A framework for auditing mobile devices

Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
© 2010 Baker Tilly Virchow Krause, LLP
Learning objectives
˃ Understand different approaches for managing
mobile devices including centralized, decentralized,
and BYOD management
˃ Identify the impacts of mobile devices on the
organization
˃ Critically analyze mobile device risks using a
framework focused on people, devices,
applications/websites, and data
˃ Define key mobile device controls to incorporate
into audit work plans
Contents
˃ Define mobile & BYOD
˃ Impacts of mobile devices at organizations
˃ Risks and internal audit considerations
˃ Key mobile device management controls
˃ A framework for mobile device auditing
˃ Examples of environments
˃ Resources
Define mobile & BYOD
Why do we care?
˃ Mobile is here, no going back to being tethered to a
desk
˃ Mobile allows great productivity and flexibility to
achieve organizational objectives
˃ Mobile employees are happier (so “they” say)
˃ Mobile can save money (maybe?)
Why is mobile the future?
˃ A Cisco study says the average number of connected
devices per knowledge worker will reach 3.3 in 2014,
up from 2.8 in 2012
˃ Gartner predicts by 2017, half of employers will
require employees to supply their own device for
work purposes
What is a mobile device?
NIST (SP 800-124) – characteristics:
˃ Small form factor
˃ Wireless network interface for internet access
˃ Local built-in (non-removable) data storage
˃ Operating system that is not a full-fledged desktop/laptop
operating system
˃ Apps available through multiple methods
˃ Built-in features for synchronizing local data
What is a mobile device?
NIST – optional characteristics:
˃ Wireless personal area network interfaces (e.g., Bluetooth,
near-field communications)
˃ Cellular network interfaces
˃ GPS
˃ Digital camera
˃ Microphone
˃ Support for removable media
˃ Support for using the device itself as removable storage
What is a mobile device?
Any easily portable technology that allows for the
storage and transmittal of your organization’s data
Examples:
˃ Phones
˃ Tablets
˃ Laptops
˃ External storage (e.g., USB thumb drives, portable hard drives)
˃ Cameras (e.g., point and shoot)
˃ Logistics devices (e.g., GPS tracking devices, RFID)
˃ eReaders
˃ Digital music players (e.g., iPods)
˃ Medical devices (e.g., pacemakers)
˃ Smartwatches and glasses
What is BYOD?
˃ Bring Your Own Device
˃ Supported by organization systems and
applications that allow multiple types of devices to
access those services
˃ Powered by the internet
BYOD – pros & cons
Pros:
˃ Reduced upfront costs
˃ Employee satisfaction
˃ Potentially greater functionality for users
Cons:
˃ Unmanaged devices with your organization’s data
˃ Mingling of personal and organizational data
˃ Managing legal requirements (e.g., eDiscovery)
BYOD in the Enterprise—A Holistic Approach, ISACA JOURNAL, Volume 1, 2013
Risks and internal audit considerations
Major security concerns (NIST)
˃ Lack of physical security controls
˃ Use of untrusted mobile devices
˃ Use of untrusted networks
˃ Use of apps created by unknown parties
˃ Interaction with other systems
˃ Use of untrusted content
˃ Use of location services
What are the mobile device risks?
NIST characteristic: illustrative risk
Required characteristics:
˃ Small form factor: loss or theft of data
˃ Wireless network interface for internet access: exposure to untrusted and unsecured networks
˃ Local built-in (non-removable) data storage: loss or theft of data
˃ Operating system that is not a full-fledged desktop/laptop operating system: reduced technical controls
˃ Apps available through multiple methods: exposure to untrusted and malicious apps
˃ Built-in features for synchronizing local data: interactions with other untrusted and unsecured systems
Optional characteristics:
˃ Wireless personal area network interfaces (e.g., Bluetooth, near-field communications): exposure to untrusted and unsecured networks
˃ Cellular network interfaces: exposure to untrusted and unsecured networks
˃ GPS: exposure of private information
˃ Digital camera: exposure of private information
˃ Microphone: exposure of private information
˃ Support for removable media: loss or theft of data
˃ Support for using the device itself as removable storage: interactions with other untrusted and unsecured systems
IA considerations – scoping
Does your organization have a mobile device
strategy, including:
˃ Alignment with organizational strategy/objectives
˃ Risk assessment(s) for mobility
˃ Definition of devices
˃ Policies governing the use of devices (with penalties)
˃ Security standards based on data
IA considerations – scoping (cont.)
˃ Who owns these devices, organization or
employee?
˃ Who is responsible for managing and securing the
devices?
˃ Incident response procedures
˃ Antivirus / antimalware software
˃ Who is paying for devices and service plans?
˃ Does that change responsibilities?
˃ What are the legal and regulatory requirements for
your organization and the jurisdictions you operate
in?
Identifying owners and stakeholders
˃ Who is your client?
˃ Who are the stakeholders?
˃ General Counsel
˃ Chief Information Officer
˃ Chief Information Security Officer
˃ Chief Operations Officer
˃ Chief Compliance Officer
˃ Chief Privacy Officer
˃ Chief Risk Officer
˃ Other functions with a stake in privacy and security
(e.g., human resources, sales)
Understanding the organization
˃ Mission and objectives
˃ Organization and responsibilities
˃ Customers
˃ Types of data
˃ Exchanges of data
˃ Interdepartmental
˃ Third parties
˃ Interstate or international
˃ Data collection, usage, retention, and disclosure
˃ Systems (e.g., websites, apps)
Assessing risk
˃ Leveraging management’s risk assessments
˃ Consultation with legal counsel
˃ Regulatory risk
˃ Legal/contractual risk
˃ Industry self-regulatory initiatives
˃ Constituency relations and perceptions
˃ Public relations
Where’s the GRC?
Old model
˃ Protect everything in my office network with
physical and logical controls over access
˃ Then we added laptops and pushed the network
out of the office using VPNs
˃ That doesn’t work any more with phones and
tablets, especially when they are owned by the
employee
Framework – benefits
˃ Flexible – audit all at once or in parts
˃ Adaptable – scope it how you want it
˃ Inclusive – make use of other
standards/frameworks (e.g., COBIT, ISO 27002,
NIST)
˃ ISACA’s Bring Your Own Device (BYOD) Security
Audit/Assurance Program
Mobile device framework
˃ Data
˃ Websites & apps
˃ Devices
˃ People
(Diagram: the four framework areas, data, websites & apps, devices, and people.)
Mobile device framework – data
˃ Data (i.e., data generated, accessed, modified,
transmitted, stored or used electronically by the
organization) is essential to the organization's
objectives and requires protection for a variety of
reasons, including legal and regulatory
requirements.
˃ Examples:
˃ Messages (e.g., emails, text messages, instant messages)
˃ Voice
˃ Pictures
˃ Files (e.g., attachments)
˃ Hidden (e.g., GPS)
Building the framework – data types
(Diagram: framework grid with columns DATA, WEB & APPS, DEVICES, PEOPLE; the DATA column populated with the organization's data types.)
Mobile device framework – data
˃ Classification tiers
˃ Data owners/stewards
˃ Data inventory
Mobile device framework – data – audit considerations
˃ Determine the types of data that can be accessed
or stored on mobile devices. Assess restrictions in
place to safeguard data.
˃ Review the data classification security policy to
ensure specificity to the various types of data,
based on sensitivity.
˃ Use/create an inventory of data, identify the
applications and websites where it can be
accessed, and determine who will take ownership
of the data moving forward.
Mobile device framework – data – audit considerations
˃ Determine if authentication and security
requirements or restrictions are or should be
established for each data type
˃ Determine whether legal hold requirements are
documented and aligned with the data classification
scheme and, in turn, with mobile device security controls
Building the framework – data: classification
(Diagram: the DATA column grouped into the classification tiers Confidential, Restricted, Internal Use, and Public, alongside WEB & APPS, DEVICES, PEOPLE.)
Data – audit considerations
from ISACA’s work program
˃ 8.1.2 Data Access
˃ 8.1.4 Encryption and Data Protection
Mobile device framework – websites & apps
˃ Websites and applications (i.e., tools used to
process electronic data) require security controls,
regardless of the device used for access, to protect
the confidentiality, integrity, and availability of data.
Mobile device framework – websites & apps examples
Type: Websites/portals
  Business: Outlook web access; business intranet
  Personal: Google; Yahoo; ESPN
Type: Cloud services
  Business: Google services; Salesforce.com; Microsoft Office 365
  Personal: Gmail; Flickr; Facebook
Type: App stores
  Business: Apple app store; Google marketplace; Amazon app store; custom corporate stores
  Personal: Apple app store; Google marketplace; Amazon app store
Type: Custom built apps & sites
  Business: business specific
  Personal: entertainment; hacking/malicious
Type: Virtual desktop environments/remote desktop tools
  Examples: Citrix; VMware; GoToMyPC; VNC
Building the framework – web & apps
(Diagram: each data tier linked to the apps and websites through which it is accessed, filling the WEB & APPS column.)
Mobile device framework – web/apps – audit considerations
˃ Determine the websites and applications that are
used on mobile devices to access data, and
determine whether they are approved. Assess how
websites and applications are secured to protect
data.
˃ Review all applications and websites accessible via
mobile devices to ensure they comply with security
policies (e.g., encryption requirements, storage
restrictions, access permissions).
Web/App – audit considerations
from ISACA’s work program
˃ 8.1.6 Malware Protection
˃ 9.1.3 Secure Software Distribution
Mobile device framework – devices
˃ Devices (i.e., hardware used to access websites
and applications for data processing) require an
increasing variety of security controls because of
their greater mobility, the wider choice of models
and functionality, and their short replacement cycles.
Mobile device framework – devices
˃ Managed vs. unmanaged
˃ Business vs. employee owned
Mobile device framework – devices
˃ Encryption
˃ Data transfers (e.g., sending and syncing)
˃ Logical security (e.g., linkage to HR, passwords,
access management)
˃ Physical security
˃ Network architecture (e.g., configuration,
monitoring)
˃ Mobile device management (***more later)
Mobile device framework – devices – audit considerations
˃ Determine the types of mobile devices that are
used to access data, and whether each mobile
device is supported. Assess how mobile devices
are secured to protect data.
˃ Ensure that both organization managed and
personally owned mobile devices that access
confidential or high-risk data are secured with
appropriate security controls.
Building the framework – devices
(Diagram: apps and websites linked to the devices that reach them, phone, tablet, and laptop, filling the DEVICES column.)
Device – audit considerations
from ISACA’s work program
˃ 8.1.1 Device Access Restrictions
˃ 8.1.3 Explicit Permission to Wipe Data
˃ 8.1.4 Encryption and Data Protection
˃ 8.1.5 Remote Access
˃ 8.2.1 Network Access
Device – audit considerations
from ISACA’s work program
˃ 9.1.1 Mobile Device Management (MDM) is
Deployed
˃ 9.1.2 Central Management of BYOD Devices
˃ 9.1.4 Monitoring of BYOD Usage
˃ 9.1.5 Interfaces to Other Systems
˃ 9.1.6 Remote Management
Mobile device framework – people
˃ People (i.e., employees who process data via
websites and applications through a variety of
devices) require frequent communications and
training on the risks, policies, practices, and tools
for protecting the confidentiality, integrity, and
availability of data.
Mobile device framework – people
˃ Risk assessment
˃ Policies, procedures, standards
˃ Training and awareness programs with
acknowledged roles and responsibilities
˃ Monitoring
Mobile device framework – people – audit considerations
˃ Determine if an overarching mobile device security
policy exists.
˃ Assess existing policies and procedures that guide
the procurement, use, support, and management of
mobile devices.
˃ Determine who uses mobile devices to access
data, and who supports and manages those mobile
devices that access data.
Mobile device framework – people – audit considerations
˃ Advise departments on creating supplementary
mobile device security practices as needed.
˃ Assess formalized training and awareness
programs that inform mobile device users of the
risks involved and their personal responsibilities
when accessing information.
˃ Are employees OK with you wiping their device?
˃ What happens to personal data on the device?
Mobile device framework – people – audit considerations
˃ Labor laws (Exempt vs. Non-exempt, union)
˃ Employment contracts
˃ OSHA
˃ Tax laws (reimbursements for devices, services)
˃ Export control laws (travel)
˃ Record management laws
˃ Fair Credit Reporting Act
˃ Local jurisdiction laws (of employee’s residence)
Mobile device framework – people – employee agreement
˃ Eligibility
˃ Applicable company policies
˃ Data storage and backup
˃ Data and device management
˃ Legal hold notice
˃ Hardware support (theft, loss, damage)
˃ Software support
˃ Travel and physical security
Mobile device framework – people – employee training
˃ Define BYOD/MDM for your organization
˃ Onboarding device process
˃ Roles/responsibilities
˃ Expense reimbursements/stipends
˃ Security policies
˃ Data ownership policies
˃ Practical app use with organization data
˃ Tech support
From Techrepublic.com
Building the framework – people
(Diagram: the PEOPLE column added, with policy, agreement, practices, procedures, and risk assessment tied to the data tiers, apps, and devices.)
People – audit considerations
from ISACA’s work program
˃ 2.1.1 BYOD Initial Risk Assessment
˃ 2.1.2 BYOD Ongoing Risk Assessment
˃ 3.1.1 Employee BYOD Agreement
˃ 3.1.2 Mobile Acceptable Use Policy (MAUP)
˃ 3.1.3 Human Resources (HR) Support for BYOD
˃ 3.1.4 Contractors
˃ 3.2.1 Exemptions from BYOD policies
People – audit considerations
from ISACA’s work program
˃ 4.1.1 Legal Involvement in BYOD Policies and
Procedures
˃ 4.1.2 Legal Hold
˃ 5.1.1 Help Desk
˃ 6.1.1 Policy Approval
˃ 6.1.2 Monitoring BYOD Execution
˃ 7.1.1 Initial Training
˃ 7.1.2 Security and Awareness Training
What is mobile device management?
˃ Process for managing mobile devices, including
policies, procedures, training, and systems
and
˃ Industry term for software tools used to centrally
administer mobile devices, specifically for security
purposes
Types of mobile device management
processes (Gartner)
˃ Control-oriented
˃ Choice-oriented
˃ Innovation-oriented
˃ Hands-off
What do MDM tools do? (Gartner)
˃ Software management
˃ Network service management
˃ Hardware management
˃ Security management
**Focus of these tools is phones and tablets; some
support laptops, but other device types are not
typically supported
MDM tools market (Gartner)
˃ MDM tools market estimated $784 million market
˃ About 128 or more firms in the market
˃ MDM tools projected to be $1.6-billion market by
2014
˃ Market penetration estimated at less than 30
percent
MDM tools prices (Gartner)
˃ Three years ago = $60 to $150 per device
˃ Today = under $30 per device
˃ Traditional endpoint protection = $10 to $15 per
seat
Mobile device management and the framework
˃ Cuts across all four parts of the framework
˃ Data – some ability to restrict access
˃ Websites & apps – blacklisting, whitelisting,
deployment
˃ Devices – implement system controls
˃ People – use of MDM must align with policies
(especially HR and legal areas)
Key features of MDM tools
˃ Centralize device management through policy and
configuration management
˃ Control both corporate owned and personally
owned devices
˃ SaaS and on-premises delivery models
Key features of MDM tools
˃ Still require thorough testing:
˃ Connectivity
˃ Protection
˃ Authentication
˃ Application functionality
˃ Logging
˃ Performance management
Two main flavors of MDM tools
˃ Messaging server based (e.g., Microsoft Exchange)
˃ Limited control enforcement
˃ Limited support for devices
˃ Third party provided (e.g., Airwatch, Mobileiron,
Good)
˃ Additional costs and licenses required
˃ Another application to support and manage
When would you use MDM?
˃ BYOD
˃ Data encryption
˃ Multiple device operating systems
˃ Security breach impact
˃ Existing end point tools don’t work for mobile
devices
MDM – audit considerations
from ISACA’s work program (9.1.2)
˃ A secure portal for BYOD users to enroll and
provision their devices
˃ Centralized security policy enforcement
˃ Remotely lock and wipe data and installed apps
˃ Inventory devices, operating systems (OSs), patch
levels, organization and third-party apps, and
revision levels
˃ Distribution whitelists and blacklists
MDM – audit considerations
from ISACA’s work program
˃ Permission-based access controls for access to the
organization’s networks and data
˃ Selective wipe and privacy policies for organization
apps and data, i.e., sandboxing
˃ Distribution and management of digital certificates
(to encrypt and digitally sign emails and sensitive
documents)
˃ Role-based access groups with fine-grained access
control policies and enforcement
˃ Over-the-air (OTA) distribution of software (apps,
patches, updates) and policy changes
MDM – audit considerations
from ISACA’s work program
˃ Postpone automatic updates from Internet service
providers (ISPs), e.g., in cases where an automatic
OS update may cause critical apps to fail
˃ Secure logs and audit trails of all sensitive BYOD
activities
˃ Capability to locate and map lost phones for
recovery
˃ Backup and restore BYOD device data
˃ Remove or install profiles based on geographic
location, to ensure compliance with relevant foreign
legislation, e.g., data privacy and security
MDM – audit considerations
from ISACA’s work program
˃ When BYOD devices attempt to connect to the
organization’s networks, the MDM system
automatically checks:
˃ Patch levels for OSs and apps
˃ Required security software is active and current, i.e.,
antivirus, firewall, full-disk encryption, etc.
˃ Device is not jailbroken (Apple) or rooted (Android)
˃ Presence of unapproved devices (if any)
˃ Presence of blacklisted apps
˃ If any of the above login checks fail, the MDM can
automatically update the device concerned (e.g.,
patch levels) or disallow access.
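The connection-time checks above are a posture evaluation the MDM performs before it grants network access. The Python below is an added example, not code from these slides, from the ISACA work program, or from any MDM product: it models those checks over a small constructed device inventory and returns allow, remediate, or deny per device, separating findings the MDM can fix over the air (patch level, encryption, security software) from findings it cannot fix remotely (device not enrolled, jailbroken or rooted, blacklisted apps on a personally owned device). The device fields, policy values, platform names, and app identifiers are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # every check passed
    REMEDIATE = "remediate"  # failures the MDM can fix over the air, then re-check
    DENY = "deny"            # failures the MDM cannot fix remotely: block access


@dataclass(frozen=True)
class Device:
    """Device record as an MDM inventory might hold it (fields are assumptions)."""
    device_id: str
    platform: str          # "ios" or "android"
    os_version: tuple      # e.g. (7, 1, 2)
    enrolled: bool         # present in the MDM inventory
    compromised: bool      # jailbroken (Apple) or rooted (Android)
    encrypted: bool        # device encryption active
    av_current: bool       # required security software installed and up to date
    apps: frozenset        # installed app identifiers


@dataclass
class Policy:
    min_os_version: dict          # platform -> minimum acceptable version tuple
    blacklisted_apps: frozenset   # app identifiers the organization prohibits


def _fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def check_posture(device: Device, policy: Policy) -> tuple[Decision, list[str]]:
    """Apply the connection-time checks and return a decision plus the findings."""
    deny: list[str] = []
    fix: list[str] = []

    # Conditions the MDM cannot repair remotely. On a personally owned device it
    # also cannot uninstall the user's own apps, so a blacklisted app is a deny.
    if not device.enrolled:
        deny.append("unapproved device: not enrolled in MDM")
    if device.compromised:
        deny.append("device is jailbroken/rooted")
    banned = sorted(device.apps & policy.blacklisted_apps)
    if banned:
        deny.append("blacklisted apps installed: " + ", ".join(banned))

    # Conditions the MDM can repair over the air (push an update or a profile).
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        deny.append(f"unsupported platform: {device.platform}")
    elif device.os_version < minimum:
        fix.append(f"OS {_fmt(device.os_version)} below minimum {_fmt(minimum)}")
    if not device.encrypted:
        fix.append("device encryption not enabled")
    if not device.av_current:
        fix.append("required security software missing or out of date")

    if deny:
        return Decision.DENY, deny + fix
    if fix:
        return Decision.REMEDIATE, fix
    return Decision.ALLOW, []


def evaluate_fleet(fleet: list[Device], policy: Policy) -> dict[str, tuple[Decision, list[str]]]:
    """Decision per device id, as the MDM would produce at connection time."""
    return {d.device_id: check_posture(d, policy) for d in fleet}


# Constructed policy and inventory for illustration; not real devices or products.
POLICY = Policy(
    min_os_version={"ios": (7, 0, 0), "android": (4, 4, 0)},
    blacklisted_apps=frozenset({"com.example.filesharer", "com.example.tether"}),
)
FLEET = [
    Device("phone-001", "ios", (7, 1, 2), True, False, True, True, frozenset({"com.example.mail"})),
    Device("phone-002", "android", (4, 1, 2), True, False, False, True, frozenset()),
    Device("tablet-003", "ios", (7, 1, 0), True, True, True, True, frozenset()),
    Device("phone-004", "android", (4, 4, 2), False, False, True, True, frozenset({"com.example.filesharer"})),
]

if __name__ == "__main__":
    for device_id, (decision, findings) in evaluate_fleet(FLEET, POLICY).items():
        print(f"{device_id}: {decision.value}")
        for finding in findings:
            print(f"  - {finding}")
```

The split between deny and remediate is the audit point: an auditor should confirm that the MDM only auto-remediates conditions it can actually verify afterwards, and that anything it cannot verify (enrollment, integrity of the OS) results in a denial rather than a silent allow.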
MDM – audit considerations
from ISACA’s work program
˃ Don’t forget to secure the MDM system itself
˃ 9.2.1 MDM Application Security
Building the framework – complete
(Diagram: the full grid, DATA tiers, WEB & APPS, DEVICES, and PEOPLE, with MDM overlaid across the framework.)
Major security concerns (NIST) – mapped to framework area
(Table: each concern below is marked against the framework areas it touches, Data, Websites & Apps, Devices, People; the individual markings are not recoverable.)
˃ Physical security controls
˃ Untrusted mobile devices
˃ Untrusted networks
˃ Untrusted apps
˃ Interaction with other systems
˃ Untrusted content
˃ Location services
Examples of environments
Example – no BYOD
(Diagram: data – HR, financial, customer, other, classified confidential through public; web & apps – HR, IF, CRM, web, email; devices – phone, tablet, laptop; people – policy, agreement, practices, procedures, training, risk assessment; MDM as process and technology spans the devices.)
Example – mixed devices, controls by type
(Diagram: data – customer, employee, trade secrets, HR/FIN, marketing, classified confidential through public; web & apps – CRM, custom built, ops, email, web; devices – phones and tablets under MDM technology controls, plus laptop and tablet; people – practices, policy, agreement, training, procedures, risk assessment.)
Example – owned & BYOD with controls
(Diagram: data – customer, HR, employee, FIN, other, classified confidential through public; web & apps – document management, email; devices split into OWNED (phone, tablet) and BYOD (phone, tablet), each under MDM technology controls; people – policy, practices, agreement, procedures, training, risk assessment.)
Resources
Resources
˃ BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results, January 2012
˃ Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012
˃ Gartner, Magic Quadrant for Mobile Device Management, May 2012
˃ Gartner, Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles, November 2011
˃ National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise, July 2012
˃ National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011
˃ ISACA, BYOD audit/assurance program, www.isaca.org/auditprograms
˃ ISACA, Securing mobile devices using COBIT® 5 for information security, www.isaca.org/Securing-Mobile-Devices