Mobile transformation – the journey of converting a concept into reality
Performance Food Group, Inc.
PwC
Introductions
Amandeep Lamba
Director, IT Risk & Security Assurance
PwC LLP
(301) 943-8800
Colin Kibler
Director, Information Security & Compliance
PFG, Inc.
[email protected]
(804) 484-6227
Session objectives
The session is a case study on PFG’s mobility implementation journey, covering the following four key objectives:
1. Describe the business case and key considerations / challenges
2. Walk through the mobility implementation roadmap
3. Discuss key elements of the implementation framework and approach
4. Highlight lessons learned and next steps
Overview of PFG
• Food Service distributor/wholesaler
• Delivers over 98,000 national and proprietary-branded products
• 11,000 Employees
• Markets – Independent/national chain restaurants, quick service eateries, pizzerias, theaters, schools, hotels, healthcare facilities
• A Blackstone and Wellspring portfolio company
• Business Units
• Performance Foodservice
• PFG Customized Distribution
• Vistar
Overview of PFG (cont.)
• HQ – Richmond, VA
• 36 Distribution Centers
• 7 USDA Inspected Meat Cutting Facilities
• Custom Cheese Processing facility in Rice, MN
• Seafood Importing, Processing, and Distribution Facility in Miami, FL
• Nation's Largest Pizza and Italian Specialty Distributor
• HQ – Denver, CO
• 21 Distribution Centers
• 13 Merchant Marts (Cash and Carry)
• Leading distributor of Candy, Snacks, & Beverages to Unique Segments:
• Vending
• Theatre
• Office Coffee Service
• Concessions
• HQ – Lebanon, TN
• 9 Distribution Centers
• Logistics/distribution for national customers
• Customers include national brands such as Cracker Barrel®, Outback Steakhouse®, Ruby Tuesday®, and T.G.I. Friday's®
• Services Customers in all 50 states and 41 countries
Starting the mobility journey
Business case formation
Business Drivers
1. User driven change:
• Board Room and Senior Executives driving usage
• Users demanding enhanced collaboration and productivity
• Increased consumerization fostering a culture of instant gratification
2. Greater convenience:
• Applications moving beyond Email/Contacts/Calendars
• Mobile capabilities and applications aligning with the business model
• Rich content enables quick decisioning
3. Flexibility and employee satisfaction
Impact and Trends
1. Infrastructure to support increased adoption of Smartphones
2. BYOD/approved corporate mobile devices
3. Security, compliance, and legal considerations
4. Mobile/cloud applications, data and services
5. Need for stronger mobile governance and monitoring
Strategic considerations
Governance & Oversight
• Program ownership and management
• Strategic direction
• Risk management
Security & Privacy
• Company’s control over connected devices
• Acceptable use provisions
• Training and awareness
Implementation Challenges
• Decentralized workforce
• Business segments with unique requirements
• Resources to support BYOD
Data and Information
• Access to confidential data
• Adoption of mobile applications
• Personal vs. corporate data
Challenges and complicating factors
MDM – ActiveSync vs. Zenprise?
Proliferation of Devices / Device Diversity
Gap in Governance and Documentation
Security & Compliance – An afterthought!
Infrastructure Implementation Gaps
Privacy Concerns Impacting Adoption
Decentralized and Non-Tech Savvy Workforce
Mobility implementation
Path to a secure mobility environment
Current State
Develop a Strategy
• Develop a business case
• Develop use cases and patterns
• Define implementation roadmap and set up a PMO
Show Quick Wins
• Create policies, standards, and procedures
• Secure the mobile environment
• Develop stop gap measures to promote consistent deployment
Build a Governance Model
• Develop a model that includes roles, responsibilities, and decision flow charts for managing the direction of the program
Analyze and Address Risk
• Perform risk assessment
• Migrate to consistent MDM platform
• Identify BYOD implications
Deploy Mobile Strategy
• Implement key processes, technologies, controls, and user awareness initiatives
Operate and Maintain
• Measure and report on key program metrics
• Monitor compliance
Destination State
Organizational alignment
CIO Leadership and Oversight
Information Security & Compliance
Infrastructure
Service Desk
End-user Computing
• Driving overall mobility governance and strategy
• Policies, standards, and procedures
• PMO for mobility implementation
• Monitor compliance and end-user experience
• Implementing MDM and supporting infrastructure
• Production support, patching, upgrades
• Active Directory integration
• MDM policy configuration
• Procurement and acquisition
• Device inventory and EOL management
• Level 2/3 device and service support
• Billing and service provider management
• Process device provisioning and de-provisioning requests
• Incident and problem management
• Level 1 device and service support
• AD user and group management
Legal / HR
• Policy acknowledgement / awareness / training
• Assess legal / privacy / other regulatory implications
• Employment affairs
• On-boarding / off-boarding support
Mobile policy framework
Procurement and Liability
Policies, Procedures, and Controls
Level of Support
Manage and Control Costs
• User training and awareness
• Responsibilities and acceptable use
• Secure network and data access
• Protection of devices
• Acquisition and device lifecycle
• Approval for devices and applications
• Allowed devices and applications
• Device loss, end-of-life, replacements, repairs, and employee terminations
• Usage charges and cost management
• Support and procurement processes
• Supported devices
• Insurance and contracts
• Support from the device provider
• Support team and resources
• Security incident response
• Backup and retrieval of data
• Device replacements and repairs
• Hardware
• Service subscription
• Usage
Device:
• Employee owned vs. company owned
• Liability
• Procurement and cost management
Subscription:
• Employee paid vs. company paid
• Usage and monitoring
• Allowable limits
• Budgeting
• Monitoring
• IT cost management
Mobile deployment
Mobile security policy
Mobile device standards
User-to-device interaction
Device management
Device protection
Policy management
• Authentication
• Access / privilege / content restrictions
• Encryption
• Training / awareness
• Policy acknowledgement
• Wireless network
• Provisioning / de-provisioning
• Asset tracking
• Patching / updates
• Location
• Device security support
• Cost management
• Network access control
• Policy enforcement
• Anti-malware
• Intrusion detection and prevention
• Forensics
• Device integrity
• Access control
• Policy update
• Approved software
• Standard config
• Backup / Recovery
• Audit trails and incident mgmt.
• Compliance
Approach to mobile device lifecycle
Initiation
• Approval / authorization
• Awareness, training, and policy acknowledgment
• New user vs. new device
• License management
Provision
• Procurement and acquisition
• Establish security policies
• Passwords, encryption, anti-virus, peripheral controls
• Install and configure business applications
Production
• Patching and updates
• Backup device data
• Enforce security policies
• Monitor compliance, activity, security violations, and device inactivity
Decommission
• Disable and remotely wipe lost or stolen device
• Disable network / app access
• End-of-life device mgmt.
• Recycle / reuse corporate devices
Implementation summary
Factors | Implementation State | Key Considerations
Device Ownership | Corporate and Personal Devices | Corporate-owned devices are issued for specific levels or based on management approval.
MDM Platform | Zenprise (now Citrix) | Use a Secure Gateway to prevent “back-doors”.
Mobile Operating Systems | iOS and Android | Corporate owned devices are all iOS; however, Android is supported for personal devices.
Application Containers | Touchdown for Android | Native email is enabled for iOS.
Access to Data | Email, Calendar, Contacts; VPN access enabled via corporate VPN solution | Business and IT applications are being considered / developed.
Security Controls and Compliance Monitoring | Password configuration – length, complexity, expiration, timeouts; Content restrictions; LDAP integration; Policy violation enforcement | Considering additional security controls: Application blacklisting; Auto-expiration of inactive devices; Deactivation of non-supported devices
Closing thoughts
Lessons learned
Technology (MDM) alone will not solve BYOD challenges:
• Understand your environment - culture, objectives/strategy, infrastructure capabilities
• Don’t downplay the importance of governance, oversight, and strategy
• Find the right owner for MDM and make sure the support team is trained
Right size your mobility implementation:
• Develop a roadmap with a phased implementation approach – start small, with easier capabilities and show some quick wins
• Consider different use-cases, execute pilot / proof of concepts
• Develop a strong knowledge base, including detailed procedures for support teams and end-users
Connect with the end-users:
• Know your end-user community and their affinity for technology – organizations with a less tech-savvy community can require additional effort
• Communicate, over-communicate, and then some to the end-user community
Continuing this journey…
Completed
• Mobile device policy, standards, and procedures
• Acceptable use policy provisions
• MDM infrastructure implementation and configuration
• Limited BYOD roll-out and support
Work in progress
• Upgrading MDM infrastructure
• Enterprise-wide BYOD roll-out
• End-user training and awareness
• Assessing self-service capabilities
• Reviewing security and compliance monitoring features
Future Plans
• Continue expanding BYOD roll-out
• Mobile application development and provisioning to support business and IT needs
• Corporate mobile application store
• Optimize and automate mobile device monitoring controls
Thank you…
For more information, please contact:
Amandeep Lamba
Director, IT Risk & Security
PwC
301.943.8800
[email protected]
Colin Kibler
Director, Information Security & Compliance
PFG, Inc.
804.484.6227
[email protected]
© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.