the appropriate security controls for the use of mobile devices
within a business context is depicted in the figure below. Prior to this chapter, which
discusses the final version of the framework, research has been performed on compliance
requirements specific to the bank sector. Banks in the Netherlands are subject to the DNB
information security assessment. The most recent version of this assessment is based on
Cobit 4.1, which is explained later in this chapter. Furthermore, the real risks related to
smartphones/mobile devices discussed in the previous chapter, with their CIA (Confidentiality,
Integrity & Availability) ratings, are incorporated into the framework. This allows the
business to focus on the controls that matter most given its governance framework.
Figure 11 (Theoretical Process) consists of the following steps, each with its input:
1. Select Best Practice Framework (input: COBIT Framework)
2. Select Bank Sector Requirements (input: Bank Sector Requirements)
3. Select Security Controls Based on Risks (input: ENISA Risk Assessment)
4. Assign CIA Rating to each Risk (input: CIA Ratings)
5. Define Security Controls Framework
The result of this process is a set of Cobit controls for each risk category that covers the bank sector requirements (DNB) and supports reporting based on security attributes (CIA).
5.2 Cobit Framework
Cobit (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Cobit enables clear policy development and good practice for IT control throughout organizations. Cobit supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
Cobit has become the integrator for IT best practices and the umbrella framework for IT governance because it is harmonized with other standards and continuously kept up to date. The process structure of Cobit, in conjunction with its high-level, business-oriented approach, provides an end-to-end view of IT that aids organizations in getting the most value possible from their IT investments (ISACA, 2007). The Cobit framework is comprised of 210 distinct controls, most of which are not applicable to the identified risks related to mobile devices. Therefore, a theoretical model is defined to distil an appropriate security framework for consumerization of mobile devices in the bank sector. This model can be found in section 5.4.
Figure 12: Domains of Cobit (figure not reproduced)
5.3 The Bank Sector & Compliance Requirements For The Bank Sector
This section discusses the compliance requirements of the bank sector in the Netherlands. As discussed in the scope in chapter 1 of this thesis, internal control frameworks and external audits of the financial statements of banks are not considered in this research, as these requirements may differ significantly per organization. For this research, regulatory compliance requirements are elicited, as these apply to the bank sector in the Netherlands in general. Financial institutions in the Netherlands are obliged to comply with the DNB requirements for information security.
5.3.1 DNB Information Security Assessment (Regulatory requirements)
De Nederlandsche Bank (DNB) is the central bank of the Netherlands and is part of the European System of Central Banks (ESCB). As a central bank, DNB is responsible for safeguarding financial stability. More particularly, DNB contributes to defining and implementing the single monetary policy of the countries that have introduced the euro, and supervises financial institutions and the financial sector.
DNB has developed an assessment framework to evaluate the information security of banks in the Netherlands. In respect of all measures, institutions must comply with a maturity level of at least 3 (“defined process”). The procedures and measures must be embedded in the IT processes and operations of all relevant units of the financial institution so that they constitute an integral element of the organisation as a whole.
The legal basis that determines which organizations are subject to this assessment is quoted below from DNB:
“Financial institutions subject to section 3:17 of the Financial Supervision Act (Wet op het
financieel toezicht) must, in pursuance of the first subsection of said section, organise their
operations in such a way as to safeguard controlled and sound operations.
The second subsection, opening sentence and under (a), stipulates that rules may be laid
down by or pursuant to general administrative order with regard to the attainment of
controlled business processes and business risks.
To implement these provisions, section 20(2) of the Decree on Prudential Rules for Financial
Undertakings (Besluit prudentiële regels Wft) stipulates that a financial institution – defined
as a payment institution, a clearing institution, a special purpose reinsurance vehicle, a credit
institution, a premium pension institution, an insurer or a branch as referred to in section 17
of the Decree – must have in place procedures and measures to safeguard the integrity,
continuous availability and security of electronic data. These institutions must also have in
place procedures and measures to ensure the integrity, continuous availability and security of
electronic data processing.” (dnb.nl, 2012).
5.4 Security Control Framework Theoretical Model
The theoretical model resulting from the selection process described in section 5.1 is shown below. As mentioned, Cobit 4.1 is comprised of 210 controls, and not all of them are applicable to the risks that mobile devices are exposed to. All 210 distinct Cobit controls have been considered during the research. The result of this selection process is a security control framework for mobile devices that contains 29 controls spread over 10 identified risks. The set of controls can be found in the next section.
Figure 13: Theoretical Model (figure not reproduced). The figure shows the four Cobit domains (Plan & Organise, Acquire & Implement, Deliver & Support, Monitor and Evaluate), each broken down into Cobit processes (P) and Cobit controls (C), with the controls passed through the Selection Criteria (DNB Information Security & Identified Risks).
5.5 The Framework: The selection process
The security control framework for consumerization of mobile devices and the process to establish it are discussed in this section. All identified risk categories are analyzed in the previous chapter, in which the CIA ratings and the compliance requirements of the Dutch bank sector are also discussed. Please refer to the illustration below for an explanation of this framework. The framework is comprised of Cobit controls mapped to specific vulnerabilities that contribute to a risk category (A & B). This mapping was performed by Enisa and its results are reused for this research; please refer to Appendix D: ENISA Risk Assessment. These vulnerabilities are mapped to Cobit controls based on Cobit’s risk driver per control (C). The Cobit controls are in turn mapped to DNB’s requirements for information security for the purpose of demonstrating compliance (D). Finally, the results of the survey performed among the target group are included in order to determine the impact on CIA of each risk category (0=N/A, 1=Low, 2=Medium, 3=High & 4=Very High).
Figure 14: Explanation Security Control Framework (figure not reproduced)
5.5.1 R1: Data leakage
According to Enisa, the risk of data leakage exists due to the vulnerabilities encryption weaknesses and lack of user awareness. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 12: R1: Data leakage Risk Mapping
Vulnerability 6.4 (Encryption weaknesses) maps to the following Cobit risks:
- Improperly secured business data
- Improper protection of information assets
- Requirements for protecting business data not in line with the business requirements
- Inadequate security measures for data and systems
- Business process owners not taking responsibility for data
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users
- Keys misused by unauthorised parties
- Registration of non-verified users, thus compromising system security
- Unauthorised access to cryptographic keys
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
Four Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating is 3-3-4 (High-High-Very High).
• PO4.9 - Data and System Ownership
• DS11.6 - Security Requirements for Data Management
• DS5.8 - Cryptographic Key Management
• DS5.2 - IT Security Plan
Table 13: R1: Data leakage Framework
Risk: R1: Data leakage; CIA: 3-3-4
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.4 Encryption weaknesses | PO4.9 - Data and System Ownership | DNB 6.1
  Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
6.4 Encryption weaknesses | DS11.6 - Security Requirements for Data Management | DNB 12.3
  Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
6.4 Encryption weaknesses | DS5.8 - Cryptographic Key Management | DNB 18.3
  Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
6.7 Lack of user awareness | DS5.2 - IT Security Plan | DNB 1.1
  Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
5.5.2 R2: Improper decommissioning
According to Enisa, the risk of improper decommissioning exists due to the vulnerabilities no privacy protection best practices, lack of user awareness, user permissions fatigue and covert channels/weak sandboxing. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 14: R2: Improper decommissioning Risk Mapping
Vulnerability 6.6 (No privacy protection best practices) maps to the following Cobit risks:
- Data not protected from unauthorised viewing or altering
- Documents not retrieved when needed
- Non-compliance with regulatory and legal obligations
- Unauthorised data access
- Disclosure of corporate information
- Compromised integrity of sensitive data
- Unauthorised access to data tapes
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
Vulnerability 6.3 (User permissions fatigue) maps to the following Cobit risks:
- Security breaches
- Users failing to comply with security policy
- Incidents not solved in a timely manner
- Failure to terminate unused accounts in a timely manner, thus impacting corporate security
Vulnerability 6.2 (Covert channels/weak sandboxing) maps to the following Cobit risks:
- Misuse of users’ accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs
Six Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating is 3-1-1 (High-Low-Low).
• DS11.2 - Storage and Retention Arrangements
• DS11.4 - Disposal
• DS11.6 - Security Requirements for Data Management
• DS5.2 - IT Security Plan
• DS5.4 - User Account Management
• DS5.5 - Security Testing, Surveillance and Monitoring
Table 15: R2: Improper decommissioning Framework
Risk: R2: Improper decommissioning; CIA: 3-1-1
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.6 No privacy protection best practices | DS11.2 - Storage and Retention Arrangements | DNB 12.1
  Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.
6.6 No privacy protection best practices | DS11.4 - Disposal | DNB 12.2
  Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
6.6 No privacy protection best practices | DS11.6 - Security Requirements for Data Management | DNB 12.3
  Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
6.7 Lack of user awareness | DS5.2 - IT Security Plan | DNB 1.1
  Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
6.3 User permissions fatigue | DS5.4 - User Account Management | DNB 17.2
  Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
6.2 Covert channels/weak sandboxing | DS5.5 - Security Testing, Surveillance and Monitoring | DNB 16.1
  Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
5.5.3 R3: Unintentional data disclosure
According to Enisa, the risk of unintentional data disclosure exists due to the vulnerabilities encryption weaknesses and lack of user awareness. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 16: R3: Unintentional data disclosure Risk Mapping
Vulnerability 6.4 (Encryption weaknesses) maps to the following Cobit risks:
- Sensitive information exposed
- Inadequate physical security measures
- Unauthorised external connections to remote sites
- Disclosure of corporate assets and sensitive information accessible for unauthorised parties
- Disclosure of corporate information
- Compromised integrity of sensitive data
- Unauthorised access to data tapes
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- Sensitive data misused or destroyed
- Unauthorised data access
- Incompleteness and inaccuracy of transmitted data
- Data altered by unauthorised users
Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating is 3-2-1 (High-Medium-Low).
• DS5.11 - Exchange of Sensitive Data
• DS11.4 - Disposal
• DS11.6 - Security Requirements for Data Management
Table 17: R3: Unintentional data disclosure Framework
Risk: R3: Unintentional data disclosure; CIA: 3-2-1
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.4 Encryption weaknesses | DS5.11 - Exchange of Sensitive Data | DNB 18.5
  Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
6.4 Encryption weaknesses | DS11.4 - Disposal | DNB 12.2
  Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed or transferred.
6.7 Lack of user awareness | DS11.6 - Security Requirements for Data Management | DNB 12.3
  Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.
5.5.4 R4: Phishing
According to Enisa, the risk of phishing exists due to the vulnerabilities weak app distributor authentication mechanisms and lack of user awareness. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 18: R4: Phishing Risk Mapping
Vulnerability 6.5 (Weak app distributor authentication mechanisms) maps to the following Cobit risks:
- Unauthorised access when employees are terminated
- Lack of smooth continuation of business-critical operations
- Disruptions in production processing
- Undetected bypassing of access controls
- Unauthorised access to sensitive software
- Business needs not supported by technology
- Unauthorised changes to hardware and software
- Access management failing business requirements and compromising the security of business-critical systems
- Unspecified security requirements for all systems
- Segregation-of-duty violations
- Compromised system information
- Keys misused by unauthorised parties
- Registration of non-verified users, thus compromising system security
- Unauthorised access to cryptographic keys
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
Five Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating is 4-3-1 (Very High-High-Low).
• PO7.8 - Job Change and Termination
• AI3.2 - Infrastructure Resource Protection and Availability
• DS5.3 - Identity Management
• DS5.8 - Cryptographic Key Management
• DS5.2 - IT Security Plan
Table 19: R4: Phishing Framework
Risk: R4: Phishing; CIA: 4-3-1
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.5 Weak app distributor authentication mechanisms | PO7.8 - Job Change and Termination | DNB 8.5
  Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
6.5 Weak app distributor authentication mechanisms | AI3.2 - Infrastructure Resource Protection and Availability | DNB 18.1
  Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
6.5 Weak app distributor authentication mechanisms | DS5.3 - Identity Management | DNB 17.1
  Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
6.5 Weak app distributor authentication mechanisms | DS5.8 - Cryptographic Key Management | DNB 18.3
  Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
6.7 Lack of user awareness | DS5.2 - IT Security Plan | DNB 1.1
  Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
5.5.5 R5: Spyware
According to Enisa, the risk of spyware exists due to the vulnerabilities covert channels/weak sandboxing and vulnerabilities leading to malware installation. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 20: R5: Spyware Risk Mapping
Vulnerability 6.2 (Covert channels/weak sandboxing) maps to the following Cobit risks:
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Misuse of users’ accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs
Vulnerability 6.1 (Vulnerabilities leading to malware installation) maps to the following Cobit risks:
- Exposure of information
- Violations of legal and regulatory requirements
- Systems and data that are prone to virus attacks
- Ineffective countermeasures
Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA rating is 4-3-3 (Very High-High-High).
• DS5.6 - Security Incident Definition
• DS5.9 - Malicious Software Prevention, Detection and Correction
• DS5.5 - Security Testing, Surveillance and Monitoring
Table 21: R5: Spyware Framework
Risk: R5: Spyware; CIA: 4-3-3
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.2 Covert channels/weak sandboxing | DS5.6 - Security Incident Definition | DNB 15.1
  Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
6.1 Vulnerabilities leading to malware installation | DS5.9 - Malicious Software Prevention, Detection and Correction | DNB 19.1
  Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
6.2 Covert channels/weak sandboxing | DS5.5 - Security Testing, Surveillance and Monitoring | DNB 16.1
  Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
5.5.6 R6: Network spoofing attacks
According to Enisa, the risk of network spoofing attacks exists due to the vulnerability lack of user awareness. This vulnerability is mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 22: R6: Network spoofing attacks Risk Mapping
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Failure of firewall rules to reflect the organisation’s security policy
- Undetected unauthorised modifications to firewall rules
- Compromised overall security architecture
- Security breaches not detected in a timely manner
Three Cobit controls are selected based on the risks related to the vulnerability. The CIA rating is 4-4-1 (Very High-Very High-Low).
• DS5.2 - IT Security Plan
• DS5.6 - Security Incident Definition
• DS5.10 - Network Security
Table 23: R6: Network spoofing attacks Framework
Risk: R6: Network spoofing attacks; CIA: 4-4-1
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.7 Lack of user awareness | DS5.2 - IT Security Plan | DNB 1.1
  Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
6.7 Lack of user awareness | DS5.6 - Security Incident Definition | DNB 15.1
  Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
6.7 Lack of user awareness | DS5.10 - Network Security | DNB 18.4
  Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.
5.5.7 R7: Surveillance, R8: Diallerware & R9: Financial malware
According to Enisa, the risks of surveillance, diallerware and financial malware exist due to the vulnerabilities covert channels/weak sandboxing, lack of user awareness and user permissions fatigue. These vulnerabilities are mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 24: R7: Surveillance, R8: Diallerware & R9: Financial malware Risk Mapping
Vulnerability 6.2 (Covert channels/weak sandboxing) maps to the following Cobit risks:
- Undetected security breaches
- Lack of information for performing counterattacks
- Missing classification of security breaches
- Exposure of information
- Violations of legal and regulatory requirements
- Systems and data that are prone to virus attacks
- Ineffective countermeasures
- Misuse of users’ accounts, compromising organisational security
- Undetected security breaches
- Unreliable security logs
Vulnerability 6.7 (Lack of user awareness) maps to the following Cobit risks:
- IT security plan not aligned with business requirements
- IT security plan not cost effective
- Business exposed to threats not covered in the strategy
- Gaps between planned and implemented IT security measures
- Users not aware of the IT security plan
- Security measures compromised by stakeholders and users
Vulnerability 6.3 (User permissions fatigue) maps to the following Cobit risks:
- Security breaches
- Users failing to comply with security policy
- Incidents not solved in a timely manner
- Failure to terminate unused accounts in a timely manner, thus impacting corporate security
Three Cobit controls are selected based on the risks related to the vulnerabilities. The CIA ratings are 4-3-1 (Very High-High-Low) for R7, 1-1-1 (Low-Low-Low) for R8 and 3-3-1 (High-High-Low) for R9.
• DS5.5 - Security Testing, Surveillance and Monitoring
• DS5.2 - IT Security Plan
• DS5.4 - User Account Management
Table 25: R7: Surveillance, R8: Diallerware & R9: Financial malware Framework
Risks: R7: Surveillance (CIA 4-3-1), R8: Diallerware (CIA 1-1-1), R9: Financial malware (CIA 3-3-1)
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
6.2 Covert channels/weak sandboxing | DS5.5 - Security Testing, Surveillance and Monitoring | DNB 16.1
  Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
6.7 Lack of user awareness | DS5.2 - IT Security Plan | DNB 1.1
  Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
6.3 User permissions fatigue | DS5.4 - User Account Management | DNB 17.2
  Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
5.5.8 R10: Network congestion
According to Enisa, the risk of network congestion exists due to the vulnerability inadequate resource provisioning. This vulnerability is mapped to Cobit-defined risks and in turn mapped to the relevant Cobit controls.
Table 26: R10: Network congestion Risk Mapping
Vulnerability Inadequate resource provisioning maps to the following Cobit risks:
- Failure to recover IT systems and services in a timely manner
- Failure of alternative decision-making processes
- Lack of required recovery resources
- Failed communication to internal and external stakeholders
- Shortcomings in recovery plans
- Outdated recovery plans that do not reflect the current architecture
- Inappropriate recovery steps and processes
- Inability to effectively recover should real disaster occur
- Lack of defined measures important to the organisation
- Unidentified underlying service problems and issues
- Dissatisfied users due to lack of information, irrespective of quality of service
Three Cobit controls are selected based on the risks related to the vulnerability. The CIA rating is 1-1-4 (Low-Low-Very High).
• DS4.2 - IT Continuity Plans
• DS4.5 - Testing of the IT Continuity Plan
• DS1.5 - Monitoring and Reporting of Service Level Achievements
Table 27: R10: Network congestion Framework
Risk: R10: Network congestion; CIA: 1-1-4
Columns: Vulnerability | COBIT Control | DNB reference, followed by the COBIT control objective
Inadequate resource provisioning | DS4.2 - IT Continuity Plans | DNB 11.1
  Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
Inadequate resource provisioning | DS4.5 - Testing of the IT Continuity Plan | DNB 11.2
  Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
Inadequate resource provisioning | DS1.5 - Monitoring and Reporting of Service Level Achievements | DNB 14.1
  Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.
5.6 How implementing controls can ensure better security: Answer to SQ3

In chapter 5, it is demonstrated that the relevant risks of using mobile devices in a business context can be mapped to Cobit controls which mitigate (parts of) the identified risks. This chapter concludes with an answer to the third sub research question, which is defined as: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization? As discussed in section 5.2, Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular IT risk, selecting the appropriate controls from Cobit allows an enterprise to define a customized framework according to its risk profile and thereby improve security. Note that a Cobit control objective states what must be achieved, not how: the framework is only as effective as the technical and procedural measures through which each objective is implemented and tested.
6 CONCLUSION & FUTURE RESEARCH

Research has been performed in order to define a security control framework for mobile devices within the bank sector. The need for such a control framework stems from the trend of consumerization and the significant risks this phenomenon entails. A main research question has been defined, which is comprised of three sub research questions:

With what control framework can the security of mobile devices within the Bank Sector be improved to manage identified risks related to Consumerization?

Sub research questions:
1. SQ1: What is consumerization of mobile devices and why does this trend require proper consideration?
2. SQ2: What are the security risks and impact imposed by consumerization of mobile devices within the bank sector?
3. SQ3: How can the security of mobile devices be ensured using controls to manage identified risks as a result of consumerization?
SQ1: Consumerization of mobile devices is the process or phenomenon in which consumer products are made suitable for 'dual use'. Dual use in this context refers to privately owned consumer devices being used or made suitable for business purposes next to private use. Using privately owned mobile devices is generally referred to as Bring Your Own Device (BYOD). This trend entails great risks that impact the security attributes (CIA) of sensitive corporate data. Surveys performed in this field, which are discussed in sections 3.1 and 3.2, indicated that most CIOs of global corporations would like to introduce mobile devices in their company. They are aware of the great risks related to the use of mobile devices; however, effective measures/controls are not sufficiently implemented. Please refer to section 3.3 Consumerization of mobile devices: Answer to SQ1.

SQ2: In general, there are 10 risk categories applicable to the use of mobile devices. These risks are explained in section 4.1. ENISA's risk analysis is enriched with CIA ratings per risk category, retrieved from a survey among two consumers, two employees and two senior officials of a large Dutch bank. ENISA's results show that the use of mobile devices is most vulnerable to R1: Data leakage, R2: Improper decommissioning and R3: Unintentional data disclosure; their likelihood and impact are the highest among the 10 risk categories. The survey among the target group shows that R4: Phishing, R5: Spyware and R6: Network spoofing attacks have the greatest impact on the security attributes of data (CIA) during attacks. Please refer to section 4.4 Security risks and impact consumerization mobile devices: Answer to SQ2.

SQ3: Cobit provides a set of standards and processes that can be used to ensure that IT is working as effectively as possible and to minimize IT-related risks. As each control is defined to mitigate a particular risk, selecting the appropriate controls from Cobit allows assessors to define a customized framework according to the risk profile. Ultimately, this research resulted in a security control framework for consumerization of mobile devices in the bank sector which consists of 19 distinct Cobit controls. This framework is established based on research performed on the related risks, vulnerabilities and the compliance requirements within the Dutch bank sector. Please refer to section 5.2 Cobit Framework: Answer to SQ3.
Main Research Question

The answer to the main research question is derived from the selection process described in chapter 5. In that chapter, relevant Cobit controls are mapped to the vulnerabilities of all 10 risk categories. Please refer to Appendix A: The Security Framework for Consumerization for the final framework. Implementing the suggested security controls should mitigate the risks related to consumerization of mobile devices and also provide auditors with a framework for risk-based auditing. This framework is comprised of the following components.

10 risks are identified which are related to the use of mobile devices:
o R1: Data leakage
o R2: Improper decommissioning
o R3: Unintentional data disclosure
o R4: Phishing
o R5: Spyware
o R6: Network spoofing attacks
o R7: Surveillance
o R8: Diallerware
o R9: Financial malware
o R10: Network congestion

7 vulnerabilities that contribute to the identified risks:
o Vulnerabilities leading to malware installation
o Covert channels/weak sandboxing
o User permissions fatigue
o Encryption weaknesses
o Weak app distributor authentication mechanisms
o No privacy protection best practices
o Lack of user awareness

19 selected Cobit controls to mitigate risks related to the vulnerabilities:
o PO7.8 - Job change and Termination
o PO4.9 - Data and System Ownership
o DS5.9 - Malicious Software Prevention, Detection and Correction
o DS5.8 - Cryptographic Key Management
o DS5.6 - Security Incident Definition
o DS5.5 - Security Testing, Surveillance and Monitoring
o DS5.4 - User Account Management
o DS5.3 - Identity Management
o DS5.2 - IT Security Plan
o DS5.11 - Exchange of Sensitive Data
o DS5.10 - Network Security
o DS4.5 - Testing of the IT Continuity Plan
o DS4.2 - IT Continuity Plans
o DS11.6 - Security Requirements for Data Management
o DS11.4 - Disposal
o DS11.2 - Storage and Retention Arrangements
o DS1.5 - Monitoring and Reporting of Service Level Achievements
o AI3.2 - Infrastructure Resource Protection and Availability
6.1 Further research

Further research is required in order to verify the defined security control framework. In this research, an attempt was made to define a set of controls that could mitigate the risks related to consumerization of mobile devices. It is possible to map Cobit controls to the vulnerabilities in theory. However, extensive verification of the framework through case studies should take place to evaluate its applicability in practice.
7 REFERENCES

Business Dictionary. (2012, September 2). Retrieved September 2, 2012, from http://www.businessdictionary.com

dnb.nl. (2012, April 09). Retrieved from De Nederlandsche Bank Eurosystem: http://www.dnb.nl/en/about-dnb/index.jsp

Bradley, T. (2011, December 21). PCWorld. Retrieved September 1, 2012, from PCWorld.com: http://www.pcworld.com/businesscenter/article/246760/pros_and_cons_of_bringing_your_own_device_to_work.html

Dictionary.com. (2012, September 2). Dictionary Reference. Retrieved September 2, 2012, from Dictionary.com: http://dictionary.reference.com/browse/consumerize

Doyle, J. T., Ge, W., & McVay, S. (2007, January 1). Accruals Quality and Internal Control Over Financial Reporting. The Accounting Review, Vol. 82, pp. 1141-1170, October 2007.

Hogben, G., & Dekker, M. (2010). Smartphones: Information security risks, opportunities and recommendations for users. Crete, Greece: ENISA.

ISACA. (2007). Cobit 4.1. Rolling Meadows, USA: ISACA.

ISACA. (n.d.). 2011 ISACA IT Risk/Reward Barometer - US Edition. Retrieved September 11, 2012, from www.isaca.org: http://www.isaca.org/SiteCollectionDocuments/2011-Risk-Reward-Barometer-US.pdf

ISACA. (2011, November 1). ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens Online Holiday Shopping Risk. Retrieved September 11, 2012, from www.ISACA.org: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/ISACA-Survey-Bring-Your-Own-Device-Trend-Heightens-Online-Holiday-Shopping-Risk.aspx

ISACA. (2011, June 1). Over Half of IT Leaders Say Employee-Owned Mobile Devices Are Riskiest. Retrieved September 11, 2012, from www.isaca.org: http://www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/Over-Half-of-IT-Leaders-Say-Employee-owned-Mobile-Devices-Are-Riskiest.aspx

IT Governance Institute. (2007). Cobit 4.1 Framework. Rolling Meadows: The IT Governance Institute.

Moschella, D., Neal, D., Opperman, P., & Taylor, J. (2004). The 'Consumerization' of Information Technology. CSC's Research & Advisory Services.

Perrin, C. (2008, June 20). The CIA Triad. Retrieved September 14, 2012, from TechRepublic: http://www.techrepublic.com/blog/security/the-cia-triad/488

Plummer, D., Prentice, S., Da Rold, C., Feiman, J., Pescatore, J., Clark, W., et al. (2011). Top Predictions for IT Organizations. Gartner, 29.

RSA. (2012). 2012 Cybercrime Trends Report. Hopkinton: RSA.

Zimmerman, J. B. (1999). Mobile Computing: Characteristics, Business Benefits, and the Mobile Framework. University of Maryland European Division - Bowie State: Maryland.
8 APPENDICES

Appendix A: The Security Framework for Consumerization

Columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | DNB | CIA

Risk: R1: Data leakage (CIA 3-3-4)

Vulnerability: 6.4 Encryption weaknesses
COBIT control: PO4.9 - Data and System Ownership
Control objective: Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
COBIT risk drivers:
• Improperly secured business data
• Improper protection of information assets
• Requirements for protecting business data not in line with the business requirements
• Inadequate security measures for data and systems
• Business process owners not taking responsibility for data
DNB requirement: 6.1 Data and system ownership: The business is provided with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners make decisions about classifying information and systems and protect them in line with this classification.

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS11.6 - Security Requirements for Data Management
Control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
COBIT risk drivers:
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users
DNB requirement: 12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS5.8 - Cryptographic Key Management
Control objective: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
COBIT risk drivers:
• Keys misused by unauthorised parties
• Registration of non-verified users, thus compromising system security
• Unauthorised access to cryptographic keys
DNB requirement: 18.3 Cryptographic key management: Policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys, to ensure the protection of keys against modification and unauthorised disclosure.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
Control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
COBIT risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB requirement: 1.1 Information security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.
Columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | DNB | CIA

Risk: R2: Improper decommissioning (CIA 3-1-1)

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.2 - Storage and Retention Arrangements
Control objective: Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements.
COBIT risk drivers:
• Data not protected from unauthorised viewing or altering
• Documents not retrieved when needed
• Non-compliance with regulatory and legal obligations
• Unauthorised data access
DNB requirement: 12.1 Storage and retention arrangements: Procedures are defined and implemented for effective and efficient data storage, retention and archiving to meet business objectives, the organisation's security policy and regulatory requirements.

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.4 - Disposal
Control objective: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
COBIT risk drivers:
• Disclosure of corporate information
• Compromised integrity of sensitive data
• Unauthorised access to data tapes
DNB requirement: 12.2 Disposal: Procedures are defined and implemented to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.

Vulnerability: 6.6 No privacy protection best practices
COBIT control: DS11.6 - Security Requirements for Data Management
Control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
COBIT risk drivers:
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users
DNB requirement: 12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
Control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
COBIT risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB requirement: 1.1 Information security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

Vulnerability: 6.3 User permissions fatigue
COBIT control: DS5.4 - User Account Management
Control objective: Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
COBIT risk drivers:
• Security breaches
• Users failing to comply with security policy
• Incidents not solved in a timely manner
• Failure to terminate unused accounts in a timely manner, thus impacting corporate security
DNB requirement: 17.2 User account management: Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges is performed.

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.5 - Security Testing, Surveillance and Monitoring
Control objective: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
COBIT risk drivers:
• Misuse of users' accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs
DNB requirement: 16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
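The R2 controls above (DS5.4 account management, DS11.4 disposal, DS5.5 reaccreditation against the security baseline, together with PO7.8 job change and termination from the framework) are stated as objectives. The following is an added example, not code from the thesis, COBIT or DNB, of how an IT auditor could test them on a BYOD population by cross-checking three exports: an HR leavers list, an IAM account list and an MDM device inventory. All three exports and their column names are constructed for the example, and the policy thresholds (a one-day grace period after termination, a 90-day dormancy limit, a minimum OS version of 5.0) are assumed values that a real bank would take from its own security plan (DS5.2).

```python
"""Audit checks for the R2 (Improper decommissioning) controls.

Added example for this page, not code from the thesis, COBIT or DNB.
The three exports below are constructed and their column names are
assumed; real HR, IAM and MDM exports will differ.
"""
import csv
import io
from datetime import date

# Constructed HR leavers export: who left and when.
HR_LEAVERS = """user,termination_date
a.jansen,2012-08-01
b.devries,2012-09-10
"""

# Constructed IAM account export: directory accounts and last login.
IAM_ACCOUNTS = """user,status,last_login
a.jansen,active,2012-07-30
b.devries,disabled,2012-09-09
c.bakker,active,2012-03-01
d.smit,active,2012-09-20
"""

# Constructed MDM inventory: privately owned devices enrolled for business use.
MDM_DEVICES = """device_id,user,enrolled,encrypted,jailbroken,os_version
D1,a.jansen,yes,yes,no,5.1
D2,b.devries,no,yes,no,5.1
D3,c.bakker,yes,no,no,4.0
D4,d.smit,yes,yes,yes,5.1
"""

# Assumed policy values (not from the thesis): access must be gone the day
# after termination, accounts idle for 90 days go to the management review,
# and the accredited baseline requires OS 5.0+, encryption and an intact sandbox.
GRACE_DAYS = 1
DORMANT_DAYS = 90
MIN_OS = (5, 0)
AS_OF = date(2012, 9, 21)  # audit date, constructed


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def audit(as_of=AS_OF, hr_csv=HR_LEAVERS, iam_csv=IAM_ACCOUNTS, mdm_csv=MDM_DEVICES):
    """Return a list of (control, subject, finding) tuples for the audit date."""
    leavers = {r["user"]: date.fromisoformat(r["termination_date"])
               for r in parse_csv(hr_csv)}
    accounts = {r["user"]: r for r in parse_csv(iam_csv)}
    devices = parse_csv(mdm_csv)
    findings = []

    # DS5.4 / PO7.8: a leaver's account must be closed once the grace period has passed.
    for user, left in leavers.items():
        acct = accounts.get(user)
        days_gone = (as_of - left).days
        if acct and acct["status"] == "active" and days_gone > GRACE_DAYS:
            findings.append(("DS5.4", user,
                             f"account still active {days_gone} days after termination"))

    # DS11.4: corporate data on a leaver's device must be removed (unenrolled or wiped).
    for dev in devices:
        left = leavers.get(dev["user"])
        if left and dev["enrolled"] == "yes" and (as_of - left).days > GRACE_DAYS:
            findings.append(("DS11.4", dev["device_id"],
                             "device of leaver still enrolled, corporate data not removed"))

    # DS5.4: dormant accounts of current staff are raised for the periodic review.
    for user, acct in accounts.items():
        if acct["status"] != "active" or user in leavers:
            continue
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append(("DS5.4", user, f"no login for {idle} days"))

    # DS5.5: every enrolled device is re-checked against the accredited baseline.
    for dev in devices:
        if dev["enrolled"] != "yes":
            continue
        if dev["encrypted"] != "yes":
            findings.append(("DS5.5", dev["device_id"], "storage encryption disabled"))
        if dev["jailbroken"] == "yes":
            findings.append(("DS5.5", dev["device_id"], "jailbroken, app sandbox cannot be trusted"))
        if parse_version(dev["os_version"]) < MIN_OS:
            findings.append(("DS5.5", dev["device_id"], f"OS {dev['os_version']} below baseline"))
    return findings


if __name__ == "__main__":
    for control, subject, finding in audit():
        print(f"{control:7} {subject:10} {finding}")
```

Run as a script it prints one line per finding; on the constructed data that is the leaver whose account and device were never de-provisioned, one dormant account, and two devices that no longer meet the baseline. The check deliberately reads HR as the authoritative source for who has left, so that a termination the IAM team never processed still surfaces, which is the failure mode behind "Failure to terminate unused accounts in a timely manner" in the DS5.4 risk drivers.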
Columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | DNB | CIA

Risk: R3: Unintentional data disclosure (CIA 3-2-1)

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS5.11 - Exchange of Sensitive Data
Control objective: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
COBIT risk drivers:
• Sensitive information exposed
• Inadequate physical security measures
• Unauthorised external connections to remote sites
• Disclosure of corporate assets and sensitive information accessible for unauthorised parties
DNB requirement: 18.5 Exchange of sensitive data: Sensitive transaction data is only exchanged over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

Vulnerability: 6.4 Encryption weaknesses
COBIT control: DS11.4 - Disposal
Control objective: Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
COBIT risk drivers:
• Disclosure of corporate information
• Compromised integrity of sensitive data
• Unauthorised access to data tapes
DNB requirement: 12.2 Disposal: Procedures are defined and implemented to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS11.6 - Security Requirements for Data Management
Control objective: Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
COBIT risk drivers:
• Sensitive data misused or destroyed
• Unauthorised data access
• Incompleteness and inaccuracy of transmitted data
• Data altered by unauthorised users
DNB requirement: 12.3 Security requirements for data management: Policies and procedures are defined and implemented to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation's security policy and regulatory requirements.
Columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | DNB | CIA

Risk: R4: Phishing (CIA 4-3-1)

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: PO7.8 - Job change and Termination
Control objective: Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
COBIT risk drivers:
• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations
DNB requirement: 8.5 Job change and termination: Expedient actions are taken regarding job changes, especially job terminations. Knowledge transfer is arranged, responsibilities are reassigned and access rights are removed such that risks are minimised and continuity of the function is guaranteed.

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: AI3.2 - Infrastructure Resource Protection and Availability
Control objective: Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
COBIT risk drivers:
• Disruptions in production processing
• Undetected bypassing of access controls
• Unauthorised access to sensitive software
• Business needs not supported by technology
DNB requirement: 18.1 Infrastructure resource protection and availability: Internal control, security and auditability measures are implemented during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components are clearly defined and understood by those who develop and integrate infrastructure components. Their use is monitored and evaluated.

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: DS5.3 - Identity Management
Control objective: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
COBIT risk drivers:
• Unauthorised changes to hardware and software
• Access management failing business requirements and compromising the security of business-critical systems
• Unspecified security requirements for all systems
• Segregation-of-duty violations
• Compromised system information
DNB requirement: 17.1 Identity management: All users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. User identities are enabled via authentication mechanisms. User access rights to systems and data are in line with defined and documented business needs, and job requirements are attached to user identities. User access rights are requested by user management, approved by system owners and implemented by the security-responsible person. User identities and access rights are maintained in a central repository. Cost-effective technical and procedural measures are deployed, and kept current, to establish user identification, implement authentication and enforce access rights.

Vulnerability: 6.5 Weak app distributor authentication mechanisms
COBIT control: DS5.8 - Cryptographic Key Management
Control objective: Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
COBIT risk drivers:
• Keys misused by unauthorised parties
• Registration of non-verified users, thus compromising system security
• Unauthorised access to cryptographic keys
DNB requirement: 18.3 Cryptographic key management: Policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys, to ensure the protection of keys against modification and unauthorised disclosure.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
Control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
COBIT risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB requirement: 1.1 Information security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.
Columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | DNB | CIA

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.6 - Security Incident Definition
Control objective: Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
COBIT risk drivers:
• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches
DNB requirement: 15.1 Security incident definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.

Vulnerability: 6.1 Vulnerabilities leading to malware installation
COBIT control: DS5.9 - Malicious Software Prevention, Detection and Correction
Control objective: Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
COBIT risk drivers:
• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures
DNB requirement: 19.1 Malicious software prevention, detection and correction: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.5 - Security Testing, Surveillance and Monitoring
Control objective: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
COBIT risk drivers:
• Misuse of users' accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs
DNB requirement: 16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
Control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
COBIT risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB requirement: 1.1 Information security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.6 - Security Incident Definition
Control objective: Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
COBIT risk drivers:
• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches
DNB requirement: 15.1 Security incident definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.
6.7 Lack of user awareness
DS5.10 - Network Security
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.
• Failure of firewall rules to reflect the organisation’s security policy• Undetected unauthorised modifications to firewall rules• Compromised overall security architecture• Security breaches not detected in a timely manner
18.4 Network security: Security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) are used to authorise access and control information flows from and to networks. Available best practices in this area (i.e. GovCert, ISO/IEC, ITSec) are considered.
R6: Network spoofing attacks
4-3-3
4-4-1
R5: Spyware
DNB
A Security Control Framework for Consumerization of Mobile Devices in the Bank Sector 2012
P a g e | 55
Table columns: Vulnerabilities | COBIT Controls | COBIT Control Objectives | COBIT Risk Drivers | CIA | DNB

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.6 - Security Incident Definition
Control objective: Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
Risk drivers:
• Undetected security breaches
• Lack of information for performing counterattacks
• Missing classification of security breaches
DNB: 15.1 Security Incident Definition: The characteristics of potential security incidents are defined and communicated so they are properly classified and treated by the incident and problem management process.

Vulnerability: 6.1 Vulnerabilities leading to malware installation
COBIT control: DS5.9 - Malicious Software Prevention, Detection and Correction
Control objective: Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
Risk drivers:
• Exposure of information
• Violations of legal and regulatory requirements
• Systems and data that are prone to virus attacks
• Ineffective countermeasures
DNB: 19.1 Malicious software prevention, detection and correction: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

Vulnerability: 6.2 Covert channels/weak sandboxing
COBIT control: DS5.5 - Security Testing, Surveillance and Monitoring
Control objective: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
Risk drivers:
• Misuse of users’ accounts, compromising organisational security
• Undetected security breaches
• Unreliable security logs
DNB: 16.1 Security testing, surveillance and monitoring: The IT security implementation is tested and monitored in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

Vulnerability: 6.7 Lack of user awareness
COBIT control: DS5.2 - IT Security Plan
Control objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
Risk drivers:
• IT security plan not aligned with business requirements
• IT security plan not cost effective
• Business exposed to threats not covered in the strategy
• Gaps between planned and implemented IT security measures
• Users not aware of the IT security plan
• Security measures compromised by stakeholders and users
DNB: 1.1 Information Security plan: Business, risk and compliance requirements are translated into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.

Vulnerability: 6.3 User permissions fatigue
COBIT control: DS5.4 - User Account Management
Control objective: Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
Risk drivers:
• Security breaches
• Users failing to comply with security policy
• Incidents not solved in a timely manner
• Failure to terminate unused accounts in a timely manner, thus impacting corporate security
DNB: 17.2 User account management: Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed with a set of user account management procedures. An approval procedure outlining the data or system owner granting the access privileges is included. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Regular management review of all accounts and related privileges is performed.

Risks covered by the rows on this page: R7: Surveillance, R8: Diallerware & R9: Financial malware. CIA ratings (C-I-A) given on this page: 4-3-1, 1-1-1 and 3-3-1.
Vulnerability: Inadequate resource provisioning
COBIT control: DS4.2 - IT Continuity Plans
Control objective: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
Risk drivers:
• Failure to recover IT systems and services in a timely manner
• Failure of alternative decision-making processes
• Lack of required recovery resources
• Failed communication to internal and external stakeholders
DNB: 11.1 IT Continuity plans: IT continuity plans are developed based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans are based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. The plans also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

Vulnerability: Inadequate resource provisioning
COBIT control: DS4.5 - Testing of the IT Continuity Plan
Control objective: Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
Risk drivers:
• Shortcomings in recovery plans
• Outdated recovery plans that do not reflect the current architecture
• Inappropriate recovery steps and processes
• Inability to effectively recover should real disaster occur
DNB: 11.2 Testing of the IT Continuity plan: The IT continuity plan is tested on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. The extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing is considered.

Vulnerability: Inadequate resource provisioning
COBIT control: DS1.5 - Monitoring and Reporting of Service Level Achievements
Control objective: Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.
Risk drivers:
• Lack of defined measures important to the organisation
• Unidentified underlying service problems and issues
• Dissatisfied users due to lack of information, irrespective of quality of service
DNB: 14.1 Monitoring and reporting of Service Level Achievements: Specified service level performance criteria are continuously monitored. Reports on achievement of service levels are provided in a format that is meaningful to the stakeholders. The monitoring statistics are analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

Risk covered by the rows on this page: R10: Network congestion. CIA rating (C-I-A): 1-1-4.
Appendix B: Vulnerabilities by ENISA
Below we describe classes of vulnerabilities which may be present in a smartphone, for use as a reference (Hogben & Dekker, 2010).
6.1 Vulnerabilities leading to malware installation
1. Patching weaknesses
• In walled-garden app-store models, any patch has to find its way through the app-
store vetting process before it can be applied to a device. Despite an obvious
opportunity for improving security, app vetting schemes are a bottleneck in the
distribution of patches. This is a serious obstacle to the timely patching of apps,
which in a fast moving industry may be required frequently.
• Thoroughly testing that a patch does not break any applications is challenging even
for only one or just a few products. Managing a security update system for tens of
different products (some of them based on very different platforms and operating
systems, some of them already many years old, etc.) would be extremely
challenging. If security patches are not thoroughly tested for all models, automatic
updates could deliver more harm than benefits to users. Thus, deploying such an
infrastructure would be very challenging for many manufacturers.
• Several OSs still rely on users to confirm or even discover individual updates of
apps, which is a serious problem for patching security flaws.
2. Limited capabilities for 3rd party security solutions (centralised security management)
Many platforms allow only limited functionality for third-party security services. For
example, on some platforms, apps are not allowed access to processes unless they are
signed by the same developer certificate. Some platforms do not allow certain types of apps
to run in the background. This makes it difficult to provide security services which rely on
monitoring the activities of applications. This places more responsibility in the hands of the
OS and app-store providers. Although this has obvious opportunities for improving security
(see [3.3 Remote application removal]), it nevertheless creates a significant single point of
failure in the event that the provider’s defences prove inadequate.
3. Reputation vulnerabilities
Vulnerabilities in reputation systems applied to apps might allow an attacker to inflate the
reputation of an app artificially and thus gain undue trust from users. These vulnerabilities
include lack of voter authentication, the possibility of multiple votes, votes not being
weighted according to the importance of the target app, etc. (further information can be
found in the ENISA report (63)).
4. Lack of code/app review processes
Due to market forces, recent mobile platforms tend to be very open and developer friendly
to encourage adoption. This is because of current trends in which third-party application
developers have an increasingly important role in mobile device ecosystems. Furthermore
application signing infrastructures and operating system level security frameworks are
sometimes considered a major hurdle for the development of applications by third-parties.
5. Signed ≠ trusted
Users may think that signed apps are more trustworthy than unsigned apps when there may
be no such implication. Clearly in some cases, the app signature is an assertion that the app
has been checked according to certain criteria but, in other cases, it may be simply a
mechanism to establish the origin of the application. The risks from malware and spyware
are increased with respect to older phones since mechanisms available for users to
distinguish trusted from untrusted apps (reputation systems, digital signatures) are open to
abuse and misinterpretation.
6. Ability to unlock phones
These vulnerabilities are of a rather different category, in that the user of the device is aware
that he or she is disabling certain security measures, and indeed almost certainly wants to
work around them. However an unlocked phone allows the user to install apps which are not
subject to the vetting processes used in app-stores. This leads to a situation where users are
often not aware that they are executing code which has not been subject to any review
process and which operates with root privileges.
6.2 Covert channels/weak sandboxing
personal data from the user and usage data from other apps. Many apps are also granted
access to the user address book, which usually contains highly sensitive information (e.g.
users hide bank account details as address book entries). Network interfaces may also be
used to transmit private data covertly between apps or to an attacker; e.g. a backdoor in an
SMS app is easy to implement.
In some smartphone platforms, location data is added to photo filenames or in file
metadata. If these photos are made available to other apps or uploaded to social networking
sites, users will be asked for permission to access the gallery, but not location data. This
therefore constitutes a covert channel. For example, a user might post a photo on a public
blog or micro-blogging site, without realising that the filename contains the location of the
data.
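The photo-metadata covert channel described above can be checked for before a picture leaves the device. The following is an added example, not code from the thesis or from the ENISA report: standard-library Python that walks a JPEG's marker segments, reports which tags its Exif GPS sub-IFD carries, and strips the Exif segment; the sample images are constructed byte strings, and 0x8825, 0x0000 and 0x0001 are the standard Exif GPSInfo, GPSVersionID and GPSLatitudeRef tag numbers.

```python
"""Detect and strip Exif GPS metadata (a location covert channel) from a JPEG.

Added illustration built on the standard library only. Assumes the photo is a
JPEG whose metadata sits in an APP1 "Exif" segment; the sample JPEGs below are
constructed byte strings, not real photos.
"""
import struct

GPS_IFD_POINTER_TAG = 0x8825      # IFD0 entry that points to the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt JPEG marker structure")
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI: standalone, ends the file
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _parse_ifd(tiff: bytes, order: str, offset: int) -> dict:
    """Return {tag: raw 4-byte value field} for every entry of one TIFF IFD."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, _typ, _n, value = struct.unpack(order + "HHII", tiff[base:base + 12])
        entries[tag] = value                    # for LONG entries this is the offset
    return entries


def _exif_gps_tags(app1_payload: bytes):
    """Tags in the GPS sub-IFD of an Exif APP1 payload, or None if there is none."""
    if not app1_payload.startswith(EXIF_HEADER):
        return None                             # APP1 that is not Exif (e.g. XMP)
    tiff = app1_payload[len(EXIF_HEADER):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order from TIFF header
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif segment")
    ifd0 = _parse_ifd(tiff, order, struct.unpack(order + "I", tiff[4:8])[0])
    if GPS_IFD_POINTER_TAG not in ifd0:
        return None
    return sorted(_parse_ifd(tiff, order, ifd0[GPS_IFD_POINTER_TAG]))


def gps_tags(jpeg: bytes) -> list:
    """GPS IFD tag numbers present in the photo, or [] when it carries no location data."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1:
            tags = _exif_gps_tags(jpeg[start + 4:end])
            if tags is not None:
                return tags
    return []


def has_gps_metadata(jpeg: bytes) -> bool:
    return bool(gps_tags(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment dropped (location data included)."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            continue
        out += jpeg[start:end]
    return bytes(out)


def _build_sample(with_gps: bool) -> bytes:
    """Construct a minimal JPEG: SOI, one little-endian Exif APP1 segment, EOI."""
    le = "<"
    n0 = 2 if with_gps else 1
    gps_off = 8 + 2 + 12 * n0 + 4               # GPS IFD directly after IFD0
    make_off = gps_off + (2 + 12 * 2 + 4 if with_gps else 0)
    ifd0 = struct.pack(le + "H", n0)
    ifd0 += struct.pack(le + "HHII", 0x010F, 2, 5, make_off)   # Make, ASCII, at offset
    if with_gps:
        ifd0 += struct.pack(le + "HHII", GPS_IFD_POINTER_TAG, 4, 1, gps_off)
    ifd0 += struct.pack(le + "I", 0)            # no IFD1
    gps = b""
    if with_gps:
        gps = struct.pack(le + "H", 2)
        gps += struct.pack(le + "HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"  # GPSVersionID
        gps += struct.pack(le + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"     # GPSLatitudeRef
        gps += struct.pack(le + "I", 0)
    tiff = b"II" + struct.pack(le + "HI", 42, 8) + ifd0 + gps + b"Test\x00"
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


SAMPLE_WITH_GPS = _build_sample(True)           # constructed: photo tagged with a location
SAMPLE_NO_GPS = _build_sample(False)            # constructed: same photo without GPS IFD

if __name__ == "__main__":
    for name, img in (("with_gps", SAMPLE_WITH_GPS), ("no_gps", SAMPLE_NO_GPS)):
        print(name, "GPS tags:", [hex(t) for t in gps_tags(img)],
              "-> after strip:", has_gps_metadata(strip_exif(img)))
```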
6.3 User permissions fatigue
Many platforms request user consent for app access to different types of data and
messaging (e.g. push notifications) on the phone at installation time. There are several
problems with this:
• Compared to PCs and laptops, user interfaces are usually more limited, meaning
that, for example, storage of credentials on the device is more probable and user
authentication cannot be so frequent (biometric authentication is one possible
solution). For example, a request for user authentication is more invasive on a
smartphone than on a PC and the fraction of a user’s attention which can be
devoted to dealing with security-related decisions is even smaller than in larger
form-factor environments.
• Users do not have the time or commitment to evaluate permissions requests even
though it is restricted to a once-per-install request.
• Permissions are not detailed enough to convey the risks of giving consent – e.g.
granting access to the frequently typed words list in the keyboard cache may
sound harmless to many users, but this could reveal passwords.
• Some data types naturally lend themselves to integration with user consent,
without having to assume the persistence of a decision. For example, file upload
naturally involves the user in selecting the file and therefore presents little
difficulty. Other types, however, cannot be managed in this way. It is not feasible
for the user to provide input every time their location, temperature, acceleration,
magnetic field, etc. are disclosed.
• It is often very difficult for users to examine and/or change the permissions they
have granted after the initial request.
• There is no means to set global policies for permissions granted, e.g. ‘do not install
any apps which request location data for marketing purposes’.
6.4 Encryption weaknesses
Various high-profile weaknesses have been found in some implementations of smartphone
encryption, rendering data protection on the devices close to useless (12) (13). These
weaknesses come into play when an attacker gains physical access to the device through
theft or loss. Additionally the effectiveness of encryption mechanisms depends strongly on
the procedures and technical measures used to manage cryptographic keys.
6.5 Weak app distributor authentication mechanisms
It is often easy to impersonate a trusted brand such as a banking app. There may be no PKI
or other trust infrastructure to assure the identities of developers.
6.6 No privacy protection best practices
This applies especially to developers – there are no privacy best practices available for
smartphone developers. Given the privacy risks outlined in [Information security risk], many
of which rely on features specific to smartphones, this is an important issue.
6.7 Lack of user awareness
This is no different from other platforms but is, nevertheless, a factor in some risk scenarios.
For example, unintentional disclosure of data often relies on users’ lack of awareness of the
implications of consenting to certain kinds of data disclosure.
Appendix C: DNB Information Security Assessment Framework
The DNB assessment is divided into six sections: Strategy & Policies, Organization, People,
Processes, Technology and Facilities. The full format of the DNB assessment for Information
Security of financial institutions can be found on https://dnb.nl (dnb.nl, 2012).
[The DNB Information Security Assessment Framework is reproduced in the original as page images, under the headings Strategy & Policies, Organization, People, Processes, Technology and Facilities.]
Appendix D: ENISA Risk Assessment
The following risk assessments are retrieved from (Hogben & Dekker, 2010).
R1: Data leakage
Threat description: The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
Rating             Likelihood   Impact      Risk
Consumer (C)       High         Medium      Medium
Employee (E)       Medium       High        High
High official (H)  Medium       Very High   High
Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]
Assets: All

R2: Unintentional disclosure of data
Threat description: The smartphone user unintentionally discloses data on the smartphone.
Rating             Likelihood   Impact      Risk
Consumer (C)       Very High    Very High   High
Employee (E)       High         Medium      High
High official (H)  High         Very High   High
Vulnerabilities: [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.6 No privacy protection best practices] [6.7 Lack of user awareness]
Assets: [Personal data] [Personal and political reputation]

R3: Attacks on decommissioned smartphones
Threat description: The smartphone is decommissioned improperly, allowing an attacker access to the data on the device.
Rating             Likelihood   Impact      Risk
Consumer (C)       Medium       Medium      Medium
Employee (E)       High         High        High
High official (H)  Medium       Very High   High
Vulnerabilities: [6.7 Lack of user awareness] [6.4 Encryption weaknesses]
Assets: All

R4: Phishing
Threat description: An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.
Rating             Likelihood   Impact      Risk
Consumer (C)       Medium       High        Medium
Employee (E)       Medium       High        Medium
High official (H)  Medium       Very High   High
Vulnerabilities: [6.5 Weak app distributor authentication mechanisms] [6.7 Lack of user awareness]
Assets: All

R5: Spyware
Threat description: The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware covers untargeted collection of personal information as opposed to targeted surveillance.
Rating             Likelihood   Impact      Risk
Consumer (C)       High         Medium      High
Employee (E)       Medium       High        Medium
High official (H)  Medium       Medium      Medium
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Ability to unlock phones] [Reputation vulnerabilities] [6.2 Covert channels/weak sandboxing]
Assets: [Personal data] [Personal and political reputation]

R6: Network spoofing attacks
Threat description: An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.
Rating             Likelihood   Impact      Risk
Consumer (C)       Medium       Medium      Medium
Employee (E)       Medium       High        Medium
High official (H)  Medium       High        High
Vulnerabilities: [6.7 Lack of user awareness]
Assets: All

R7: Surveillance
Threat description: An attacker keeps a specific user under surveillance through the target user’s smartphone.
Rating             Likelihood   Impact      Risk
Consumer (C)       Low          High        Medium
Employee (E)       Low          High        Medium
High official (H)  Medium       Very High   High
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation]
Assets: [Personal data] [Classified information]

R8: Diallerware
Threat description: An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
Rating             Likelihood   Impact      Risk
Consumer (C)       High         High        High
Employee (E)       Medium       Medium      Medium
High official (H)  Low          Low         Low
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]
Assets: [Financial assets]

R9: Financial malware
Threat description: The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
Rating             Likelihood   Impact      Risk
Consumer (C)       Medium       High        High
Employee (E)       Low          High        Medium
High official (H)  Low          Low         Low
Vulnerabilities: [6.1 Vulnerabilities leading to malware installation] [Reputation vulnerabilities] [6.3 User permissions fatigue] [6.2 Covert channels/weak sandboxing] [6.7 Lack of user awareness]
Assets: [Financial assets]

R10: Network congestion
Threat description: Network resource overload due to smartphone usage leading to network unavailability for the end-user.
Rating             Likelihood   Impact      Risk
Consumer (C)       Low          Low         Low
Employee (E)       Low          Low         Low
High official (H)  Low          Low         Low
Vulnerabilities: [Inadequate resource provisioning]
Assets: [Device and service availability and functionality]
Appendix E: Survey Form
Name (Optional):   Function:   Company:   Date:
Rating scale: Not Applicable (0), LOW (1), Medium (2), High (3), Very High (4)
For each risk below, the respondent rates Confidentiality (C), Integrity (I) and Availability (A) on the 0-4 scale, separately for each of three user types: Consumer (C), Employee (E) and High official (H).

R1 Data leakage: A stolen or lost phone with unprotected memory allows an attacker to access the data on it.
R2 Improper decommissioning: The phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.
R3 Unintentional data disclosure: Most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
R4 Phishing: An attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or (SMS, email) messages that seem genuine.
R5 Spyware: The smartphone has spyware installed allowing an attacker to access or infer personal data. NB spyware includes any software requesting and abusing excessive privilege requests. It does not include targeted surveillance software (R7).
R6 Network spoofing attacks: An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
R7 Surveillance: Spying on an individual with a targeted user’s smartphone.
R8 Diallerware: An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
R9 Financial malware: Malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
R10 Network congestion: Network resource overload due to smartphone usage leading to network unavailability for the end-user.
Appendix F: Survey Results
Function:Company:Date: 10-Sep-12 Not
ApplicableLOW Medium High Very High
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
C 0 1 2 3 4
I 0 1 2 3 4
A 0 1 2 3 4
R2 Improper decommissioning
The phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.
Consumer (C)
Employee ('E)
High official (H)
R1 Data leakageA stolen or lost phone with unprotected memory allows an attacker to access the data on it.
Consumer (C)
Employee ('E)
High official (H)
R4 Phishing
An attacker collects user credentials (e.g. passwords, creditcard numbers) using fake apps or (sms,email) messages that seem genuine.
Consumer (C)
Employee ('E)
High official (H)
R3 Unintentional data disclosure
Most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
Consumer (C)
Employee ('E)
High official (H)
R6 Network spoofing attacks
An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing.
Consumer (C)
Employee ('E)
High official (H)
R5 Spyware
The smartphone has spyware installed allowing an attacker to access or infer personal data. NB spyware includes any software requesting and abusing excessive privilege requests. It does not include targeted surveillance software (R7).
Consumer (C)
Employee ('E)
High official (H)
Employee ('E)
R10 Network congestion
Network resource overload due to smartphone usage leading to network unavailability for the end-user.
Consumer (C)
Employee ('E)
High official (H)
High official (H)
SURVEY 1: Consumer (C) User (A) of smartphone (not for business)-
R9 Financial malware
Malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
Consumer (C)
Employee ('E)
High official (H)
R7 SurveillanceSpying on an individual with a targeted user’s smartphone.
Consumer (C)
Employee ('E)
High official (H)
R8 Diallerware
An attacker steals money from the user by means of malware that makes hidden use of premium sms services or numbers.
Consumer (C)
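The sheet scores each risk for three user groups on C, I and A with a 0-4 scale, but a pile of filled-in sheets only becomes a risk ranking once the answers are validated and combined. The following Python script is an added example, not part of the thesis or its survey tooling, showing one way to do that. The sheet layout (R1-R10, groups C/E/H, dimensions C/I/A, scale 0-4) is taken from the appendix; the one-line-per-rating text format of a filled-in sheet, the treatment of a 0 (Not Applicable) as an abstention rather than a "no risk" vote, and ranking by the worst-hit dimension are assumptions of this script, and the two sample sheets are constructed, not real responses.

```python
"""Validate and aggregate filled-in copies of the Appendix F survey sheet.

Added example, not the thesis's own code. Layout of the sheet (R1-R10, rated
per user group C/E/H on C/I/A, 0 = Not Applicable .. 4 = Very High) follows
the appendix; the input line format, the handling of 'Not Applicable' and
the ranking rule are assumptions made here.
"""
from collections import defaultdict
from statistics import mean

RISKS = {
    "R1": "Data leakage",
    "R2": "Improper decommissioning",
    "R3": "Unintentional data disclosure",
    "R4": "Phishing",
    "R5": "Spyware",
    "R6": "Network spoofing attacks",
    "R7": "Surveillance",
    "R8": "Diallerware",
    "R9": "Financial malware",
    "R10": "Network congestion",
}
GROUPS = {"C": "Consumer", "E": "Employee", "H": "High official"}
DIMENSIONS = ("C", "I", "A")  # confidentiality, integrity, availability
SCALE = {0: "Not Applicable", 1: "Low", 2: "Medium", 3: "High", 4: "Very High"}


def parse_sheet(text):
    """Parse one filled-in sheet written as 'R<n> <group> C=<v> I=<v> A=<v>' lines.

    Returns {(risk, group): {dimension: value}}. Unknown risks or groups, a
    missing dimension or a value outside 0..4 raise ValueError, so a mis-keyed
    sheet cannot silently skew the aggregate. Text after '#' is a comment.
    """
    ratings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 + len(DIMENSIONS):
            raise ValueError(f"line {lineno}: expected risk, group and {len(DIMENSIONS)} ratings")
        risk, group = parts[0], parts[1]
        if risk not in RISKS:
            raise ValueError(f"line {lineno}: unknown risk {risk!r}")
        if group not in GROUPS:
            raise ValueError(f"line {lineno}: unknown user group {group!r}")
        values = {}
        for token in parts[2:]:
            dim, _, val = token.partition("=")
            if dim not in DIMENSIONS or not val.isdigit() or int(val) not in SCALE:
                raise ValueError(f"line {lineno}: bad rating {token!r}")
            values[dim] = int(val)
        if set(values) != set(DIMENSIONS):
            raise ValueError(f"line {lineno}: each of C, I and A must be rated exactly once")
        ratings[(risk, group)] = values
    return ratings


def aggregate(sheets):
    """Average all sheets per (risk, group, dimension).

    Assumption: a 0 (Not Applicable) is an abstention, so it is left out of
    the mean; a cell every respondent abstained on averages to 0.0.
    """
    buckets = defaultdict(list)
    for sheet in sheets:
        for (risk, group), values in sheet.items():
            for dim, val in values.items():
                bucket = buckets[(risk, group, dim)]
                if val != 0:
                    bucket.append(val)
    return {key: (mean(vals) if vals else 0.0) for key, vals in buckets.items()}


def rank_risks(averages, group):
    """Rank R1-R10 for one user group by the highest of their C/I/A averages.

    Assumption: the worst-hit dimension drives the ranking, so a risk rated
    Very High on availability alone is not diluted by low C and I scores.
    Returns [(risk, score)] highest first; ties keep risk-id order.
    """
    scores = []
    for risk in RISKS:
        dims = [averages.get((risk, group, d), 0.0) for d in DIMENSIONS]
        scores.append((risk, max(dims)))
    return sorted(scores, key=lambda rs: (-rs[1], int(rs[0][1:])))


def scale_label(score):
    """Map an average back onto the sheet's wording (round half up)."""
    return SCALE[min(4, int(score + 0.5))]


# Constructed sample answers (not real survey responses), three risks each,
# both respondents rating the Employee (E) group.
SHEET_EMPLOYEE_1 = """
R1 E C=4 I=2 A=1    # lost phone: confidentiality hit hardest
R6 E C=3 I=3 A=1
R10 E C=0 I=0 A=3   # congestion only touches availability
"""
SHEET_EMPLOYEE_2 = """
R1 E C=3 I=1 A=2
R6 E C=4 I=2 A=0
R10 E C=0 I=0 A=2
"""

if __name__ == "__main__":
    averages = aggregate([parse_sheet(SHEET_EMPLOYEE_1), parse_sheet(SHEET_EMPLOYEE_2)])
    for risk, score in rank_risks(averages, "E"):
        print(f"{risk:<4} {RISKS[risk]:<30} {score:.2f} ({scale_label(score)})")
```

Run as-is, the script prints the Employee ranking for the two constructed sheets, with R1 and R6 tied at 3.50 (Very High) and R10 at 2.50 (High); risks no respondent rated fall to 0.0. The strict parser is the point of the exercise for an auditor: a survey aggregate is only as good as the entry checks in front of it.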
SURVEY 2
Function: User (B) of smartphone (not for business)
Company: -
Date: 10-Sep-12
Respondent group: Consumer (C)
[Rating grid: each of R1-R10 rated for Consumer (C), Employee (E) and High official (H) on C, I and A, scale 0 Not Applicable to 4 Very High; marked values not reproduced]
SURVEY 3
Function: Business Analyst
Company: Dutch Bank
Date: 12-Sep-12
Respondent group: Employee (E)
[Rating grid: each of R1-R10 rated for Consumer (C), Employee (E) and High official (H) on C, I and A, scale 0 Not Applicable to 4 Very High; marked values not reproduced]
SURVEY 4
Function: Associate
Company: Financial Institute
Date: 10-Sep-12
Respondent group: Employee (E)
[Rating grid: each of R1-R10 rated for Consumer (C), Employee (E) and High official (H) on C, I and A, scale 0 Not Applicable to 4 Very High; marked values not reproduced]
SURVEY 5
Function: Head IT Risk Management Department
Company: Dutch Bank
Date: 13-Sep-12
Respondent group: High official (H)
[Rating grid: each of R1-R10 rated for Consumer (C), Employee (E) and High official (H) on C, I and A, scale 0 Not Applicable to 4 Very High; marked values not reproduced]
SURVEY 6
Function: Head IT Security Services
Company: Dutch Bank
Date: 13-Sep-12
Respondent group: High official (H)
[Rating grid: each of R1-R10 rated for Consumer (C), Employee (E) and High official (H) on C, I and A, scale 0 Not Applicable to 4 Very High; marked values not reproduced]