Bring Your Own Device 2014 TeamMate User Conference Palm Desert California
9/11/2014
1
BYOD Guide for Auditors
TeamMate 2014 User Conference Palm Springs, CA
Jim Kaplan CIA CFE
Founder: AuditNet®
IIA Bradford Cadmus Award Recipient
Local Government Auditors Lifetime Achievement Award
Chief Audit Executive
Internet for Auditors Pioneer
Author: The Auditor’s Guide to Internet Resources
[email protected]
Objectives
• Define BYOD and MDM
• Identify Risks and Internal Audit Considerations
• Identify Controls
• Provide a Framework for Mobile Device Auditing
• Resources
Mobile Devices and BYOD
Many organizations have now opted to allow employees to procure their own devices, which will ultimately connect to enterprise data and resources.
What does your organization allow?
BYOD comes in different shades
BYOD or bring your own device: employees are allowed to use their privately owned hardware and software. The employer’s IT applications and company data are made available on the end user’s platform.
CYOD or choose your own device: the employer still provides the hardware, and the employee can choose, e.g., the model.
SYOD or smuggle your own device: people use a second smartphone or tablet, alongside the one provided by the employer, for company purposes as well.
BYOD Terminology
• BYOD: bring your own device (or bring your own disaster)
• BYOT: bring your own technology (or now tablet)
• BYOP: bring your own phone
• BYOPC: bring your own PC
• CYOD: choose your own device
• SYOD: smuggle your own device
• MDM: mobile device management. A range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, possibly for personal use, enforcing policies and maintaining the desired level of IT control across multiple platforms.
• MDS: mobile device security
• Endpoint Security
BYOD: Where Do We Start?
BYOD Mobile Device Picture
• A Cisco study says that in 2014 the average number of connected devices per knowledge worker will reach 3.3, up from 2.8 in 2012.
• Gartner predicts that by 2017 half of employers will require employees to supply their own device for work purposes.
By a show of hands, how many of you have at least one mobile device?
BYOD Statistics
• 67% of people use personal devices at work, regardless of the office’s official BYOD policy (Source: Microsoft via CBS News)
• 42% of companies surveyed already use BYO (Source: Moka5 Survey, July 2013)
• 46% of end users surveyed said network performance negatively affects mobile devices the most (Source: Cisco)
• 77% of employees haven’t received any education about the risks related to BYOD (Source: 2013 Data Protection Trends Research, conducted by Ponemon Institute via AllThingsD)
• 78% of employees believe that having a single mobile device helps balance employees’ work and personal lives (Source: Samsung)
• 62% of companies surveyed plan to support BYOD by the year’s end (Source: TechRepublic via ZDNet)
• Only 11% of end users access business applications from the corporate office 100% of the time (Source: Cisco)
• 24% of consumers surveyed currently use a smartphone or tablet as their primary, work-related computing device (Source: Samsung)
• 95% of surveyed organizations were permitting employees to use their own devices in some form in the workplace. According to the same study, each connected worker will have as many as three devices connected to employer networks by 2014.
Setting the Stage
Gartner Group predicted Bring Your Own Device (BYOD) would be a top technology trend for 2013 with mobile devices surpassing PCs as the most common web access tool, and it appears they were right.
Mobile Device Facts
Consumer-focused technology is not a fad; the benefits outweigh the costs.
Researchers estimate 159.9 million smartphone users in US by the end of 2014
Gartner Worldwide sales of tablets to end users reached 195.4 million units in 2013
Gartner Says Mobile App Stores Will See Annual Downloads Reach 102 Billion in 2013
BYOD Could Spell Trouble: More than half the organizations responding to the ITIC survey (March 2014) said they have no response ready for a hack into data on notebooks, tablets and smartphones their staff is using as “bring your own devices”.
http://www.cutimes.com/2014/03/10/byod-could-spell-trouble-survey
Why is this important?
Growth of mobile device use means increased risks for organizations. Increased risks for organizations means audit must address them. Audit needs to add BYOD to the audit plan to address policy, controls and risks.
AuditNet® 2014 BYOD Survey
• April 2014 AuditNet® launched a Survey of Bring your own Device (BYOD) Control, Risk and Audit
• Responses from 339 auditors from eight different organization sectors
• Organizations ranging from less than 100 to over 10,000 with the median being 1,000-5,000
• Staff size from 1 to over 50 with the median being 11-25
• More than 70% reported that their companies/organizations permitted the use of mobile devices.
Survey Key Findings
• Close to 3/4 of those who responded indicated that their employer allowed employees to bring their own devices to work.
• The primary BYOD service allowed by companies and organizations, as reported by survey respondents, was e-mail, followed by application access via a Virtual Private Network (VPN). Almost half the organizations allowed access to social media.
• Close to 80% said that their employer provides company-owned mobile devices to employees, while more than half said that they did not have a policy for mobile devices (commonly referred to as “bring your own device” or BYOD).
• More than half of those who said their employer had a policy indicated that it was not well communicated to staff.
• Almost two thirds of those who said their employer had a policy felt that it was not thorough or lacked the basic best practice elements.
• Slightly more than half required employees to sign a written agreement that outlines employer and employee rights and obligations with respect to the devices and a code of conduct.
• The greatest concern expressed by the auditors was confidentiality of information, followed by data breach or misuse.
• More than 80% of the auditors indicated that: a risk evaluation covering mobile devices has not been performed; a training or awareness program covering BYOD risks or controls has not been conducted; they have not audited this area; and they have not included this area in their current or future audit plans.
Survey Conclusion
• BYOD and MDM have not been a high priority for IA.
• Risk tolerance is high and perceived threat is low.
• The pace of BYOD adoption has clearly outpaced senior management and BOD vision.
• IA should evaluate controls, educate on risks, and plan audits for this area.
BYOD Risks - SPI
Security – Privacy – Incident Response
• Malware infection, which may result in leakage, corruption, or unavailability of data
• Leakage or compromise of sensitive data due to lost or improperly secured devices
• Negative publicity, loss of reputation, noncompliance with statutes or industry requirements, fines, and lawsuits
• Access controls and control over device security
• Ability to eliminate sensitive data upon termination or loss of the device
• Management issues related to supporting many different types of devices and applications
• Ensuring that employee-owned devices are properly backed up
Security Concerns
• Lack of Physical Security Controls
• Use of Untrusted Mobile Devices
• Use of Untrusted Networks
• Use of Apps Created by Unknown Parties
• Interaction with Other Systems
• Use of Untrusted Content
• Use of Location Services
Risks Associated with Mobile Devices
NIST Characteristics and Illustrative Risks
• Small form factor: loss or theft of data
• Wireless network interface for Internet access: exposure to untrusted and unsecured networks
• Local built-in (non-removable) data storage: loss or theft of data
• Operating system that is not a full-fledged desktop/laptop operating system: reduced technical controls
• Apps available through multiple methods: exposure to untrusted and malicious apps
• Built-in features for synchronizing local data: interactions with other untrusted and unsecured systems
Policy
1. Voluntary or Mandatory
2. Scope
3. Device support
4. Security
5. Consent
Must be monitored and enforced
BYOD policy should at a minimum:
• Clearly articulate the company's rights with respect to monitoring and accessing all the data stored on employees' mobile devices.
• Address an employee's obligations regarding device security, password requirements, and procedures for lost or stolen devices.
• Include specific language about approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings.
• Develop reasonable restrictions.
• Advise users that they may be required to disclose passwords to websites and applications.
• Restrict the use of company data to legitimate company purposes.
BYOD Controls
• Protection of sensitive data and intellectual property
• Protection of networks to which BYOD devices connect
• Responsibility and accountability for the device and the information contained on it
• Removal of the organization’s data from employee-owned devices upon termination of employment or loss of the device
• Malware protection
BYOD Audit Issues
• Risk Assessment
• Policies
• Legal Issues
• Technical and User Support
• Governance
• Training
• Device Security
• Connectivity Security
• Device Management
Source: AzzurriCommunications.com
Audit’s Role in BYOD
• Assessing the organization’s BYOD risks.
• Evaluating MDM and other policy solutions to determine their adequacy to protect the organization’s proprietary and sensitive information.
• Ensuring that the organization’s BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.
BYOD Threats – IA Focus
Threats
1. Increased risk of information loss: a security incident is easier with a smart device because the device can be stolen or lost.
2. Monitoring: an ever-increasing range of malware and espionage software is being created for mobile devices.
3. Awareness and communication: it is increasingly important to educate staff and other users about the consequences of poor security practices.
4. Treatment of devices as any other end-point: routes into the corporate network are created by mobile device architecture, which could result in the leakage of highly sensitive information.
Internal Audit Focus
1. Review anti-malware and firewall policy.
2. Review operating system and application update policies.
3. Ensure that the contents of the device are encrypted and secured.
4. Ensure that the Bluetooth feature is in non-discoverable mode, or disabled altogether if it is not needed in the organization.
5. Verify awareness of protection against unauthorized observation of sensitive information in public places.
Sample Audit Objectives
Provide management with an assessment of BYOD policies and procedures and their operating effectiveness
Identify internal control and regulatory deficiencies that could affect the organization
Identify information security control concerns that could affect the reliability, accuracy and security of the enterprise data due to weaknesses in mobile computing controls
AuditNet® BYOD Resources and Tools
• Mobile Device Checklist: www.sans.org/score/checklists/mobile-device-checklist.xls
• Security Guidance for Critical Areas of Mobile Computing: https://downloads.cloudsecurityalliance.org/.../Mobile_Guidance_v1.pdf
• Guidelines for Managing the Security of Mobile Devices in the Enterprise: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
AuditNet® Templates
• Bring Your Own Device (BYOD) Audit (July 2014)
• Bring Your Own Device (BYOD) Assurance Audit Program (July 2014)
• BYOD (Bring Your Own Device) Maturity Assessment (June 2014)
• Security of Mobile Devices
• BYOD (Bring Your Own Device) Security Audit Program (Source: FastITTools)
Contact Information
Jim Kaplan CIA, CFE
[email protected]
http://www.auditnet.org
BYOD Questions