Effective Security Policies for a BYOD Environment
A Presentation to Industry Colleagues
Delivered on Wednesday, October 31, 2012 in Scottsdale, AZ
Harry Contreras, CISSP – Information Security Policy Manager
H. Contreras - CISSP Presentation - Slide 2 © COMPANY NAME
Presentation Key Points
Mobility issues facing businesses today
Addressing risk and liability issues through policy
Writing effective mobile security policies
Policy re-use: What can remote access teach us about mobile issues?
Policy program challenges and solutions
Sign-off and delivery of policies
Policy enforcement and updating
Q & A
References and Resources following
Slide 3 – Addressing risk and liability issues through policy
Address company risks through policy for newer mobility technologies introduced by consumer owned and managed platforms.
Your goal –
A mobility BYOD policy that negotiates the risk landscape obstacles.
Slide 4 – Addressing risk and liability issues through policy
What’s that? You said you addressed this before…
Enter the “BYOD” mobility model
Reflection point –
A newer mobility approach that introduces consumer owned and managed platforms.
Risk and liability remain with the company regardless of the mobility approach.
Only now, these are not Company assets to control…
Slide 5 – Addressing risk and liability issues through policy
What is policy?
Company/business position statements
Declaration of expected behaviors for business operations and employees to follow
Effectiveness of policy is based on its integration into the Company culture and on clearly identified enforcement outcomes that are visible to employees.
Key point here is “visible” enforcement.
Without consequence there is no behavior modification.
Slide 6 – Addressing risk and liability issues through policy
There is a hierarchy of policy for Companies to address:
Internal – Company derived
External – Regulatory/legislated; Industry based
Company internal and external issues go together, not “vs.”
Both are influencing factors to address
Slide 7 – Addressing risk & liability issues through policy
Regulatory “entanglements”
Personal, Health and Card Holder privacy regulations
SEC regulation
Rule 26 / e-Discovery
IRS regulation and use reporting requirements
Forensics and investigations
Company and operations specific issues
Company contractual obligations
Business “verticals” – e.g. Health, government, industry
Global operation and regional regulatory issues
Slide 8 – Addressing risk and liability issues through policy
… we are only porting Company email to our users’ personal devices…
Why all this concern?
- Liability and Risk -
Will the Company information remain captive on these devices?
Do employees “conduct business” on their personal devices?
Now that you have commingled Company information, the liability and risk issues are compounded.
Slide 9 – Addressing risk and liability issues through policy
Remember… You don’t own it!
- Audit Question? -
“You put the Company data where?”
Secured by how and by whom?
Now that you have commingled Company information, the liability and risk issues are compounded…
You know that auditors will inspect, document and report.
(That is their mission.)
Slide 10 – Addressing risk and liability issues through policy
Communicating policy and expected behaviors -
Employees are introduced to Company policy at time of hire and continually reminded of the expectations stated in legacy and newly introduced policies.
Key point here is the continual reminder of compliance with the operational and behavioral expectations in stated policies.
Are your Company policies out in front of the risk and liability issues?
This is a critical factor in introducing BYOD policies to a Company today.
Slide 11 – Addressing risk and liability issues through policy
Addressing policy effectiveness
Assimilate with existing Company policies for compliance
Implementation of an employee signed “Opt-In” Agreement to participate in a BYOD Mobility program
Consult with Legal and Human Resources
Corporate governance must endorse
These are critical factors in introducing BYOD policies to a Company.
Slide 12 – Addressing risk and liability issues through policy
Slide 13 – Writing effective mobile security policies
Policy in this specific technology space –
Must be clear, concise and definitive
Not effective if subject to differing interpretations
Does not conflict with precedent Company policies
What is required in policy statements for BYOD –
Statements of behavioral expectations
Declaration of implemented enforcement controls
Slide 14 – Writing effective mobile security policies
Policy abstract – types of policy
Behavioral – Voluntary participation or consensual
Some examples – Agreements, “Opt-In”
Control enforcement declaration
Automated management and enforcement systems
Logical event or condition based actions
- MDM systems
- New or existing control systems
Slide 15 – Writing effective mobile security policies
Policy examples of other Company compensating controls – (Legal) binding agreements
Non-Compete Agreements
Non-Disclosure Agreements (NDA)
Some other example instruments
Intellectual property agreements
Slide 16 – Writing effective mobile security policies
Policy in this specific technology space –
Must be clear, concise and definitive
Some example written statements contain -
Do, do not, will, must, always …
Is enforced…
In the event of…
Will be subject to…
Slide 17 – Writing effective mobile security policies
Slide 18 – Writing effective mobile security policies: What’s that? You said you addressed this before…
The “BYOD” mobility model is an entirely different technology problem and risk acceptance model
Critical success point –
Signed “Opt-In Acknowledgement” for program participation
Addresses the introduction of consumer owned and managed platforms, as these are not Company assets to control
Slide 19 – Writing effective mobile security policies: What’s in that “Opt-In” agreement?
Policy objective – acknowledgement of implemented Company controls and behavioral expectations when an “event” condition occurs regarding personal information and physical access to the personal device brought into the program. Clearly delineates agreement violation consequences.
Critical success point – Ask counsel…
Is it defensible?
Even with an “Opt-In” you have a two-legged stool.
Slide 20 – Writing effective mobile security policies: Some example provisions in an “Opt-In” agreement
Signed acknowledgement and consent to adhere to the usage provisions stated therein
Consent to the implementation of the Company security controls applied to the device, and a restriction on modifying these controls
Consent to surrender the device for Company forensic investigation and/or e-Discovery when requested
Consent to surrender the associated mobile device phone number if requested by the Company
Clearly delineated agreement violation consequences
Slide 21 – Writing effective mobile security policies
Addressing the introduction of consumer owned and basically unmanaged platforms into Company networks and services
What are some issues –
Commingled personal and Company information
Are Company resources and services being “misappropriated”?
Are activities “auditable” and do they have accountability?
Note: user devices will be audited.
Consumer use mentality is an “insider threat” reality.
Slide 22 – Policy re-use: What can remote access teach us about mobile issues?
Addressed remote access services before…
What’s different?
Less control and more risk in connecting platforms of questionable integrity to Company platforms and services
Extending what are basically remote access services to platforms not Company owned
Exact parallel to connecting “third-party” systems
Same trust and control issues as the third-party risk model
Slide 23 – Policy program challenges and solutions: Traditional policy driven controls for Company platforms
Slide 24 – Policy program challenges and solutions: What’s different from the traditional approach?
It is not a Company owned asset (third-party asset)
What is viable, supportable and allowable to implement on employee owned assets?
Will it be rejected as “intrusive” or “invading” technology?
User presence, geo-locating, web content filtering
Services utilization reporting
Remote control and data erasure actions
Company requested surrender of personal device
Slide 25 – Policy program challenges and solutions: Security will be a paramount issue
Mobile platforms represent the next and largest attack surface facing consumers and businesses
Asset loss – you already know the consumer track record in this space
Can the required support and security control expenses be met?
Will users accept application white-listing?
New and more aggressive mobile device exploits are on the way
Slide 26 – Policy program challenges and solutions: Integrating “BYOD policy” into automated controls (MDM)
Slide 27 – Policy program challenges and solutions: What are we up against with Mobility BYOD policy?
Lack of the following -
Command, Control, Contain
Even the “maintain” aspects for assets are out of reach.
And hopefully we do not have to…
Explain – data losses and escapes due to platform compromises outside of the policy control set.
Consideration – Your “walled garden” has a backdoor...
Slide 28 – Sign-off and delivery of policies
Recommendations and critical delivery actions
Conduct “walk-through” exercises for policy and controls elements
Conduct “table-top” exercises of BYOD “incidents”
Validation activity
Testing of support services
Policy is vetted and endorsed
Mobility program is amended to include BYOD services
Availability of BYOD services is communicated
Slide 29 – Policy enforcement and updating: Recommendations and critical delivery actions
Policy enforcement actions clearly visible
Findings of abuse and negligent activity, and their consequences, communicated in the Company newsletter
Policy maintenance is a joint activity by all Corporate functional stakeholders supporting risk and compliance concerns
Legal, Human Resources, Compliance, Business and IT Leadership all have a vested interest
Policy remains vetted, endorsed and “in place”
Slide 30 – Summary
Reality check –
BYOD – it is not “if we build it they will come”
Policy exists in two realms:
Behavior modification based on stated directives
Implemented controls automatically enforcing the stated policy directives
Adherence to policy is ___________ (fill in the blank).
Without consequence there is no behavior modification.
Slide 31 – Q & A
Effective Security Policies for a BYOD Environment
- Resources list follows -
Slide 32 – Effective Security Policies for a BYOD Environment: Resources
What Could Go Wrong? – Grant Moerschel, November 7, 2011. Published: informationweek.com
Information Week Reports – 2012 State of Mobile Security – Michael Finnerman, May 11, 2012. Published: reports.informationweek.com
When BYOD Goes Wrong – Darraugh Delaney, July 11, 2012. Published: http://blogs.computerworld.com
For BYOD Best Practices, Secure Data not Devices – Thor Olavsrud, July 17, 2012. Published: www.cio.com.com
Mobile policy resource – Information Security Policies Made Easy: http://www.informationshield.com/ispmemain.htm
Mobile policy resource – Individual Liable User Policy Considerations: http://www1.good.com/mobility-management-solutions
Mobile policy resource – Mobile Policy Sample: http://www.tangoe.com/White-Papers/sample-of-mobile-policy.html
Slide 33 – Effective Security Policies for a BYOD Environment: Resources
Special Webcast: How to Develop a Bring-Your-Own-Device Policy
WHEN: Thursday, November 15, 2012 at 1:00 PM EDT (1700 UTC/GMT). Featuring: Benjamin Wright. https://www.sans.org/webcasts/develop-bring-your-own-device-byod-policy-95564
Abstract -
As mobile devices like tablets, laptops and smartphones have become the typical tools for professionals to do their work, many employers have allowed and even encouraged employees to use their own devices. Some employers today subsidize the cost of mobile devices that employees purchase and then use part time for work. But setting policy on employee-owned devices can be really hard. This webinar will examine case law and policy options related to such topics as security and record retention and destruction. It will offer sample language as a starting place for drafting policy, while explaining the risks and benefits of wording a policy one way or another. Mr. Wright will give practical tips and suggestions on how to develop a policy that everyone in an enterprise can (more or less) live with, while explaining pitfalls and suggestions for employee training and education.