August 2010
Abstract
Mobile computing devices have become a critical tool in today's networked world. Enterprises and individuals alike rely on mobile devices to remain reachable when away from the office or home. While mobile devices such as smartphones, laptops, personal digital assistants (PDAs) and Universal Serial Bus (USB) memory sticks have facilitated increased convenience for individuals as well as the potential for increased productivity in the workplace, these benefits are not without risks. Mobile devices have been, and continue to be, a source of various types of security incidents. These stem from issues such as device loss, malware and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate, as will the features these devices offer. It is, therefore, imperative that proper risk management be applied and security controls implemented to maximize the benefits while minimizing the risks associated with such devices.
Securing Mobile Devices
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.
2010 ISACA. All rights reserved.
As a result of the increased use of mobile devices in business, many enterprises are seeing an increase in employee productivity.
While an increase in productivity and a quick and high ROI are positive attributes for any enterprise, the risks associated with mobile devices can be significant and include issues stemming from human factors to technology and architecture issues. A lack of enterprise control of physical devices, and employees using personal devices for business, has increased mobile device risk levels. Therefore, it is imperative when considering the deployment of such tools to consider the potential benefits, risks and controls associated with the technology.

What Are Mobile Devices?
Mobile devices can mean many different things to people. For this paper, we will define mobile devices as:
- Full-featured mobile phones with personal computer-like functionality, or smartphones
- Laptops and netbooks
- Tablet computers
- Portable digital assistants (PDAs)
- Portable Universal Serial Bus (USB) devices for storage (such as thumb drives and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
- Digital cameras
- Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
- Infrared-enabled (IrDA) devices such as printers and smart cards

Devices such as these provide the user with the opportunity for seamless communication and/or information storage whether in the office or elsewhere. The communication capabilities allow workers to utilize wireless networks to communicate via phone, e-mail and text. Many provide access to the Internet, access to company documents and drives, video and photographic capabilities, and storage capability. In short, many of these devices enable an employee to be away from the office yet have the convenience of all the office resources.
Aberdeen Group, More Mobility, Less Budget: Enterprise Strategies in the Current Economic Downturn, USA, 2009
Gartner, www.gartner.com/it/page.jsp?id=1278413
Benefits can be realized only if the enterprise manages the technology effectively, for both value and risk.
- Mobility provides users with the opportunity to leave enterprise boundaries and thereby eliminates many security controls.
  Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network.
- Bluetooth technology is very convenient for many users to have hands-free conversations; however, it is often left on and then is discoverable.
  Hackers can discover the device and launch an attack.
- Unencrypted information is stored on the device.
  In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable.
- Mobile devices may be lost or stolen due to their portability. Data on these devices are not always backed up.
  In the event that the device is lost or stolen, outsiders can access the device and all of its data.
- If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices.
  While these devices may not connect to the virtual private network (VPN), they may interact with e-mail or store sensitive documents.
- The device has no authentication requirements applied.
  The enterprise is not managing the device.
- The device allows for installation of unsigned third-party applications.
  Applications may carry malware that propagates Trojans or viruses; the applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network.

Resulting business impacts include:
- Workers dependent on mobile devices unable to work in the event of broken, lost or stolen devices and data that are not backed up
- Data exposure, resulting in damage to the enterprise and liability and regulation issues
- Data leakage, malware propagation, unknown data loss in the case of device loss or theft
An enterprise strategy should always start with a comprehensive policy and finish with a full device life cycle support program.
Mobile devices have the potential to become the biggest threat for leakage of confidential information.
- Providing support to various devices
- Controlling data flow on multiple devices
- Preventing data from being synchronized onto mobile devices in an unauthorized way
- Keeping up with the usage of the latest and greatest devices
- Promoting accountability, responsibility and transparency with device usage
- Demonstrating regulatory compliance
Mobile devices should be managed, controlled and secured by enterprisewide policies, standards and procedures.
Some special considerations that auditors should bear in mind when verifying the operational efficiency are:
- Policy: Does a security policy exist for mobile devices? Does it include rules for appropriate physical and logical handling? The enterprise should have a policy addressing mobile device use and specifying the type of information and kind of devices and information services that may be accessible through the devices.
- Antivirus updates: Auditors should verify that the enterprise updates the mobile device antivirus software to prevent perpetuation of malware.
- Encryption: Auditors should verify that any data labeled as sensitive are properly secured while in transit or at rest.
- Secure transmission: Auditors should determine whether mobile device users are connecting to the enterprise network via a secure connection. VPN, IP security (IPsec) or Secure Sockets Layer (SSL) can offer some levels of assurance.
- Device management: Auditors should determine whether there is an asset management process in place for tracking mobile devices. This asset management program should also detail procedures for lost and stolen devices as well as procedures for employees who have been terminated or have resigned from the enterprise.
- Access control: Auditors should verify that data synchronization of mobile devices is not set to receive access to shared files or network drives that contain data that are prohibited for mobile use by the policy.
- Awareness training: The auditor should verify that the enterprise has an awareness program in place that addresses the importance of securing the mobile devices physically and logically. The training should also make clear the types of information that can and cannot be stored on such devices.
- Risk: Mobile devices have the capability to store large amounts of data and present a high risk of data leakage and loss. As such, mobile device policies should be created and enforced to ensure that information assets are not exposed.
Frameworks such as COBIT and Risk IT can provide a strong foundation for technology management.
Conclusion
Technical innovation has paved the way for mobile device assimilation into the workplace. These devices have acted as a catalyst for improving efficiency, productivity and availability in business operations. While many enterprises have chosen to utilize this technology, they have often not considered the business risk or the governance implications associated with these devices. Loss, theft or corruption of sensitive or confidential data; malware that can affect not only the mobile device itself, but also the enterprise network; and the way in which employees use the devices are just a few of the risks involved with this type of technology. In addition to the governance and security that already exist within the enterprise, risks and associated controls (if they exist) that accompany this boundaryless technology must be assessed to ensure that enterprise information assets are protected and available. Enterprises that have been considering the use of mobile computing devices in their environment should calculate the benefits that the technology can offer them and the additional risks that are incurred. Once benefits and risks are understood, businesses should utilize a governance framework to ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss.
Additional Resources and Feedback
Visit www.isaca.org/mobiledevices for additional resources and use the feedback function to provide your comments and suggestions on this document. Your feedback is a very important element in the development of ISACA guidance for its constituents and is greatly appreciated.