Page 1: Mobile Device Security and Control, 2012 NSAA IT Conference and Workshop, Fourth Session: 2:45pm – 4:00pm

Mobile Device Security and Control

http://www.apa.virginia.gov

2012 NSAA IT Conference and Workshop

Fourth Session: 2:45pm – 4:00pm

September 27, 2012

Goran Gustavsson

Audit Director – Information Systems Security

Auditor of Public Accounts


Page 2

Presentation Topics

• 2012 State of Mobile Security
• A Policy Goes to the Supreme Court
• Mobile Security Governance
• Example Policies

Page 3

2012 State of Mobile Security

• InformationWeek 2012 Mobile Security Survey
  – 322 Business Technology Professionals
  – March 2012

Page 4

2012 State of Mobile Security

Policy on Personal Mobile Device Use?

• Yes: 62%
• No, but we're developing a policy: 24%
• No, and we have no plans to allow personal device use: 14%

Page 5

2012 State of Mobile Security

Percentage of Employees Using Mobile Devices (Personally owned / Company-provided)

• Laptop: 99% / 65%
• Smartphones (BlackBerry, iPhone, Android): 92% / 86%
• Tablets (iPad, Android-based, RIM Playbook, etc.): 78% / 77%
• Cell phones (voice/text only, no data plan): 76% / 71%
• Netbooks or ultralight laptops: 71% / 53%
• Ruggedized, job-specific mobile devices: 44% / 24%

Page 6

2012 State of Mobile Security

Top Mobile Security Concerns

• Lost/stolen devices: 84%
• Penetration of our corporate Wi-Fi networks: 32%
• Mobile malware on applications from public app stores: 31%
• Users forwarding corporate information to cloud-based storage services (e.g., Dropbox): 30%
• Security at public hotspots: 27%
• Users forwarding email to personal accounts: 21%
• Interception of over-the-air transmissions: 21%
• Malware exploiting vulnerabilities on internally developed mobile apps: 19%
• Devices jailbroken or rooted by end users: 15%
• Penetration of users' home Wi-Fi networks: 5%

Page 7

2012 State of Mobile Security

Mobile Device Authentication Mechanisms

• User name/password: 80%
• Power-on device password: 47%
• On-device certificates: 34%
• Secure token: 21%
• Image or pattern: 6%
• Biometrics: 6%
• Cellular call-back verification: 3%
• Facial recognition: 2%
• Grid card: 2%
• Other: 4%
• None: 3%

Page 8

2012 State of Mobile Security

Storage of Corporate Data on Mobile Devices (Personally owned / Company-provided)

• Windows laptops/netbooks: 80% / 41%
• BlackBerry: 70% / 41%
• Apple iOS: 62% / 46%
• Android 3.x and 4.x: 42% / 36%
• Windows Mobile: 35% / 25%
• Android 2.x: 35% / 28%
• Non-Windows laptops/netbooks (OS X, Linux): 34% / 23%
• Windows Phone: 30% / 26%
• WebOS: 14% / 10%
• Symbian: 6% / 7%
• Bada: 4% / 4%

Page 9

2012 State of Mobile Security

Missing Mobile Devices

• Yes: 48%
• No: 52%

Page 10

2012 State of Mobile Security

Public Disclosure for Data Loss

• Yes: 12%
• No: 88%

Page 11

2012 State of Mobile Security

Personal Applications on Mobile Devices Accessing Corporate Assets (Personally owned / Company-provided)

• Yes, but we maintain an approved list: 15% / 11%
• Yes, and we have the ability to enforce a blacklist: 24% / 21%
• Yes, with no restrictions: 27% / 42%
• No: 34% / 26%

Page 12

A policy goes to the Supreme Court

• Jeff Quon
• City of Ontario Police Department
• Arch Wireless
• Fourth Amendment Right
  – Expectation of Privacy?
  – Search Reasonable?

Page 13

A policy goes to the Supreme Court

• US District Court (2003)
  – Expectation of Privacy? Yes
  – Search Reasonable? Yes

(Source: “Reasonable Expectation of Privacy: City of Ontario v. Quon”, Harvard Law Review 124 (1): 179-188)

Page 14

A policy goes to the Supreme Court

• US Court of Appeals Ninth Circuit (2008)
  – Expectation of Privacy? Yes
  – Search Reasonable? No

(Source: “Reasonable Expectation of Privacy: City of Ontario v. Quon”, Harvard Law Review 124 (1): 179-188)

Page 15

A policy goes to the Supreme Court

• Supreme Court of the US (2010)
  – Expectation of Privacy? Yes
  – Search Reasonable? Yes

(Source: Supreme Court of the United States, City of Ontario, California, et al. v. Quon et al., retrieved from supremecourt.gov on 8/16/2012)

Page 16

Mobile Security Governance

• Effective Mobile Security Governance
  – Know Your Mobile Environment Risks
  – Develop an Effective Mobile Security Policy
  – Ensure Employees’ Responsibility and Awareness
  – Establish a Baseline Security Configuration
  – Build a Mobile Aware IT Infrastructure

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 17

Know Your Mobile Environment Risks

• What are the corporate mobile data assets that require protection?
• What, how, and where are the corporate systems accessed by mobile employees?
• How are mobile devices being used, protected and managed?
• Do employees know the procedures in responding to an incident?

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 18

Develop an Effective Mobile Security Policy

• Risk-based
• Determine app availability
• Limit device info to what is required
• Consider new threats
• Update policy as needed

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 19

Ensure Employees’ Responsibility and Awareness

• A critical security layer
• The Unaware User Puts Information at Risk
• Reduces mobile security risks
• Policy buy-in across organization

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 20

Establish a Baseline Security Configuration

• Password protection at power-on
• File or directory encryption
• VPN for e-mail and internal network access
• On-device firewall
• Anti-Virus software
• Latest security patches

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 21

Build a Mobile Aware IT Infrastructure

• Strong Authentication
• User Role-based Data Access
• Network Segregation & Zoning
• Centralized Device Management

(Source: Zhang, Robert, “5 Steps for Achieving Effective Mobile Security”, retrieved from csoonline.com on 7/26/2012)

Page 22

Commonwealth of Virginia Example Policies

Agency | Issued Device Policy | BYOD Policy
Virginia Information Technologies Agency | [PDF] | [PDF]
Virginia Auditor of Public Accounts | |

Page 23

Commonwealth of Virginia Example Policies

INFORMATION SECURITY POLICY
Policy Name: Personal Mobile Device Usage Policy
Effective Date: 05/01/2011

PURPOSE: This policy establishes the minimum requirements for the use of a personal mobile device to remotely access employee’s electronic mail (e-mail), calendar, and contact information on the Auditor of Public Accounts servers.

SCOPE: All Auditor of Public Accounts employees (classified or hourly) who choose to use a personal mobile device to access and process employee’s electronic mail, calendar, and contact information. A “personal mobile device” is defined as a smart phone (e.g., iPhone, Android, etc.) or a tablet (e.g., iPad, Zoom, etc.) that is personally purchased, owned, and operated by an employee of the Auditor of Public Accounts. This policy does not address laptops, notebooks, or notebooks with touch-screens.

Page 24

Commonwealth of Virginia Example Policies

STATEMENT OF POLICY:

Any personal mobile device that is used to connect to an employee’s APA e-mail, calendar, and contact information servers must meet the following minimum information security requirements.

1. The employee must sign and agree to the “Personal Mobile Device Usage Agreement” before connecting the device.

2. The personal mobile device must be registered with the Information Security Officer prior to use. The employee is responsible to update his or her registered device information with the Information Security Officer (ISO) in case of a change.

3. APA Network Operations must deny all personal mobile device connection requests unless the device is registered with the ISO and the user has signed the appropriate usage agreement.

Page 25

Commonwealth of Virginia Example Policies

4. Devices that connect will be automatically forced to adhere to the following security policies:
  a. A password is required to unlock the mobile device.
  b. The password consists of at least six (6) numbers.
  c. The personal mobile device must automatically lock after five (5) minutes or sooner of inactivity.
  d. Encryption is enabled on the device and storage cards.
  e. Simple passwords are not allowed.
  f. E-mail password will expire according to active directory policy.
  g. E-mail password history will adhere to active directory policy.
  h. E-mail attachments from the APA e-mail system will not be forwarded to the device.

Page 26

Commonwealth of Virginia Example Policies

5. The employee must run the original device operating system, or an authorized upgrade provided by the vendor or carrier. It is prohibited for an employee to connect a device to the APA e-mail, calendar, and contact server that operates on a hacked operating system, also known as a “jailbroken” device.

6. The employee must immediately contact the ISO in case the device is lost or stolen. APA Network Operations will immediately remove the device association with APA’s network, and it will no longer be able to connect.

7. The employee must be able to remotely wipe the information on his or her device in case it is lost or stolen. It is up to the employee whether he or she wants to remotely wipe the device. APA assumes no responsibility for the contents stored on the device if the employee chooses to utilize the remote wipe command.
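Items 1 through 7 of the quoted policy describe a deny-by-default connection gate: a device may reach the mail, calendar and contact servers only if the employee has signed the agreement, the device is registered with the ISO, its effective settings satisfy item 4, its operating system is unmodified, and it has not been reported lost or stolen. The script below shows that gate as an added example; it is not APA's own tooling, and the DeviceReport field names, the registry, agreement and lost-device lists, and the four sample devices are all constructed for the illustration.

```python
"""Connection gate modelled on items 1-7 of the APA Personal Mobile Device
Usage Policy quoted on the slides.  Added illustration; not APA's own tooling.
The DeviceReport schema, the registry/agreement/lost lists and every sample
device below are constructed for the example."""
from dataclasses import dataclass

# Thresholds taken from policy items 4b and 4c.
MIN_PASSWORD_LENGTH = 6      # "at least six (6) numbers"
MAX_INACTIVITY_MINUTES = 5   # "lock after five (5) minutes or sooner"


@dataclass(frozen=True)
class DeviceReport:
    """Effective settings a device presents when it asks to connect (assumed fields)."""
    device_id: str
    owner: str
    password_required: bool
    password_min_length: int
    simple_passwords_allowed: bool
    inactivity_lock_minutes: int   # 0 = never locks
    device_encrypted: bool
    storage_card_encrypted: bool
    jailbroken: bool
    attachments_synced: bool       # True if APA attachments would reach the device


def violations(report, registry, signed_agreements, lost_or_stolen):
    """Return the policy items the device fails; an empty list means compliant.

    registry:          device_id -> owner, as registered with the ISO (item 2)
    signed_agreements: employees who signed the Usage Agreement (item 1)
    lost_or_stolen:    device_ids reported to the ISO (item 6)
    Items 4f/4g (password expiry and history) are enforced by Active Directory
    on the mailbox, not by the device, so they are not checked here.
    """
    found = []
    if report.owner not in signed_agreements:
        found.append("1: no signed Personal Mobile Device Usage Agreement")
    if registry.get(report.device_id) != report.owner:
        found.append("2: device not registered with the ISO for this employee")
    if not report.password_required:
        found.append("4a: unlock password not required")
    if report.password_min_length < MIN_PASSWORD_LENGTH:
        found.append(f"4b: password shorter than {MIN_PASSWORD_LENGTH} digits")
    if not 0 < report.inactivity_lock_minutes <= MAX_INACTIVITY_MINUTES:
        found.append(f"4c: no inactivity lock within {MAX_INACTIVITY_MINUTES} minutes")
    if not (report.device_encrypted and report.storage_card_encrypted):
        found.append("4d: device or storage card not encrypted")
    if report.simple_passwords_allowed:
        found.append("4e: simple passwords allowed")
    if report.attachments_synced:
        found.append("4h: e-mail attachments forwarded to the device")
    if report.jailbroken:
        found.append("5: jailbroken operating system")
    if report.device_id in lost_or_stolen:
        found.append("6: reported lost or stolen; association removed")
    return found


def decide(report, registry, signed_agreements, lost_or_stolen):
    """Item 3: Network Operations deny unless every requirement is met."""
    found = violations(report, registry, signed_agreements, lost_or_stolen)
    return ("ALLOW" if not found else "DENY", found)


# Constructed sample data standing in for the ISO's records.
SAMPLE_REGISTRY = {"dev-001": "alice", "dev-002": "bob", "dev-003": "dana"}
SAMPLE_SIGNED_AGREEMENTS = {"alice", "bob", "dana"}
SAMPLE_LOST_OR_STOLEN = {"dev-003"}

SAMPLE_DEVICES = {
    "compliant": DeviceReport("dev-001", "alice", True, 6, False, 5, True, True, False, False),
    # Registered and signed, but jailbroken with lax settings.
    "jailbroken": DeviceReport("dev-002", "bob", True, 4, True, 15, True, False, True, True),
    # Reported lost: everything else compliant, yet the association is gone.
    "lost": DeviceReport("dev-003", "dana", True, 6, False, 2, True, True, False, False),
    # Never registered, and the owner never signed the agreement.
    "unknown": DeviceReport("dev-009", "carol", True, 8, False, 1, True, True, False, False),
}


def gate_all():
    """Run the gate over every sample device; returns name -> (decision, items)."""
    return {name: decide(rep, SAMPLE_REGISTRY, SAMPLE_SIGNED_AGREEMENTS,
                         SAMPLE_LOST_OR_STOLEN)
            for name, rep in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, (decision, items) in gate_all().items():
        print(f"{name:10} {decision}")
        for item in items:
            print(f"           - {item}")
```

Running the script prints one ALLOW or DENY line per sample device followed by the numbered policy items it fails. The design point is item 3 made literal: the gate never infers compliance from the absence of a report, so a device that is unknown to the ISO is denied for the same reason as one with a weak configuration, and the list of failed items gives the employee and the ISO an exact record of what to fix or re-register.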

Page 27

Commonwealth of Virginia Example Policies

8. The Auditor of Public Accounts is not responsible for any subscription fees or data overage fees accumulated by the employee as a result of connecting to the APA e-mail, calendar, and contact information servers.

9. The use of a personal mobile device to access the APA e-mail and calendar server may be terminated by the Auditor of Public Accounts if the employee is found to violate any part of this policy.

Page 28

Questions?

Goran G. Gustavsson, MBA, CISSP, CISM
Audit Director
Information Systems Security Specialty Team Leader
Auditor of Public Accounts
[email protected]
(804) 225-3350