ISACA has published a new whitepaper on the security threats that arise from the use of mobile devices in enterprise environments. The whitepaper, titled 'Securing Mobile Devices', mainly outlines the risks,
The use of wireless networks, which are typically less secure than wired networks, leaves information at greater risk of interception, ISACA notes. From smartphones to USB sticks, many devices store data unencrypted, so sensitive information can be compromised through interception or through device theft or loss. Mobile devices are also targets for malware, because employees carry them beyond the protection of the corporate network. The lack of enterprise control over the physical devices, together with the growing practice of employees using personal devices for business, has raised the overall level of mobile device risk.
As mobile devices become a prominent tool for business operations, security managers need to consider how to manage the associated risks. IT professionals should update their existing strategies, or create new ones, to secure mobile devices.
When creating the mobile device security strategy as an infosec manager, you must take into account organizational culture, technology and governance. A sound mobile device security strategy will include asset management, policy, technical controls and awareness training.
When forming the policy to secure mobile devices, consider the following aspects:
• Define the allowed device types: enterprise-issued only versus also allowing personal devices, and which kinds of devices (for example BlackBerry or iPhone) are permitted
• Define the nature of the services accessible through these devices, taking your existing IT architecture into account
• Identify how people actually use these devices. Bear in mind that corporate culture, human factors and the execution of business processes on mobile devices may lead to unpredictable risks
• Integrate all enterprise-issued mobile devices into an asset management program
• Specify the type of authentication and encryption that must be present on the mobile devices
• Outline the tasks for which employees may use the mobile devices, as well as the types of applications that are allowed
• Clarify how data is to be securely stored and transmitted
Security for mobile devices must be comprehensive and cover the full device lifecycle. The security controls for mobile devices should include strong (multifactor) authentication, data encryption, assurance of application integrity, service lifecycle management, and traceability of usage for all mobile devices and applications used within the enterprise infrastructure. When forming the security policy for mobile devices, the information security manager must keep in mind that it has to be enforceable across varied devices, centrally manageable, simple to implement and support, flexible in administering users and devices, focused on preventing and limiting the impact of device loss or theft, auditable, tested and verified as part of disaster response, and attentive to possible external threats.
This was first published in August 2010
