Mobility Risk, Strategy and Policy

Uploaded by h-contrex, posted 02-Jul-2015 (Category: Technology)

TRANSCRIPT

Page 1: Mobility Risk, Strategy and Policy

Harry Contreras – CISSP

Mobility, Risk, Strategy & Policy
Addressing Mobile Business & Technology Issues

ISSA Phoenix Chapter - April, 2011 – Copyright 2011

Orienting mobile strategy to negotiate risk landscape obstacles

Page 2: Mobility Risk, Strategy and Policy

April 2011 - Presentation Outline
• Mobility issues facing businesses today
• Risk and Liability issues
• Strategy development
• Policy program issues and concerns
• Delivery elements
• Summary with Q&A opportunity
• Resources & References - Take Away

Page 3: Mobility Risk, Strategy and Policy

Mobility Issues to Assess and Address: Risks, Strategy, Policy, Delivery

Risks - Identify the common and unique risks of mobile technology that are in scope for business use. Consider liability and the choices for risks accepted, avoided and transferred.

Strategy - Develop strategy within the framework of identified risks that impact the business. With stakeholders, define the requirements that meet the elements for advancing business objectives.

Policy - Authorize and endorse the corporate policy & standards for mobile technology use in the company. Communicate and train via compliance & security awareness programs.

Delivery - Identify the actions to deliver a mobile strategy: what it will take to support, maintain and sustain with currency a complete plan for an enterprise.

We will follow these four tracks throughout the presentation.

Page 4: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Assessing company risk with mobile technologies

Establish understanding of company tolerance for risk
• Business culture
• Company compliance impact points
• Consumer technologies introduce new risk issues

Integrate cross-linkages with existing Compliance issues
• Consult with your company Legal department
• Corporate governance determines

One of the first areas to “do your homework”.

Page 5: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Regulatory, Liability and Risk Landscape

Regulatory “entanglements”
• Personal, Health and Card Holder privacy regulations
• SEC regulation
• Rule 26 / e-Discovery
• Forensics and investigations
• IRS Regulation and Reporting requirements

Company and Operations specific issues
• Corporate Contractual obligations
• Business “verticals” - i.e. health industry, government contracting
• Global operation regional issues - i.e. European work councils

Other “surprises” both foreign and domestic.

Page 6: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Business operating issues and risk posture
• Separation of asset ownership - i.e. BYO assets (More on this later.)
• Business owned or employee owned
• Ownership and control of platform resident data
• Business capitalization concerns

Employee privacy issues or business “enablers”
• “Invading technologies” to consider
  • Presence
  • Geo-location
  • Tracking and utilization reporting

Identity specific usage issues
• Business representative – i.e. how the phone number is associated
• Personal, non-Company persona

How much or how little is the Company willing to address?

Page 7: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Business issues and risks for BYO assets
• How far do company controls encroach on the personal device?
• Commingled personal and Company information
• Are business resources and services being “misappropriated”?

How do employees expect Company services at their disposal?
• Truth or fallacy? - Reality Check
• Employees expect free-rein utilization of assets and services
• Do not want and will not tolerate limitations

Assessing risk and liability usage issues for BYO assets
• HR reports employees are doing “WHAT” with their devices?
• Client claims that an employee took a recording of their conversation
• Liability remains with the Company regardless of approach

Can you say it with me… “No employee entitlements to Company provisioned services for personal use.”

Page 8: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Tablets and smartphones in the enterprise

“There are two types of risk. One, to the organization, of sensitive content being exposed if the device is lost, hacked or otherwise compromised. In some cases there are financial penalties for this, as well as costly notification practices that need to be complied with if it involves any customer data. The other is to the employee. In the event of a legal action involving anything they may have been involved in, or a data call to ‘…produce any/all records related to XYZ,’ the employee’s device may be subject to search. This could risk exposing their personal data, including passwords, contacts, browser history and other things they may not want their employer or others to have access to. Commingling business/personal content and activity just plain isn’t good sense. Even a one-person consulting business keeps its personal and business financial assets/accounts independent of each other; why doesn’t it make the same sense to keep your information assets independent?” – Larry

With this as a “backdrop” … “Discuss, discuss…”

Industry perspective – “Peersay”, NetworkWorld.com – 3/21/2011

Page 9: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Assessing company risk with mobile technologies

Original risk issues for mobile technologies remain
• Approaches for laptops and enterprise-architected solutions for mobile platforms (i.e. RIM, Good Technology) have addressed most of the risks over time

Newer mobile technologies bring added complexity
• Consumer grade technologies are introducing and broadening the risk and threat horizon
• “Not ready for enterprise introduction”
• Patchwork quilt of solutions to weave together for mixed results and effectiveness
• “Consumer use mentality” is the “insider threat” today.

Remember, once you go “Tablet” you can never go back.

Page 10: Mobility Risk, Strategy and Policy

Risk & Liability Issues (Risk track)

Assessing company risk with mobile technologies

Presentation points in due diligence for management briefing. Burying your head in the sand – not an option.

Accept or Retain the identified risk. When the risk is unlikely or its impact does not warrant any further action, the company simply decides to bear any recovery costs.

Avoid or Reject the risk. When the cost or likelihood of the risk is great, it is not feasible to continue in that area of activity – product, process or geography.

Transfer or Share the risk. When the risk is part of the business operation and the cost is predictable, the company may elect to insure, warranty or contract (outsource).

Mitigate or Reduce the risk. The identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact to the business.

Ignore the risk. An identified option of choice to consciously do nothing. Potential for catastrophic business impact and serious legal and liability repercussions.

Page 11: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Where is your Strategy now? New or inherited Mobile Strategy
• What is in place now?
• Functional or “death spiral”?
• What is your charter for this initiative?
• Build new or patch and repair?

What you may need or what may be missing – Resources (Any way you can get them allocated - internal or contracted.)
• Enterprise Architect or IT Strategist
• Subject Matter Expert (SME) Engineer
• Analyst
• Project Manager
• Leadership/Management endorsement - oversight

The all-important “management underwriting” license for change.

Page 12: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

What is the approach for “services”?
• In-house vs. Hosted
• Will need to build out or negotiate contract(s)
• Take the opportunity to research each option
• Can the business replicate what providers have already built?

Present state analysis and comparison to “to-be” state
• Are there any accounting stats or metrics to baseline?
• What is the Cost of Doing Business today for the strategy?
• Can gains and improvements be attained with volume discounts?
• Will outsourcing “provisioning” be beneficial?
• Is “standardization” going to be an issue?
• Does your Telecom services strategy run parallel or intersect?
• Is there an expectation or goal for cost/expense limitation?

Be on the lookout for “scope creep” around every corner.

Page 13: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

What is the approach for “services”?
• In-house vs. Hosted
• Will need to build out or negotiate contract(s)
• Take the opportunity to research each option
• Can the business replicate what providers have already done?

Present state analysis and comparison to “to-be” state
• Are there any accounting stats or metrics to baseline?
• What is the Cost of Doing Business today for the strategy?
• Can gains and improvements be attained with volume discounts?
• Will outsourcing “provisioning” be beneficial?
• Is “standardization” going to be an issue?
• Does your Telecom services strategy run parallel or intersect?

How many personal plans on how many providers come into play? The BYO approach compounds the variables & dilutes volume plans.

Ask these same questions with the BYO assets approach.

Page 14: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Plotting a Successful Strategy

[Chart: Risk Tolerance Axis (horizontal, from - through 0 to +) plotted against Cost Tolerance Axis (vertical, $$ up to $$$$). Regions labelled: Anything goes, Non-functional, Adding Controls, Unsupportable Model, Overly draconian, Success or Ultimate “Fail”, Mobile Strategy, Compliance Issues.]

Every Business has its own “Sweet Spot”.

Page 15: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

What are we up against with newer mobile technologies?
• Lack of built-in security
• Open and easily extensible operating architectures
• Poor control over devices
• Poor control over connectivity
• Weak connection security
• Weak authentication of user and device
• Poor working practices
• Compromise of stored data

Control, Contain, Maintain and Explain…
• Asset sprawl, capitalization, operational expense, support costs
• Policy, standardization, licensing
• Regulatory compliance, content management, security controls
• Add to and refine this list…

iPhones, Androids, and Blackberrys… Oh My!

Page 16: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Several mobile security strategy approaches are available today
• Basic device management – use Microsoft ActiveSync for simple policy management.
• Enhanced device management – use mobile device management software for more sophisticated control of company-issued devices.
• Walled garden / Virtual workspace – Allow corporate access from personal devices, but wall it off from the device’s personal content.
• Risk based management – Set policies that restrict corporate access of phones with high risk factors, like unauthorized apps or out-of-date policies.

The more product solutions are applied – the more profits are eroded.
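As an added example (not from the presentation or any product it names), the risk-based management approach described above worked through in code: a device posture record, as an MDM or ActiveSync inventory might report it, is checked for the high-risk factors the slide names (unauthorized apps against an app allowlist, out-of-date policy) plus encryption and jailbreak status, and mapped to an access level. The app identifiers, thresholds and device records are constructed values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple

# Constructed allowlist of approved app identifiers (hypothetical names, not real products).
APPROVED_APPS = {"com.example.mail", "com.example.vpn", "com.example.docs"}
MAX_POLICY_AGE_DAYS = 7      # assumed threshold: policy must have synced within a week
MIN_OS_VERSION = (4, 0)      # assumed minimum OS version (major, minor)
TODAY = date(2011, 4, 20)    # fixed evaluation date so the example is reproducible

@dataclass
class DevicePosture:         # posture record as an inventory report would provide it
    device_id: str
    owner: str               # "company" or "byo"
    os_version: Tuple[int, int]
    encrypted: bool
    jailbroken: bool
    installed_apps: Set[str]
    policy_last_synced: date

def risk_factors(p: DevicePosture, today: date) -> List[str]:
    """Return the high-risk findings for one device; an empty list means compliant."""
    findings = []
    unauthorized = sorted(p.installed_apps - APPROVED_APPS)
    if unauthorized:
        findings.append("unauthorized apps: " + ", ".join(unauthorized))
    age = (today - p.policy_last_synced).days
    if age > MAX_POLICY_AGE_DAYS:
        findings.append(f"policy out of date ({age} days since last sync)")
    if p.os_version < MIN_OS_VERSION:
        findings.append("operating system below minimum version")
    if not p.encrypted:
        findings.append("stored data not encrypted")
    if p.jailbroken:
        findings.append("device jailbroken/rooted")
    return findings

def access_decision(p: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Map findings to an access level: 'full', 'restricted' (e.g. mail only) or 'block'."""
    findings = risk_factors(p, today)
    # Loss of platform integrity or of data-at-rest protection denies corporate access outright.
    if p.jailbroken or not p.encrypted:
        return "block", findings
    if findings:             # lesser findings restrict rather than deny
        return "restricted", findings
    return "full", findings

# Constructed fleet: clean company tablet; BYO phone with stale policy and an unapproved app; jailbroken, unencrypted BYO phone.
SAMPLE_DEVICES = [
    DevicePosture("tab-001", "company", (4, 2), True, False,
                  {"com.example.mail", "com.example.vpn"}, date(2011, 4, 18)),
    DevicePosture("phone-002", "byo", (4, 1), True, False,
                  {"com.example.mail", "com.social.chat"}, date(2011, 3, 31)),
    DevicePosture("phone-003", "byo", (3, 2), False, True,
                  {"com.example.mail"}, date(2011, 4, 19)),
]

def evaluate_fleet(today: date = TODAY) -> dict:
    """Decision per device id, as a report for the security team."""
    return {p.device_id: access_decision(p, today)[0] for p in SAMPLE_DEVICES}
```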

Page 17: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Some focus points for major solutions in your strategy
• Set strategy, policies and standards
• Deploy standard hardware, apps and security software
• Virus protection, firewalls, disable concurrent connection options
• Use device authentication to eliminate “rogue” devices connecting
• Consider two-factor authentication – smart cards, embedded tokens
• Harden / lock down operating systems and device options
• Whitelist authorized and supported applications – app fingerprinting
• Implement software upgrade and patch management solutions
• Encrypt stored data and removable storage media
• Use remote kill and data wipe solutions
• Educate users on mobile use requirements/policy
• Provide helpdesk and IT support to mobile users
• Scan networks for unauthorized devices and connections

Page 18: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Page 19: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Technology Landscape Considerations

Which bands, services, operators and where does your solution fit? Wireless Technology Continuum:

[Diagram: GSM, UMTS, LTE; HSPA; CDMA, CDMA2000, UMB; 3G; 4G; WiFi; Bluetooth; WiMax]

Page 20: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

What services and features fit into your business model?
• Multiple service bands – which ones are operator specific?
• Phone / Voice capability with simultaneous Data session capability
• What is the bandwidth overhead for the mobile application portfolio?
• Email – Single Company source or all services allowed?
• Internet browsing – allow all or filter? Liabilities?
• Are texting and Multi Media Services included in operating costs?
• Audio – Allow personal music files? (How will you address licensing?)
• Allow audio recording capability? Liabilities?
• Allow video recording capabilities? Liabilities?
• Camera phone “follies” – (Your own mental image goes here.)
• Limit instant messaging to in-house services or allow all?
• Global Positioning Services (GPS)
• Tele-presence / Video conferencing
• Is unified communications (UC) in your Telecom Plan?

All equate to bandwidth – Bandwidth equates to expense.

Page 21: Mobility Risk, Strategy and Policy

Strategy Development (Strategy track)

Strategy Analysis: The What, When, Why, How and Who
– What = Identify risks to the business
– When = Prioritize actions
– Why = Cost justification
– How = Solutions/Mitigation approaches
– Who = Assign actions to carry out

Famous phrase applies here – “Choose wisely, grasshopper.”

Page 22: Mobility Risk, Strategy and Policy

Policy Program (Policy track)

What is the approach for mobile “policy” issues?
• First and foremost - will need to be endorsed by Corporate representation
• Take the opportunity to review and align
• Consider the following:
  • Business culture
  • Compliance & regulations
  • Risk mitigation targets

What is required in policy statements?
• Are policy statements expectations for behavioral controls?
• Are policy statements declarations of automated enforcement?
• It can be one, the other or a combination in policy

What did we have to say about that in the Acceptable Use Policy?

Page 23: Mobility Risk, Strategy and Policy

Policy Program (Policy track)

Other considerations for “Mobile Technology Use Policy”
• Consult with Legal Team
  • Inclusion of “Opt-In” – Employee sign-off on Mobile policy
  • Where any “personally owned device” enters into the program
• Objective - Acknowledging company controls and expectations when an “event” condition occurs, and the implications for personal information and access to the personal device.

“Bricking” is a last resort
• Rendering a field unit inoperable has consequences
• Both good and bad results
• Is it the only communication resource for the employee?
• Read in health, safety and other personnel issues here…

What did we have to say about that in the Acceptable Use Policy?

Page 24: Mobility Risk, Strategy and Policy

Policy Program – Hierarchy of Policies (Policy track)

[Diagram of the policy hierarchy, reconstructed as a list:]
• Overarching Global Policy (Core) – Authorized & Endorsed; Acceptable Use
• Privacy and Data Protection Policy (Core) & AUP – (AUP) Acceptable Use Policy endorsed by Human Resources, Legal and Compliance
• IT Security Policy Manual – Implementation policy details
• Security Position Statements – Addresses new technologies; mitigating immediate business risks
• Subordinate Security Standards (IT Security Standards) – Detailed technology specs; required compliance controls
• Security Awareness Content (IT Security Awareness Materials) – Awareness Library of Tools & Resources

Mobile Technology Policy Opt-In (Sign-Off) to participate in Company plan.

Page 25: Mobility Risk, Strategy and Policy

Delivering the Strategy (Delivery track)

What to include in the Delivery plan
• First and foremost -
  • Must be manageable
  • Must be supportable
  • Must be affordable
  • Must be sustainable
  • Is it aligned with the business use model?
  • Addresses Compliance & regulations
• Can assets be forensically interrogated?
• Risk mitigation targets must be addressed
• Data escape controls in place

What next?
• Once you embark on a plan of action – course corrections will impact all of the previously defined variable elements

Critical Success Factors

Page 26: Mobility Risk, Strategy and Policy

Delivering the Strategy (Delivery track)

Delivery element analysis: The What, When, Why, How and Who
• Why = Business objectives for mobility
• What = Strategy, policy and technologies
• How = Delivery plan
• Who = Resources, personnel and funding
• When = Delivery timeline

Critical Success Factors

Page 27: Mobility Risk, Strategy and Policy

Summary (Risk, Strategy, Policy, Delivery)

Sustaining Security Objectives for the Organization
• Security - Be recognized as the visionary security leader that collaboratively consults with the business.
• Security - Enable the business with compliant and consistent security policy and controls focused on secure future computing within the Company.
• Security - Ensure governed, integrated protection for the entire Company and its resources.

Protecting colleagues, company assets and reputation

Page 28: Mobility Risk, Strategy and Policy

Mobility, Risk, Strategy & Policy
Addressing Mobile Business & Technology Issues

Conclusion – Question & Answers

- Disclaimer -“Not a lawyer.”

This presentation is available at: http://www.slideshare.net/hcontrex

H. Contreras – CISSP ISSA Phoenix Chapter - April, 2011 – Copyright 2011

Page 29: Mobility Risk, Strategy and Policy

References – Resources
• Information Week, Grant Moerschel – Jan 29, 2011: 4 Strategies To Lower Mobile Device Risk
• NetworkWorld, Toolshed: Mark Gibbs – Feb 7, 2011: Mobile Devices: You’re losing control
• SCMagazine, Greg Masters – Feb 17, 2010: On the go: Mobile Security (http://scmagazineus.com)
• Information Week, David F. Carr – Dec 6, 2010: iPad in the Enterprise
• ComputerWorld, Security Manager’s Journal – Mathias Thurman – Mar 22, 2010: BYOPC won’t be a party for security
• ComputerWorld, Opinion – Steven J. Vaughan-Nichols – Mar 21, 2011: I Want My iPad at Work!
• ProfitLine, White Paper – Nov, 2009: Culture Shift – The most overlooked aspect of deploying smart devices in the enterprise