Harry Contreras – CISSP
Mobility, Risk, Strategy & Policy
Addressing Mobile Business & Technology Issues
ISSA Phoenix Chapter - April, 2011 – Copyright 2011
Orienting mobile strategy to negotiate risk landscape obstacles
Presentation Outline (April 2011)
• Mobility issues facing businesses today
• Risk and liability issues
• Strategy development
• Policy program issues and concerns
• Delivery elements
• Summary with Q&A opportunity
• Resources & references: take away
Mobility Risk, Strategy and Policy
Four tracks: Risks, Strategy, Policy, Delivery
Risks: Identify the common and unique risks of mobile technology that are in scope for business use. Consider liability and the choices for risks accepted, avoided and transferred.
Strategy: Develop strategy within the framework of the identified risks that impact the business. With stakeholders, define the requirements that advance business objectives.
Policy: Authorize and endorse the corporate policy and standards for mobile technology use in the company. Communicate and train via compliance and security awareness programs.
Delivery: Identify the actions needed to deliver the mobile strategy: what it will take to support, maintain and keep current a complete plan for the enterprise.
Mobility Issues to Assess and Address
We will follow these four tracks throughout the presentation: Risks, Strategy, Policy, Delivery.
Risk: Risk & Liability Issues
Assessing company risk with mobile technologies
Establish understanding of company tolerance for risk
• Business culture
• Company compliance impact points
• Consumer technologies introduce new risk issues
Integrate cross-linkages with existing compliance issues
• Consult with your company Legal department
• Corporate governance determines
One of the first areas to “do your homework”.
Regulatory, Liability and Risk Landscape
Regulatory “entanglements”
• Personal, health and card holder privacy regulations
• SEC regulation
• Rule 26 / e-Discovery
• Forensics and investigations
• IRS regulation and reporting requirements
Company and operations specific issues
• Corporate contractual obligations
• Business “verticals”, i.e. health industry, government contracting
• Global operation regional issues, i.e. European works councils
Other “surprises” both foreign and domestic.
Business operating issues and risk posture
• Separation of asset ownership, i.e. BYO assets (more on this later)
• Business owned or employee owned
• Ownership and control of platform-resident data
• Business capitalization concerns
Employee privacy issues or business “enablers”: “invading technologies” to consider
• Presence
• Geo-location
• Tracking and utilization reporting
Identity-specific usage issues
• Business representative, i.e. how the phone number is associated
• Personal, non-Company persona
How much or how little is the Company willing to address.
Business issues and risks for BYO assets
• How far do company controls encroach on the personal device?
• Commingled personal and Company information
• Are business resources and services being “misappropriated”?
How do employees expect Company services at their disposal? Truth or fallacy? Reality check:
• Employees expect free-rein utilization of assets and services
• They do not want and will not tolerate limitations
Assessing risk and liability usage issues for BYO assets
• HR reports employees are doing “WHAT” with their devices?
• A client claims that an employee took a recording of their conversation
• Liability remains with the Company regardless of approach
Can you say it with me…“No employee entitlements to Company provisioned services for personal use.”
Tablets and smartphones in the enterprise
There are two types of risk. One, to the organization, of sensitive content being exposed if the device is lost, hacked or otherwise compromised. In some cases there are financial penalties for this, as well as costly notification practices that need to be complied with if it involves any customer data.
The other is to the employee. In the event of a legal action involving anything they may have been involved in, or a data call to “…produce any/all records related to XYZ,” the employee’s device may be subject to search. This could risk exposing their personal data, including passwords, contacts, browser history and other things they may not want their employer or others to have access to.
Commingling business/personal content and activity just plain isn’t good sense. Even a one-person consulting business keeps its personal and business financial assets/accounts independent of each other; why doesn’t it make the same sense to keep your information assets independent?
(Larry)
With this as a “backdrop” … “Discuss, discuss…”
Industry perspective – “Peersay”, NetworkWorld.com – 3/21/2011
Assessing company risk with mobile technologies
Original risk issues for mobile technologies remain
• Approaches for laptops and enterprise-architected solutions for mobile platforms (i.e. RIM, Good Technology) have addressed most of the risks over time
Newer mobile technologies bring added complexity
• Consumer-grade technologies are introducing and broadening the risk and threat horizon
• “Not ready for enterprise introduction”
• Patchwork quilt of solutions to weave together, for mixed results and effectiveness
• “Consumer use mentality” is the “insider threat” today.
Remember, once you go “Tablet” you can never go back.
Assessing company risk with mobile technologies
Presentation points in due diligence for a management briefing. Burying your head in the sand is not an option.
• Accept or Retain the identified risk. The risk is unlikely or the impact does not warrant further action; the company simply decides to bear any recovery costs.
• Avoid or Reject the risk. When the cost or likelihood of the risk is great, it is not feasible to continue in that area of activity: product, process or geography.
• Transfer or Share the risk. When the risk is part of the business operation and the cost is predictable, the company may elect to insure, warranty or contract (outsource).
• Mitigate or Reduce the risk. The identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact to the business.
• Ignore the risk. An identified option: consciously choosing to do nothing. Potential for catastrophic business impact and serious legal and liability repercussions.
Strategy: Strategy Development
Where is your strategy now? New or inherited mobile strategy
• What is in place now?
• Functional or “death spiral”?
• What is your charter for this initiative?
• Build new, or patch and repair?
What you may need or what may be missing: resources (any way you can get them allocated, internal or contracted)
• Enterprise Architect or IT Strategist
• Subject Matter Expert (SME) Engineer
• Analyst
• Project Manager
• Leadership/Management endorsement and oversight
The all important “management underwriting” license for change.
What is the approach for “services”? In-house vs. hosted
• Will need to build out or negotiate contract(s)
• Take the opportunity to research each option
• Can the business replicate what providers have already built?
Present-state analysis and comparison to the “to-be” state
• Are there any accounting stats or metrics to baseline?
• What is the cost of doing business today for the strategy?
• Can gains and improvements be attained with volume discounts?
• Will outsourcing “provisioning” be beneficial?
• Is “standardization” going to be an issue?
• Does your telecom services strategy run parallel or intersect?
• Is there an expectation or goal for cost/expense limitation?
Be on the lookout for “scope creep” around every corner.
Ask these same questions with the BYO assets approach
• How many personal plans on how many providers come into play?
• The BYO approach compounds the variables and dilutes volume plans.
Strategy: Plotting a Successful Strategy
[Chart: Mobile Strategy plotted on a Risk Tolerance axis (from “Anything goes” through “Adding controls” to “Overly draconian”) against a Cost Tolerance axis (from $0 to $$$$). At one extreme the model is unsupportable; at the other it is non-functional. Compliance issues sit along the path. The outcome is success or ultimate “fail”.]
Every business has its own “sweet spot”.
What are we up against with newer mobile technologies?
• Lack of built-in security
• Open and easily extensible operating architectures
• Poor control over devices
• Poor control over connectivity
• Weak connection security
• Weak authentication of user and device
• Poor working practices
• Compromise of stored data
Control, Contain, Maintain and Explain…
• Asset sprawl, capitalization, operational expense, support costs
• Policy, standardization, licensing
• Regulatory compliance, content management, security controls
• Add to and refine this list…
iPhones, Androids, and BlackBerrys… Oh My!
Several mobile security strategy approaches are available today
• Basic device management: use Microsoft ActiveSync (Exchange ActiveSync mailbox policies) for simple policy management.
• Enhanced device management: use mobile device management (MDM) software for more sophisticated control of company-issued devices.
• Walled garden / virtual workspace: allow corporate access from personal devices, but wall it off from the device’s personal content.
• Risk-based management: set policies that restrict corporate access for phones with high risk factors, such as unauthorized apps or out-of-date policies.
The more product solutions are applied – the more profits are eroded.
Some focus points for major solutions in your strategy
• Set strategy, policies and standards
• Deploy standard hardware, apps and security software
• Virus protection, firewalls; disable concurrent connection options
• Use device authentication to eliminate “rogue” devices connecting
• Consider two-factor authentication: smart cards, embedded tokens
• Harden / lock down operating systems and device options
• White-list authorized and supported applications (app fingerprinting)
• Implement software upgrade and patch management solutions
• Encrypt stored data and removable storage media
• Use remote kill and data wipe solutions
• Educate users on mobile use requirements/policy
• Provide helpdesk and IT support to mobile users
• Scan networks for unauthorized devices and connections
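The “risk-based management” approach above (restrict corporate access for devices with high risk factors) and the control checklist (device authentication, encryption, white-listed apps, patch currency) both come down to one gate: take the posture a device reports and decide allow, restrict or deny, with reasons that can be logged and explained to the user. The following is an added illustration written for this page, not code from the presentation or from any MDM or ActiveSync product; the posture fields, the approved-app list, the OS floors, the 7-day policy age, the 30-day patch age and the sample fleet are all constructed assumptions.

```python
"""Risk-based access gate for mobile devices (added example; all values assumed).

Hard findings (unenrolled, jailbroken, unencrypted, no passcode, unsupported
platform) deny corporate access outright. Softer drift (old OS, unauthorized
apps, stale policy, missing patches) quarantines the device until remediated.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ALLOW, QUARANTINE, BLOCK = "allow", "quarantine", "block"

# Constructed company standard (assumptions for this example).
APPROVED_APPS = {"com.example.mail", "com.example.vpn", "com.example.docs"}
MIN_OS_VERSION = {"ios": (4, 3), "android": (2, 3)}   # illustrative floors
MAX_POLICY_AGE = timedelta(days=7)    # policy must have synced this recently
MAX_PATCH_AGE = timedelta(days=30)    # OS/security update must be this recent


@dataclass
class Device:
    """Posture record as an MDM agent might report it (assumed field set)."""
    device_id: str
    platform: str
    os_version: tuple
    enrolled: bool            # device identity/certificate registered with the company
    encrypted: bool
    passcode_set: bool
    jailbroken: bool
    installed_apps: frozenset
    last_policy_sync: date
    last_patch: date


def evaluate(device: Device, today: date):
    """Return (decision, reasons); reasons are kept so the decision is explainable."""
    hard, soft = [], []

    if not device.enrolled:
        hard.append("device not enrolled: rogue/unauthenticated device")
    if device.jailbroken:
        hard.append("jailbroken or rooted")
    if not device.encrypted:
        hard.append("stored data not encrypted")
    if not device.passcode_set:
        hard.append("no device passcode")

    floor = MIN_OS_VERSION.get(device.platform)
    if floor is None:
        hard.append(f"unsupported platform: {device.platform}")
    elif device.os_version < floor:
        soft.append("OS " + ".".join(map(str, device.os_version)) + " below minimum")

    unauthorized = sorted(device.installed_apps - APPROVED_APPS)
    if unauthorized:
        soft.append("unauthorized apps: " + ", ".join(unauthorized))
    if today - device.last_policy_sync > MAX_POLICY_AGE:
        soft.append("policy out of date")
    if today - device.last_patch > MAX_PATCH_AGE:
        soft.append("patches out of date")

    if hard:
        return BLOCK, hard + soft
    if soft:
        return QUARANTINE, soft
    return ALLOW, []


TODAY = date(2011, 4, 20)   # constructed reference date

# Constructed sample fleet: one compliant, one drifting, one compromised, one unknown.
SAMPLE_DEVICES = [
    Device("corp-001", "ios", (4, 3), True, True, True, False,
           frozenset({"com.example.mail", "com.example.vpn"}),
           date(2011, 4, 18), date(2011, 4, 1)),
    Device("byo-002", "android", (2, 3), True, True, True, False,
           frozenset({"com.example.mail", "com.vendor.filesharing"}),
           date(2011, 3, 30), date(2011, 4, 10)),
    Device("byo-003", "ios", (4, 2), True, False, True, True,
           frozenset({"com.example.mail"}),
           date(2011, 4, 19), date(2011, 4, 15)),
    Device("unknown-004", "ios", (4, 3), False, True, True, False,
           frozenset(), date(2011, 4, 19), date(2011, 4, 15)),
]


def gate_fleet(devices=SAMPLE_DEVICES, today=TODAY):
    """Map each device ID to its access decision."""
    return {d.device_id: evaluate(d, today)[0] for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        decision, reasons = evaluate(d, TODAY)
        print(f"{d.device_id}: {decision}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

The split between hard and soft findings is the policy decision the deck is asking you to make: a quarantined user can still be told exactly what to fix, whereas a blocked device (unenrolled or jailbroken) is the case where remote wipe or revocation of the device credential is the next step, not a help-desk ticket.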
Technology Landscape Considerations
Which bands, services and operators, and where does your solution fit?
[Chart: Wireless Technology Continuum: GSM, UMTS, LTE; HSPA; CDMA, CDMA2000, UMB; 3G and 4G; WiFi; Bluetooth; WiMax]
What services and features fit into your business model?
• Multiple service bands: which ones are operator specific?
• Phone/voice capability with simultaneous data session capability
• What is the bandwidth overhead for the mobile application portfolio?
• Email: single Company source, or all services allowed?
• Internet browsing: allow all or filter? Liabilities?
• Are texting and Multimedia Messaging Services included in operating costs?
• Audio: allow personal music files? (How will you address licensing?)
• Allow audio recording capability? Liabilities?
• Allow video recording capability? Liabilities?
• Camera phone “follies” (your own mental image goes here)
• Limit instant messaging to in-house services, or allow all?
• Global Positioning System (GPS)
• Telepresence / video conferencing
• Is unified communications (UC) in your telecom plan?
All equate to bandwidth – Bandwidth equates to expense.
Strategy Analysis: The What, When, Why, How and Who
• What = Identify risks to the business
• When = Prioritize actions
• Why = Cost justification
• How = Solutions/mitigation approaches
• Who = Assign actions to carry out
Famous phrase applies here – “Choose wisely grasshopper.”
Policy: Policy Program
What is the approach for mobile “policy” issues?
First and foremost:
• Will need to be endorsed by corporate representation
• Take the opportunity to review and align; consider the following:
• Business culture
• Compliance and regulations
• Risk mitigation targets
What is required in policy statements?
• Are policy statements expectations for behavioral controls?
• Are policy statements declarations of automated enforcement?
• It can be one, the other or a combination in policy
What did we have to say about that in the Acceptable Use Policy?
Other considerations for “Mobile Technology Use Policy”
• Consult with the Legal team
• Inclusion of “opt-in”: employee sign-off on the mobile policy wherever a personally owned device enters the program
• Objective: acknowledging company controls and expectations when an “event” condition occurs, and the implications for personal information and access to the personal device
“Bricking” is a last resort
• Rendering a field unit inoperable has consequences, both good and bad
• Is it the only communication resource for the employee?
• Read in health, safety and other personnel issues here…
What did we have to say about that in the Acceptable Use Policy?
Policy Program: Hierarchy of Policies (diagram)
• Overarching Global Policy (Core): authorized and endorsed; Acceptable Use
• Privacy and Data Protection Policy (Core) & AUP: Acceptable Use Policy endorsed by Human Resources, Legal and Compliance
• IT Security Policy Manual: implementation policy details
• Security Position Statements: address new technologies, mitigating immediate business risks
• Subordinate IT Security Standards: detailed technology specs, required compliance controls
• IT Security Awareness Materials: awareness library of tools and resources
• Mobile Technology Policy Opt-In (sign-off) to participate in the Company plan
Delivery: Delivering the Strategy
What to include in the Delivery plan
First and foremost:
• Must be manageable
• Must be supportable
• Must be affordable
• Must be sustainable
• Is it aligned with the business use model?
• Addresses compliance and regulations
• Can assets be forensically interrogated?
• Risk mitigation targets must be addressed
• Data escape controls in place
What next? Once you embark on a plan of action, course corrections will impact all of the previously defined variable elements.
Delivery element analysis: The What, When, Why, How and Who
• Why = Business objectives for mobility
• What = Strategy, policy and technologies
• How = Delivery plan
• Who = Resources, personnel and funding
• When = Delivery timeline
Critical Success Factors
• Security: be recognized as the visionary security leader that collaboratively consults with the business.
• Security: enable the business with compliant and consistent security policy and controls, focused on secure future computing within the Company.
• Security: ensure governed, integrated protection for the entire Company and its resources.
Summary (Risk, Strategy, Policy, Delivery)
Sustaining security objectives for the organization
Protecting colleagues, company assets and reputation
Mobility, Risk, Strategy & Policy: Addressing Mobile Business & Technology Issues
Conclusion – Question & Answers
- Disclaimer -“Not a lawyer.”
This presentation is available at: http://www.slideshare.net/hcontrex
References – Resources
• Information Week, Grant Moerschel, Jan 29, 2011: 4 Strategies To Lower Mobile Device Risk
• NetworkWorld, Toolshed: Mark Gibbs, Feb 7, 2011: Mobile Devices: You’re losing control
• SC Magazine, Greg Masters, Feb 17, 2010: On the go: Mobile Security (http://scmagazineus.com)
• Information Week, David F. Carr, Dec 6, 2010: iPad in the Enterprise
• ComputerWorld, Security Manager’s Journal: Mathias Thurman, Mar 22, 2010: BYOPC won’t be a party for security
• ComputerWorld, Opinion: Steven J. Vaughan-Nichols, Mar 21, 2011: I Want My iPad at Work!
• ProfitLine, White Paper, Nov 2009: Culture Shift: The most overlooked aspect of deploying smart devices in the enterprise