Control Issues and Mobile Devices

Description of major risks and control issues surrounding mobile devices: data losses, device security, application development, relevant control frameworks and auditing considerations

Control Issues and Mobile Devices Presentation Transcript

  • Control Issues and Mobile Devices
    ACC626 Term Paper SlideCast
    Prepared for: Professor Malik Datardina
    Sunny Cheung
    Due Date: June 30, 2011
  • Introduction
    • At the end of 2010, there were 5.3 billion mobile subscriptions in the world, covering 77% of the world population
    • A survey showed that organizations are reliant on mobile devices and that all corporations use them for work on a daily basis
  • Definition of Mobile Devices
    • Personal Digital Assistants (PDAs), e.g. Palm
    • Tablet devices, e.g. iPad, PlayBook (Tablet PCs are excluded)
    • Cellular phones: smartphones and feature phones
  • Benefits for Enterprises
    • Increased workforce productivity
    • Improved customer service
    • Response to customer problems or questions at any time
    • Improved turnaround times for problem resolution
    • Increased business process efficiency
    • Employee security and safety
    • Employee retention
  • Why should C-Suite Executives and Accountants care?
    • Mobile device risks can cause severe financial and reputational damage
    • Mobile devices form a significant part of the client’s IT environment and must be covered by the internal control review
    • Mobile device security affects compliance with regulations such as SOX, California SB 1386, and Gramm-Leach-Bliley
  • Risks and Control Issues to be Discussed:
    • Topic 1: Data Loss Risk
    • Topic 2: Device Software Security Risk
    • Topic 3: Application Development Controls
    • Topic 4: Other Control Issues
    • Topic 5: Relevant Control Frameworks
  • Data Loss Risk
  • Implication of Data Loss
    • Exposure of confidential and proprietary data
    • Financial, operational, and reputational damages
    • Potential liability and litigation from customers and regulators
  • Sources of Data Loss
  • Physical Safeguard
    • Mobile devices are easily misplaced or susceptible to theft; this is the biggest source of data loss
    • 1 in 20 corporate devices is lost
    • Financial consequences and loss of productivity
    Recommendations
    • Use location-based technology to track devices
    • Install anti-theft software on phones
    • Develop clear procedures to be taken when a device is lost or stolen
  • Interception of Wirelessly Transmitted Data
    • Transmission through 3G, EDGE, GPRS, Wi-Fi, and Bluetooth is all wireless
    • It can be intercepted if not protected or encrypted
    • Calls through the carrier or VoIP can be eavesdropped on
    Recommendations
    • Only use password-protected Wi-Fi networks
    • Use SSL, VPN, or IPsec for transmission of sensitive information
    • Use Citrix Receiver or VMware View to connect to the corporate network
    • Make sensitive phone calls through a landline
  • Unauthorized Access to Devices and Data Flow
    • Unauthorized access is possible if devices do not have strong authentication requirements
    • Employees connect and sync devices with non-corporate computers
    Recommendations
    • Set a passcode on all devices
    • Avoid easily guessed passcodes
    • Auto-lock after a period of inactivity
    • Restrict device connection and syncing with non-corporate computers
  • Corporate-wide Policy Recommendations
    • Encrypt all data using strong encryption (e.g. AES-256)
    • Frequent data backup
    • Cloud backup
    • Educate employees about the implications of data loss and about safeguard methods
  • Device Software Security Risk
  • Sources of Mobile Malware
    • Downloading infected applications
    • Malware posing as updates
    • Infected memory cards
    • Malware-based attacks on devices
  • Implication of Mobile Malware
    • Spread of malicious code among corporate servers and systems
    • Theft of classified information
    • Propagation of other Trojans or viruses
    • Machine malfunctions
    Recommendations
    • Install mobile anti-virus and security software
    • Use mobile anti-spam filters
    • Update device firmware and apply patches on a timely basis
    • Restrict employees from downloading and installing applications
    • Devices should not be modified (i.e. jailbroken or rooted)
  • Application Development Controls
  • Corporate Mobile Applications
    • Allow new ways to work or interact with customers
    • 39% of organizations already have custom apps, with a further 30% planning to deploy them within 2 years
    • Two deployment options: web-based applications and native applications
  • Web-Based Applications
    • Accessed through the device’s web browser
    • Advantages:
    • Usable on multiple platforms
    • No new programming language (HTML/JavaScript)
    • A variant of the desktop version, created by adding a mobile interface
  • Native Applications
    • Apps built for specific platforms
    • Advantages:
    • Can use the mobile device’s hardware capabilities (GPS, accelerometer, camera)
    • Apps can run offline
    Recommendations
    • Choose the option that fits the corporation’s requirements and infrastructure
    • The development process should be similar to that of other enterprise software
    • Follow software development models
    • Consult mobile-specific guidelines
  • Other Control Issues
  • Platform Selection
    • Corporations allow employees to use any smartphone platform
    • This makes devices difficult to manage and monitor
    • Recommendations:
    • Set a policy for allowable platforms and hardware
    • Install mobile device management software on corporate devices
  • Personal and Business Uses
    • 63% of employees use corporate devices for personal activities
    • This increases the risk of malware infection
    • Recommendations:
    • Enforce a stricter policy on personal use
    • Encourage employees to have separate devices
  • Relevant Control Frameworks
  • Compliance Framework - COSO
    • Control Environment: mobile devices form a critical part of the environment
    • Risk Assessment: management must assess and understand the risks that mobile devices bring
    • Control Activities: safeguard against the unique mobile device risks
    • Information and Communication: communicate usage and security policies
    • Monitoring: device usage should be monitored to ensure compliance
  • Governance Framework
    • Policy should cover:
    • What kind of mobile devices can be used (type and ownership)
    • Who can use the devices (employees, contractors, others)
    • What information can be stored (customer information, sensitive, internal, public)
    • What applications can be used and installed
    • What security protection is required (access control, encryption)
    • Where they can be used (workplace, home)
    • What networks they can be used with (internal, public, home)
  • Use of COBIT
    • Ensures alignment with corporate strategy and objectives
    • Advantages:
    • Brings added value by supporting corporate processes
    • Deployed in a manner that addresses the associated risks
    • Fits the corporate culture and technical architecture of the enterprise
    • Considers external factors
    • Supported by appropriate resources
    • Monitored from a corporate perspective
  • Other Frameworks
  • Assurance Considerations
    • Policy: a mobile security policy is in place, including rules for appropriate physical and logical handling
    • Antivirus Updates: verify that definitions are updated regularly
    • Encryption: sensitive data are properly encrypted
    • Secure Transmission: devices connect to the enterprise through a secured connection
    • Device Management: an asset management process is in place for tracking devices
  • Assurance Considerations
    • Access Control: data synchronization is not set up to receive access to shared files or network drives
    • Awareness Training: an awareness program addresses the importance of securing devices physically and logically
    • Risk: the organization has fully assessed the risks and properly mitigated them
  • Conclusion
    • Mobile devices are beneficial but also bring severe risks
    • Risk management is neither costly nor complex
    • It is similar to the controls currently in place for other IT equipment
    • New mobile technologies can further enhance competitive advantage and productivity
  • Thank you!
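The device-level recommendations and the assurance considerations above are a checklist an auditor applies to each device. The following is an added example, not part of the slide deck, that turns that checklist into a compliance audit over a device inventory: passcode required and not easily guessed, auto-lock within a limit, storage encryption, no jailbreaking or rooting, OS at or above a patch baseline, anti-malware definitions recently updated, an approved platform list, no syncing with non-corporate computers, and a lost/stolen procedure. The record fields, the thresholds and the sample inventory are constructed for the example; a real run would read them from a mobile device management export.

```python
"""Mobile device compliance audit (added example, not from the slide deck).

The Device fields, Policy thresholds and SAMPLE_DEVICES are constructed for
illustration; in practice they would come from an MDM inventory export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                        # constructed value, e.g. "ios" or "android"
    os_version: Version
    passcode_required: bool
    simple_passcode_allowed: bool        # True means codes such as 1234 are not blocked
    auto_lock_seconds: int               # 0 means the device never auto-locks
    storage_encrypted: bool
    jailbroken: bool                     # jailbroken (iOS) or rooted (Android)
    definitions_updated: Optional[date]  # last anti-malware definition update
    syncs_with_personal_pc: bool
    status: str = "active"               # "active" or "lost"


@dataclass
class Policy:
    approved_platforms: Set[str]
    min_os_version: Dict[str, Version]   # patch baseline per approved platform
    max_auto_lock_seconds: int = 300
    max_definition_age: timedelta = timedelta(days=7)


def fmt_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def audit_device(dev: Device, policy: Policy, as_of: date) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if dev.status == "lost":
        # The lost/stolen procedure: lock and wipe remotely, revoke the device's access.
        findings.append("device reported lost: run lost/stolen procedure (remote lock, wipe, revoke access)")
    if dev.platform not in policy.approved_platforms:
        findings.append(f"platform '{dev.platform}' is not on the approved list")
    elif dev.os_version < policy.min_os_version[dev.platform]:
        findings.append(
            f"OS {fmt_version(dev.os_version)} is below the patch baseline "
            f"{fmt_version(policy.min_os_version[dev.platform])}"
        )
    if not dev.passcode_required:
        findings.append("no passcode required")
    elif dev.simple_passcode_allowed:
        findings.append("easily guessed passcodes are not blocked")
    if dev.auto_lock_seconds == 0 or dev.auto_lock_seconds > policy.max_auto_lock_seconds:
        findings.append(f"auto-lock is disabled or exceeds {policy.max_auto_lock_seconds}s")
    if not dev.storage_encrypted:
        findings.append("device storage is not encrypted")
    if dev.jailbroken:
        findings.append("device is jailbroken/rooted")
    if dev.definitions_updated is None or as_of - dev.definitions_updated > policy.max_definition_age:
        findings.append("anti-malware definitions are missing or out of date")
    if dev.syncs_with_personal_pc:
        findings.append("device syncs with a non-corporate computer")
    return findings


def audit_inventory(devices: List[Device], policy: Policy, as_of: date) -> Dict[str, List[str]]:
    return {d.device_id: audit_device(d, policy, as_of) for d in devices}


def noncompliant_ids(report: Dict[str, List[str]]) -> List[str]:
    return sorted(dev_id for dev_id, findings in report.items() if findings)


# Constructed sample policy and inventory; the reference date is the deck's due date.
AS_OF = date(2011, 6, 30)
POLICY = Policy(
    approved_platforms={"ios", "android", "blackberry"},
    min_os_version={"ios": (4, 3), "android": (2, 3), "blackberry": (6, 0)},
)
SAMPLE_DEVICES = [
    Device("ios-001", "a.lee", "ios", (4, 3, 3), True, False, 120, True, False,
           AS_OF - timedelta(days=2), False),
    Device("and-002", "b.khan", "android", (2, 2), True, True, 0, False, True,
           AS_OF - timedelta(days=30), True),
    Device("sym-003", "c.diaz", "symbian", (9, 4), True, False, 300, True, False,
           AS_OF - timedelta(days=1), False, status="lost"),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_DEVICES, POLICY, AS_OF).items():
        print(dev_id, "COMPLIANT" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Each finding maps back to one of the deck's assurance items, so the report can be filed directly against the audit checklist; the "lost" status is handled first because the lost/stolen procedure takes priority over configuration findings on a device that is no longer in the owner's hands.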