Description of major risks and control issues surrounding mobile devices: data losses, device security, application development, relevant control frameworks and auditing considerations
Control Issues and Mobile Devices<br />ACC626 Term Paper SlideCast<br />Prepared for: Professor Malik Datardina<br />Sunny Cheung<br />Due Date: June 30, 2011<br />

Introduction<br />
<ul>
<li>At the end of 2010, there were 5.3 billion mobile subscriptions in the world, covering 77% of the world population</li>
<li>A survey showed that organizations are reliant on mobile devices and all corporations use them for work on a daily basis</li>
</ul>

Definition of Mobile Devices<br />
<ul>
<li>Personal Digital Assistants (PDAs)
<ul><li>Example: Palm</li></ul></li>
<li>Tablet Devices
<ul><li>Example: iPad, PlayBook</li><li>Excludes Tablet PCs</li></ul></li>
<li>Cellular Phones
<ul><li>Smartphones</li><li>Feature phones</li></ul></li>
</ul>

Benefits for Enterprises<br />
<ul>
<li>Increased workforce productivity</li>
<li>Improved customer service
<ul><li>Response to customer problems or questions at any time</li><li>Improved turnaround times for problem resolution</li></ul></li>
<li>Increased business process efficiency</li>
<li>Employee security and safety</li>
<li>Employee retention</li>
</ul>

Why should C-Suite Executives and Accountants care?<br />
<ul>
<li>Mobile device risks can bring severe financial and reputational damage</li>
<li>Mobile devices form a significant part of the client’s IT environment and are therefore in scope for the internal control review</li>
<li>Mobile device security affects regulatory compliance, e.g. SOX, California SB 1386, and Gramm-Leach-Bliley</li>
</ul>

Risks and Control Issues to be Discussed:<br />
<ul>
<li>Topic 1: Data Loss Risk</li>
<li>Topic 2: Device Software Security Risk</li>
<li>Topic 3: Application Development Controls</li>
<li>Topic 4: Other Control Issues</li>
<li>Topic 5: Relevant Control Frameworks</li>
</ul>
Data Loss Risk<br />

Implication of Data Loss<br />
<ul>
<li>Exposure of confidential and proprietary data</li>
<li>Financial, operational, and reputational damages</li>
<li>Potential liability and litigation from customers and regulators</li>
</ul>

Sources of Data Loss<br />

Physical Safeguard<br />
<ul>
<li>Mobile devices are easily misplaced or susceptible to theft
<ul><li>Biggest source of data loss</li><li>1/20 corporate devices are lost</li></ul></li>
<li>Financial consequences</li>
<li>Loss of productivity</li>
</ul>
Recommendations<br />
<ul>
<li>Use location-based technology to track devices</li>
<li>Install anti-phone-theft software</li>
<li>Develop clear procedures to be taken when a device is lost or stolen</li>
</ul>
Interception of Wirelessly Transmitted Data<br />
<ul>
<li>Transmission through 3G, EDGE, GPRS, Wi-Fi and Bluetooth is all wireless</li>
<li>Can be intercepted if not protected or encrypted</li>
<li>Calls through the carrier or VoIP can be eavesdropped</li>
</ul>
Recommendations<br />
<ul>
<li>Only use password-protected Wi-Fi networks</li>
<li>Use SSL, VPN, or IPsec for transmission of sensitive information</li>
<li>Use Citrix Receiver or VMware View to connect to the corporate network</li>
<li>Make sensitive phone calls through a landline</li>
</ul>
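The recommendation above to use SSL for sensitive traffic only helps if the client actually verifies whom it is talking to. The following Python is an added example written for this page, not code from the slide deck: it places the weak client configuration (TLS switched on, but any certificate and any server name accepted) next to a hardened client context, and gives an audit function that an assurance reviewer could run against an application's context object. The function names, the `SENSITIVE_PORT` constant and the `open_sensitive_channel` helper are my own assumptions; only the standard library `ssl` and `socket` modules are used.

```python
import socket
import ssl
from typing import List, Optional

SENSITIVE_PORT = 443  # assumed default for the corporate endpoint


def insecure_context() -> ssl.SSLContext:
    """Weak setting: TLS is negotiated, but certificate and hostname checks are off,
    so an interposed party can present its own certificate and read the traffic.
    Kept here only so that audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: verify the server certificate against a trusted CA bundle
    (system store by default), bind it to the requested hostname, refuse legacy
    protocol versions and TLS-level compression."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of control weaknesses found in a client context.
    An empty list means the context meets the recommendation."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate_verification_disabled")
    if not ctx.check_hostname:
        findings.append("hostname_check_disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy_tls_versions_allowed")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("tls_compression_enabled")
    return findings


def open_sensitive_channel(host: str, port: int = SENSITIVE_PORT,
                           ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a verified TLS connection; server_hostname ties the certificate check
    to the name the client intended to reach. Not exercised offline."""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak client  :", audit_context(insecure_context()))
    print("hardened     :", audit_context(hardened_context()))
```

The audit checks are the ones a reviewer can verify without network access; whether the resulting connection reaches a VPN concentrator, a Citrix or VMware View gateway, or the application server directly does not change them.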
Unauthorized Access to Devices and Data Flow<br />
<ul>
<li>Unauthorized access if devices do not have a strong authentication requirement</li>
<li>Employees connect and sync devices with non-corporate computers</li>
</ul>
Recommendations<br />
<ul>
<li>Set a passcode for all devices</li>
<li>Avoid easily guessed passcodes</li>
<li>Auto-lock after a period of inactivity</li>
<li>Restrict device connection and syncing with non-corporate computers</li>
</ul>

Corporate-wide Policy Recommendations<br />
<ul>
<li>Encrypt all data using secure encryption protocols (e.g. AES-256)</li>
<li>Frequent data backup</li>
<li>Cloud backup</li>
<li>Educate employees about data loss implications and safeguard methods</li>
</ul>
Device Software Security Risk<br />

Sources of Mobile Malware<br />
<ul>
<li>Downloading of infected applications</li>
<li>Malware posing as updates</li>
<li>Infected memory cards</li>
<li>Malware-based attacks on devices</li>
</ul>

Implication of Mobile Malware<br />
<ul>
<li>Spread of malicious code among corporate servers and systems</li>
<li>Theft of classified information</li>
<li>Propagation of other Trojans or viruses</li>
<li>Machine malfunctions</li>
</ul>
Recommendations<br />
<ul>
<li>Install mobile anti-virus and security software</li>
<li>Use mobile anti-spam filters</li>
<li>Update device firmware and apply patches on a timely basis</li>
<li>Restrict employees from downloading and installing applications</li>
<li>Devices should not be modified (i.e. jailbroken or rooted)</li>
</ul>
Application Development Controls<br />

Corporate Mobile Applications<br />
<ul>
<li>Allow new ways to work or interact with customers</li>
<li>39% of organizations already have custom apps, with 30% planning to deploy within 2 years</li>
<li>2 deployment options: web-based applications and native applications</li>
</ul>

Web-Based Applications<br />
<ul>
<li>Accessed through the device’s web browser</li>
<li>Advantages:
<ul><li>Usable on multiple platforms</li><li>No new programming language (HTML/JavaScript)</li><li>Variant of the desktop version, created by adding a mobile interface</li></ul></li>
</ul>

Native Applications<br />
<ul>
<li>Apps built for specific platforms</li>
<li>Advantages:
<ul><li>Can use the mobile device’s hardware capabilities (GPS, accelerometer, camera)</li><li>Apps can be run offline</li></ul></li>
</ul>
Recommendations<br />
<ul>
<li>Choose the option that fits the corporation’s requirements and infrastructure</li>
<li>The development process should be similar to that for other enterprise software</li>
<li>Follow software development models</li>
<li>Consult mobile-specific guidelines</li>
</ul>
Other Control Issues<br />

Platform Selection<br />
<ul>
<li>Corporations allow employees to use any smartphone platform</li>
<li>Difficult to manage and monitor devices</li>
<li>Recommendations:
<ul><li>Set policy for allowable platforms and hardware</li><li>Install mobile device management software on corporate devices</li></ul></li>
</ul>

Personal and Business Uses<br />
<ul>
<li>63% of employees use corporate devices for personal activities</li>
<li>Increases the risk of malware infection</li>
<li>Recommendations:
<ul><li>Enforce a stricter policy on personal use</li><li>Encourage employees to have separate devices</li></ul></li>
</ul>

Relevant Control Frameworks<br />
Compliance Framework - COSO<br />
<ul>
<li>Control Environment
<ul><li>Mobile devices form a critical part of the environment</li></ul></li>
<li>Risk Assessment
<ul><li>Management must assess and understand the risks that mobile devices bring</li></ul></li>
<li>Control Activities
<ul><li>Safeguard against the unique mobile device risks</li></ul></li>
<li>Information and Communication
<ul><li>Communicate usage and security policies</li></ul></li>
<li>Monitoring
<ul><li>Device usage should be monitored to ensure compliance</li></ul></li>
</ul>

Governance Framework<br />
<ul>
<li>Policy should cover:
<ul>
<li>What kind of mobile devices can be used (type and ownership)</li>
<li>Who can use the devices (employees, contractors, others)</li>
<li>What information can be stored (customer information, sensitive, internal, public)</li>
<li>What applications can be used and installed</li>
<li>What security protection is required (access control, encryption)</li>
<li>Where they can be used (workplace, home)</li>
<li>What networks they can be used with (internal, public, home)</li>
</ul></li>
</ul>

Other Frameworks<br />

Use of COBIT<br />
<ul>
<li>Ensure alignment with corporate strategy and objectives</li>
<li>Advantages:
<ul>
<li>Brings added value by supporting corporate processes</li>
<li>Deployed in a manner that addresses associated risks</li>
<li>Fits the corporate culture and technical architecture of the enterprise</li>
<li>Considers external factors</li>
<li>Supported by appropriate resources</li>
<li>Monitored from a corporate perspective</li>
</ul></li>
</ul>
Assurance Considerations<br />
<ul>
<li>Policy
<ul><li>Mobile security policy in place, including rules for appropriate physical and logical handling</li></ul></li>
<li>Antivirus Updates
<ul><li>Verify regular definition updates</li></ul></li>
<li>Encryption
<ul><li>Sensitive data are properly encrypted</li></ul></li>
<li>Secure Transmission
<ul><li>Connected to the enterprise through a secured connection</li></ul></li>
<li>Device Management
<ul><li>Asset management process in place for tracking</li></ul></li>
<li>Access Control
<ul><li>Data synchronization is not set to receive access to shared files or network drives</li></ul></li>
<li>Awareness Training
<ul><li>Awareness program that addresses the importance of securing devices physically and logically</li></ul></li>
<li>Risk
<ul><li>Organization has fully assessed the risks and properly mitigated them</li></ul></li>
</ul>

Conclusion<br />
<ul>
<li>Mobile devices are beneficial but also bring severe risks</li>
<li>Risk management is neither costly nor complex</li>
<li>Similar to the controls currently in place for other IT equipment</li>
<li>New mobile technologies can further enhance competitive advantage and productivity</li>
</ul>

Thank you!<br />
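The Assurance Considerations checklist above, together with the device recommendations from the Data Loss, Device Software Security and Platform Selection sections (passcode, auto-lock, encryption, timely patching, no jailbreaking or rooting, anti-virus definition updates, approved platforms, an asset register, no syncing with non-corporate computers), can be tested mechanically against a mobile device management (MDM) inventory export rather than by sampling devices by hand. The following Python is an added example written for this page, not code from the slide deck or from any MDM product; the inventory records, the field names and the policy thresholds are constructed for illustration and would be mapped to whatever the real MDM exports.

```python
from typing import Dict, List

# Policy thresholds: constructed values, not from the slide deck; a real policy sets its own.
POLICY = {
    "allowed_platforms": {"ios", "android", "blackberry"},
    "max_autolock_minutes": 5,          # auto-lock after a period of inactivity
    "max_patch_age_days": 30,           # patches applied on a timely basis
    "max_av_definition_age_days": 7,    # regular anti-virus definition updates
}

# Constructed MDM inventory export (field names assumed); no real devices are described.
INVENTORY = [
    {"device_id": "MD-001", "platform": "ios", "passcode_set": True, "passcode_policy_met": True,
     "autolock_minutes": 2, "encrypted": True, "os_patch_age_days": 10, "jailbroken": False,
     "av_definition_age_days": 1, "in_asset_register": True, "syncs_with_personal_pc": False},
    {"device_id": "MD-002", "platform": "android", "passcode_set": False, "passcode_policy_met": False,
     "autolock_minutes": 30, "encrypted": False, "os_patch_age_days": 120, "jailbroken": True,
     "av_definition_age_days": 45, "in_asset_register": True, "syncs_with_personal_pc": True},
    {"device_id": "MD-003", "platform": "webos", "passcode_set": True, "passcode_policy_met": False,
     "autolock_minutes": 5, "encrypted": True, "os_patch_age_days": 40, "jailbroken": False,
     "av_definition_age_days": 3, "in_asset_register": False, "syncs_with_personal_pc": False},
]


def evaluate_device(dev: dict, policy: dict) -> List[str]:
    """Return the control findings for one device; an empty list means compliant.
    Each check corresponds to one recommendation or assurance item on the slides."""
    findings: List[str] = []
    if dev["platform"] not in policy["allowed_platforms"]:
        findings.append("unapproved_platform")            # Platform Selection
    if not dev["passcode_set"]:
        findings.append("no_passcode")                    # Set passcode for all devices
    elif not dev["passcode_policy_met"]:
        findings.append("weak_passcode")                  # Avoid easily guessed passcodes
    if dev["autolock_minutes"] > policy["max_autolock_minutes"]:
        findings.append("autolock_too_long")              # Auto-lock after inactivity
    if not dev["encrypted"]:
        findings.append("storage_not_encrypted")          # Encryption
    if dev["os_patch_age_days"] > policy["max_patch_age_days"]:
        findings.append("patches_overdue")                # Firmware updates and patches
    if dev["jailbroken"]:
        findings.append("device_modified")                # No jailbreaking or rooting
    if dev["av_definition_age_days"] > policy["max_av_definition_age_days"]:
        findings.append("av_definitions_stale")           # Antivirus Updates
    if not dev["in_asset_register"]:
        findings.append("not_in_asset_register")          # Device Management
    if dev["syncs_with_personal_pc"]:
        findings.append("syncs_with_non_corporate_pc")    # Access Control / syncing restriction
    return findings


def audit_fleet(inventory: List[dict], policy: dict) -> Dict[str, List[str]]:
    """Evaluate every device in the export, keyed by device id."""
    return {dev["device_id"]: evaluate_device(dev, policy) for dev in inventory}


def summarize(report: Dict[str, List[str]]) -> dict:
    """Aggregate the per-device findings into the figures an auditor reports:
    fleet size, number of compliant devices and how often each control failed."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    compliant = sum(1 for findings in report.values() if not findings)
    return {"devices": len(report), "compliant": compliant, "finding_counts": counts}


if __name__ == "__main__":
    fleet_report = audit_fleet(INVENTORY, POLICY)
    for device_id, findings in fleet_report.items():
        print(device_id, "OK" if not findings else ", ".join(findings))
    print(summarize(fleet_report))
```

Run against a real export, the finding counts give the Monitoring component of COSO something concrete to report on, and a device that appears in the MDM export but not in the asset register is exactly the gap the Device Management assurance item is meant to catch.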