Transcript
Page 1: A framework for auditing mobile devices - Baker · PDF fileA framework for auditing mobile devices . Learning objectives ˃ Understand different approaches for managing mobile devices

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2010 Baker Tilly Virchow Krause, LLP

A framework for auditing mobile devices

Page 2

Learning objectives

˃ Understand different approaches for managing mobile devices including centralized, decentralized, and BYOD management
˃ Identify the impacts of mobile devices at organizations
˃ Critically analyze mobile device risks using a framework focused on people, devices, applications/websites, and data
˃ Define key mobile device controls to incorporate into audit work plans

Page 3

Contents

˃ Define mobile & BYOD
˃ Impacts of mobile devices at organizations
˃ Risks and internal audit considerations
˃ Key mobile device management controls
˃ A framework for mobile device auditing
˃ Examples of environment
˃ Resources

Page 4

Define mobile & BYOD

Page 5

Why do we care?

˃ Mobile is here, no going back to being tethered to a desk
˃ Mobile allows great productivity and flexibility to achieve organizational objectives
˃ Mobile employees are happier (so “they” say)
˃ Mobile can save money (maybe?)

Page 6

Why is mobile the future?

˃ A Cisco study says in 2014 the average number of connected devices per knowledge worker will reach an average of 3.3 devices, up from 2.8 in 2012
˃ Gartner predicts by 2017, half of employers will require employees to supply their own device for work purposes

Page 7

What is a mobile device?

NIST (SP 800-124) – characteristics:
˃ Small form factor
˃ Wireless network interface for internet access
˃ Local built-in (non-removable) data storage
˃ Operating system that is not a full-fledged desktop/laptop operating system
˃ Apps available through multiple methods
˃ Built-in features for synchronizing local data

Page 8

What is a mobile device?

NIST – optional characteristics:
˃ Wireless personal area network interfaces (e.g., Bluetooth, near-field communications)
˃ Cellular network interfaces
˃ GPS
˃ Digital camera
˃ Microphone
˃ Support for removable media
˃ Support for using the device itself as removable storage

Page 9

What is a mobile device?

Any easily portable technology that allows for the storage and transmittal of your organization’s data

Examples:
˃ Phones
˃ Tablets
˃ Laptops
˃ External hard drives (e.g., USB thumb drives)
˃ Cameras (e.g., point and shoot)
˃ Logistics devices (e.g., GPS tracking devices, RFID)
˃ eReaders
˃ Digital music players (e.g., iPods)
˃ Medical devices (e.g., pacemakers)
˃ Smartwatches and glasses

Page 10

What is BYOD?

˃ Bring Your Own Device
˃ Supported by organization systems and applications that allow multiple types of devices to access those services
˃ Powered by the internet

Page 11

BYOD – pros & cons

Pros:
˃ Reduced upfront costs
˃ Employee satisfaction
˃ Potentially greater functionality for users

Cons:
˃ Unmanaged devices with your organization’s data
˃ Mingling of personal and organizational data
˃ Managing legal requirements (e.g., eDiscovery)

Page 12

BYOD in the Enterprise—A Holistic Approach, ISACA JOURNAL, Volume 1, 2013

Page 13

Risks and internal audit considerations

Page 14

Major security concerns (NIST)

˃ Lack of physical security controls
˃ Use of untrusted mobile devices
˃ Use of untrusted networks
˃ Use of apps created by unknown parties
˃ Interaction with other systems
˃ Use of untrusted content
˃ Use of location services

Page 15

What are the mobile device risks?

NIST characteristics – Illustrative risks
˃ Small form factor – Loss or theft of data
˃ Wireless network interface for internet access – Exposure to untrusted and unsecured networks
˃ Local built-in (non-removable) data storage – Loss or theft of data
˃ Operating system that is not a full-fledged desktop/laptop operating system – Reduced technical controls
˃ Apps available through multiple methods – Exposure to untrusted and malicious apps
˃ Built-in features for synchronizing local data – Interactions with other untrusted and unsecured systems

Page 16

What are the mobile device risks?

NIST characteristics – Illustrative risks
˃ Wireless personal area network interfaces (e.g., Bluetooth, near-field communications) – Exposure to untrusted and unsecured networks
˃ Cellular network interfaces – Exposure to untrusted and unsecured networks
˃ GPS – Exposure of private information
˃ Digital camera – Exposure of private information
˃ Microphone – Exposure of private information
˃ Support for removable media – Loss or theft of data
˃ Support for using the device itself as removable storage – Interactions with other untrusted and unsecured systems

Page 17

IA considerations – scoping

Does your organization have a mobile device strategy, including:
˃ Alignment with organizational strategy/objectives
˃ Risk assessment(s) for mobility
˃ Definition of devices
˃ Policies governing the use of devices (with penalties)
˃ Security standards based on data

Page 18

IA considerations – scoping (cont.)

˃ Who owns these devices, organization or employee?
˃ Who is responsible for managing and securing the devices?
˃ Incident response procedures
˃ Antivirus / antimalware software
˃ Who is paying for devices and service plans?
  ˃ Does that change responsibilities?
˃ What are the legal and regulatory requirements for your organization and the jurisdictions you operate in?

Page 19

Identifying owners and stakeholders

˃ Who is your client?
˃ Who are the stakeholders?
  ˃ General Counsel
  ˃ Chief Information Officer
  ˃ Chief Information Security Officer
  ˃ Chief Operations Officer
  ˃ Chief Compliance Officer
  ˃ Chief Privacy Officer
  ˃ Chief Risk Officer
  ˃ Other functions with a stake in privacy and security (e.g., human resources, sales)

Page 20

Understanding the organization

˃ Mission and objectives
˃ Organization and responsibilities
˃ Customers
˃ Types of data
˃ Exchanges of data
  ˃ Interdepartmental
  ˃ Third parties
  ˃ Interstate or international
˃ Data collection, usage, retention, and disclosure
˃ Systems (e.g., websites, apps)

Page 21

Assessing risk

˃ Leveraging management’s risk assessments
˃ Consultation with legal counsel
˃ Regulatory risk
˃ Legal/contractual risk
˃ Industry self-regulatory initiatives
˃ Constituency relations and perceptions
˃ Public relations

Page 22

Where’s the GRC?

Page 23

Old model

˃ Protect everything in my office network with physical and logical controls over access
˃ Then we added laptops and pushed the network out of the office using VPNs
˃ That doesn’t work any more with phones and tablets, especially when they are owned by the employee

Page 24

Framework – benefits

˃ Flexible – audit all at once or in parts
˃ Adaptable – scope it how you want it
˃ Inclusive – make use of other standards/frameworks (e.g., COBIT, ISO 27002, NIST)
˃ ISACA’s Bring Your Own Device (BYOD) Security Audit/Assurance Program

Page 25

Mobile device framework

[Diagram: four quadrants – Data, Websites & Apps, Devices, People]

Page 26

Mobile device framework

˃ Data
˃ Websites & apps
˃ Devices
˃ People

Page 27

Mobile device framework – data

˃ Data (i.e., data generated, accessed, modified, transmitted, stored or used electronically by the organization) is essential to the organization's objectives and requires protection for a variety of reasons, including legal and regulatory requirements.
˃ Examples:
  ˃ Messages (e.g., emails, text messages, instant messages)
  ˃ Voice
  ˃ Pictures
  ˃ Files (e.g., attachments)
  ˃ Hidden (e.g., GPS)

Page 28

Building the framework – data types

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; the DATA quadrant is populated with individual data items]

Page 29

Mobile device framework – data

˃ Classification tiers
˃ Data owners/stewards
˃ Data inventory

Page 30

Mobile device framework – data – audit considerations

˃ Determine the types of data that can be accessed or stored on mobile devices. Assess restrictions in place to safeguard data.
˃ Review the data classification security policy to ensure specificity to the various types of data, based on sensitivity.
˃ Use/create an inventory of data, identify the applications and websites where it can be accessed, and determine who will take ownership of the data moving forward.

Page 31

Mobile device framework – data – audit considerations

˃ Determine if authentication and security requirements or restrictions are or should be established for each data type
˃ Determine if “Legal Hold” requirements are documented and align with data classification and then mobile device security

Page 32

Building the framework – data: classification

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; each data item under DATA is labelled with a classification tier: Confidential, Restricted, Internal Use, Public]

Page 33

Data – audit considerations from ISACA’s work program

˃ 8.1.2 Data Access
˃ 8.1.4 Encryption and Data Protection

Page 34

Mobile device framework – websites & apps

˃ Websites and applications (i.e., tools used to process electronic data) require security controls, regardless of the device used for access, to protect the confidentiality, integrity, and availability of data.

Page 35

Mobile device framework – websites & apps examples

Types, with business and personal examples:
˃ Websites/portals. Business: Outlook web access, Business intranet. Personal: Google, Yahoo, ESPN.
˃ Cloud services. Business: Google services, Salesforce.com, Microsoft Office 365. Personal: Gmail, Flickr, Facebook.
˃ App stores. Business: Apple app store, Google marketplace, Amazon app store, Custom corporate stores. Personal: Apple app store, Google marketplace, Amazon app store.
˃ Custom built apps & sites. Business: Business specific. Personal: Entertainment, Hacking/malicious.
˃ Virtual desktop environments/remote desktop tools: Citrix, VMware, GoToMyPC, VNC.

Page 36

Building the framework – web & apps

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; data items labelled Confidential, Restricted, Internal Use, Public; the WEB & APPS quadrant is populated with App and Web items]

Page 37

Mobile device framework – web/apps – audit considerations

˃ Determine the websites and applications that are used on mobile devices to access data, and determine whether they are approved. Assess how websites and applications are secured to protect data.
˃ Review all applications and websites accessible via mobile devices to ensure they comply with security policies (e.g., encryption requirements, storage restrictions, access permissions).
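The data audit steps on Pages 30 and 31 (inventory, owner, classification tier, where each data type can be reached) and the web/app step above (does each app meet the policy for the data it reaches) can be run as a repeatable test rather than a manual walk-through. The following is an added example, not material from the deck, ISACA's work program or Baker Tilly; the inventory rows, app names, their properties and the per-tier requirement sets are constructed assumptions, while the four tier names are the ones the slides use.

```python
"""Audit checks over a constructed data inventory and app/website register.

Added example, not the deck's or ISACA's material. Inventory rows, app
names and the per-tier requirements are constructed assumptions; the four
classification tiers are the ones named on the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Classification tiers from the slides, most to least sensitive.
TIERS = ("Confidential", "Restricted", "Internal Use", "Public")

# Assumed example policy: properties an app/website must have before data
# of a given tier may be reached through it from a mobile device.
TIER_REQUIREMENTS: Dict[str, Set[str]] = {
    "Confidential": {"approved", "encrypt_in_transit", "encrypt_at_rest", "mfa", "no_local_storage"},
    "Restricted": {"approved", "encrypt_in_transit", "encrypt_at_rest", "mfa"},
    "Internal Use": {"approved", "encrypt_in_transit"},
    "Public": set(),
}


@dataclass(frozen=True)
class App:
    name: str
    approved: bool            # on the organization's approved list
    encrypt_in_transit: bool  # TLS to the service
    encrypt_at_rest: bool     # service-side storage encrypted
    mfa: bool                 # second factor enforced at login
    local_storage: bool       # caches organization data on the device

    def properties(self) -> Set[str]:
        props = {flag for flag in ("approved", "encrypt_in_transit", "encrypt_at_rest", "mfa")
                 if getattr(self, flag)}
        if not self.local_storage:
            props.add("no_local_storage")
        return props


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: Optional[str]
    owner: Optional[str]      # data owner/steward
    accessed_via: List[str]   # app/website names through which it is reachable


def inventory_gaps(inventory: List[DataItem]) -> List[str]:
    """Inventory checks: every data type has an owner, a tier, and a known access path."""
    findings = []
    for item in inventory:
        if not item.owner:
            findings.append(f"{item.name}: no data owner/steward assigned")
        if item.classification not in TIERS:
            findings.append(f"{item.name}: missing or unknown classification {item.classification!r}")
        if not item.accessed_via:
            findings.append(f"{item.name}: no app/website recorded, access path unknown")
    return findings


def app_policy_violations(inventory: List[DataItem], apps: List[App]) -> List[str]:
    """Web/app check: each app reaching a data type meets that tier's requirements."""
    registry = {app.name: app for app in apps}
    findings = []
    for item in inventory:
        required = TIER_REQUIREMENTS.get(item.classification)
        if required is None:
            continue  # unclassified items are already reported by inventory_gaps()
        for app_name in item.accessed_via:
            app = registry.get(app_name)
            if app is None:
                findings.append(f"{item.name}: accessed via unregistered app {app_name!r}")
                continue
            missing = sorted(required - app.properties())
            if missing:
                findings.append(f"{item.name} ({item.classification}) via {app.name}: "
                                f"missing {', '.join(missing)}")
    return findings


# Constructed app/website register (SalesCRM and PersonalMailSync are hypothetical).
APPS = [
    App("Outlook Web Access", True, True, True, True, False),
    App("Business intranet", True, True, False, False, False),
    App("SalesCRM", True, True, False, True, True),
    App("PersonalMailSync", False, True, False, False, True),
]

# Constructed data inventory.
INVENTORY = [
    DataItem("Customer contracts", "Confidential", "Legal", ["Outlook Web Access", "SalesCRM"]),
    DataItem("Sales pipeline", "Restricted", "Sales", ["SalesCRM"]),
    DataItem("Cafeteria menu", "Public", "Facilities", ["Business intranet"]),
    DataItem("Payroll export", None, None, ["PersonalMailSync"]),
]

if __name__ == "__main__":
    for finding in inventory_gaps(INVENTORY) + app_policy_violations(INVENTORY, APPS):
        print(finding)
```

On the constructed input the inventory check flags only the unowned, unclassified payroll export, and the policy check flags SalesCRM twice: it caches data locally and lacks at-rest encryption, which the assumed Confidential tier forbids, and the at-rest gap alone is enough to fail the Restricted tier. Replacing the two lists with an export from the organization's real inventory and app register turns the slide's audit steps into a test that can be re-run each cycle.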

Page 38

Building the framework – web & apps

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; data items labelled Confidential, Restricted, Internal Use, Public; App and Web items under WEB & APPS]

Page 39

Web/App – audit considerations from ISACA’s work program

˃ 8.1.6 Malware Protection
˃ 9.1.3 Secure Software Distribution

Page 40

Mobile device framework – devices

˃ Devices (i.e., hardware used to access websites and applications for data processing) require an increasing variety of security controls due to the increased mobility, choice, functionality, and replacement of these products.

Page 41

Mobile device framework – devices

˃ Managed vs. unmanaged
˃ Business vs. employee owned

Page 42

Mobile device framework – devices

˃ Encryption
˃ Data transfers (e.g., sending and syncing)
˃ Logical security (e.g., linkage to HR, passwords, access management)
˃ Physical security
˃ Network architecture (e.g., configuration, monitoring)
˃ Mobile device management (***more later)

Page 43

Mobile device framework – devices – audit considerations

˃ Determine the types of mobile devices that are used to access data, and whether each mobile device is supported. Assess how mobile devices are secured to protect data.
˃ Ensure that both organization-managed and personally owned mobile devices that access confidential or high-risk data are secured with appropriate security controls.

Page 44

Building the framework – devices

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; data items labelled Confidential, Restricted, Internal Use, Public; App and Web items under WEB & APPS; Phone, Tablet, Laptop under DEVICES]

Page 45

Device – audit considerations from ISACA’s work program

˃ 8.1.1 Device Access Restrictions
˃ 8.1.3 Explicit Permission to Wipe Data
˃ 8.1.4 Encryption and Data Protection
˃ 8.1.5 Remote Access
˃ 8.2.1 Network Access

Page 46

Device – audit considerations from ISACA’s work program

˃ 9.1.1 Mobile Device Management (MDM) is Deployed
˃ 9.1.2 Central Management of BYOD Devices
˃ 9.1.4 Monitoring of BYOD Usage
˃ 9.1.5 Interfaces to Other Systems
˃ 9.1.6 Remote Management

Page 47

Mobile device framework – people

˃ People (i.e., employees who process data via websites and applications through a variety of devices) require frequent communication and training on the risks, policies, practices, and tools for protecting the confidentiality, integrity, and availability of data.

Page 48

Mobile device framework – people

˃ Risk assessment
˃ Policies, procedures, standards
˃ Training and awareness programs with acknowledged roles and responsibilities
˃ Monitoring

Page 49

Mobile device framework – people – audit considerations

˃ Determine if an overarching mobile device security policy exists.
˃ Assess existing policies and procedures that guide the procurement, use, support, and management of mobile devices.
˃ Determine who uses mobile devices to access data, and who supports and manages those mobile devices that access data.

Page 50

Mobile device framework – people – audit considerations

˃ Advise departments on creating supplementary mobile device security practices as needed.
˃ Assess formalized training and awareness programs that inform mobile device users of the risks involved and their personal responsibilities when accessing information.
˃ Are employees OK with you wiping their device?
˃ What happens to personal data on the device?

Page 51

Mobile device framework – people – audit considerations

˃ Labor laws (Exempt vs. Non-exempt, union)
˃ Employment contracts
˃ OSHA
˃ Tax laws (reimbursements for devices, services)
˃ Export control laws (travel)
˃ Record management laws
˃ Fair Credit Reporting Act
˃ Local jurisdiction laws (of employee’s residence)

Page 52

Mobile device framework – people – employee agreement

˃ Eligibility
˃ Applicable company policies
˃ Data storage and backup
˃ Data and device management
˃ Legal hold notice
˃ Hardware support (theft, loss, damage)
˃ Software support
˃ Travel and physical security

Page 53

Mobile device framework – people – employee training

˃ Define BYOD/MDM for your organization
˃ Onboarding device process
˃ Roles/responsibilities
˃ Expense reimbursements/stipends
˃ Security policies
˃ Data ownership policies
˃ Practical app use with organization data
˃ Tech support

From Techrepublic.com

Page 54

Building the framework – people

[Diagram: framework quadrants DATA, WEB & APPS, PEOPLE, DEVICES; data items labelled Confidential, Restricted, Internal Use, Public; App and Web items under WEB & APPS; Policy, Agreement, Procedures, Practices, Risk Assessment under PEOPLE; Phone, Tablet, Laptop under DEVICES]

Page 55

People – audit considerations from ISACA’s work program

˃ 2.1.1 BYOD Initial Risk Assessment
˃ 2.1.2 BYOD Ongoing Risk Assessment
˃ 3.1.1 Employee BYOD Agreement
˃ 3.1.2 Mobile Acceptable Use Policy (MAUP)
˃ 3.1.3 Human Resources (HR) Support for BYOD
˃ 3.1.4 Contractors
˃ 3.2.1 Exemptions from BYOD policies

Page 56

People – audit considerations from ISACA’s work program

˃ 4.1.1 Legal Involvement in BYOD Policies and Procedures
˃ 4.1.2 Legal Hold
˃ 5.1.1 Help Desk
˃ 6.1.1 Policy Approval
˃ 6.1.2 Monitoring BYOD Execution
˃ 7.1.1 Initial Training
˃ 7.1.2 Security and Awareness Training

Page 57

What is mobile device management?

˃ Process for managing mobile devices, including policies, procedures, training, and systems
and
˃ Industry term for software tools used to centrally administer mobile devices, specifically for security purposes

Page 58

Types of mobile device management processes (Gartner)

˃ Control-oriented
˃ Choice-oriented
˃ Innovation-oriented
˃ Hands-off

Page 59

What do MDM tools do? (Gartner)

˃ Software management
˃ Network service management
˃ Hardware management
˃ Security management

**Focus of these tools is phones and tablets; some support laptops, but other device types are not typically supported

Page 60

MDM tools market (Gartner)

˃ MDM tools market estimated $784 million market
˃ About 128 or more firms in the market
˃ MDM tools projected to be $1.6-billion market by 2014
˃ Market penetration estimated at less than 30 percent

Page 61

MDM tools prices (Gartner)

˃ Three years ago = $60 to $150 per device
˃ Today = under $30 per device
˃ Traditional endpoint protection = $10 to $15 per seat

Page 62

Mobile device management and the framework

˃ Cuts across all four parts of the framework
˃ Data – some ability to restrict access
˃ Websites & apps – blacklisting, whitelisting, deployment
˃ Devices – implement system controls
˃ People – use of MDM must align with policies (especially HR and legal areas)

Page 63

Key features of MDM tools

˃ Centralize device management through policy and configuration management
˃ Control both corporate owned and personally owned devices
˃ SaaS and on-premises delivery models

Page 64

Key features of MDM tools

˃ Still require thorough testing:
  ˃ Connectivity
  ˃ Protection
  ˃ Authentication
  ˃ Application functionality
  ˃ Logging
  ˃ Performance management

Page 65

Two main flavors of MDM tools

˃ Messaging server based (e.g., Microsoft Exchange)
  ˃ Limited control enforcement
  ˃ Limited support for devices
˃ Third party provided (e.g., Airwatch, Mobileiron, Good)
  ˃ Additional costs and licenses required
  ˃ Another application to support and manage

Page 66

When would you use MDM?

˃ BYOD
˃ Data encryption
˃ Multiple device operating systems
˃ Security breach impact
˃ Existing end point tools don’t work for mobile devices

Page 67

MDM – audit considerations from ISACA’s work program (9.1.2)

˃ A secure portal for BYOD users to enroll and provision their devices
˃ Centralized security policy enforcement
˃ Remotely lock and wipe data and installed apps
˃ Inventory devices, operating systems (OSs), patch levels, organization and third-party apps, and revision levels
˃ Distribution whitelists and blacklists

Page 68

MDM – audit considerations from ISACA’s work program

˃ Permission-based access controls for access to the organization’s networks and data
˃ Selective wipe and privacy policies for organization apps and data, i.e., sandboxing
˃ Distribution and management of digital certificates (to encrypt and digitally sign emails and sensitive documents)
˃ Role-based access groups with fine-grained access control policies and enforcement
˃ Over-the-air (OTA) distribution of software (apps, patches, updates) and policy changes

Page 69

MDM – audit considerations

from ISACA’s work program

˃ Postpone automatic updates from Internet service providers (ISPs), e.g., in cases where an automatic OS update may cause critical apps to fail

˃ Secure logs and audit trails of all sensitive BYOD activities

˃ Capability to locate and map lost phones for recovery

˃ Backup and restore BYOD device data

˃ Remove or install profiles based on geographic location, to ensure compliance with relevant foreign legislation, e.g., data privacy and security

Page 70

MDM – audit considerations

from ISACA’s work program

˃ When BYOD devices attempt to connect to the organization’s networks, the MDM system automatically checks:

  ˃ Patch levels for OSs and apps

  ˃ Required security software is active and current, i.e., antivirus, firewall, full-disk encryption, etc.

  ˃ Device is not jailbroken (Apple) or rooted (Android)

  ˃ Presence of unapproved devices (if any)

  ˃ Presence of blacklisted apps

˃ If any of the above login checks fail, the MDM can automatically update the device concerned (e.g., patch levels) or disallow access.
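An added example, not from the Baker Tilly deck or ISACA's work program: a small Python policy check that mirrors the connection-time checks listed above, using the inventory fields (OS, patch level, apps) from the earlier slide. The policy values, device records, security-software names and the "YYYY-MM" patch-level format are all constructed for illustration.

```python
"""Connection-time MDM compliance check (added example; constructed policy and data)."""
from dataclasses import dataclass

# Constructed policy: minimum OS patch level per platform, mandatory security
# software, and the blacklisted app list an MDM would distribute.
POLICY = {
    "min_os_patch": {"ios": "2012-09", "android": "2012-08"},
    "required_software": {"antivirus", "firewall", "full-disk-encryption"},
    "blacklisted_apps": {"unapproved.filesharer"},
}

@dataclass
class Device:
    device_id: str
    platform: str              # "ios" or "android"
    os_patch: str              # constructed "YYYY-MM" patch level, compares lexically
    active_software: set       # security software reported active and current
    apps: set                  # installed app identifiers from the inventory
    jailbroken_or_rooted: bool
    enrolled: bool = True      # False = device is not in the MDM inventory (unapproved)

def evaluate(dev, policy=POLICY):
    """Return (decision, reasons): 'allow', 'remediate' (MDM can fix, e.g. push a
    patch) or 'deny' (condition the MDM cannot safely fix at login time)."""
    remediable, fatal = [], []
    if not dev.enrolled:
        fatal.append("unapproved device")
    if dev.jailbroken_or_rooted:
        fatal.append("device is jailbroken/rooted")
    blacklisted = dev.apps & policy["blacklisted_apps"]
    if blacklisted:
        fatal.append("blacklisted apps: " + ", ".join(sorted(blacklisted)))
    min_patch = policy["min_os_patch"].get(dev.platform)
    if min_patch is None:
        fatal.append("unsupported platform: " + dev.platform)
    elif dev.os_patch < min_patch:
        remediable.append("OS patch level below minimum")   # MDM can push the update
    missing = policy["required_software"] - dev.active_software
    if missing:
        remediable.append("inactive security software: " + ", ".join(sorted(missing)))
    if fatal:
        return "deny", fatal + remediable
    if remediable:
        return "remediate", remediable
    return "allow", []

if __name__ == "__main__":
    d = Device("tab-01", "android", "2012-06", {"antivirus", "firewall"}, {"mail"}, False)
    print(evaluate(d))
```

The split between "remediate" and "deny" is the audit point: a failed check should map to a documented action, and the reasons list is what belongs in the MDM's audit trail.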

Page 71

MDM – audit considerations

from ISACA’s work program

˃ Don’t forget to secure the MDM system itself

  ˃ 9.2.1 MDM Application Security

Page 72

Building the framework – complete

[Framework diagram: four areas, PEOPLE (Policy, Agreement, Procedures, Practices, Risk Assessment), DEVICES (Phone, Tablet, Laptop), WEB & APPS (App, Web), and DATA classified as Confidential, Restricted, Internal Use, Public; MDM and Practices are shown as the control layers over the stack]

Page 73

Major security concerns (NIST) – mapped to framework area

Security Concern (framework areas: Data, Websites & Apps, Devices, People)

Physical security controls X X

Untrusted mobile devices X X

Untrusted networks X X

Untrusted apps X X X

Interaction with other systems X X X X

Untrusted content X X X

Location services X X X X

Page 74


Examples of environments


Page 75

Example – no BYOD

[Framework diagram: DATA (HR, IF, Customer, Other) classified Confidential, Restricted, Internal Use, Public; WEB & APPS (HR, Financial, CRM, Web, Email); PEOPLE (Policy, Agreement, Procedures, Training, Risk Assessment); DEVICES (Phone, Tablet, Laptop); controls shown as MDM - Process & Technology and Practices]

Page 76

Example – mixed devices, controls by type

[Framework diagram: DATA (Customer, Employee, Trade Secrets, Marketing); WEB & APPS (CRM, Custom Built Ops, HR/FIN, Web, Email); PEOPLE (Policy, Agreement, Procedures, Training, Risk Assessment); DEVICES in two groups, Phone/Tablet/Laptop under MDM - Tech and Phone/Tablet under Practices; data classifications (Confidential, Restricted, Internal Use, Public) shown per device group]

Page 77

Example – owned & BYOD with controls

[Framework diagram: DEVICES split into OWNED (Phone, Tablet) under MDM - Tech and BYOD (Phone, Tablet) under Practices; DATA (Customer, Employee, Other); WEB & APPS (HR, FIN, Document Management, Email); PEOPLE (Policy, Agreement, Procedures, Training, Risk Assessment); data classifications Confidential, Restricted, Public shown per device group]

Page 78


Resources


Page 79

Resources

˃ BankInfoSecurity, BYOD: Get Ahead of the Risk, Intel CISO: Policy, Accountability Created Positive Results, January 2012

˃ Digital Services Advisory Group and Federal Chief Information Officers Council, Bring Your Own Device, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, August 2012

˃ Gartner, Magic Quadrant for Mobile Device Management, May 2012

˃ Gartner, Gartner Says Consumerization Will Drive At Least Four Mobile Management Styles, November 2011

Page 80

Resources

˃ National Institute of Standards and Technology, Special Publication 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise, July 2012

˃ National Institute of Standards and Technology, Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011

Page 81

Resources

˃ BYOD audit/assurance program

  ˃ www.isaca.org/auditprograms

˃ Securing mobile devices using COBIT® 5 for information security

  ˃ www.isaca.org/Securing-Mobile-Devices