Mobility Risk, Strategy and Policy
Mobility Risk, Strategy and Policy Presentation Transcript

  • 1. Mobility, Risk, Strategy & Policy - Addressing Mobile Business & Technology Issues
    Orienting mobile strategy to negotiate risk landscape obstacles
    Harry Contreras, CISSP - ISSA Phoenix Chapter, April 2011 - Copyright 2011
  • 2. Presentation Outline
      • Mobility issues facing businesses today
      • Risk and liability issues
      • Strategy development
      • Policy program issues and concerns
      • Delivery elements
      • Summary with Q&A opportunity
      • Resources & references (take away)
  • 3. Mobility Issues to Assess and Address
    Risks: Identify the common and unique risks of mobile technology that are in scope for business use. Consider liability and the choices for risks accepted, avoided and transferred.
    Strategy: Develop strategy within the framework of the identified risks that impact the business. With stakeholders, define the requirements that meet the elements for advancing business objectives.
    Policy: Authorized and endorsed corporate policy & standards for mobile technology use in the company. Communicate and train via compliance & security awareness programs.
    Delivery: Identify the actions to deliver a mobile strategy. What it will take to support, maintain and sustain, with currency, a complete plan for an enterprise.
    We will follow these four tracks throughout the presentation: Risks, Strategy, Policy, Delivery.
  • 4. Risk & Liability Issues - Assessing company risk with mobile technologies
    Establish an understanding of the company's tolerance for risk
      • Business culture
      • Company compliance impact points
      • Consumer technologies introduce new risk issues
    Integrate cross-linkages with existing compliance issues
      • Consult with your company Legal department
      • Corporate governance determines
    One of the first areas to "do your homework".
  • 5. Risk & Liability Issues - Regulatory, Liability and Risk Landscape
    Regulatory "entanglements"
      • Personal, health and cardholder privacy regulations
      • SEC regulation
      • Rule 26 / e-Discovery
      • Forensics and investigations
      • IRS regulation and reporting requirements
    Company and operations specific issues
      • Corporate contractual obligations
      • Business "verticals" - i.e. health industry, government contracting
      • Global operation regional issues - i.e. European works councils
    Other "surprises", both foreign and domestic.
  • 6. Risk & Liability Issues
    Business operating issues and risk posture
      • Separation of asset ownership - i.e. BYO assets (more on this later)
      • Business owned or employee owned
      • Ownership and control of platform-resident data
      • Business capitalization concerns
    Employee privacy issues or business "enablers"
      • "Invading technologies" to consider: presence, geo-location, tracking and utilization reporting
    Identity-specific usage issues
      • Business representative - i.e. how the phone number is associated
      • Personal, non-company persona
    How much or how little is the company willing to address?
  • 7. Risk & Liability Issues
    Business issues and risks for BYO assets
      • How far do company controls encroach on the device?
      • Commingled personal and company information
      • Are business resources and services being "misappropriated"?
    How do employees expect company services at their disposal? Truth or fallacy? Reality check:
      • Employees expect free-rein utilization of assets and services
      • They do not want, and will not tolerate, limitations
    Assessing risk and liability usage issues for BYO assets
      • HR reports employees are doing "WHAT" with their devices?
      • A client claims that an employee took a recording of their conversation
      • Liability remains with the company regardless of approach
    Can you say it with me: "No employee entitlements to company-provisioned services for personal use."
  • 8. Risk & Liability Issues - Industry perspective
    "Peersay", NetworkWorld.com, 3/21/2011: Tablets and smartphones in the enterprise
      "There are two types of risk. One, to the organization, of sensitive content being exposed if the device is lost, hacked or otherwise compromised. In some cases there are financial penalties for this, as well as costly notification practices that need to be complied with if it involves any customer data.
      The other is to the employee. In the event of a legal action involving anything they may have been involved in, or a data call to '...produce any/all records related to XYZ,' the employee's device may be subject to search. This could risk exposing their personal data, including passwords, contacts, browser history and other things they may not want their employer or others to have access to.
      Commingling business/personal content and activity just plain isn't good sense. Even a one-person consulting business keeps its personal and business financial assets/accounts independent of each other; why doesn't it make the same sense to keep your information assets independent?" - Larry
    With this as a "backdrop" ... "Discuss, discuss..."
  • 9. Risk & Liability Issues - Assessing company risk with mobile technologies
    Original risk issues for mobile technologies remain
      • Approaches for laptops and enterprise-architected solutions for mobile platforms (i.e. RIM, Good Technology) have addressed most of the risks over time
    Newer mobile technologies bring added complexity
      • Consumer-grade technologies are introducing and broadening the risk and threat horizon
      • "Not ready for enterprise introduction"
      • A patchwork quilt of solutions to weave together, with mixed results and effectiveness
      • The "consumer use mentality" is the "insider threat" today
    Remember, once you go "Tablet" you can never go back.
  • 10. Risk & Liability Issues - Assessing company risk with mobile technologies
      • Accept or retain the identified risk. The risk is unlikely or the impact does not warrant any further action; the company simply decides to bear any recovery costs.
      • Avoid or reject the risk. When the cost or likelihood of the risk is great, it is not feasible to continue in that area of activity - product, process or geography.
      • Transfer or share the risk. When the risk is part of the business operation and the cost is predictable, the company may elect to insure, warranty or contract (outsource).
      • Mitigate or reduce the risk. The identified risk(s) are core to the business, and controls are implemented to reduce likelihood and impact to the business.
      • Ignore the risk. An identified option of choice: to consciously do nothing. Potential for catastrophic business impact and serious legal and liability repercussions. Burying your head in the sand is not an option.
    Presentation points in due diligence for a management briefing.
  • 11. Strategy Development - Where is your strategy now?
    New or inherited mobile strategy
      • What is in place now?
      • Functional or "death spiral"?
      • What is your charter for this initiative?
      • Build new, or patch and repair?
    What you may need or what may be missing - resources (any way you can get them allocated, internal or contracted)
      • Enterprise Architect or IT Strategist
      • Subject Matter Expert (SME) Engineer
      • Analyst
      • Project Manager
      • Leadership/management endorsement and oversight
    The all-important "management underwriting" license for change.
  • 12. Strategy Development
    What is the approach for "services"?
      • In-house vs. hosted
      • Will need to build out or negotiate contract(s)
      • Take the opportunity to research each option
      • Can the business replicate what providers have already built?
    Present-state analysis and comparison to the "to-be" state
      • Are there any accounting stats or metrics to baseline?
      • What is the cost of doing business today for the strategy?
      • Can gains and improvements be attained with volume discounts?
      • Will outsourcing "provisioning" be beneficial?
      • Is "standardization" going to be an issue?
      • Does your telecom services strategy run parallel or intersect?
      • Is there an expectation or goal for cost/expense limitation?
    Be on the lookout for "scope creep" around every corner.
  • 13. Strategy Development - Ask these same questions with the BYO assets approach
    What is the approach for "services"?
      • In-house vs. hosted
      • Will need to build out or negotiate contract(s)
      • Take the opportunity to research each option
      • Can the business replicate what providers have already done?
    Present-state analysis and comparison to the "to-be" state
      • Are there any accounting stats or metrics to baseline?
      • What is the cost of doing business today for the strategy?
      • Can gains and improvements be attained with volume discounts?
      • Will outsourcing "provisioning" be beneficial?
      • Is "standardization" going to be an issue?
      • Does your telecom services strategy run parallel or intersect?
      • How many personal plans on how many providers come into play?
    The BYO approach compounds the variables and dilutes volume plans.
  • 14. Strategy Development - Adding Controls: Plotting a Successful Strategy
    [Chart: cost tolerance on the y axis ($ to $$$$) against risk tolerance on the x axis (- to +). Curves labelled "Mobile Strategy" and "Compliance Issues". Region labels: "Anything goes", "Non-functional", "Unsupportable Model", "Overly draconian", "Success or Ultimate 'Fail'".]
    Every business has its own "Sweet Spot".
  • 15. Strategy Development - What are we up against with newer mobile technologies?
      • Lack of built-in security
      • Open and easily extensible operating architectures
      • Poor control over devices
      • Poor control over connectivity
      • Weak connection security
      • Weak authentication of user and device
      • Poor working practices
      • Compromise of stored data
    Control, contain, maintain and explain...
      • Asset sprawl, capitalization, operational expense, support costs
      • Policy, standardization, licensing
      • Regulatory compliance, content management, security controls
      • Add to and refine this list...
    iPhones, Androids, and BlackBerrys... Oh my!
  • 16. Strategy Development - Several mobile security strategy approaches available today
      • Basic device management - use Microsoft Exchange ActiveSync policies for simple policy management (passcode, encryption, lock timeout, remote wipe).
      • Enhanced device management - use mobile device management (MDM) software for more sophisticated control of company-issued devices.
      • Walled garden / virtual workspace - allow corporate access from personal devices, but wall it off from the device's personal content.
      • Risk-based management - set policies that restrict corporate access for phones with high risk factors, such as unauthorized apps or out-of-date policies.
    The more product solutions are applied, the more profits are eroded.
  • 17. Strategy Development - Some focus points for major solutions in your strategy
      • Set strategy, policies and standards
      • Deploy standard hardware, apps and security software: virus protection, firewalls, disable concurrent connection options
      • Use device authentication to eliminate "rogue" devices connecting
      • Consider two-factor authentication - smart cards, embedded tokens
      • Harden / lock down operating systems and device options
      • Whitelist authorized and supported applications - app fingerprinting
      • Implement software upgrade and patch management solutions
      • Encrypt stored data and removable storage media
      • Use remote kill and data wipe solutions
      • Educate users on mobile use requirements/policy
      • Provide helpdesk and IT support to mobile users
      • Scan networks for unauthorized devices and connections
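    The "basic" and "risk-based" approaches on slide 16 and the whitelist / fingerprinting / encryption points on slide 17 come together in a device compliance check: each enrolled device is evaluated against the policy and either allowed, quarantined until remediated, or blocked. The script below is an added example written for this transcript, not code from the presentation or from any MDM product. The policy thresholds, the app whitelist with its fingerprints, and the device inventory records are all constructed for illustration; a real deployment would pull the inventory from the MDM or ActiveSync server and the fingerprints from the app packages it actually approved.

```python
"""Risk-based mobile device compliance check (added example, illustrative values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# "Basic device management" elements in the style of an ActiveSync mailbox policy,
# plus the "risk-based" elements (OS floor, policy freshness). Values are assumptions.
POLICY = {
    "min_passcode_length": 8,
    "require_encryption": True,
    "max_inactivity_lock_minutes": 15,
    "max_policy_age_hours": 72,
    "min_os_version": {"ios": (4, 3), "android": (2, 3)},
}

# App whitelist: bundle id -> expected package fingerprint (constructed placeholders).
APP_WHITELIST: Dict[str, str] = {
    "com.example.mail": "3f9c0b1e",
    "com.example.vpn": "7a44d2c9",
}


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    passcode_length: int
    encrypted: bool
    inactivity_lock_minutes: int
    policy_applied_at: datetime
    installed_apps: Dict[str, str] = field(default_factory=dict)  # id -> fingerprint


@dataclass
class Decision:
    device_id: str
    status: str  # "allow", "quarantine" or "block"
    findings: List[str] = field(default_factory=list)


def evaluate(device: Device, now: datetime) -> Decision:
    """Apply the policy to one device and decide whether it gets corporate access."""
    block: List[str] = []
    quarantine: List[str] = []

    # Basic device management: controls that protect data at rest. A device failing
    # these exposes content the moment it is lost, so it is blocked outright.
    if POLICY["require_encryption"] and not device.encrypted:
        block.append("storage not encrypted")
    if device.passcode_length < POLICY["min_passcode_length"]:
        block.append(f"passcode shorter than {POLICY['min_passcode_length']}")
    if device.inactivity_lock_minutes > POLICY["max_inactivity_lock_minutes"]:
        block.append("inactivity lock exceeds policy maximum")

    # Risk-based management: conditions that raise risk but can be remediated, so
    # corporate access is suspended until the device is brought back into line.
    min_ver = POLICY["min_os_version"].get(device.platform)
    if min_ver is None:
        quarantine.append(f"unsupported platform {device.platform}")
    elif device.os_version < min_ver:
        quarantine.append("OS version below minimum")
    if now - device.policy_applied_at > timedelta(hours=POLICY["max_policy_age_hours"]):
        quarantine.append("policy out of date")
    for app_id, fingerprint in device.installed_apps.items():
        expected = APP_WHITELIST.get(app_id)
        if expected is None:
            quarantine.append(f"unauthorized app {app_id}")
        elif expected != fingerprint:
            quarantine.append(f"fingerprint mismatch for {app_id}")

    if block:
        return Decision(device.device_id, "block", block + quarantine)
    if quarantine:
        return Decision(device.device_id, "quarantine", quarantine)
    return Decision(device.device_id, "allow")


# Constructed sample inventory: one compliant corporate device, one BYO device with a
# stale policy and an unauthorized app, one BYO device with no data-at-rest protection.
NOW = datetime(2011, 4, 12, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Device("corp-001", "ios", (4, 3), 8, True, 10, NOW - timedelta(hours=6),
           {"com.example.mail": "3f9c0b1e"}),
    Device("byo-002", "android", (2, 3), 8, True, 15, NOW - timedelta(days=5),
           {"com.example.mail": "3f9c0b1e", "com.example.game": "deadbeef"}),
    Device("byo-003", "ios", (4, 2), 4, False, 30, NOW - timedelta(hours=1),
           {"com.example.vpn": "7a44d2c9"}),
]


def run_inventory(devices=SAMPLE_INVENTORY, now=NOW) -> Dict[str, Decision]:
    """Evaluate every device and return the decisions keyed by device id."""
    return {d.device_id: evaluate(d, now) for d in devices}


if __name__ == "__main__":
    for dec in run_inventory().values():
        print(dec.device_id, dec.status, "; ".join(dec.findings) or "compliant")
```

    The split between "block" and "quarantine" is the design point: a missing passcode or unencrypted storage is a data-exposure condition that no amount of later remediation undoes for a device already lost, whereas a stale policy or an unapproved app is a risk signal that justifies suspending access until the user fixes it. Matching apps by fingerprint rather than by name is what stops a repackaged build of an approved app from passing the whitelist.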
  • 18. Strategy Development
    [Figure slide; no text in the transcript.]
  • 19. Strategy Development - Technology Landscape Considerations
    Wireless technology continuum: GSM, UMTS, LTE, HSPA; CDMA, CDMA2000, UMB; 3G, 4G; WiFi, WiMax, Bluetooth
    Which bands, services and operators, and where does your solution fit?
  • 20. Strategy Development - What services and features fit into your business model?
      • Multiple service bands - which ones are operator specific?
      • Phone / voice capability with simultaneous data session capability
      • What is the bandwidth overhead for the mobile application portfolio?
      • Email - single company source or all services allowed?
      • Internet browsing - allow all or filter? Liabilities?
      • Are texting and Multimedia Messaging Services included in operating costs?
      • Audio - allow personal music files? (How will you address licensing?) Allow audio recording capability? Liabilities?
      • Allow video recording capabilities? Liabilities?
      • Camera phone "follies" - (your own mental image goes here)
      • Limit instant messaging to in-house services or allow all?
      • Global Positioning System (GPS)
      • Telepresence / video conferencing
      • Is unified communications (UC) in your telecom plan?
    All equate to bandwidth, and bandwidth equates to expense.
  • 21. Strategy Development - Strategy Analysis: The What, When, Why, How and Who
      • What = Identify risks to the business
      • When = Prioritize actions
      • Why = Cost justification
      • How = Solutions/mitigation approaches
      • Who = Assign actions to carry out
    A famous phrase applies here: "Choose wisely, grasshopper."
  • 22. Policy Program - What is the approach for mobile "policy" issues?
    First and foremost:
      • Will need to be endorsed by corporate representation
      • Take the opportunity to review and align
      • Consider the following: business culture; compliance & regulations; risk mitigation targets
    What is required in policy statements?
      • Are policy statements expectations for behavioral controls?
      • Are policy statements declarations of automated enforcement?
      • A policy can be one, the other, or a combination
    What did we have to say about that in the Acceptable Use Policy?
  • 23. Policy Program - Other considerations for a "Mobile Technology Use Policy"
    Consult with the Legal team
      • Inclusion of "opt-in" - employee sign-off on the mobile policy wherever any "personally owned device" enters into the program
      • Objective: acknowledging company controls and expectations when an "event" condition occurs, and the implications for personal information and access to the personal device
    "Bricking" is a last resort
      • Rendering a field unit inoperable has consequences, both good and bad
      • Is it the only communication resource for the employee?
      • Read in health, safety and other personnel issues here...
    What did we have to say about that in the Acceptable Use Policy?
  • 24. Policy Program - Hierarchy of Policies
    [Diagram; levels from top to bottom:]
      • Overarching Global Policy (Core): IT Security Policy Manual - authorized & endorsed
      • Acceptable Use Policy (AUP) and Privacy and Data Protection Policy - implementation policy details endorsed by Human Resources, Legal and Compliance
      • Security Position Statements (Core) - address new technologies & mitigate immediate business risks; the AUP Mobile Technology Policy, with opt-in (sign-off) to participate in the company plan
      • Subordinate Security Standards - detailed technology specs and required compliance controls
      • Security Awareness Content - awareness library of tools & resources
    Supporting artifacts: Security Position Statements, IT Security Policy Manual, IT Security Standards, IT Security Awareness Materials
  • 25. Delivering the Strategy - What to include in the delivery plan
    First and foremost, it:
      • Must be manageable
      • Must be supportable
      • Must be affordable
      • Must be sustainable
      • Is aligned with the business use model
      • Addresses compliance & regulations
      • Can assets be forensically interrogated?
      • Risk mitigation targets must be addressed
      • Data escape controls in place
    What next? Once you embark on a plan of action, course corrections will impact all of the previously defined variable elements.
    Critical success factors.
  • 26. Delivering the Strategy - Delivery element analysis: The What, When, Why, How and Who
      • Why = Business objectives for mobility
      • What = Strategy, policy and technologies
      • How = Delivery plan
      • Who = Resources, personnel and funding
      • When = Delivery timeline
    Critical success factors.
  • 27. Summary - Sustaining Security Objectives for the Organization
      • Security - Be recognized as the visionary security leaders who collaboratively consult with the business.
      • Security - Enable the business with compliant and consistent security policy and controls, focused on secure future computing within the company.
      • Security - Ensure governed, integrated protection for the entire company and its resources.
    Protecting colleagues, company assets and reputation: Risk, Strategy, Policy, Delivery.
  • 28. Mobility, Risk, Strategy & Policy - Addressing Mobile Business & Technology Issues
    Conclusion - Questions & Answers
    Disclaimer: "Not a lawyer."
    This presentation is available at: http://www.slideshare.net/hcontrex
    H. Contreras, CISSP - ISSA Phoenix Chapter, April 2011 - Copyright 2011
  • 29. References - Resources
      • Information Week, Grant Moerschel, Jan 29, 2011: "4 Strategies To Lower Mobile Device Risk"
      • NetworkWorld, Toolshed: Mark Gibbs, Feb 7, 2011: "Mobile Devices: You're losing control"
      • SCMagazine, Greg Masters, Feb 17, 2010: "On the go: Mobile Security" (http://scmagazineus.com)
      • Information Week, David F. Carr, Dec 6, 2010: "iPad in the Enterprise"
      • ComputerWorld, Security Manager's Journal: Mathias Thurman, Mar 22, 2010: "BYOPC won't be a party for security"
      • ComputerWorld, Opinion: Steven J. Vaughan-Nichols, Mar 21, 2011: "I Want My iPad at Work!"
      • ProfitLine, White Paper, Nov 2009: "Culture Shift - The most overlooked aspect of deploying smart devices in the enterprise"