Mobile Device Security and Control
http://www.apa.virginia.gov
2012 NSAA IT Conference and Workshop
Fourth Session: 2:45pm – 4:00pm
September 27, 2012
Goran Gustavsson
Audit Director – Information Systems Security
Auditor of Public Accounts
Page 1
Presentation Topics
• 2012 State of Mobile Security
• A Policy Goes to the Supreme Court
• Mobile Security Governance
• Example Policies
2012 State of Mobile Security
• InformationWeek 2012 Mobile Security Survey
• 322 Business Technology Professionals
• March 2012
Policy on Personal Mobile Device Use?
• Yes: 62%
• No, but we're developing a policy: 24%
• No, and we have no plans to allow personal device use: 14%
Percentage of Employees Using Mobile Devices (two bars per device type, personally owned and company-provided; the two values are listed in the order they appear in the chart)
• Laptop: 99%, 65%
• Smartphones (BlackBerry, iPhone, Android): 92%, 86%
• Tablets (iPad, Android-based, RIM Playbook, etc.): 78%, 77%
• Cell phones (voice/text only, no data plan): 76%, 71%
• Netbooks or ultralight laptops: 71%, 53%
• Ruggedized, job-specific mobile devices: 44%, 24%
Top Mobile Security Concerns
• Lost/stolen devices: 84%
• Penetration of our corporate Wi-Fi networks: 32%
• Mobile malware on applications from public app stores: 31%
• Users forwarding corporate information to cloud-based storage services (e.g., Dropbox): 30%
• Security at public hotspots: 27%
• Users forwarding email to personal accounts: 21%
• Interception of over-the-air transmissions: 21%
• Malware exploiting vulnerabilities in internally developed mobile apps: 19%
• Devices jailbroken or rooted by end users: 15%
• Penetration of users' home Wi-Fi networks: 5%
Mobile Device Authentication Mechanisms
• User name/password: 80%
• Power-on device password: 47%
• On-device certificates: 34%
• Secure token: 21%
• Image or pattern: 6%
• Biometrics: 6%
• Cellular call-back verification: 3%
• Facial recognition: 2%
• Grid card: 2%
• Other: 4%
• None: 3%
Storage of Corporate Data on Mobile Devices (two bars per platform, personally owned and company-provided; the two values are listed in the order they appear in the chart)
• Windows laptops/netbooks: 80%, 41%
• BlackBerry: 70%, 41%
• Apple iOS: 62%, 46%
• Android 3.x and 4.x: 42%, 36%
• Windows Mobile: 35%, 25%
• Android 2.x: 35%, 28%
• Non-Windows laptops/netbooks (OS X, Linux): 34%, 23%
• Windows Phone: 30%, 26%
• WebOS: 14%, 10%
• Symbian: 6%, 7%
• Bada: 4%, 4%
Missing Mobile Devices
• Yes: 48%
• No: 52%
Public Disclosure for Data Loss
• Yes: 12%
• No: 88%
Personal Applications on Mobile Devices Accessing Corporate Assets (two bars per answer, personally owned and company-provided; the two values are listed in the order they appear in the chart)
• Yes, but we maintain an approved list: 15%, 11%
• Yes, and we have the ability to enforce a blacklist: 24%, 21%
• Yes, with no restrictions: 27%, 42%
• No: 34%, 26%
A policy goes to the Supreme Court
• Jeff Quon
• City of Ontario Police Department
• Arch Wireless
• Fourth Amendment Right
– Expectation of Privacy?
– Search Reasonable?
• US District Court (2003)
– Expectation of Privacy? Yes
– Search Reasonable? Yes
(Source: “Reasonable Expectation of Privacy: City of Ontario v. Quon”, Harvard Law Review 124 (1): 179-188)
• US Court of Appeals, Ninth Circuit (2008)
– Expectation of Privacy? Yes
– Search Reasonable? No
(Source: “Reasonable Expectation of Privacy: City of Ontario v. Quon”, Harvard Law Review 124 (1): 179-188)
• Supreme Court of the US (2010)
– Expectation of Privacy? Yes
– Search Reasonable? Yes
(Source: Supreme Court of the United States, City of Ontario, California, et al. v. Quon et al., retrieved from supremecourt.gov on 8/16/2012)
Mobile Security Governance
• Effective Mobile Security Governance
– Know Your Mobile Environment Risks
– Develop an Effective Mobile Security Policy
– Ensure Employees’ Responsibility and Awareness
– Establish a Baseline Security Configuration
– Build a Mobile Aware IT Infrastructure
(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)
Know Your Mobile Environment Risks
• What are the corporate mobile data assets that require protection?
• What, how, and where are the corporate systems accessed by mobile employees?
• How are mobile devices being used, protected and managed?
• Do employees know the procedures in responding to an incident?
Develop an Effective Mobile Security Policy
• Risk-based
• Determine app availability
• Limit device info to what is required
• Consider new threats
• Update policy as needed
Ensure Employees’ Responsibility and Awareness
• A critical security layer
• The unaware user puts information at risk
• Reduces mobile security risks
• Policy buy-in across the organization
Establish a Baseline Security Configuration
• Password protection at power-on
• File or directory encryption
• VPN for e-mail and internal network access
• On-device firewall
• Anti-virus software
• Latest security patches
Build a Mobile Aware IT Infrastructure
• Strong Authentication
• User Role-based Data Access
• Network Segregation & Zoning
• Centralized Device Management
Commonwealth of Virginia Example Policies
Agency: Issued Device Policy / BYOD Policy
• Virginia Information Technologies Agency: [PDF] / [PDF]
• Virginia Auditor of Public Accounts
INFORMATION SECURITY POLICY
Policy Name: Personal Mobile Device Usage Policy
Effective Date: 05/01/2011

PURPOSE: This policy establishes the minimum requirements for the use of a personal mobile device to remotely access employee’s electronic mail (e-mail), calendar, and contact information on the Auditor of Public Accounts servers.

SCOPE: All Auditor of Public Accounts employees (classified or hourly) who choose to use a personal mobile device to access and process employee’s electronic mail, calendar, and contact information. A “personal mobile device” is defined as a smart phone (e.g., iPhone, Android, etc.) or a tablet (e.g., iPad, Zoom, etc.) that is personally purchased, owned, and operated by an employee of the Auditor of Public Accounts. This policy does not address laptops, notebooks, or notebooks with touch-screens.
STATEMENT OF POLICY:
Any personal mobile device that is used to connect to an employee’s APA e-mail, calendar, and contact information servers must meet the following minimum information security requirements.
1. The employee must sign and agree to the “Personal Mobile Device Usage Agreement” before connecting the device.
2. The personal mobile device must be registered with the Information Security Officer prior to use. The employee is responsible for updating his or her registered device information with the Information Security Officer (ISO) in case of a change.
3. APA Network Operations must deny all personal mobile device connection requests unless the device is registered with the ISO and the user has signed the appropriate usage agreement.
4. Devices that connect will be automatically forced to adhere to the following security policies:
a. A password is required to unlock the mobile device.
b. The password consists of at least six (6) numbers.
c. The personal mobile device must automatically lock after five (5) minutes or sooner of inactivity.
d. Encryption is enabled on the device and storage cards.
e. Simple passwords are not allowed.
f. E-mail password will expire according to Active Directory policy.
g. E-mail password history will adhere to Active Directory policy.
h. E-mail attachments from the APA e-mail system will not be forwarded to the device.
5. The employee must run the original device operating system, or an authorized upgrade provided by the vendor or carrier. It is prohibited for an employee to connect a device to the APA e-mail, calendar, and contact server that operates on a hacked operating system, also known as a “jailbroken” device.
6. The employee must immediately contact the ISO in case the device is lost or stolen. APA Network Operations will immediately remove the device association with APA’s network, and it will no longer be able to connect.
7. The employee must be able to remotely wipe the information on his or her device in case it is lost or stolen. It is up to the employee whether he or she wants to remotely wipe the device. APA assumes no responsibility for the contents stored on the device if the employee chooses to utilize the remote wipe command.
8. The Auditor of Public Accounts is not responsible for any subscription fees or data overage fees accumulated by the employee as a result of connecting to the APA e-mail, calendar, and contact information servers.
9. The use of a personal mobile device to access the APA e-mail and calendar server may be terminated by the Auditor of Public Accounts if the employee is found to violate any part of this policy.
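Policy items 1 through 5 above read as a machine-checkable admission rule: refuse the connection unless the device is registered and the agreement is signed, then force the listed settings onto the device. The Python below encodes them as a compliance check; it is an added example, not part of the presentation or the APA policy, and the DeviceReport fields, rule names and sample device are assumptions about what a device would report.

```python
from dataclasses import dataclass

# Thresholds from items 4b and 4c of the policy; the names below are assumptions
MIN_PIN_DIGITS = 6
MAX_INACTIVITY_MINUTES = 5

@dataclass
class DeviceReport:
    """Registration state plus the settings a personal device reports to the mail server."""
    registered_with_iso: bool
    agreement_signed: bool
    password_required: bool
    min_password_length: int
    simple_passwords_allowed: bool
    inactivity_lock_minutes: int
    device_encrypted: bool
    storage_card_encrypted: bool
    attachments_synced: bool
    jailbroken: bool

# Items 1, 2 and 5: if any fails, Network Operations refuses the connection (item 3)
ADMISSION_RULES = [
    ("1", lambda d: d.agreement_signed, "usage agreement not signed"),
    ("2", lambda d: d.registered_with_iso, "device not registered with the ISO"),
    ("5", lambda d: not d.jailbroken, "jailbroken or non-vendor operating system"),
]

# Items 4a-4e and 4h: settings pushed to an admitted device (4f/4g follow the Active Directory policy)
SETTINGS_RULES = [
    ("4a", lambda d: d.password_required, "require an unlock password"),
    ("4b", lambda d: d.min_password_length >= MIN_PIN_DIGITS, "raise minimum password length to 6"),
    ("4c", lambda d: d.inactivity_lock_minutes <= MAX_INACTIVITY_MINUTES, "lower inactivity lock to 5 minutes"),
    ("4d", lambda d: d.device_encrypted and d.storage_card_encrypted, "enable encryption on device and storage cards"),
    ("4e", lambda d: not d.simple_passwords_allowed, "disallow simple passwords"),
    ("4h", lambda d: not d.attachments_synced, "stop forwarding e-mail attachments to the device"),
]

def failed(rules, dev):
    """Return 'item: message' for every rule the device does not satisfy."""
    return ["%s: %s" % (item, msg) for item, ok, msg in rules if not ok(dev)]

def connection_decision(dev):
    """Deny outright on an admission failure; otherwise allow and list settings still to enforce."""
    denied = failed(ADMISSION_RULES, dev)
    return ("deny", denied) if denied else ("allow", failed(SETTINGS_RULES, dev))

# Constructed sample: registered user whose phone still locks after 15 minutes and syncs attachments
SAMPLE = DeviceReport(True, True, True, 6, False, 15, True, True, True, False)
```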
Questions?
Goran G. Gustavsson, MBA, CISSP, CISM
Audit Director, Information Systems Security Specialty Team Leader
Auditor of Public Accounts
[email protected]
(804) 225-3350