November 14, 2012 Securely Manage your devices, applications and data. Deploy your corporate...
-
Upload
madison-vallance -
Category
Documents
-
view
214 -
download
0
Transcript of November 14, 2012 Securely Manage your devices, applications and data. Deploy your corporate...
AUDITING SMART DEVICES
November 14, 2012
Securely Manage your devices,
applications and data. Deploy your
corporate policies on smart devices.
Comply with Regulatory Laws.
Detroit Chapter of the IIA in Partnership with Securely Yours,
LLC Presents
Auditing the Security and Management of Smart Devices
If You Have Questions…If you have questions during the webcast:
– If necessary,exit Full Screen Viewby pressing the Esc key
– Submit questionsthrough the“Ask a Question” button
– Questions will be answered after the presentation portion is concluded
Earning CPE Credit
In order to receive CPE credit for this webcast, participants must:
Attend the webcast on individual computers (one person per computer)Answer polling questions asked throughout the webcast
When answering polling questions, select your answer and the click “Vote” button (next to the “Ask a Question” button) to submit / save your answer.
CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.
4
Poll Questions
5
AgendaEvolution of Smart Device
usageAudit ApproachQ&A
6
EvolutionMost Organizations relied
on blackberryiPhone and iPad changed
the executive landscapeIT under pressure to also
supportiOS (Apple)Android (Google)Windows Mobile (Microsoft)
It is projected that Android and iOS will be the leading operating system for smart devices from 2011 on.
7
PIM (Plan, Implement, Manage) methodology provides a comprehensive approach to organizations to manage and secure the smart devices.
Step 1Plan:Usage Policy
Step 2Plan:IT
Architecture
Step 3Plan:
Security Policy
Step 4Implement
:IT
ArchitectureStep 5
Implement:
Enable Email,
Contact, & Calendar
Step 6Implement
:Enable
Application
Deployment
Step 7Implement
:Enable
Network Connectio
n
Step 8Manage:
Regulatory Complianc
e Governanc
e
Step 9Manage:
Reports & Dashboard
Step 10Manage:
Monitor & Audit
Implementation
Methodology
8
Audit Step 1Collect the following
documents:Smart Device Use PolicySmart Device security PolicyIT Infrastructure architecture
documentsMDM proceduresReports produced from MDM
Without the smart device use policy, it is difficult to communicate the organization’s posture on the use of such devices. This is a key first step and usually involves IT and businesses.
9
Audit Step 2Understand the smart device
environment: Is the device a corporate device or is BYOD (Bring Your
Own Device) is allowed? Is the corporate data separated from the personal data? Is personal use of the device allowed (Can you play
Angry Bird on your device? Is an agreement in place where the employee abides
with the corporate security policy? Has the employee agreed to remote wipe of the device Record of their phone calls may be viewed by corporate?
Is confidential data residing on the device? If so, what are the procedures in place to monitor and control the confidential data?
What type of smart devices are allowed? Apple only? Android only? Others?
Is there a backup strategy and procedure in place for smart devices?
Is the smart device connecting to the corporate network? How is it being connected?
How are applications pushed to the device? Is the corporation developing its own apps? Do they have their own app store? Marketplace?
Without the smart device use policy, it is difficult to communicate the organization’s posture on the use of such devices. This is a key first step and usually involves IT and businesses.
10
Poll Question
11
Audit Step 3Understand the IT
architecture supporting the smart device environment: Is the MDM solution cloud
based solution or internally deployed?
Is the solution hosted by a third party or self supported?
Is there a business associate agreement in place with the vendor?
Once it is known how the smart devices will be used, designing the supporting IT architecture is the logical next step. This architecture maps to the existing IT architecture.
12
Audit Step 4Understand the smart device
security features: Verify that the password policy is meeting industry
standards Review the encryption requirements (specially for
confidential data) and how encryption is deployed Is there a requirement for port controls on a device
(camera usage, bluetooth usage, WiFi controls)? What procedure is in place for remote wipe/locking
and unlocking of device What procedure is in place for reporting of lost
devices How the devices are tracked and monitored What device configuration is pushed as profile to
the device (VPN? Email? Etc.) How are the delivery of applications controlled to
the device? Does the corporation use blacklisting? Whitelisting? How are the features implemented?
What audit and monitoring features are turned on? What reports are being generated?
Once the use policy is defined and the IT architecture designed, then the security policy needs to be documented to determine how the smart device will be secured to protect organization’s crown jewels.
13
Poll Question
14
Audit Step 5Understand how the devices
are enrolled into the MDM software Does the organization use self-
registry? How do users register their device?
How do users re-register when they purchase new device or replace an existing device? What happens to the old device? Is the data wiped off the device?
How is it verified that the appropriate security policy has been pushed to the device?
Once the use policy and security policy is documented, now is the time to deploy the solution to register the devices and deploy the security policy.
15
Audit Step 6Review the email,
calendar and contact informationHow is email synced with the
corporate servers? Is the email encrypted?
Where and how is virus checking performed?
The next step is to make email, calendar and contact information available to the device. With BB, it was easy using the BES Server, SM makes it easy for Android and iOS using Middle-server.
16
Audit Step 7Review the corporate apps
running on the deviceReview the homegrown
applications and how the data is stored and encrypted on the device?
Review the whitelisting and blacklisting deployment
Review the authentication procedure for the applications – passwords? How are they authenticated? Is there an authorization process with corporate data?
Is your organization making mobile apps available for everyone? Are your customers will be using your apps? Are these apps browser based? Are these critical apps?
17
Poll Questions
18
Audit Step 8Review the device
connection to the corporate networkWhat type of remote
connection is used?What authentication is used
prior to allowing access to corporate network?
What encryption protocols are in place for the remote connection?
Do you want to allow the device to access your corporate network to access corporate data/files/folders? What is your remote access policy? What security is required to allow the devices access the network?
19
Audit Step 9Review the regulatory and
compliance requirementsWhat reports and controls
are in place to support the HIPAA, SOX, PCI and other regulatory and compliance requirements
Most organizations have to comply with several regulations and governance requirements. SM’s management framework provides for compliance and governance activities customized for our clients.
20
Audit Step 10Review management reports
What reports are reviewed by management?
What key statistics are monitored and reviewed?
SM’s management framework provides for customized reports and dashboards. The dashboard can be deployed at an executive level, or at a detail level.
21
Audit Step 11Review other device
support services like eDiscovery, litigation hold etc.
Making sure that the proper audit support is provided and the appropriate monitoring is performed is an important step of SM’s management framework.
22
Audit Step 12Document the risks and
draft a reportMaking sure that the proper audit support is provided and the appropriate monitoring is performed is an important step of SM’s management framework.
23
THANK YOU!
Please join us for additional chapter events:
Dec 11, 2012 - IIA & ISACA December Joint Chapter Meeting
MAR 11-13, 2013 - 2013 IIA and ISACA Spring Conference
Visit www.iiadetroit.org for additional information and registration details
Please Take a Moment to Rate the Webinar• Click on “Rate This”• Rate this webinar with 1 to 5 stars• Provide any comments• Click “Send Rating”