
Mobile Information Security



It's not our job to tell business not to use mobile devices, even personally-owned mobile devices. It's our job to enable business to use mobile devices securely for the benefit of the organization, customers, employees, and contractors.

In this presentation, given on April 30 at techpulse 2013, Evan Francen from FRSecure teaches how to secure mobile devices in today's business environments.


Mobile Information Security

  1. FRSECURE.COM
     Mobile Information Security
     Evan Francen CISSP, CISM
     FRSecure President & Co-founder
  2. What’s on the Menu?
     1. Who are these guys?
     2. Should you allow personal mobile devices?
     3. An example of why stealing is bad.
     4. John hacks a laptop…seriously…here…in real time.
     5. Encryption.
     6. A helpful security thought process.
  3. Who Are These Guys?
     • Plain-spoken experts.
     • Information security consulting is all we do.
     • Established in 2008 by people who have earned their stripes in the field.
     • Work with small to medium sized organizations in all industries everywhere.
     “We get paid to tell people the truth”
  4. Who Is This Guy?
     Evan Francen: CISSP, CISM
     • President & co-founder of FRSecure
     • Information security expert:
       • 20 years of experience
       • 700+ published articles
       • 150+ public & private organizations served
  5. Should Personal Mobile Devices Be Allowed?
     We think so…
     1. Cost efficiency
     2. Employee satisfaction
     3. Increased productivity
     4. It’s happening anyway
     But, there are risks you need to consider…
  6. Pop Quiz?
     Lost and/or stolen mobile devices such as phones, laptops, thumb drives and tablets accounted for how many sensitive records compromised in 2012* in the U.S.?
     *According to Privacy Rights Clearing House
  7. Answer
     2,614,908
     • Social Security Numbers
     • Intellectual Property
     • Access Codes
     • Medical Files
     • Protected Health Information
     • Employee Files
     • Credit Card Numbers
     • Bank Account Numbers
  8. Breach Example
     A laptop is stolen from an employee of Accretive Health (Fairview Health Services Collections Vendor).
     • The laptop was inside a locked car in a Minneapolis restaurant parking lot.
     • The laptop was NOT encrypted (and therefore not protected by Safe Harbor Rule).
     • The laptop contained 14,000 private records of Fairview patients.
       - Social Security Numbers
       - Diagnoses
       - Names, Addresses, DOB’s
  9. Breach Fallout
     1. Fairview sent a letter to the 14,000 patients telling them their information was stolen.
     2. Accretive was sued by the State of Minnesota, settled the case for $2.5 million and were “banned” for 6 years.
     3. Fairview CEO retires when company doesn’t renew his contract after the incident.
     4. Fairview was in the news for about a year for this and other negative incidents regarding the care of patient information.
     5. 14,000 people (that we know of) are victims.
  10. John Hacks a Laptop
      We Need a Volunteer
  11. Encryption
      • Effective and inexpensive.
      • Sustainable with solid policy backing.
      • Keys must be managed correctly.
      • More involved than downloading and enabling software.
  12. Encryption is Not an Easy Button
      There’s also….
      • Policy & Governance
      • Mobile Device Management
      • Training & Awareness
      • Alignment with the Big Picture
  13. Policy & Governance
      • Information Security Policy
      • Encryption Policy
      • Mobile Device Policy
      • Bring Your Own Device (“BYOD”) Policy
      • Standards, Guidelines & Procedures (exceptions)
  14. Mobile Device Management
      Numerous technological solutions on the market today to assist in enforcing what we say in policy.
      • If we can’t enforce what we stated in policy, how effective is our policy?
      • Regulators will require evidence of compliance with our policies.
      • People are people, sometimes we need to protect them from themselves.
  15. Training & Awareness
      It’s hard to over-invest in training & awareness.
      Do your people know what to do if:
      • They lose their mobile device
      • Their mobile device is stolen
      • If their mobile device is infected (or suspected to be infected)
      All of these things should feed into a process for incident response…
      How is your incident response?
  16. Consider a Business-like Approach to Security Decisions
      1. Find the starting point.
      2. Have a way to measure progress.
      3. Apply a risk-based thought process.
      4. Expect continuous evolution.
      5. Consider other business factors.
      6. Make informed, aligned decisions.
  17. Thank You!