
7/27/2019 Enterprise_Mobility_BYOD.pdf

JUNE 2013

Risk Management of Enterprise Mobility Including Bring Your Own Device

TABLE OF CONTENTS

Executive Summary / Introduction to Enterprise Mobility ........ 1
Potential Benefits of Enterprise Mobility ........ 2
Potential Benefits of Using Personally Owned Devices ........ 2
Develop an Enterprise Mobility Strategy ........ 3
Determine the Extent of Existing Enterprise Mobility ........ 3
Develop Business Cases With Suitable Mobility Approaches ........ 3
    Example Business Cases ........ 3
    Example Enterprise Mobility Approaches and Scenarios ........ 4
    Considerations for Choosing Enterprise Mobility Approaches ........ 6
Identify Regulatory Obligations and Legislation ........ 7
Allocate Budget and Personnel Resources ........ 8
Develop and Communicate Enterprise Mobility Policy ........ 9
    Technical Support ........ 10
    Financial Support ........ 11
Monitor the Implementation and Report to Management ........ 12
Facilitate Organisational Transformation ........ 12
Further Information ........ 12
Contact Details ........ 13
Appendix A: Arbitrary Unmanaged Devices for Internet Access ........ 14
    Corporately Enforced Risk Management Controls ........ 15
        Filtered and Monitored Network Traffic ........ 15
        Separation Between the Organisation's Corporate Network and the Guest WiFi Network ........ 15
        Corporate Workstations Configured to Block Access to Unauthorised Devices ........ 15
    User-reliant Risk Management Controls ........ 15
        Anti-malware Software ........ 15
        Avoid Behaviour that is Unauthorised, Excessive, Offensive or Unlawful ........ 16
Appendix B: Arbitrary Unmanaged Devices for Non-sensitive Data ........ 17
    Corporately Enforced Risk Management Controls ........ 17
        Segmentation and Segregation Between Devices and Organisational Systems ........ 17
        Web Application and Operating System Vulnerability Assessment and Security Hardening ........ 17

Appendix C: Corporately Approved and Partially Managed Devices for Sensitive Data ........ 18
    Corporately Enforced Risk Management Controls ........ 19
        Overview of Managed Separation, Remote Virtual Desktop and Mobile Device Management ........ 19
        Managed Separation ........ 22
        Remote Virtual Desktop Software ........ 22
        Mobile Device Management ........ 25
        Multi-factor Authentication ........ 26
        Encryption of Data in Transit ........ 27
        Remote Tracking, Locking and Wiping ........ 27
        Low Privileged Corporate User Accounts ........ 27
        Network Architecture Controlling Access to Organisational Data and Systems ........ 28
        Operating System Exploit Mitigation Mechanisms ........ 29
    User-reliant Risk Management Controls ........ 29
        Regular Backups of Work Data ........ 29
        Access to Emails, Files and Other Data of Archival Significance ........ 29
        Avoid Unauthorised Cloud Services for Data Backup, Storage or Sharing ........ 30
        Strong Passphrase Configuration Settings ........ 30
        Security Incident Reporting and Investigation ........ 31
        Avoid Jailbreaking and Rooting ........ 31
        Employee Education to Avoid Physical Connectivity with Untrusted Outlets or Devices ........ 31
        Employee Education about Bluetooth, Near Field Communication and Quick Response Codes ........ 32
        Employee Education to Avoid Installing Potentially Malicious Applications ........ 32
        Employee Education to Avoid Being Victims of Shoulder Surfing ........ 33
        Employee Education to Avoid Common Intrusion Vectors ........ 33
        Security Patches ........ 34
        Ownership of Intellectual Property and Copyright ........ 35
        Encryption of Data at Rest ........ 35
        Avoid Printing via Untrusted Systems ........ 36
        Personal Firewall ........ 36
Appendix D: Corporately Approved and Managed Devices for Highly Sensitive Data ........ 37
    Corporately Enforced Risk Management Controls ........ 37
        Device Selection ........ 38
        Mobile Application Management and Enterprise Application Stores ........ 38

EXECUTIVE SUMMARY / INTRODUCTION TO ENTERPRISE MOBILITY

Enterprise mobility enables employees to perform work in specified business case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees obtain increased flexibility to perform work regardless of their physical location.

This document is developed by the Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD), to provide senior business representatives with a list of enterprise mobility considerations. These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to assist readers to understand and help mitigate the significant risks associated with using devices for work related purposes that have the potential to expose sensitive data. Risks are primarily due to the likelihood of devices storing unprotected sensitive data being lost or stolen[1], use of corporately unapproved applications and cloud services to handle sensitive data, inadequate separation between work related use and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise due to legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation's budget and personnel resources. Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations.

Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).

Business cases for enterprise mobility that involve accessing and potentially storing sensitive data might permit employees to use devices that are listed on a corporately approved shortlist of devices. Such devices are partially or completely corporately managed to enforce policy and technical risk management controls. These controls can include preventing unapproved applications from running and accessing sensitive data, applying patches to applications and operating systems in a timely manner, and limiting the ability of employees to use devices that are jailbroken, rooted or otherwise run with administrative privileges[2]. Optionally, some organisations might provide devices to employees, permit a reasonable degree of personal use, and retain ownership of the devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property.

Before implementing enterprise mobility for a specific business case, organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

[1] http://www.amta.org.au/pages/amta/The.Mobile.Phone.Industry.Statement
[2] http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
POTENTIAL BENEFITS OF ENTERPRISE MOBILITY

Potential benefits of enterprise mobility include:

- improved customer service delivery, business efficiency and productivity, especially for employees who work out of the office, are field agents, or who travel frequently
- improved productivity that is independent of an employee's physical location, and provides employees with the opportunity to be productive when otherwise idle, such as when travelling on public transport
- enabling the recruitment of talented people from anywhere in the world who don't want to relocate to the city of the organisation's office
- flexible working hours enabling employees to blend personal time and professional time to achieve an integrated work life balance
- opportunities to transition employees on extended leave back into the workplace sooner by working part time from home
- reduced costs of real estate, building operations and building maintenance if employees hot desk and are encouraged to work out of the office
- business continuity if employees are unable to work in the office, for example due to an air conditioning failure, power outage, public transport strike, flood, fire or other event
- environmental benefits such as reduced commuting to the office and reduced use of printed paper.

POTENTIAL BENEFITS OF USING PERSONALLY OWNED DEVICES

Potential benefits of using personally owned devices for enterprise mobility include:

- reduced hardware costs for the organisation if employees pay for their device; an increasing number of employees already own powerful devices, and employees might take better care of a device if they contribute their own money towards it
- freedom for employees to use devices that they prefer, are familiar with and have tailored to their usage preferences to increase their productivity
- negating the need for employees to carry a device for work use and another device for personal use
- improved employee job satisfaction, staff retention and recruitment of staff who desire the ability to use their own device
- leveraging modern technologies that empower employees to innovate faster and develop more efficient ways to do their job, by taking advantage of employees who refresh their software and hardware more regularly than organisations that provide outdated IT capability that is refreshed every 3–5 years.

DEVELOP AN ENTERPRISE MOBILITY STRATEGY

Developing an enterprise mobility strategy is fundamentally important to an organisation successfully implementing enterprise mobility to achieve business outcomes with an acceptable level of risk. In the absence of a strategy, the organisation's mobility might be driven by employees, without clear measures of success and without adequate consideration of risks.

An enterprise mobility strategy might involve starting with a pilot trial consisting of a small number of users and a business case that is low risk, high value and has clear measures of success. Subsequently reviewing the success of the trial, including the costs and the impact to the organisation's security posture, enables the organisation to make an informed decision as to whether to increase their use of enterprise mobility.

The following sections in this document provide guidance for the steps associated with implementing the enterprise mobility strategy that the organisation has developed.

DETERMINE THE EXTENT OF EXISTING ENTERPRISE MOBILITY

The extent of existing authorised and unauthorised enterprise mobility can be informed by talking to business representatives and employees, reviewing the organisation's asset inventory of assigned devices, and using security controls to detect:

- rogue WiFi access points located on the organisation's premises
- unauthorised devices accessing the corporate network or accessing the Internet via the organisation's network infrastructure
- employees obtaining a copy of organisational data via removable storage media, email or cloud services.

DEVELOP BUSINESS CASES WITH SUITABLE MOBILITY APPROACHES

Justified business cases for enterprise mobility have tangible and measured benefits to the organisation, its employees and customers. These benefits outweigh the risks and costs to the organisation. Clearly defining each business case, including specifying what organisational data needs to be accessed, provides a better understanding of the opportunities and benefits versus the risks and costs to the organisation.

Example Business Cases

Organisations developing enterprise mobility business cases might decide to permit employees to:

- collaborate with other employees via instant messaging or video conferencing
- use work related software including applications developed by the organisation
- send, receive and print work related emails with file attachments

- access, develop, print, store and share work related files that reside in data repositories such as SharePoint, network shares or enterprise grade cloud storage
- access calendars, contacts, intranet websites and intranet web applications
- access the Internet using the organisation's network infrastructure.

Example Enterprise Mobility Approaches and Scenarios

An example enterprise mobility implementation might involve a combination of the following approaches.

Scenario A: This scenario involves using devices with a hardware model and operating system version that:

- is arbitrarily chosen by the employee
- has minimal risk management controls applied (further details are provided in Appendix A)
- is corporately unmanaged
- is used to access the Internet via the organisation's network infrastructure.

Scenario B: This scenario involves using devices with a hardware model and operating system version that:

- is arbitrarily chosen by the employee
- has minimal risk management controls applied (further details are provided in Appendix B)
- is corporately unmanaged
- is used to access non-sensitive data.

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer based training courses and unclassified intranet web applications.

Scenario C: This scenario involves using devices with a hardware model and operating system version that:

- is chosen by the employee from a corporately approved shortlist
- has moderate risk management controls applied (further details are provided in Appendix C)
- uses corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
- uses a corporately managed mechanism to access and potentially store sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.

For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive: Legal or Sensitive: Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

Scenario D: This scenario involves using devices with a hardware model and operating system version that:

- is chosen by the employee from a corporately approved shortlist
- has comprehensive risk management controls applied (further details are provided in Appendix D)
- is completely corporately managed, for example using ASD evaluated BlackBerry Enterprise Server[3] or Apple Configuration Profiles combined with Supervised Mode[4]
- potentially includes corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
- uses a corporately managed mechanism to access and potentially store highly sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.

For Australian government agencies, highly sensitive data is defined for the purpose of this document as data up to PROTECTED.

The comprehensive risk management controls might restrict the device's functionality to an extent that would overly frustrate an employee using a personally owned device. Therefore, devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Devices on the shortlist might be limited to smartphones and tablets that are part of a single vendor's ecosystem due to the required compatibility with risk management controls. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

[3] http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MTE2IyMjMjAzLjYuNjkuMg==
[4] http://www.dsd.gov.au/publications/iOS5_Hardening_Guide.pdf
Figure 1. Example enterprise mobility scenarios vary in their suitability to handle sensitive data, their cost and their impact to the employee's user experience.

Considerations for Choosing Enterprise Mobility Approaches

When selecting an enterprise mobility approach for a particular business case, consider the employee's job role, the sensitivity of the data to be accessed, risk management controls and their impact to employee privacy and user experience. Also consider whether the level of residual risk is acceptable to the organisation, and costs to the organisation such as the level of technical support and financial support provided to employees.

These considerations are represented in Figure 1, which reflects the example enterprise mobility scenarios mentioned previously. Detailed risk management controls for each enterprise mobility scenario are provided in the appendices of this document.

[Figure 1: Characteristics of Example Enterprise Mobility Scenarios. Vertical axis: Security Posture, User Experience Impact, Technical and Financial Support (Low to High). Horizontal axis: Degree of Device Ownership (Employee to Organisation).
Scenario A: Corporately unmanaged arbitrary device model and OS, to access the Internet via the organisation's network.
Scenario B: Corporately unmanaged arbitrary device model and OS, to access non-sensitive data.
Scenario C: Corporately approved device model and OS, with corporately managed access/storage for sensitive data, separating personal and work data.
Scenario D: Corporately managed and approved device model and OS, to access/store highly sensitive data, potentially separating personal and work data.]

IDENTIFY REGULATORY OBLIGATIONS AND LEGISLATION

ASD develops and publishes the Australian Government Information Security Manual (ISM)[5]. The ISM advises that legal advice must be obtained before allowing personally owned devices to connect to organisational systems. Neither the ISM nor this document are to be considered as legal advice. An organisation's legal representatives must determine to what extent enterprise mobility can be used based on regulatory obligations and legislation affecting their organisation. Relevant legislation includes the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012[6], state and territory privacy laws including Acts covering surveillance of employees[7], the Archives Act 1983 and the Freedom of Information Act 1982. Organisations need to maintain an awareness of relevant legislation and address any associated impacts to their organisation.

Aspects of enterprise mobility requiring legal advice might include:

- whether the organisation is permitted to monitor devices and network traffic to identify policy violations and other security incidents
- whether the organisation is permitted to monitor the use of personally owned devices outside of the organisation's premises, including remotely locating and tracking a device's location based on the device's GPS coordinates, nearby mobile cell towers or the location of nearby known WiFi networks
- whether the organisation is permitted to access personal data stored on a device when performing a security or legal investigation; personal data includes emails, history of websites accessed, calendar, contacts and photos, as well as personal data stored in the employee's personal consumer grade webmail or cloud storage account
- what action an organisation should take if violations of civil law or criminal law are accidentally discovered while analysing an employee's device or network traffic
- insurance and liability for compensation, repair or replacement of an employee's device that is lost, stolen, compromised with malware or is otherwise damaged and potentially causes injury; such damage might occur through no fault of the employee's, including while using the device in the office for work related purposes
- legal liability resulting from an organisation remotely wiping personal data[8], especially if the device is owned by someone who has not provided written consent, such as the estate of a deceased employee

[5] http://www.dsd.gov.au/infosec/ism/index.htm
[6] http://www.oaic.gov.au/privacy-portal/resources_privacy/Privacy_law_reform.html
[7] http://www.privacy.gov.au/law/states
[8] http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone
- legal liability to the organisation resulting from employees having or transferring to organisational systems any software or data that is pirated, infringing copyright or is inappropriately licenced[9]
- legal liability resulting from devices spreading malware or otherwise harming other computers
- whether the organisation or the employee owns the intellectual property and copyright of work that is performed on an employee's device, especially if performed outside of traditional business hours.

ALLOCATE BUDGET AND PERSONNEL RESOURCES

Organisations implementing enterprise mobility might encounter a variety of costs such as:

- subsidising or completely paying for the cost of devices and associated work related expenses
- responding to security breaches, policy violations and regulatory compliance violations
- personnel resources needed from a variety of sections across the organisation to collaboratively develop the enterprise mobility strategy and associated policies
- implementing risk management controls such as licencing security software and user education
- upgrading the organisation's IT infrastructure including the WiFi network[10], Internet bandwidth, as well as the data centre's network, storage and server processing capacity
- cyber security personnel to architect the IT infrastructure and perform ongoing device management, monitoring and reporting
- additional software Client Access Licences for Microsoft Windows server and client operating systems as well as for Microsoft Office, especially if the organisation pays for software licences per device instead of per user
- training IT help desk staff to support a variety of devices, at a minimum providing employees with configuration settings and basic training to connect to permitted organisational networks and systems
- modifying intranet websites and web applications to support a variety of web browsers
- enhancing identity and access management infrastructure to perform authentication and authorisation of employees and devices
- developing mobile web applications or native software applications to interact with organisational data, potentially requiring the use of middleware solutions enabling access to data storage repositories.

[9] http://www.zdnet.com/au/byod-could-open-businesses-to-copyright-litigation-bsa-7000010533/
[10] http://www.dsd.gov.au/publications/csocprotect/wireless_network_security_tech_advice.htm
publications/csocprotect/wireless_network_security_tech_advice.htmhttp://www.zdnet.com/au/byod-could-open-businesses-to-copyright-litigation-bsa-7000010533/
DEVELOP AND COMMUNICATE ENTERPRISE MOBILITY POLICY

ASD's ISM advises that enterprise mobility policy must be developed to govern the use of devices accessing organisational data.

Policy relies on user adherence and is likely to be more effective if it exhibits the following characteristics:

• offers enterprise mobility as opt-in instead of mandatory, unless the organisation is willing to completely pay for the cost of devices and associated work related costs
• is jointly developed by an advisory board consisting of stakeholders including the cyber security team, system and network administrators, human resources, finance, legal, senior management and employees. This consultative process helps to ensure that stakeholders have had input, are willing to adhere to the policy and accept any additional responsibilities to protect organisational data
• clearly states what types of organisational data are permitted to be accessed from which devices and which applications. The absence of an application strategy might result in employees using applications that haven't been vetted by the organisation to determine their potential to expose sensitive data
• clearly states how organisational data is permitted to be stored and distributed, for example using corporately managed data repositories such as SharePoint, network shares or enterprise grade cloud storage, while avoiding the use of consumer grade cloud storage and personal consumer grade webmail
• clearly states which risk management controls apply and deters employees from circumventing these controls by helping employees to understand why policy rules exist
• requires employees to sign an Acceptable Use Policy that clearly states the required behaviour expected from employees and the consequences of violations
• is communicated throughout the organisation to enable employees to understand their obligations and the policy, to ensure full awareness of the existence of the policy and ramifications of non-compliance. The organisation needs to determine which business representatives are responsible for remediating non-compliance, which is complemented by a documented dispute escalation and resolution process
• is complemented by technical risk management controls to enforce the policy and detect violations, especially in cases where an employee dishonours their written agreement to adhere to the policy
• minimises negative impacts to the employee's user experience. Negative impacts include requiring a very complex unlock passphrase, automatically locking a device's screen after a very short idle timeout period, excessively limiting a device's functionality, and deleting personal data when wiping an entire device remotely or after a very small number of consecutive incorrect unlock passphrase attempts
• states the technical support and financial support that employees can obtain
• documents the onboarding process for employees to obtain signed approval from their manager, register their device, have the organisational policy applied, and potentially have software installed on their device to assist the organisation to configure and manage the device
• documents the offboarding process to remove organisational software and data from devices that are lost, stolen or deprovisioned, including when employees cease employment
• provides a business representative point of contact in case employees have feedback about the policy
• is reviewed and refined if necessary, initially on a quarterly basis while enterprise mobility is still new to the organisation, and then on an annual basis.

Surveying employees can help reveal whether they would be willing to accept the policy and participate in enterprise mobility business cases, noting that some employees might perceive that:

• their privacy will be invaded
• personal data stored on their device will be deleted or exposed
• costs will be shifted from the organisation to them
• the functionality of their device will be excessively limited
• they will be expected to be on call to answer emails and phone calls at all times outside of traditional business hours.

Technical Support

It is impractical for an organisation's IT help desk to support devices from a large variety of manufacturers running a large variety of operating systems with a large variety of configuration settings. Therefore, the amount of technical support provided to employees depends on the organisation's personnel resources, whether devices are listed on a corporately approved shortlist of devices, and the degree to which devices are necessary for employees to perform their job. Technical support might include:

• providing guests, contractors and other employees with details of how to connect to the organisation's guest Wi-Fi network to access the Internet
• providing employees with details of how to connect to permitted organisational networks and systems, and the organisation obtaining visibility of security incidents that place the organisation's data at risk
• providing an internal self service community support web forum enabling employees to assist each other, with the IT help desk advertising the existence of the internal web forum and occasionally contributing to web forum discussions to answer frequently asked questions. An internal web forum helps to mitigate the risk of employees disclosing details about the organisation's network infrastructure configuration when seeking assistance on publicly visible Internet forums
• providing employees with as much technical support as the IT help desk is capable of, including a short term loan of a device to keep an employee productive while they get their damaged device repaired
• providing employees with full technical support, including replacing damaged or broken devices.

Financial Support

Financial support might have Fringe Benefit Tax implications due to the organisation paying for a device or Internet and telecommunications connectivity that is used for personal use, especially outside of business hours [11]. The amount of financial support provided to employees depends on the organisation's financial resources and the degree to which devices are necessary for employees to perform their job. Financial support might include:

• acknowledging work related costs incurred in support of employees making tax deductible claims
• providing employees with a taxable allowance or stipend, or otherwise subsidising or reimbursing the cost of a device, contractually obligating employees to repay a pro rata portion if they cease employment within a set time period
• providing employees with a device that is completely paid for by the organisation, contractually obligating employees to return the device if they cease employment within a set time period or if the organisation retains ownership of the device
• providing employees with reimbursement for the work related portion of the monthly bill from the employee's telecommunications carrier and Internet Service Provider, noting that rates associated with a consumer plan might be higher than rates associated with a corporate plan
• providing employees with a corporate SIM card or otherwise arranging Internet and telecommunications connectivity via a corporate plan, using an automated process to recover the employee's portion of the monthly bill via payroll based on criteria that indicate personal use. Expensive data roaming charges for employees travelling overseas can be mitigated by providing employees with a prepaid SIM card associated with a telecommunications carrier in the foreign country, or by disabling data roaming via Mobile Device Management to only allow Wi-Fi data connectivity [12]
• providing employees with reimbursement for the cost of essential work related software, noting that software licenced to an employee via a consumer licence instead of an enterprise licence is unlikely to be transferable to a different employee
• providing employees with reimbursement for the cost of essential peripherals and accessories.

11 http://www.ato.gov.au/businesses/content.aspx?doc=/content/00167381.htm
12 http://www.zdnet.com/au/telstra-phone-theft-bill-shock-shows-roaming-still-broken-7000008331/
MONITOR THE IMPLEMENTATION AND REPORT TO MANAGEMENT

Ongoing monitoring of the enterprise mobility implementation includes reviewing logs from Mobile Device Management and other log sources such as network logs, user authentication logs and security software.

Regular reporting to management helps them to understand and address unacceptable risks, and assess whether the benefits of enterprise mobility to the organisation justify the risks and costs to the organisation.

Information to report to management includes:

• the degree of compliance with regulatory obligations, legislation and organisational policies
• the severity and number of policy violations and other security incidents
• the names of employees who are regularly involved in policy violations and other security incidents
• costs of IT infrastructure including network upgrades, Internet bandwidth, data storage and server processing capacity
• costs of risk management controls
• costs of providing employees with technical support and financial support
• the names of employees causing an excessive cost burden due to their use of Internet bandwidth, data storage, technical support or financial support.

FACILITATE ORGANISATIONAL TRANSFORMATION

Organisations might update their business processes to leverage enterprise mobility, potentially even transforming the organisation to embrace opportunities such as activity based working [13], by:

• reviewing the success of enterprise mobility pilot trials, including the costs and the impact to the organisation's security posture
• reviewing and updating the organisation's enterprise mobility strategy
• making an informed decision whether to increase the scope of enterprise mobility to identify and pursue additional innovative cost effective opportunities to improve customer service delivery, efficiency and productivity with a level of risk that is acceptable to the organisation.

FURTHER INFORMATION

This document complements the advice in ASD's ISM and relevant guidance available at http://www.dsd.gov.au.

13 http://www.smh.com.au/it-pro/business-it/kpmg-testruns-future-workplace-20121119-29m1j.html
CONTACT DETAILS

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance at [email protected] or by calling 1300 CYBER1 (1300 292 371).

Australian businesses or other private sector organisations seeking further information should contact CERT at [email protected].
APPENDICES

Using the Appendices

These appendices provide guidance for four different example enterprise mobility implementation scenarios.

APPENDIX A: ARBITRARY UNMANAGED DEVICES FOR INTERNET ACCESS

This appendix provides guidance to manage risks associated with Scenario A. This scenario involves devices with a hardware model and operating system version that:

• is arbitrarily chosen by the employee
• has minimal risk management controls applied
• is corporately unmanaged
• is used to access the Internet via the organisation's network infrastructure.

This implementation can enable organisations to apply more stringent web content filtering controls on the corporate network to reduce the risk of corporate workstations becoming compromised.

High level objectives associated with this example scenario include:

• avoid unauthorised access to the organisation's corporate network to help prevent employees introducing malware onto organisational systems or exposing sensitive data
• mitigate the threat of sensitive work related discussions being recorded by Internet telephony, voice recognition or other voice recording applications
• maintain the availability of organisational Internet connectivity at an acceptable cost
• reduce the risk of legal liability to the organisation resulting from:
  o compromised devices spreading malware or harming other computers on the Internet
  o employees downloading copyright infringing movies, music or software from the Internet
  o software or data that is pirated, infringing copyright, or used for work related purposes even though it is only licenced for home use, non-commercial use or educational use
  o employees accessing pornography or other offensive material while in the office, during working hours, from devices subsidised by the organisation or via the organisation's network infrastructure.
Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Filtered and Monitored Network Traffic

Implement:

• basic Internet web content filtering to block access to known piracy, pornographic and offensive websites
• bandwidth throttling and Quality of Service to prioritise work related network traffic
• bandwidth quotas per user and per device to prevent employees from using excessive bandwidth
• network traffic logging, archiving and monitoring to help identify policy violations and security incidents.
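The logging and quota controls above, and the earlier section on monitoring the implementation and reporting to management, both come down to the same job: correlating proxy, Mobile Device Management and authentication logs into a list of policy violations and a per-employee cost figure. The following is an added example written for this page, not code from the ASD document or any product it mentions. The three log formats, the quota sizes, the blocked categories, the failure threshold and the cost rate are all assumptions; the sample log lines are constructed, and the severity scale ("high" for blocked-category access and jailbroken devices, "medium" for quota breaches, weak device configuration and repeated authentication failures) is one possible mapping, not the document's.

```python
"""Added example (not from the ASD document): correlate constructed proxy,
MDM and authentication log lines into the policy-violation list and the
per-employee cost figures the document asks to report to management."""
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds (not values from the document).
USER_QUOTA_BYTES = 1_000_000_000     # per-user daily bandwidth quota
DEVICE_QUOTA_BYTES = 500_000_000     # per-device daily bandwidth quota
BLOCKED_CATEGORIES = {"piracy", "pornography", "offensive"}
AUTH_FAILURE_THRESHOLD = 5           # failures per (user, device) per day
COST_PER_GB_AUD = 10.0               # assumed Internet bandwidth cost
EXCESSIVE_COST_AUD = 7.0             # assumed "excessive cost burden" line

# Constructed sample logs (assumed formats; real products differ). Proxy lines:
# "timestamp user device bytes category action"; MDM lines: "timestamp device
# user state [reason]"; authentication lines: "timestamp user device result".
PROXY_LOG = """\
2013-06-03T09:01:10 alice dev-a1 1200000 business ALLOW
2013-06-03T09:05:42 bob dev-b7 850000000 streaming ALLOW
2013-06-03T09:07:03 bob dev-b7 10240 piracy BLOCK
2013-06-03T10:15:00 carol dev-c3 4096 pornography BLOCK
2013-06-03T10:15:30 carol dev-c3 4096 pornography BLOCK
2013-06-03T11:00:00 alice dev-a2 600000000 streaming ALLOW
"""
MDM_LOG = """\
2013-06-03T08:00:00 dev-a1 alice compliant
2013-06-03T08:00:00 dev-b7 bob noncompliant passcode_disabled
2013-06-03T08:00:00 dev-c3 carol noncompliant jailbroken
"""
AUTH_LOG = """\
2013-06-03T09:04:50 bob dev-b7 failure
2013-06-03T09:04:55 bob dev-b7 failure
2013-06-03T09:05:02 bob dev-b7 failure
2013-06-03T09:05:09 bob dev-b7 failure
2013-06-03T09:05:15 bob dev-b7 failure
2013-06-03T09:05:40 bob dev-b7 success
"""


@dataclass(frozen=True)
class Violation:
    user: str
    device: str
    severity: str   # "high" or "medium"
    kind: str
    detail: str


def _rows(text):
    """Whitespace-split fields of each non-empty log line."""
    return [line.split() for line in text.splitlines() if line.strip()]


def detect_violations(proxy_log=PROXY_LOG, mdm_log=MDM_LOG, auth_log=AUTH_LOG):
    """Correlate the three log sources into one list of policy violations."""
    found = []
    user_bytes, device_bytes, owner = Counter(), Counter(), {}
    for ts, user, dev, nbytes, category, action in _rows(proxy_log):
        owner[dev] = user
        if action == "ALLOW":               # blocked requests carry no payload
            user_bytes[user] += int(nbytes)
            device_bytes[dev] += int(nbytes)
        if category in BLOCKED_CATEGORIES:  # the attempt itself is the violation
            found.append(Violation(user, dev, "high", "blocked_category", f"{category} at {ts}"))
    for user, total in user_bytes.items():
        if total > USER_QUOTA_BYTES:
            found.append(Violation(user, "*", "medium", "user_quota", f"{total} bytes"))
    for dev, total in device_bytes.items():
        if total > DEVICE_QUOTA_BYTES:
            found.append(Violation(owner[dev], dev, "medium", "device_quota", f"{total} bytes"))
    for fields in _rows(mdm_log):
        _ts, dev, user, state = fields[:4]
        if state != "compliant":
            reason = fields[4] if len(fields) > 4 else "unspecified"
            severity = "high" if reason in {"jailbroken", "rooted"} else "medium"
            found.append(Violation(user, dev, severity, "mdm_noncompliant", reason))
    failures = Counter((u, d) for _ts, u, d, result in _rows(auth_log) if result == "failure")
    for (user, dev), n in failures.items():
        if n >= AUTH_FAILURE_THRESHOLD:
            found.append(Violation(user, dev, "medium", "auth_failures", f"{n} failures"))
    return found


def management_report(proxy_log=PROXY_LOG, mdm_log=MDM_LOG, auth_log=AUTH_LOG):
    """The figures the document lists for management, as one dictionary."""
    violations = detect_violations(proxy_log, mdm_log, auth_log)
    per_user = Counter(v.user for v in violations)
    cost = Counter()
    for _ts, user, _dev, nbytes, _cat, action in _rows(proxy_log):
        if action == "ALLOW":
            cost[user] += int(nbytes) / 1e9 * COST_PER_GB_AUD
    states = [fields[3] for fields in _rows(mdm_log)]
    return {
        "by_severity": dict(Counter(v.severity for v in violations)),
        "repeat_offenders": sorted(u for u, n in per_user.items() if n >= 2),
        "device_compliance": round(states.count("compliant") / len(states), 2),
        "cost_by_user_aud": {u: round(c, 2) for u, c in cost.items()},
        "excessive_cost_users": sorted(u for u, c in cost.items() if c > EXCESSIVE_COST_AUD),
    }
```

Two design points matter in practice. Blocked requests count as violations but not against quotas, because the filter dropped the payload; and the report names repeat offenders and excessive-cost users only after correlating all three sources, so that a user who trips the device quota, fails the MDM check and racks up authentication failures is surfaced once rather than three times in three consoles.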

Separation Between the Organisation's Corporate Network and the Guest Wi-Fi Network

Separate the organisation's internal corporate network from the guest Wi-Fi network that enables corporately unmanaged and untrustworthy devices to access the Internet.

Corporate Workstations Configured to Block Access to Unauthorised Devices

Configure corporate workstations to block access to unauthorised devices, for example USB devices [14] [15], Bluetooth devices, Wi-Fi access points, mobile hotspots and other devices with 3G/4G connectivity. This helps mitigate the risk of corporate workstations either exchanging data with unauthorised devices, or tethering to devices and accessing the Internet via an unmonitored and unfiltered Internet gateway.

User-reliant Risk Management Controls

The following technical controls and policy controls to manage risk rely on employees complying with policy.

Anti-malware Software

Obtain written employee agreement to use anti-malware software, which helps mitigate devices being compromised. This control is less applicable to devices that use a strong sandbox design and limit the execution of applications to only those that are cryptographically signed by a trusted authority and originate from an application marketplace with a good history of curation to exclude malware [16].

14 http://www.securelist.com/en/blog/805/Mobile_attacks
15 http://www.dsd.gov.au/videos/cybersense1.htm
16 http://www.apple.com/ipad/business/it-center/security.html
Additional Information: The organisation might offer anti-malware software free of charge when employees access the Internet via a captive portal and agree to the policy.

Signature based antivirus software is a reactive approach that is unlikely to protect against targeted malware that the antivirus vendor doesn't have visibility of. Anti-malware software extends signature based antivirus software to typically include heuristic detection, identification of applications behaving suspiciously, as well as reputation checking of applications and websites accessed.

Avoid Behaviour that is Unauthorised, Excessive, Offensive or Unlawful

Obtain written employee agreement to:

• only access organisational systems or data that they are explicitly permitted to access
• avoid sensitive work related discussions being recorded by Internet telephony, voice recognition [17] or other voice recording applications
• use organisational Internet connectivity as per existing policy, which might disallow accessing offensive and copyright infringing content, disallow excessive use of Internet bandwidth for example via personal use of YouTube, and require employees to accept the risk of their device being compromised
• ensure that their device doesn't contain or transfer to organisational systems any software or data that is pirated, infringing copyright, or used for work related purposes even though it is only licenced for home use, non-commercial use or educational use
• not deliberately access pornography or other offensive material while in the office, during working hours, from devices subsidised by the organisation, or via the organisation's network infrastructure.

Australian Public Service employees are bound by the Australian Public Service Code of Conduct and Values even when working out of the office using their own device.

17 http://www.zdnet.com/apple-stores-your-voice-data-for-two-years-7000014216/
APPENDIX B: ARBITRARY UNMANAGED DEVICES FOR NON-SENSITIVE DATA

This appendix provides guidance to manage risks associated with Scenario B. This scenario involves devices with a hardware model and operating system version that:

• is arbitrarily chosen by the employee
• has minimal risk management controls applied
• is corporately unmanaged
• is used to access non-sensitive data.

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer based training courses and unclassified intranet web applications.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix A which covers arbitrary corporately unmanaged devices used to access the Internet via the organisation's network infrastructure. High level objectives associated with the example scenario in Appendix B also include:

• avoid unauthorised access to organisational systems and data
• avoid untrustworthy devices compromising organisational systems that are permitted to be accessed.

Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Segmentation and Segregation Between Devices and Organisational Systems

Appropriately architect and segment the organisation's corporate network using a combination of security enforcing mechanisms such as firewalls, reverse proxies, Virtual Local Area Networks and Virtual Private Networks. This helps mitigate devices accessing unauthorised organisational systems and data.

Web Application and Operating System Vulnerability Assessment and Security Hardening

Perform vulnerability assessments and security hardening of web applications and operating systems running on organisational systems that are permitted to be accessed. This helps mitigate devices compromising organisational systems and their data.
APPENDIX C: CORPORATELY APPROVED AND PARTIALLY MANAGED DEVICES FOR SENSITIVE DATA

This appendix provides guidance to manage risks associated with Scenario C. This scenario involves devices with a hardware model and operating system version that:

• is chosen by the employee from a corporately approved shortlist
• has moderate risk management controls applied
• uses corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
• uses a corporately managed mechanism to access and potentially store sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.

For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive: Legal or Sensitive: Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix B which covers arbitrary corporately unmanaged devices used to access non-sensitive data. High level objectives associated with the example scenario in Appendix C also include:

• protect the organisation's financial investment in the cost of devices
• maintain the availability and integrity of organisational data for business continuity
• maintain the confidentiality of sensitive data
• maintain corporate ownership of organisational data created by employees using their device
• rapidly respond to policy violations, data spills and other security incidents
• be able to perform electronic discovery for litigation cases and freedom of information requests.
Some of the risk management controls described in this appendix might be unnecessary or impractical depending on the organisation's business case, the sensitivity of data accessed by devices, the use of other risk management controls, and the type of device, noting that some controls focus primarily on smartphones and tablets rather than laptops.

An example shortlist of devices from which employees can choose is a smartphone or tablet device running:

• iOS version 5.1 or later [18]
• BlackBerry version 5 or later
• Windows version 8 or later
• Android version 4 or later running on devices from specifically named hardware manufacturers with a history of distributing security updates in a timely manner.
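A shortlist like the one above is only useful if enrolment actually checks devices against it, and the usual mistake is comparing version strings lexically, which ranks "10" below "5". The following is an added example written for this page, not code from the ASD document or from any MDM product. The minimum versions are the document's own 2013 example values and would need updating for a current shortlist; the inventory export format, the manufacturer allow-list (placeholder names standing in for the "specifically named hardware manufacturers"), the form-factor rule drawn from "smartphone or tablet device", and the function names are all assumptions. The sample inventory is constructed.

```python
"""Added example (not from the ASD document): check an MDM device inventory
against the example shortlist above.  The inventory format, the manufacturer
allow-list and the helper names are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Minimum versions from the document's 2013 example shortlist; a real list
# needs updating as platforms move on.
MIN_VERSION = {"ios": (5, 1), "blackberry": (5,), "windows": (8,), "android": (4,)}
# Assumed stand-in for the "specifically named hardware manufacturers" the
# document requires for Android; the names are placeholders.
ANDROID_MANUFACTURERS = {"examplecorp", "othermaker"}
SHORTLIST_FORM_FACTORS = {"smartphone", "tablet"}


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str
    version: str
    manufacturer: str
    form_factor: str   # "smartphone", "tablet" or "laptop"


def parse_version(text: str) -> tuple[int, ...]:
    """'4.0.3' -> (4, 0, 3); tolerates suffixes such as '8.1 Pro' or '5.1.1b'."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def meets_minimum(version: tuple[int, ...], minimum: tuple[int, ...]) -> bool:
    """Numeric tuple comparison, so (10,) >= (5, 1) and (4, 0, 3) >= (4,);
    comparing the strings would wrongly rank '10' below '5'."""
    return version >= minimum


def check_device(d: Device) -> tuple[bool, str]:
    """Return (on_shortlist, reason) for one inventory record."""
    os_name = d.os.lower()
    if d.form_factor not in SHORTLIST_FORM_FACTORS:
        return False, "shortlist covers smartphones and tablets only"
    if os_name not in MIN_VERSION:
        return False, f"operating system {d.os!r} not on shortlist"
    try:
        version = parse_version(d.version)
    except ValueError as exc:
        return False, str(exc)
    minimum = MIN_VERSION[os_name]
    if not meets_minimum(version, minimum):
        return False, f"{d.os} {d.version} below minimum {'.'.join(map(str, minimum))}"
    if os_name == "android" and d.manufacturer.lower() not in ANDROID_MANUFACTURERS:
        return False, f"Android manufacturer {d.manufacturer!r} not on approved list"
    return True, "on shortlist"


# Constructed inventory export: device_id,os,version,manufacturer,form_factor
INVENTORY = """\
dev-01,iOS,6.1.3,Apple,smartphone
dev-02,iOS,5.0.1,Apple,tablet
dev-03,Android,4.0.3,ExampleCorp,smartphone
dev-04,Android,4.2,UnknownMaker,smartphone
dev-05,Android,10,ExampleCorp,tablet
dev-06,Windows,8.1 Pro,ExampleCorp,tablet
dev-07,Windows,7,ExampleCorp,laptop
dev-08,BlackBerry,7.1,BlackBerry,smartphone
dev-09,Symbian,9.4,Nokia,smartphone
"""


def shortlist_report(text: str = INVENTORY) -> dict[str, tuple[bool, str]]:
    """Map each device id in the export to its (on_shortlist, reason) verdict."""
    devices = [Device(*line.split(",")) for line in text.splitlines() if line.strip()]
    return {d.device_id: check_device(d) for d in devices}
```

The verdict is about the hardware model and operating system version only, which is all the shortlist describes; whether a given device is currently patched, has a passcode set or has been jailbroken is the job of the Mobile Device Management compliance checks discussed later in this appendix, and an enrolment flow would apply both.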

The shortlist of devices is regularly updated to reflect newly available devices on the market and is limited to only devices that:

• the organisation has the technical knowledge to support, resulting in more predictable support costs
• are compatible with required business applications developed by the organisation and by third parties
• meet minimum requirements specified by the organisation, including compatibility with the organisation's chosen risk management controls such as Mobile Device Management as well as managed separation mechanisms such as managed containers
• provide the organisation with adequate assurance of the device's ability to appropriately protect sensitive data
• comply with Australian legislation [19] and are covered by Australian warranties.

Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Overview of Managed Separation, Remote Virtual Desktop and Mobile Device Management

ASD's ISM advises that devices without ASD approved encryption should not store unclassified FOUO/Sensitive data and must not store classified data. Additionally, ASD's ISM advises that employees should be prevented from installing unapproved applications that can access unclassified FOUO/Sensitive data or classified data.

18 Mention of any vendor product is for illustrative purposes only and does not imply ASD's endorsement of the product. All trademarks are the property of their respective owners.
19 http://www.acma.gov.au/webwr/_assets/main/lib310037/summary%20of%20labelling%20requirements%20-%20fs89.pdf
Risk management controls used to follow this guidance include using managed separation such as an encrypted managed container, preferably combined with Mobile Device Management to provide some basic assurance in the device's underlying operating system configuration, or using appropriately configured remote virtual desktop software.

Use of the phrase "remote virtual desktop software" in this document incorporates virtualised applications and Virtual Desktop Infrastructure (VDI).

Organisations might choose to use managed separation for some business cases such as an ASD evaluated encrypted managed container[20] on evaluated smartphones[21] with small screens, and remote virtual desktop software for other business cases such as unevaluated devices or devices with large screens.

Detailed information about managed separation, remote virtual desktop software and Mobile Device Management is provided in the following pages of this appendix. Figure 2 shows the comparative ability of these risk management controls to protect organisational data and their negative impact to the employee's user experience. All of the implementations shown include basic risk management controls such as applying vendor security patches in a timely manner, using up to date anti-malware software and performing backups of work data to backup servers specified by the organisation. These risk management controls won't prevent a malicious employee from copying organisational data by taking a screenshot or photograph of their device's screen.

20. http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MzA5IyMjMjAzLjYuNjkuMg==
21. http://www.dsd.gov.au/infosec/epl/
Figure 2. Risk management controls vary in their ability to protect organisational data and their negative impact to the employee's user experience.

[Figure 2: "Tradeoff of Risk Management Controls Between Security and User Impact". Vertical axis: Ability to Protect Organisational Data, from Low (e.g. non-sensitive data) to High (e.g. PROTECTED data). Horizontal axis: Impact to User Experience, from Low to High. Implementations plotted:
- Device running software and crypto evaluated by ASD, configured as per ASD's hardening guide, and managed by the organisation
- Remote virtual desktop on a smartphone, with MDM providing assurance in the device's configuration
- Remote virtual desktop on a tablet, with Mobile Device Management (MDM) providing assurance in the device's configuration
- Managed container with MDM providing assurance in the device's configuration
- Remote virtual desktop on a tablet
- Remote virtual desktop on a smartphone
- Managed container only
- MDM only
- Unmanaged device using native applications and storing organisational data unencrypted on the device]
Managed Separation

Managed separation helps protect and isolate organisational data stored on devices. Organisational data is logically separated from the employee's personal operating environment, limiting the ability of such data to spread, and facilitating the remote wiping of only organisational data.

Additional Information

There are several different types of separation mechanisms including partitioning functionality built into the operating system as well as mechanisms bolted on top of the operating system such as managed containers[22][23]. Emerging technology includes type 1 hypervisors and type 2 hypervisors providing a locally virtualised operating system[24]. Some separation mechanisms are designed to ensure that organisational data can only be accessed by applications that have been vetted by the organisation.

Managed containers, type 2 hypervisors or other mechanisms bolted onto the operating system provide reduced security if there is inadequate assurance in the integrity and security posture of the operating system.

Use of a managed container has the following corporate benefits with associated potential impacts to the employee's user experience:

- data encryption that is independent of the encryption provided by a device's operating system
  - requiring employees to enter an additional passphrase to access organisational data
  - software based encryption might slow down the device due to cryptographic overhead
- reducing the risk of data leakage by restricting employees to use only corporately approved applications to handle organisational data, while limiting the ability of such applications to copy organisational data to corporately unapproved cloud services or elsewhere beyond the managed container.

Organisations considering using a managed container need to determine whether the vendor has access to organisational data or cryptographic keys used to decrypt organisational data.

Remote Virtual Desktop Software

Appropriately configured remote virtual desktop software helps keep organisational data in the organisation's data centre and not stored on devices, while still enabling employees to access organisational data and applications.

Additional Information

22. http://www.dsd.gov.au/infosec/epl/view_document.php?document_id=OTUxIyMjMjAzLjYuNjkuMg==
23. http://www.theregister.co.uk/2013/03/14/blackberry_secure/
24. http://computerworld.com/s/article/print/9233834/Dual_identity_smartphones_could_bridge_BYOD_private_corporate_divide
ASD's ISM advises that unclassified FOUO/Sensitive data or classified data exchanged during the entire remote virtual desktop session must be encrypted using ASD approved encryption.

ASD's experience is that remote virtual desktop software does not necessarily keep organisational data in the data centre or prevent such data being transferred to and from devices. Some remote virtual desktop software contains functionality to deliberately enable organisational data to be copied to and from devices, including the ability for malware on devices to be introduced into the remote virtual desktop as shown in Figure 3 below.

Figure 3. In this example, an employee is accessing their Android device's file system and removable media from within the remote virtual desktop running Microsoft Windows. The employee is able to copy organisational data to their device, and introduce malware into the remote virtual desktop. This employee behaviour results in a less stringent audit trail than if email was used to extract organisational data or to introduce malware.
There are a variety of ways in which organisational data might leak out of the remote virtual desktop and be stored unprotected on devices. Risk management controls to help mitigate such data leakage include:

- appropriately configuring remote virtual desktop software running on the server and on the device to help mitigate the employee printing to local printers, printing to local files, accessing their device's file system and removable media from within the remote virtual desktop, and using the clipboard to copy and paste data in both directions between the remote virtual desktop and the device
- using full device encryption to help protect organisational data that might inadvertently be stored on the device, especially if the device is a laptop due to the possibility of data in memory being written to disk as part of a page/swap file or hibernation/sleep file
- obtaining written agreement from employees to avoid deliberately copying organisational data to their device and to avoid introducing potential malware from their device into the remote virtual desktop
- partially mitigating keystroke logging software and malware that enables an adversary to take screenshots of the remote virtual desktop by using up to date anti-malware software on devices, ensuring that all vendor security patches are applied to devices as soon as patches are available from the vendor, and educating employees to avoid installing potentially malicious applications
- configuring the remote virtual desktop to lock its screen after a short idle timeout period to help mitigate an adversary using a compromised device to control the remote virtual desktop's mouse and keyboard
- disallowing the use of keyboard applications featuring a custom dictionary or predictive text which capture sensitive words or word combinations typed into the remote virtual desktop and save such sensitive data on the device's local file system[25].

The following impacts of remote virtual desktop software should be considered prior to implementation:

- the requirement for employees to have reliable Internet connectivity
- the impact on the employee's user experience especially for devices with small screens such as smartphones; for example, using remote virtual desktop software to turn a smartphone into a dumb terminal might frustrate employees trying to send an email using Microsoft Outlook running on an older version of Microsoft Windows that was not designed for a touch interface
- the potential requirement for the organisation to upgrade their network and data centre's storage and server processing capacity
- the potential requirement for the organisation to purchase additional Client Access Licences for Microsoft Windows server and client operating systems as well as for Microsoft Office.

25. http://support.swiftkey.net/knowledgebase/articles/9101-swiftkey-is-predicting-my-password-how-do-i-stop
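As an added illustration of the first control above (configuring the remote virtual desktop software on the device side), and not code from the ASD document: the following Python audits a Microsoft Remote Desktop (.rdp) connection file for the redirection features that move data between the desktop and the device. It assumes the remote virtual desktop is reached over Microsoft RDP; the two .rdp files are constructed samples, one as an employee might receive it and one with every redirection path switched off.

```python
"""Audit data-leakage settings in a Microsoft Remote Desktop (.rdp) file.

Added example (not from the ASD document). It assumes the remote virtual
desktop is reached with Microsoft RDP and that the client-side .rdp file
is one place the redirection features are configured. The sample files
below are constructed for this example.
"""
from typing import Dict, List

# .rdp settings that, when enabled, let data move between the remote virtual
# desktop and the device. The hardened value for each is "0" (redirection off).
RISKY_SETTINGS = {
    "redirectclipboard": "clipboard copy/paste between desktop and device",
    "redirectdrives": "device file system and removable media mapped into the desktop",
    "redirectprinters": "printing to local printers (including print-to-file)",
    "redirectcomports": "serial (COM) port redirection",
    "redirectposdevices": "point-of-service device redirection",
}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}; the type tag is dropped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        key, _typ, value = line.split(":", 2)  # the value may itself contain ':'
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_rdp(text: str) -> List[str]:
    """Return one finding per setting that allows data to leave the desktop.

    A setting that is absent is reported too: the client's built-in default
    then applies, and the file gives no evidence that redirection is off.
    """
    settings = parse_rdp(text)
    findings: List[str] = []
    for key, meaning in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} not set: client default applies ({meaning})")
        elif value != "0":
            findings.append(f"{key}={value}: {meaning}")
    # drivestoredirect lists the drives mapped into the desktop; '*' is all of them.
    drives = settings.get("drivestoredirect", "")
    if drives:
        findings.append(f"drivestoredirect={drives}: specific drives mapped into the desktop")
    return findings


# Constructed sample: a file as an employee might receive it, redirection on.
WEAK_RDP = """\
full address:s:vdi.example.org
username:s:jdoe
redirectclipboard:i:1
redirectdrives:i:1
drivestoredirect:s:*
redirectprinters:i:1
"""

# Constructed sample: the same connection with every redirection path off.
HARDENED_RDP = """\
full address:s:vdi.example.org
username:s:jdoe
redirectclipboard:i:0
redirectdrives:i:0
drivestoredirect:s:
redirectprinters:i:0
redirectcomports:i:0
redirectposdevices:i:0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RDP), ("hardened", HARDENED_RDP)):
        findings = audit_rdp(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The client-side file is only half of the control the guidance describes: an employee can edit a .rdp file, so the matching server-side policy that refuses drive, clipboard and printer redirection is what actually enforces it. A check like this is useful for confirming what a connection file distributed to employees asks for before the server-side policy is relied on.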
Mobile Device Management

Mobile Device Management configures and audits devices, including enforcing aspects of the policy such as:

- the device enrolment process, which might involve installing software on the device to assist the organisation to manage the device and a digital certificate to authenticate the device to the network
- unlock passphrases having a specified minimum length and required complexity
- the device idle timeout period until the device's screen is automatically locked
- the number of consecutive failed passphrase attempts until the device is automatically wiped
- the capability to perform remote tracking, locking and wiping of devices
- the ability of employees to print to non-organisational printers
- encryption of data at rest and in transit, including Virtual Private Network configuration settings
- the ability for employees to use their device's camera, microphone, Bluetooth, USB interface, removable media or GPS, particularly while on organisational premises
- detecting, reporting and blocking devices that are jailbroken or rooted, noting that detection is not perfect and relies on an untrusted device to tell the truth about its software[26]
- endpoint compliance checking including whether patches and anti-malware software are up to date
- disabling the backup of unprotected sensitive data to consumer grade cloud storage such as iCloud, while still enabling an employee's personal data to be backed up
- configuring appropriate email and WiFi connectivity settings
- disabling inbuilt voice recording applications that send captured voice over the Internet
- ongoing device management, monitoring and asset tracking.

Additional Information

ASD's ISM advises that mobile devices accessing unclassified FOUO/Sensitive data or classified data:

- should use Mobile Device Management to ensure that organisational policy is applied, enabling organisations to centrally manage the configuration of devices and audit adherence to policy
- must prevent employees from disabling security functions on a device once provisioned

26. http://www.networkworld.com/news/2010/121010-apple-ios-jailbreak.html
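An added example of the audit side of Mobile Device Management described above, checking reported device state against the policy elements in the list; it is written for this page and is not code from the ASD document or from any MDM product. The policy thresholds, the report fields and the three device records are all constructed, and the jailbreak field is handled the way the list's caveat demands: a device reporting that it is rooted is acted on, but a device reporting that it is clean is not taken as proof.

```python
"""Audit MDM inventory reports against an organisation's device policy.

Added example, not from the ASD document and not any MDM product's API. The
policy thresholds, the report fields and the three device records are all
constructed for this example; a real MDM supplies equivalent data through
its own inventory interface.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Policy:
    """Constructed policy thresholds (the numbers are illustrative)."""
    min_passphrase_length: int = 8
    require_complex_passphrase: bool = True
    max_idle_timeout_minutes: int = 5
    max_failed_attempts_before_wipe: int = 10
    require_storage_encryption: bool = True
    allow_consumer_cloud_backup: bool = False
    max_patch_age_days: int = 30


@dataclass(frozen=True)
class DeviceReport:
    """One device's state as reported by the MDM agent (constructed fields)."""
    device_id: str
    passphrase_length: int
    passphrase_complex: bool
    idle_timeout_minutes: int
    failed_attempts_before_wipe: int  # 0 = wipe on repeated failure disabled
    storage_encrypted: bool
    consumer_cloud_backup: bool
    last_patch_date: date
    reports_jailbroken: bool


def audit_device(d: DeviceReport, p: Policy, today: date) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if d.passphrase_length < p.min_passphrase_length:
        findings.append(f"unlock passphrase length {d.passphrase_length} below minimum {p.min_passphrase_length}")
    if p.require_complex_passphrase and not d.passphrase_complex:
        findings.append("unlock passphrase does not meet complexity requirement")
    if d.idle_timeout_minutes > p.max_idle_timeout_minutes:
        findings.append(f"idle timeout {d.idle_timeout_minutes} min exceeds {p.max_idle_timeout_minutes} min")
    if not 0 < d.failed_attempts_before_wipe <= p.max_failed_attempts_before_wipe:
        findings.append("automatic wipe after failed passphrase attempts disabled or threshold too high")
    if p.require_storage_encryption and not d.storage_encrypted:
        findings.append("data at rest not encrypted")
    if d.consumer_cloud_backup and not p.allow_consumer_cloud_backup:
        findings.append("backup to consumer grade cloud storage enabled")
    patch_age = (today - d.last_patch_date).days
    if patch_age > p.max_patch_age_days:
        findings.append(f"security patches {patch_age} days old, limit {p.max_patch_age_days}")
    # Jailbreak state is self-reported by a device the organisation does not
    # fully trust: a True is worth acting on, but a False is not proof of integrity.
    if d.reports_jailbroken:
        findings.append("device reports that it is jailbroken or rooted")
    return findings


def audit_fleet(devices: Sequence[DeviceReport], policy: Policy, today: date) -> Dict[str, List[str]]:
    """Map each device id to its findings, so non-compliant devices can be blocked or reported."""
    return {d.device_id: audit_device(d, policy, today) for d in devices}


# Constructed inventory as of a constructed audit date.
AUDIT_DATE = date(2013, 6, 30)
FLEET = [
    DeviceReport("tablet-01", 10, True, 5, 10, True, False, date(2013, 6, 20), False),
    DeviceReport("phone-02", 10, True, 15, 10, True, False, date(2013, 6, 25), False),
    DeviceReport("phone-03", 4, False, 30, 0, False, True, date(2013, 1, 15), True),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(FLEET, Policy(), AUDIT_DATE).items():
        print(device_id, "compliant" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the audit on a schedule, rather than only at enrolment, is what turns the list above into the ongoing management and monitoring it ends with: a device that was compliant when provisioned drifts as patches age and as employees change settings.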
- should be regularly tested to ensure that devices are still secure, for example that their configuration aligns with the organisation's policy and that security updates have been applied on a regular basis.

Using Mobile Device Management to enforce an organisation's unreasonably strict policy, especially when the employee is not using their device for work related purposes, might negatively affect the employee's user experience.

Organisations considering using Mobile Device Management need to determine whether the vendor has access to sensitive data such as a device's unlock passphrase.

Multi-factor Authentication

Multi-factor authentication helps mitigate an adversary accessing organisational systems[27] by using compromised employee corporate account credentials.

Additional Information

ASD's ISM advises that multi-factor authentication must be used for remote access to government systems.

Employees should log off organisational systems when finished, so that multi-factor authentication is required to regain access. Organisational systems should be configured to log users off after an idle timeout period.

A physically separate hardware multi-factor authentication token with a time based value, stored separately to the employee's device, can provide greater security than a soft token such as an SMS or software application that displays an authentication token value on the employee's device. If the device is compromised[28][29] or if its SIM card is reissued to an adversary[30], the employee's soft token value can be accessed by the adversary, thereby defeating the multi-factor authentication mechanism.

Using multi-factor authentication doesn't completely mitigate the risk of typing a corporate passphrase into an untrustworthy device. An adversary might obtain the employee's corporate passphrase when the employee types it into a compromised device. The adversary could then use this passphrase during a subsequent intrusion, for example by either gaining physical access to a corporate workstation and simply logging in as the employee. Alternatively, the adversary could use a spear phishing email to compromise any employee's workstation on the corporate network and use the previously obtained passphrase to access sensitive data on network drives.

To help mitigate this risk, either require multi-factor authentication for all employee logins including logins to corporate workstations in the office, or require that corporate passphrases entered by employees into untrustworthy devices are different to corporate passphrases entered into corporate workstations in the office.

27. http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm
28. http://www.securitybistro.com/blog/?p=4226
29. http://www.scmagazine.com/zeus-for-android-steals-one-time-banking-passwords/article/207286/
30. http://nakedsecurity.sophos.com/2013/01/20/indian-two-factor-authentication-fraudsters-busted-by-delhi-cops/
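As an added example (not from the ASD document) of the time based token value the section above describes, the following Python computes RFC 6238 time-based one-time passwords the way a hardware token and the authenticating server both do, and adds a server-side check that tolerates a bounded clock skew but refuses to accept a code a second time. SEED is the RFC 6238 Appendix B test seed rather than a real secret; the user name, the skew window and the replay check are this example's own design choices.

```python
"""Time-based one-time passwords (RFC 6238), the value a hardware token displays.

Added example (not from the ASD document). SEED is the RFC 6238 Appendix B
test seed, so the codes for the RFC's reference times are the published
test values; the user name, the skew window and the replay check are this
example's own design choices.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check that also refuses to accept the same code twice.

    Accepting +/- `skew` steps tolerates token clock drift. Remembering the
    highest counter already used per user means a code captured from a
    compromised device (keystroke logger, screenshot) cannot be replayed
    inside that window once the legitimate login has consumed it.
    """

    def __init__(self, step: int = 30, digits: int = 8, skew: int = 1) -> None:
        self.step, self.digits, self.skew = step, digits, skew
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self._last_counter.get(user, -1):
                continue  # already consumed: treat as replay
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, counter, self.digits), candidate):
                self._last_counter[user] = counter
                return True
        return False


SEED = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test seed (not a real secret)

if __name__ == "__main__":
    # Reference times from RFC 6238 Appendix B; expected 94287082 and 07081804.
    for t in (59, 1111111109):
        print(t, totp(SEED, t))
    verifier = TotpVerifier()
    now = int(time.time())
    code = totp(SEED, now)
    print("first use accepted:", verifier.verify("jdoe", SEED, code, now))
    print("replay accepted:   ", verifier.verify("jdoe", SEED, code, now))
```

The seed is the whole secret: any party holding it can compute every future code, which is the section's point about soft tokens. A soft token on a compromised device exposes the seed or each displayed code to the adversary, while a physically separate hardware token keeps the seed off the device entirely; the replay check above limits what a single observed code is worth, but does nothing for a seed that has been copied.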
... considered untrustworthy.

... used to encrypt unclassified FOUO/Sensitive data or ...

... trustworthy network infrastructure. For example, data sent over an untrusted ...

... be protected by using ASD approved encryption implemented via a Virtual ...

... when exchanged between a device and an organisation's ...

Remote tracking helps to recover a device