A framework for auditing mobile devices - Baker · PDF fileA framework for auditing mobile...
Transcript of A framework for auditing mobile devices - Baker · PDF fileA framework for auditing mobile...
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International. © 2010 Baker Tilly Virchow Krause, LLP
A framework for auditing mobile devices
Learning objectives
˃ Understand different approaches for managing
mobile devices including centralized, decentralized,
and BYOD management
˃ Identify the impacts of mobile devices at
organization
˃ Critically analyze mobile device risks using a
framework focused on people, devices,
applications/websites, and data
˃ Define key mobile device controls to incorporate
into audit work plans
2
Contents
˃ Define mobile & BYOD
˃ Impacts of mobile devices at organizations
˃ Risks and internal audit considerations
˃ Key mobile device management controls
˃ A framework for mobile device auditing
˃ Examples of environment
˃ Resources
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP
Define mobile & BYOD
4
Why do we care?
˃ Mobile is here, no going back to being tethered to a
desk
˃ Mobile allows great productivity and flexibility to
achieve organizational objectives
˃ Mobile employees are happier (so “they” say)
˃ Mobile can save money (maybe?)
Why is mobile the future?
˃ A Cisco study says in 2014 the average number of
connected devices per knowledge worker will reach
an average of 3.3 devices, up from 2.8 in 2012
˃ Gartner predicts by 2017, half of employers will
require employees to supply their own device for
work purposes
What is a mobile device?
NIST (SP 800-124) – characteristics: ˃ Small form factor
˃ Wireless network interface for internet access
˃ Local built-in (non-removable) data storage
˃ Operating system that is not a full-fledged desktop/laptop
operating system
˃ Apps available through multiple methods
˃ Built-in features for synchronizing local data
What is a mobile device?
NIST – optional characteristics: ˃ Wireless personal area network interfaces (e.g., Bluetooth,
near-field communications)
˃ Cellular network interfaces
˃ GPS
˃ Digital camera
˃ Microphone
˃ Support for removable media
˃ Support for using the device itself as removable storage
What is a mobile device?
Any easily portable technology that allows for the
storage and transmittal of your organization’s data
Examples:
˃ Phones
˃ Tablets
˃ Laptops
˃ External hard
drives (e.g., USB
thumb drives)
˃ Cameras (e.g.,
point and shoot)
˃ Logistics devices (e.g., GPS
Tracking devices, RFID)
˃ eReaders
˃ Digital music players (e.g.,
iPods)
˃ Medical devices (e.g.,
pacemakers)
˃ Smartwatches and glasses
What is BYOD?
˃ Bring Your Own Device
˃ Supported by organization systems and
applications that allow multiple type of devices to
access those services
˃ Powered by the internet
BYOD – pros & cons
Pros: ˃ Reduced upfront costs
˃ Employee satisfaction
˃ Potentially greater functionality for users
Cons: ˃ Unmanaged devices with your organization’s data
˃ Mingling of personal and organizational data
˃ Managing legal requirements (e.g., eDiscovery)
BYOD in the Enterprise—A Holistic Approach, ISACA JOURNAL, Volume 1, 2013
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP
Risks and internal audit considerations
13
Major security concerns (NIST)
˃ Lack of physical security controls
˃ Use of untrusted mobile devices
˃ Use of untrusted networks
˃ Use of apps created by unknown parties
˃ Interaction with other systems
˃ Use of untrusted content
˃ Use of location services
What are the mobile device risks?
NIST characteristics Illustrative risks
Small form factor Loss or theft of data
Wireless network interface for internet
access
Exposure to untrusted and unsecured
networks
Local built-in (non-removable) data
storage
Loss or theft of data
Operating system that is not a full-
fledged desktop/laptop operating
system
Reduced technical controls
Apps available through multiple
methods
Exposure to untrusted and malicious
apps
Built-in features for synchronizing
local data
Interactions with other untrusted and
unsecured systems
What are the mobile device risks?
NIST characteristics Illustrative risks
Wireless personal area network
interfaces (e.g., Bluetooth, near-field
communications)
Exposure to untrusted and unsecured
networks
Cellular network interfaces Exposure to untrusted and unsecured
networks
GPS Exposure of private information
Digital camera Exposure of private information
Microphone Exposure of private information
Support for removable media Loss or theft of data
Support for using the device itself as
removable storage
Interactions with other untrusted and
unsecured systems
IA considerations – scoping
Does your organization have a mobile device
strategy, including: ˃ Alignment with organizational strategy/objectives
˃ Risk assessment(s) for mobility
˃ Definition of devices
˃ Policies governing the use of devices (with penalties)
˃ Security standards based on data
IA considerations – scoping (cont.)
˃ Who owns these devices, organization or
employee?
˃ Who is responsible for managing and securing the
devices?
˃ Incident response procedures
˃ Antivirus / antimalware software
˃ Who is paying for devices and service plans?
˃ Does that change responsibilities?
˃ What are the legal and regulatory requirements for
your organization and the jurisdictions you operate
in?
Identifying owners and stakeholders
˃ Who is your client?
˃ Who are the stakeholders?
˃ General Counsel
˃ Chief Information Officer
˃ Chief Information Security Officer
˃ Chief Operations Officer
˃ Chief Compliance Officer
˃ Chief Privacy Officer
˃ Chief Risk Officer
˃ Other functions with a stake in privacy and security
(e.g., human resources, sales)
Understanding the organization
˃ Mission and objectives
˃ Organization and responsibilities
˃ Customers
˃ Types of data
˃ Exchanges of data
˃ Interdepartmental
˃ Third parties
˃ Interstate or international
˃ Data collection, usage, retention, and disclosure
˃ Systems (e.g., websites, apps)
Assessing risk
˃ Leveraging management’s risk assessments
˃ Consultation with legal counsel
˃ Regulatory risk
˃ Legal/contractual risk
˃ Industry self-regulatory initiatives
˃ Constituency relations and perceptions
˃ Public relations
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP
Where’s the GRC?
22
Old model
˃ Protect everything in my office network with
physical and logical controls over access
˃ Then we added laptops and pushed the network
out of the office using VPNs
˃ That doesn’t work any more with phones and
tablets, especially when they are owned by the
employee
Framework – benefits
˃ Flexible – audit all at once or in parts
˃ Adaptable – scope it how you want it
˃ Inclusive – make use of other
standards/frameworks (e.g., COBIT, ISO 27002,
NIST)
˃ ISACA’s Bring Your Own Device (BYOD) Security
Audit/Assurance Program
Mobile device framework
Data Websites & Apps
Devices People
Mobile device framework
˃ Data
˃ Websites & apps
˃ Devices
˃ People
Mobile device framework – data
˃ Data (i.e., data generated, accessed, modified,
transmitted, stored or used electronically by the
organization) is essential to the organization's
objectives and requires protection for a variety of
reasons, including legal and regulatory
requirements.
˃ Examples:
˃ Messages (e.g., emails, text messages, instant messages)
˃ Voice
˃ Pictures
˃ Files (e.g., attachments)
˃ Hidden (e.g., GPS)
Building the framework – data types
DATA
Data
Data
Data
Data
Data
WEB & APPS PEOPLE DEVICES
© Baker Tilly Virchow Krause, LLP
Mobile device framework – data
˃ Classification tiers
˃ Data owners/stewards
˃ Data inventory
Mobile device framework – data –
audit considerations
˃ Determine the types of data that can be accessed
or stored on mobile devices. Assess restrictions in
place to safeguard data.
˃ Review the data classification security policy to
ensure specificity to the various types of data,
based on sensitivity.
˃ Use/create an inventory of data, identify the
applications and websites where it can be
accessed, and determine who will take ownership
of the data moving forward.
Mobile device framework – data –
audit considerations
˃ Determine if authentication and security
requirements or restrictions are or should be
established for each data type
˃ Determine if “Legal Hold” requirements are
documented and align with data classification and
then mobile device security
Building the framework – data:
classification
© Baker Tilly Virchow Krause, LLP
DATA
Data
Data
Data
Data
Data
WEB & APPS PEOPLE DEVICES
Confidential
Restricted
Internal Use
Public
Data – audit considerations
from ISACA’s work program
˃ 8.1.2 Data Access
˃ 8.1.4 Encryption and Data Protection
Mobile device framework – websites &
apps
˃ Websites and applications (i.e., tools used to
process electronic data) require security controls,
regardless of the device used for access, to protect
the confidentiality, integrity, and availability of data.
Mobile device framework –
websites & apps examples
Types Business Personal
Websites/portals •Outlook web access
•Business intranet
•Yahoo
•ESPN
Cloud services •Google services
•Salesforce.com
•Microsoft Office 365
•Gmail
•Flickr
App stores •Apple app store
•Google marketplace
•Amazon app store
•Custom corporate
stores
•Apple app store
•Google marketplace
•Amazon app store
Custom built apps &
sites
•Business specific •Entertainment
•Hacking/malicious
Virtual desktop
environments/remote
desktop tools
•Citrix
•VMware
•GoToMyPC
•VNC
Building the framework – web & apps
© Baker Tilly Virchow Krause, LLP
DATA
Data
Data
Data
Data
Data
WEB & APPS PEOPLE DEVICES
App
Web
App
Web
App
Confidential
Restricted
Internal Use
Public
Mobile device framework –
web/apps – audit considerations
˃ Determine the websites and applications that are
used on mobile devices to access data, and
determine whether they are approved. Assess how
websites and applications are secured to protect
data.
˃ Review all applications and websites accessible via
mobile devices to ensure they comply with security
policies (e.g., encryption requirements, storage
restrictions, access permissions).
Building the framework – web & apps
Confidential
Restricted
Internal Use
Public
DATA
Data
Data
Data
Data
Data
WEB & APPS
App
Web
App
Web
App
PEOPLE DEVICES
© Baker Tilly Virchow Krause, LLP
Web/App – audit considerations
from ISACA’s work program
˃ 8.1.6 Malware Protection
˃ 9.1.3 Secure Software Distribution
Mobile device framework – devices
˃ Devices (i.e., hardware used to access websites
and applications for data processing) require an
increasing variety of security controls due to the
increased mobility, choice, functionality, and
replacement of these products.
Mobile device framework – devices
˃ Managed vs. unmanaged
˃ Business vs. employee owned
Mobile device framework – devices
˃ Encryption
˃ Data transfers (e.g., sending and syncing)
˃ Logical security (e.g., linkage to HR, passwords,
access management)
˃ Physical security
˃ Network architecture (e.g., configuration,
monitoring)
˃ Mobile device management (***more later)
Mobile device framework – devices –
audit considerations
˃ Determine the types of mobiles devices that are
used to access data, and whether each mobile
device is supported. Assess how mobile devices
are secured to protect data.
˃ Ensure that both organization managed and
personally owned mobile devices that access
confidential or high-risk data are secured with
appropriate security controls.
Building the framework – devices
Confidential
Restricted
Internal Use
Public
DATA
Data
Data
Data
Data
Data
WEB & APPS
App
Web
App
Web
App
PEOPLE DEVICES
Phone
Tablet
Laptop
© Baker Tilly Virchow Krause, LLP
Device – audit considerations
from ISACA’s work program
˃ 8.1.1 Device Access Restrictions
˃ 8.1.3 Explicit Permission to Wipe Data
˃ 8.1.4 Encryption and Data Protection
˃ 8.1.5 Remote Access
˃ 8.2.1 Network Access
Device – audit considerations
from ISACA’s work program
˃ 9.1.1 Mobile Device Management (MDM) is
Deployed
˃ 9.1.2 Central Management of BYOD Devices
˃ 9.1.4 Monitoring of BYOD Usage
˃ 9.1.5 Interfaces to Other Systems
˃ 9.1.6 Remote Management
Mobile device framework – people
˃ People (i.e., employees that process data via
websites and applications through a variety of
devices) require frequent communications and
trainings on the risks, policies, practices, and tools
for protecting the confidentiality, integrity, and
availability of data.
Mobile device framework – people
˃ Risk assessment
˃ Policies, procedures, standards
˃ Training and awareness programs with
acknowledged roles and responsibilities
˃ Monitoring
Mobile device framework – people – audit
considerations
˃ Determine if an overarching mobile device security
policy exists.
˃ Assess existing policies and procedures that guide
the procurement, use, support, and management of
mobile devices.
˃ Determine who uses mobile devices to access
data, and who supports and manages those mobile
devices that access data.
Mobile device framework – people – audit
considerations
˃ Advise departments on creating supplementary
mobile device security practices as needed.
˃ Assess formalized training and awareness
programs that inform mobile device users of the
risks involved and their personal responsibilities
when accessing information. ˃ Are employees OK with you wiping their device?
˃ What happens to personal data on the device?
Mobile device framework – people – audit
considerations
˃ Labor laws (Exempt vs. Non-exempt, union)
˃ Employment contracts
˃ OSHA
˃ Tax laws (reimbursements for devices, services)
˃ Export control laws (travel)
˃ Record management laws
˃ Fair Credit Reporting Act
˃ Local jurisdiction laws (of employee’s residence)
Mobile device framework – people –
employee agreement
˃ Eligibility
˃ Applicable company policies
˃ Data storage and backup
˃ Data and device management
˃ Legal hold notice
˃ Hardware support (theft, loss, damage)
˃ Software support
˃ Travel and physical security
Mobile device framework – people –
employee training
˃ Define BYOD/MDM for your organization
˃ Onboarding device process
˃ Roles/responsibilities
˃ Expense reimbursements/stipends
˃ Security policies
˃ Data ownership policies
˃ Practical app use with organization data
˃ Tech support
From Techrepublic.com
Building the framework – people
Practices
Confidential
Restricted
Internal Use
Public
DATA
Data
Data
Data
Data
Data
WEB & APPS
App
Web
App
Web
App
PEOPLE
Policy
Agreement
Procedures
Practices
Risk Assessment
DEVICES
Phone
Tablet
Laptop
© Baker Tilly Virchow Krause, LLP
People – audit considerations
from ISACA’s work program
˃ 2.1.1 BYOD Initial Risk Assessment
˃ 2.1.2 BYOD Ongoing Risk Assessment
˃ 3.1.1 Employee BYOD Agreement
˃ 3.1.2 Mobile Acceptable Use Policy (MAUP)
˃ 3.1.3 Human Resources (HR) Support for BYOD
˃ 3.1.4 Contractors
˃ 3.2.1 Exemptions from BYOD policies
People – audit considerations
from ISACA’s work program
˃ 4.1.1 Legal Involvement in BYOD Policies and
Procedures
˃ 4.1.2 Legal Hold
˃ 5.1.1 Help Desk
˃ 6.1.1 Policy Approval
˃ 6.1.2 Monitoring BYOD Execution
˃ 7.1.1 Initial Training
˃ 7.1.2 Security and Awareness Training
What is mobile device management?
˃ Process for managing mobile devices, including
policies, procedures, training, and systems
and
˃ Industry term for software tools used to centrally
administer mobile devices, specifically for security
purposes
Types of mobile device management
processes (Gartner)
˃ Control-oriented
˃ Choice-oriented
˃ Innovation-oriented
˃ Hands-off
What do MDM tools do? (Gartner)
˃ Software management
˃ Network service management
˃ Hardware management
˃ Security management
**Focus of these tools is phones and tablets; some
support laptops, but other device types are not
typically supported
MDM tools market (Gartner)
˃ MDM tools market estimated $784 million market
˃ About 128 or more firms in the market
˃ MDM tools projected to be $1.6-billion market by
2014
˃ Market penetration estimated at less than 30
percent
MDM tools prices (Gartner)
˃ Three years ago = $60 to $150 per device
˃ Today = under $30 per device
˃ Traditional endpoint protection = $10 to $15 per
seat
Mobile device management
and the framework
˃ Cuts across all four parts of the framework
˃ Data – some ability to restrict access
˃ Websites & apps – blacklisting, whitelisting,
deployment
˃ Devices – implement system controls
˃ People – use of MDM must align with policies
(especially HR and legal areas)
Key features of MDM tools
˃ Centralize device management through policy and
configuration management
˃ Control both corporate owned and personally
owned devices
˃ SaaS and on-premises delivery models
Key features of MDM tools
˃ Still require thorough testing:
˃ Connectivity
˃ Protection
˃ Authentication
˃ Application functionality
˃ Logging
˃ Performance management
Two main flavors of MDM tools
˃ Messaging server based (e.g., Microsoft Exchange)
˃ Limited control enforcement
˃ Limited support for devices
˃ Third party provided (e.g., Airwatch, Mobileiron,
Good)
˃ Additional costs and licenses required
˃ Another application to support and manage
When would you use MDM?
˃ BYOD
˃ Data encryption
˃ Multiple device operating systems
˃ Security breach impact
˃ Existing end point tools don’t work for mobile
devices
MDM – audit considerations
from ISACA’s work program (9.1.2)
˃ A secure portal for BYOD users to enroll and
provision their devices
˃ Centralized security policy enforcement
˃ Remotely lock and wipe data and installed apps
˃ Inventory devices, operating systems (OSs), patch
levels, organization and third-party apps, and
revision levels
˃ Distribution whitelists and blacklists
MDM – audit considerations
from ISACA’s work program
˃ Permission-based access controls for access to the
organization’s networks and data
˃ Selective wipe and privacy policies for organization
apps and data, i.e., sandboxing
˃ Distribution and management of digital certificates
(to encrypt and digitally sign emails and sensitive
documents)
˃ Role-based access groups with fine-grained access
control policies and enforcement
˃ Over-the-air (OTA) distribution of software (apps,
patches, updates) and policy changes
MDM – audit considerations
from ISACA’s work program
˃ Postpone automatic updates from Internet service
providers (ISPs), e.g., in cases where an automatic
OS update may cause critical apps to fail
˃ Secure logs and audit trails of all sensitive BYOD
activities
˃ Capability to locate and map lost phones for
recovery
˃ Backup and restore BYOD device data
˃ Remove or install profiles based on geographic
location, to ensure compliance with relevant foreign
legislation, e.g., data privacy and security
MDM – audit considerations
from ISACA’s work program
˃ When BYOD devices attempt to connect to the
organization’s networks, the MDM system
automatically checks:
˃ Patch levels for OSs and apps
˃ Required security software is active and current, i.e.,
antivirus, firewall, full-disk encryption, etc.
˃ Device is not jailbroken (Apple) or rooted (Android)
˃ Presence of unapproved devices (if any)
˃ Presence of blacklisted apps
˃ If any of the above login checks fail, the MDM can
automatically update the device concerned (e.g.,
patch levels) or disallow access.
MDM – audit considerations
from ISACA’s work program
˃ Don’t forget to the secure the MDM system itself
˃ 9.2.1 MDM Application Security
Building the framework – complete
MDM
MDM
Practices
Confidential
Restricted
Internal Use
Public
DATA
Data
Data
Data
Data
Data
WEB & APPS
App
Web
App
Web
App
PEOPLE
Policy
Agreement
Procedures
Practices
Risk Assessment
DEVICES
Phone
Tablet
Laptop
© Baker Tilly Virchow Krause, LLP
Major security concerns (NIST) –
mapped to framework area
Security Concern Data Websites &
Apps
Device
s
People
Physical security controls X X
Untrusted mobile devices X X
Untrusted networks X X
Untrusted apps X X X
Interaction with other
systems
X X X X
Untrusted content X X X
Location services X X X X
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP
Examples of environments
74
Example – no BYOD
MDM
MDM - Process & Technology
Practices
Confidential
Restricted
Internal Use
Public
DATA
HR
IF
Customer
Other
WEB & APPS
HR
Financial
CRM
Web
PEOPLE
Policy
Agreement
Procedures
Training
Risk Assessment
DEVICES
Phone
Tablet
Laptop
© Baker Tilly Virchow Krause, LLP
Example – mixed devices, controls by type
Practices Internal Use
Public
Confidential
Restricted
Internal Use
Public
PEOPLE
Confidential
Restricted
Internal Use
Public
DEVICES
MDM
MDM - Tech
Practices
DATA
Customer
Employee
Trade Secrets
Marketing
WEB & APPS
CRM
Custom Built Ops
HR/FIN
Web
Policy
Agreement
Procedures
Training
Risk Assessment
Phone
Tablet
Laptop
Phone
Tablet
© Baker Tilly Virchow Krause, LLP
Example – owned & BYOD with controls
© Baker Tilly Virchow Krause, LLP
MDM
Practices
Confidential
Restricted
Public
Public
Confidential
Restricted
Public
PEOPLE
Confidential
Restricted
BYOD
OWNED
MDM
MDM - Tech
Practices
DATA
Customer
Employee
Other
WEB & APPS
HR
FIN
Document Management
Policy
Agreement
Procedures
Training
Risk Assessment
Phone
Tablet
Phone
Tablet
MDM - Tech
Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International
© 2010 Baker Tilly Virchow Krause, LLP
Resources
78
Resources
˃ BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO:
Policy, Accountability Created Positive Results, January 2012
˃ Digital Services Advisory Group and Federal Chief Information
Officers Council, Bring Your Own Device, A Toolkit to Support
Federal Agencies Implementing Bring Your Own Device (BYOD)
Programs, August 2012
˃ Gartner, Magic Quadrant for Mobile Device Management, May
2012
˃ Gartner, Gartner Says Consumerization Will Drive At Least Four
Mobile Management Styles, November 2011
Resources
˃ National Institute of Standards and Technology, Special
Publication 800-124 Revision 1 (Draft), Guidelines for
Managing and Securing Mobile Devices in the Enterprise,
July 2012
˃ National Institute of Standards and Technology, Special
Publication 800-144, Guidelines on Security and Privacy in
Public Cloud Computing, December 2011
Resources
˃ BYOD audit/assurance program
˃ www.isaca.org/auditprograms
˃ Securing mobile devices using COBIT® 5 for information
security
˃ www.isaca.org/Securing-Mobile-Devices