Tip

Security for mobile devices: ISACA guidelines for Infosec managers

Searchsecurity.in Editorial Staff

ISACA has come up with a new whitepaper covering security threats related to the use of mobile devices in enterprise environments. This whitepaper (titled 'Securing Mobile Devices') mainly outlines the risks,

Requires Free Membership to View

threats and vulnerabilities pertaining to use of mobile devices, and suggests guidelines for devising strategies to ensure security for mobile devices.  
 

More resources on security for mobile devices
Mobile security threats

Defining your mobile security policy

Mobile security policies: Why a policy is important

What are some of the best ways to ensure mobile security?

 The use of wireless networks, typically less secure than wired networks, leaves information at greater risk for interception, notes ISACA. From smart phones to USB sticks, many devices store unencrypted data, which can result in sensitive information being compromised through interception and device theft or loss. Mobile devices can also be the targets of malware attacks, as employees carry them beyond the protection of their company's network. Lack of enterprise control of physical devices, along with the growing practice of employees using personal devices for business, has increased mobile device risk levels. 

As mobile devices become a prominent tool for business operations, security managers need to consider ways to manage the associated risks. IT professionals should update existing, or create new strategies that provide security for mobile devices.

While creating the mobile device security strategy as an infosec manager, you must think about issues such as organizational culture, technology and governance.  A sound mobile device security strategy will include asset management, policy, technical controls, and awareness training.

While forming the policy to secure mobile devices, the following aspects should be considered:
• Define the allowed device types (enterprise-issued only versus allowing personal devices and types of devices such as BlackBerry or iPhone)
• Define the nature of services accessible through these devices, taking into account your existing IT architecture
• Identify how people use these devices. Factor in the fact that corporate culture as well as human factors and execution of processes through the use of mobile devices may lead to unpredictable risks
• Integrate all enterprise-issued mobile devices into an asset management program
• Describe the type of authentication and encryption that must be present on the mobile devices
• Outline tasks for which employees may use the mobile devices as well as the types of allowed applications
• Clarify how to securely store and transmit data

Security for mobile devices must be comprehensive and cover the full device lifecycle support. The security controls for mobile devices should include strong (multifactor) authentication, data ciphering, warranty of application integrity, service lifecycle management, as well as traceability of usage for all mobile devices and applications used inside the enterprise infrastructure. While forming the security policy for mobile devices, the information  security manager must keep in mind that it has to be enforceable on varied devices, centrally manageable, simple to implement and support, flexible for administering users and devices, focused on hindering loss or theft, auditable, tested and verified in disaster response, and attentive to possible external threats.

This was first published in August 2010

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.