ISACA smart security for smart devices
DESCRIPTION
I made this presentation for an ISACA webinar on smart device security in July 2012.
TRANSCRIPT
![Page 1: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/1.jpg)
Marc Vael
International Vice-President
Smart Security for Smart Mobile Devices
![Page 2: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/2.jpg)
Smart Mobile Device Definition
An electronic device that is
• cordless (except while being charged),
• mobile (easily transportable),
• always connected (via WiFi, 3G, 4G etc.),
• capable of voice/video communication, internet browsing, "geo-location" (for search purposes)
and that can operate to some extent autonomously.
![Page 3: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/3.jpg)
![Page 4: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/4.jpg)
![Page 5: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/5.jpg)
![Page 6: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/6.jpg)
Smart Mobile Device Business Benefits
1. Increased workforce productivity—facilitates completion of work offsite (+40%).
2. Improved customer service—sales person or account manager can access the CRM system while at a customer site + provide ad hoc solutions & current customer account information.
3. Response to customer problems or questions at any time—35% improvement in customer satisfaction in best-in-business enterprises.
4. Improved turnaround times for problem resolution—more flexibility facing the challenges of time zones or office hours.
5. Increased business process efficiency—shortened & more efficient business processes. SCM+ by providing employees with information to speed the capture of inbound supply chain data + shortening feedback loop between supply chain and production planning.
6. Employee security & safety—one of the first reasons for mobile device adoption: allow employees to travel to/from remote locations while staying in touch.
7. Employee retention—management creates positives for business & employees. Using mobile devices can improve work-life balance by facilitating the ability of employees to work remotely: increase employee retention by up to 25%.
![Page 7: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/7.jpg)
Smart Mobile Device Business Benefits
![Page 8: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/8.jpg)
![Page 9: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/9.jpg)
![Page 10: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/10.jpg)
![Page 11: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/11.jpg)
Impact of an attack on the business
![Page 12: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/12.jpg)
Smart Mobile Device Risks
ISACA, Business Risks & Security Assessment for Mobile Devices, January 2008
![Page 13: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/13.jpg)
Smart Mobile Device Risks
ISACA, Secure Mobile Devices, 20 July 2010, page 6
![Page 14: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/14.jpg)
Smart Mobile Device Risks
![Page 15: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/15.jpg)
![Page 16: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/16.jpg)
![Page 17: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/17.jpg)
Mobile Device Security Issues
• Threats differ by industry (e.g. intelligence/security/police forces, fuel and energy, health and disease control, transportation, media, financial, food, retail, etc.); thus countermeasures must appropriately match the threat.
• Cost-benefit case for mobile devices depends solely on the value of corporate data at risk. Thus, critical data must be inventoried + appropriate security solutions implemented.
• Businesses cannot manage what they cannot identify, track or measure. Critical information is not always inventoried and proactively secured.
• Some companies outsource network security. When the third-party employees leave, what customer data leave with them? Business data are available to providers with different business goals and objectives.
![Page 18: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/18.jpg)
Mobile Device Security Issues
• Network security issues include:
‣ Conventional firewall and VPN security systems are inadequate.
‣ Lack of integration with evolving WAN network security solutions.
‣ A blurred network perimeter can cause the boundary between the “private and locally managed and owned” side of a network and the “public and usually provider-managed” side of a network to be less clear.
‣ If communication can be intercepted, piggybacked, impersonated or rerouted to “bad” people, “good” people can look “bad” and “bad” people can look “good” from any location.
‣ Encrypted remote connections are assumed to be secure. Little consideration is given to securing the end point. E-mail and other communications are encrypted only from phone to phone, or mobile device to server. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the Internet.
‣ Ad hoc service provisioning: requesting and receiving application service on demand wherever one is located.
![Page 19: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/19.jpg)
Mobile Device Security Issues
![Page 20: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/20.jpg)
![Page 21: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/21.jpg)
![Page 22: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/22.jpg)
Business Model for Information Security
![Page 23: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/23.jpg)
![Page 24: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/24.jpg)
ISACA, Business Risks & Security Assessment for Mobile Devices, January 2008
![Page 25: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/25.jpg)
ISACA, Business Risks & Security Assessment for Mobile Devices, January 2008
![Page 26: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/26.jpg)
![Page 27: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/27.jpg)
Policies & Standards
Smart device security strategies
![Page 28: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/28.jpg)
Smart device security strategies
![Page 29: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/29.jpg)
Smart device security strategies
EDUCATION!
![Page 30: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/30.jpg)
Measuring performance
Smart device security strategies
![Page 31: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/31.jpg)
Smart device security metrics
Most common security metrics used in evaluating the adequacy of mobile device security include:
• Number of breaches or successful attacks
• Virus protection and frequency of virus definition updates
• Currency of patch management on the servers
• Compliance with federal regulations
• Cost of security solutions
• Cost of loss
• Evaluation of risk
Are these metrics sufficient? Do you factor total cost of ownership? How do you measure the benefit & value of mobile devices and the security solutions?
So, how can CISOs explain the value of incorporating adequate security?
![Page 32: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/32.jpg)
Review / Audit
Smart device security strategies
![Page 33: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/33.jpg)
![Page 34: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/34.jpg)
Auditing Mobile Device Security
1. PLANNING & SCOPING THE AUDIT
1.1 Define audit/assurance objectives.
1.2 Define boundaries of review.
1.3 Identify & document risks.
1.4 Define assignment success.
1.5 Define audit/assurance resources required.
1.6 Define deliverables.
1.7 Communicate the process.
2. MOBILE DEVICE SECURITY
2.1 Mobile Device Security Policy
2.2 Risk Management
2.3 Device Management
2.4 Access Control
2.5 Stored Data
2.6 Malware Avoidance
2.7 Secure Transmission
2.8 Awareness Training
![Page 35: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/35.jpg)
Conclusions
![Page 36: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/36.jpg)
Conclusion
Business executives rarely know where to start. While mobile technology is burgeoning with new innovations, time-tested mitigation techniques and evolving tool sets are available and highly effective. Organizations need to:
• Recognize mobile technology risks + commit resources to take decisive actions to control their vulnerabilities
• Inventory high-value data & most serious exposures
• Evaluate which countermeasures directly & cost-effectively reduce their highest risks
• Implement reasonable strategy that phases in improvements in information security commensurate with risk & resources
• Commit ongoing resources to revise & refine over time as circumstances evolve
For business leaders who fail to implement sufficient safeguards, the costs can be catastrophic. With the integration of an increasingly networked world, their problems become everyone’s.
![Page 37: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/37.jpg)
![Page 38: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/38.jpg)
![Page 39: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/39.jpg)
Your (device) security solution is as strong …
… as its weakest link
![Page 40: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/40.jpg)
“I don’t care how many millions of dollars you spend on security technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”
Susie Thunder, Cyberpunk
![Page 41: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/41.jpg)
Contact information
Marc Vael
CISA, CISM, CISSP, CRISC, CGEIT, ITIL Service Manager
International Vice-President
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
http://www.isaca.org/
http://www.linkedin.com/in/marcvael
http://twitter.com/marcvael
![Page 42: ISACA smart security for smart devices](https://reader035.vdocuments.site/reader035/viewer/2022062512/5541b26bb4c905bf168b4569/html5/thumbnails/42.jpg)