Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mobile Device Security and Control 2012 NSAA IT Conference and Workshop Fourth Session: 2:45pm – 4:00pm _____________________________________.

Published byEvelin Lowrance Modified over 10 years ago

Similar presentations

Presentation on theme: "Mobile Device Security and Control 2012 NSAA IT Conference and Workshop Fourth Session: 2:45pm – 4:00pm _____________________________________."— Presentation transcript:

1 Mobile Device Security and Control http://www.apa.virginia.gov 2012 NSAA IT Conference and Workshop Fourth Session: 2:45pm – 4:00pm _____________________________________ September 27, 2012 Goran Gustavsson Audit Director – Information Systems Security Auditor of Public Accounts Page 1

2 Mobile Device Security and Control Presentation Topics 2012 State of Mobile Security A Policy Goes to the Supreme Court Mobile Security Governance Example Policies http://www.apa.virginia.gov Page 2

3 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov InformationWeek 2012 Mobile Security Survey 322 Business Technology Professionals March 2012 Page 3

4 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 4

5 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 5

6 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 6

7 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 7

8 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 8

9 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 9

10 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 10

11 Mobile Device Security and Control 2012 State of Mobile Security http://www.apa.virginia.gov Page 11

12 Mobile Device Security and Control A policy goes to the Supreme Court Jeff Quon City of Ontario Police Department Arch Wireless Fourth Amendment Right –Expectation of Privacy? –Search Reasonable? http://www.apa.virginia.gov Page 12

13 Mobile Device Security and Control A policy goes to the Supreme Court US District Court (2003) –Expectation of Privacy? Yes –Search Reasonable? Yes http://www.apa.virginia.gov (Source: Reasonable Expectation of Privacy: City of Ontario v. Quon Harvard Law Review 124 (1): 179-188) Page 13

14 Mobile Device Security and Control A policy goes to the Supreme Court US Court of Appeals Ninth Circuit (2008) –Expectation of Privacy? Yes –Search Reasonable? No http://www.apa.virginia.gov (Source: Reasonable Expectation of Privacy: City of Ontario v. Quon Harvard Law Review 124 (1): 179-188) Page 14

15 Mobile Device Security and Control A policy goes to the Supreme Court Supreme Court of the US (2010) –Expectation of Privacy? Yes –Search Reasonable? Yes http://www.apa.virginia.gov (Source: Supreme Court of the United States, City of Ontario, California, et al. v. Quon et al., retrieved from supremecourt.gov on 8/16/2012)supremecourt.gov Page 15

16 Mobile Device Security and Control Mobile Security Governance Effective Mobile Security Governance –Know Your Mobile Environment Risks –Develop an Effective Mobile Security Policy –Ensure Employees Responsibility and Awareness –Establish a Baseline Security Configuration –Build a Mobile Aware IT Infrastructure http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 16

17 Mobile Device Security and Control Know Your Mobile Environment Risks What are the corporate mobile data assets that require protection? What, how, and where are the corporate systems accessed by mobile employees? How are mobile devices being used, protected and managed? Do employees know the procedures in responding to an incident? http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 17

18 Mobile Device Security and Control Develop an Effective Mobile Security Policy Risk-based Determine app availability Limit device info to what is required Consider new threats Update policy as needed http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 18

19 Mobile Device Security and Control Ensure Employees Responsibility and Awareness A critical security layer The Unaware User Put Information at Risk Reduces mobile security risks Policy buy-in across organization http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 19

20 Mobile Device Security and Control Establish a Baseline Security Configuration Password protection at power-on File or directory encryption VPN for e-mail and internal network access On-device firewall Anti-Virus software Latest security patches http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 20

21 Mobile Device Security and Control Build a Mobile Aware IT Infrastructure Strong Authentication User Role-based Data Access Network Segregation & Zoning Centralized Device Management http://www.apa.virginia.gov (Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012) csoonline.com Page 21

22 Mobile Device Security and Control Commonwealth of Virginia Example Policies Agency Issued Device Policy BYOD Policy Virginia Information Technologies Agency [PDF]PDF[PDF]PDF Virginia Auditor of Public Accounts http://www.apa.virginia.gov Page 22

23 Mobile Device Security and Control Commonwealth of Virginia Example Policies PURPOSE: This policy establishes the minimum requirements for the use of a personal mobile device to remotely access employees electronic mail (e-mail), calendar, and contact information on the Auditor of Public Accounts servers. SCOPE:All Auditor of Public Accounts employees (classified or hourly) who choose to use a personal mobile device to access and process employees electronic mail, calendar, and contact information. A personal mobile device is defined as a smart phone (e.g. iPhone, Android, etc) or a tablet (e.g., iPad, Zoom, etc) that is personally purchased, owned, and operated by an employee of the Auditor of Public Accounts. This policy does not address laptops, notebooks, or notebooks with touch-screens. http://www.apa.virginia.gov Page 23

24 Mobile Device Security and Control Commonwealth of Virginia Example Policies http://www.apa.virginia.gov STATEMENT OF POLICY: Any personal mobile device that is used to connect to an employees APA e- mail, calendar, and contact information servers must meet the following minimum information security requirements. 1.The employee must sign and agree to the Personal Mobile Device Usage Agreement before connecting the device. 2.The personal mobile device must be registered with the Information Security Officer prior to use. The employee is responsible to update his or her registered device information with the Information Security Officer (ISO) in case of a change. 3.APA Network Operations must deny all personal mobile device connection requests unless the device is registered with the ISO and the user has signed the appropriate usage agreement. Page 24

25 Mobile Device Security and Control Commonwealth of Virginia Example Policies http://www.apa.virginia.gov STATEMENT OF POLICY: 4.Devices that connect will be automatically forced to adhere to the following security policies: a.A password is required to unlock the mobile device. b.The password consists of at least six (6) numbers. c.The personal mobile device must automatically lock after five (5) minutes or sooner of inactivity. d.Encryption is enabled on the device and storage cards. e.Simple passwords are not allowed. f.E-mail password will expire according to active directory policy. g.E-mail password history will adhere to active directory policy. h.E-mail attachments from the APA e-mail system will not be forwarded to the device. Page 25

26 Mobile Device Security and Control Commonwealth of Virginia Example Policies http://www.apa.virginia.gov STATEMENT OF POLICY: 5.The employee must run the original device operating system, or an authorized upgrade provided by the vendor or carrier. It is prohibited for an employee to connect a device to the APA e-mail, calendar, and contact server that operates on a hacked operating system, also known as a jailbroken device. 6.The employee must immediately contact the ISO in case the device is lost or stolen. APA Network Operations will immediately remove the device association with APAs network, and it will no longer be able to connect. 7.The employee must be able to remotely wipe the information on his or her device in case it is lost or stolen. It is up to the employee whether he or she wants to remotely wipe the device. APA assumes no responsibility for the contents stored on the device if the employee chooses to utilize the remote wipe command. Page 26

27 Mobile Device Security and Control Commonwealth of Virginia Example Policies http://www.apa.virginia.gov STATEMENT OF POLICY: 8.The Auditor of Public Accounts is not responsible for any subscription fees or data overage fees accumulated by the employee as a result of connecting to the APA e-mail, calendar, and contact information servers. 9.The use of a personal mobile device to access the APA e-mail and calendar server may be terminated by the Auditor of Public Accounts if the employee is found to violate any part of this policy. Page 27

28 Mobile Device Security and Control Questions? http://www.apa.virginia.gov Goran G. Gustavsson, MBA, CISSP, CISM Audit Director Information Systems Security Specialty Team Leader Auditor of Public Accounts goran.gustavsson@apa.virginia.gov (804) 225-3350 Page 28

Download ppt "Mobile Device Security and Control 2012 NSAA IT Conference and Workshop Fourth Session: 2:45pm – 4:00pm _____________________________________."

Similar presentations

Searching the Florida Vendor Bid System (VBS)

Searching the Florida Vendor Bid System (VBS)
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
JCAHO –A HIPAA Business Associate National HIPAA Summit

JCAHO –A HIPAA Business Associate National HIPAA Summit
Slide 1 FastFacts Feature Presentation April 16, 2012 To dial in, use this phone number and participant code… Phone number: 888-651-5908 Participant code:

Slide 1 FastFacts Feature Presentation April 16, 2012 To dial in, use this phone number and participant code… Phone number: Participant code:
Aviation Security Training Module 4 Design and Conduct Exercise II 1.

Aviation Security Training Module 4 Design and Conduct Exercise II 1.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
606 CMR 14.00: Background Record Checks What you need to know!

606 CMR 14.00: Background Record Checks What you need to know!
Proud Members of the Consulting Group, LLC

Proud Members of the Consulting Group, LLC
The ABCs of Credit Card Finance Essential Facts for Students 2007 Carol A. Carolan, Ph.D.

The ABCs of Credit Card Finance Essential Facts for Students 2007 Carol A. Carolan, Ph.D.
P-Card User Guide Standard Profile July 2012 1 RCNJ-BOA Purchasing Card User Guide – Standard Profile Ramapo College and Bank of America VISA Procurement.

P-Card User Guide Standard Profile July RCNJ-BOA Purchasing Card User Guide – Standard Profile Ramapo College and Bank of America VISA Procurement.
The ABCs of Credit Card Finance Essential Facts for Students 2012 Carol A. Carolan, Ph.D.

The ABCs of Credit Card Finance Essential Facts for Students 2012 Carol A. Carolan, Ph.D.
© SafeNet Confidential and Proprietary Administering SafeNet StorageSecure Smart Card Module 3: Lesson 5 SafeNet StorageSecure Storage Security Course.

© SafeNet Confidential and Proprietary Administering SafeNet StorageSecure Smart Card Module 3: Lesson 5 SafeNet StorageSecure Storage Security Course.
INFORMATION TECHNOLOGY, THE INTERNET, AND YOU

INFORMATION TECHNOLOGY, THE INTERNET, AND YOU
1 Fortinet Confidential 1 T I T R E Fortinet 2013 Global Survey.

1 Fortinet Confidential 1 T I T R E Fortinet 2013 Global Survey.
IRIS Computing Orientation Lars Rohrbach Instructional and Research Information Systems (IRIS) 1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY.

IRIS Computing Orientation Lars Rohrbach Instructional and Research Information Systems (IRIS) 1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY.
©2013 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Best Practices to Secure the Mobile Enterprise Macy Torrey

©2013 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Best Practices to Secure the Mobile Enterprise Macy Torrey
1 How to Enter Time. 2 Select: Log In Once logged in, Select: Employees.

1 How to Enter Time. 2 Select: Log In Once logged in, Select: Employees.
!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.

!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.

Similar presentations

Ads by Google