
Mobile Device Security and Control 2012 NSAA IT Conference and Workshop Fourth Session: 2:45pm – 4:00pm _____________________________________.


1 Mobile Device Security and Control
NSAA IT Conference and Workshop
Fourth Session: 2:45pm – 4:00pm
September 27, 2012
Goran Gustavsson
Audit Director – Information Systems Security
Auditor of Public Accounts
Page 1

2 Presentation Topics
– 2012 State of Mobile Security
– A Policy Goes to the Supreme Court
– Mobile Security Governance
– Example Policies

3 2012 State of Mobile Security
InformationWeek 2012 Mobile Security Survey
322 Business Technology Professionals
March 2012

4–11 2012 State of Mobile Security (slides 4 through 11 contain no transcribed text)

12 A Policy Goes to the Supreme Court
Jeff Quon
City of Ontario Police Department
Arch Wireless
Fourth Amendment Right
– Expectation of Privacy?
– Search Reasonable?

13 A Policy Goes to the Supreme Court
US District Court (2003)
– Expectation of Privacy? Yes
– Search Reasonable? Yes
(Source: Reasonable Expectation of Privacy: City of Ontario v. Quon, Harvard Law Review 124 (1): )

14 A Policy Goes to the Supreme Court
US Court of Appeals, Ninth Circuit (2008)
– Expectation of Privacy? Yes
– Search Reasonable? No
(Source: Reasonable Expectation of Privacy: City of Ontario v. Quon, Harvard Law Review 124 (1): )

15 A Policy Goes to the Supreme Court
Supreme Court of the US (2010)
– Expectation of Privacy? Yes
– Search Reasonable? Yes
(Source: Supreme Court of the United States, City of Ontario, California, et al. v. Quon et al., retrieved from supremecourt.gov on 8/16/2012)

16 Mobile Security Governance
Effective Mobile Security Governance
– Know Your Mobile Environment Risks
– Develop an Effective Mobile Security Policy
– Ensure Employee Responsibility and Awareness
– Establish a Baseline Security Configuration
– Build a Mobile-Aware IT Infrastructure
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

17 Know Your Mobile Environment Risks
– What are the corporate mobile data assets that require protection?
– What, how, and where are the corporate systems accessed by mobile employees?
– How are mobile devices being used, protected and managed?
– Do employees know the procedures for responding to an incident?
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

18 Develop an Effective Mobile Security Policy
– Risk-based
– Determine app availability
– Limit device info to what is required
– Consider new threats
– Update policy as needed
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

19 Ensure Employee Responsibility and Awareness
– A critical security layer
– The unaware user puts information at risk
– Reduces mobile security risks
– Policy buy-in across the organization
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

20 Establish a Baseline Security Configuration
– Password protection at power-on
– File or directory encryption
– VPN for e-mail and internal network access
– On-device firewall
– Anti-virus software
– Latest security patches
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

21 Build a Mobile-Aware IT Infrastructure
– Strong Authentication
– User Role-based Data Access
– Network Segregation & Zoning
– Centralized Device Management
(Source: Zhang, Robert, 5 Steps for Achieving Effective Mobile Security, retrieved from csoonline.com on 7/26/2012)

22 Commonwealth of Virginia Example Policies
– Agency Issued Device Policy
– BYOD Policy
Virginia Information Technologies Agency
Virginia Auditor of Public Accounts

23 Commonwealth of Virginia Example Policies
PURPOSE: This policy establishes the minimum requirements for the use of a personal mobile device to remotely access employees' electronic mail (e-mail), calendar, and contact information on the Auditor of Public Accounts servers.
SCOPE: All Auditor of Public Accounts employees (classified or hourly) who choose to use a personal mobile device to access and process employees' electronic mail, calendar, and contact information. A personal mobile device is defined as a smart phone (e.g., iPhone, Android, etc.) or a tablet (e.g., iPad, Zoom, etc.) that is personally purchased, owned, and operated by an employee of the Auditor of Public Accounts. This policy does not address laptops, notebooks, or notebooks with touch-screens.

24 Commonwealth of Virginia Example Policies
STATEMENT OF POLICY: Any personal mobile device that is used to connect to an employee's APA e-mail, calendar, and contact information servers must meet the following minimum information security requirements.
1. The employee must sign and agree to the Personal Mobile Device Usage Agreement before connecting the device.
2. The personal mobile device must be registered with the Information Security Officer (ISO) prior to use. The employee is responsible for updating his or her registered device information with the ISO in case of a change.
3. APA Network Operations must deny all personal mobile device connection requests unless the device is registered with the ISO and the user has signed the appropriate usage agreement.

25 Commonwealth of Virginia Example Policies
STATEMENT OF POLICY:
4. Devices that connect will be automatically forced to adhere to the following security policies:
a. A password is required to unlock the mobile device.
b. The password consists of at least six (6) numbers.
c. The personal mobile device must automatically lock after five (5) minutes or sooner of inactivity.
d. Encryption is enabled on the device and storage cards.
e. Simple passwords are not allowed.
f. E-mail password will expire according to Active Directory policy.
g. E-mail password history will adhere to Active Directory policy.
h. E-mail attachments from the APA system will not be forwarded to the device.

26 Commonwealth of Virginia Example Policies
STATEMENT OF POLICY:
5. The employee must run the original device operating system, or an authorized upgrade provided by the vendor or carrier. It is prohibited for an employee to connect a device to the APA e-mail, calendar, and contact server that operates on a hacked operating system, also known as a jailbroken device.
6. The employee must immediately contact the ISO in case the device is lost or stolen. APA Network Operations will immediately remove the device association with APA's network, and it will no longer be able to connect.
7. The employee must be able to remotely wipe the information on his or her device in case it is lost or stolen. It is up to the employee whether he or she wants to remotely wipe the device. APA assumes no responsibility for the contents stored on the device if the employee chooses to utilize the remote wipe command.

27 Commonwealth of Virginia Example Policies
STATEMENT OF POLICY:
8. The Auditor of Public Accounts is not responsible for any subscription fees or data overage fees accumulated by the employee as a result of connecting to the APA e-mail, calendar, and contact information servers.
9. The use of a personal mobile device to access the APA e-mail and calendar server may be terminated by the Auditor of Public Accounts if the employee is found to violate any part of this policy.
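As an added example (not from the slides or from the APA), the connection rules in items 1 through 5 above expressed as a check that Network Operations could run against a device's self-reported state. The numeric-PIN reading of item 4b and the definition of a "simple password" are assumptions; items 4f through 4h (Active Directory expiry and history, attachment forwarding) are left to the mail server and not checked here.

```python
"""Policy-as-code check for APA personal device items 1 to 5 above (constructed example).
Assumptions: "at least six (6) numbers" means a numeric PIN of 6+ digits, and a
"simple password" is one repeated digit or a straight ascending/descending run."""
MIN_PIN_DIGITS = 6    # item 4b
MAX_LOCK_MINUTES = 5  # item 4c


def is_simple_pin(pin: str) -> bool:
    # Assumed definition: 111111-style repeats or 123456/654321-style runs.
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def evaluate(device: dict) -> list:
    """Return the policy items the device violates; an empty list means compliant."""
    v = []
    if not device.get("agreement_signed"):
        v.append("1: usage agreement not signed")
    if not device.get("registered_with_iso"):
        v.append("2: device not registered with the ISO")
    pin = device.get("pin", "")
    if not pin:
        v.append("4a: no unlock password set")
    elif not (pin.isdecimal() and len(pin) >= MIN_PIN_DIGITS):
        v.append("4b: password is not at least six numbers")
    elif is_simple_pin(pin):
        v.append("4e: simple password")
    lock = device.get("lock_minutes")  # None: no automatic lock configured
    if lock is None or lock > MAX_LOCK_MINUTES:
        v.append("4c: inactivity lock missing or longer than five minutes")
    # A device with no storage card omits the key; a present card must be encrypted.
    if not (device.get("device_encrypted") and device.get("storage_card_encrypted", True)):
        v.append("4d: device or storage card not encrypted")
    if device.get("jailbroken"):
        v.append("5: hacked (jailbroken) operating system")
    return v


def may_connect(device: dict) -> bool:
    """Item 3: Network Operations denies the connection unless every check passes."""
    return not evaluate(device)


# Constructed sample device reports, not real devices.
COMPLIANT = {"agreement_signed": True, "registered_with_iso": True, "pin": "482913",
             "lock_minutes": 5, "device_encrypted": True, "storage_card_encrypted": True,
             "jailbroken": False}
NONCOMPLIANT = {**COMPLIANT, "pin": "123456", "lock_minutes": 15, "jailbroken": True}
```

The violation list doubles as the reason string to give the employee or the ISO when a connection request is denied under item 3.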

28 Questions?
Goran G. Gustavsson, MBA, CISSP, CISM
Audit Director
Information Systems Security Specialty Team Leader
Auditor of Public Accounts
(804)

