1. Going Mobile: Handling Devices in the Public Sector
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC
Adjunct Professor
2. • Presentation Overview
– Mobile Computing Overview
• Mobile Device Overview
• Security Guidance
• Bring Your Own Device (BYOD)
• Mobile Applications (Social Media, etc.)
– Case Studies
• Fairfax County Public School (FCPS)
8. • What is Mobile Computing?
– (Relatively) New Business Model
• Taking remote computing (laptops) to the next level
• Includes Smartphones & Tablets
• OEMs, Content & (Connectivity) Service Providers
– Causing the Blur of Business & Personal Use
• Personal content / access on business device
• Business content / access on personal device
• Personal use has driven business use
9. • Mobile Computing
– Pros
• Enhanced Productivity
• Enables Remote Work
• Potential Cost Savings
• Enhanced Worker / Customer Satisfaction
– Cons
• Security, Legal & Privacy Issues Abound
• Blurred Ownership for BYOD
• Immature Technology
• Lack of Strategy, Tactics & Policies
10. • Security Guidance
– To Go or Not To Go Mobile
• Go
– Customers Are Asking / Begging for It!
– Budget & Executive Support
• Do Not Go
– To Be Cool / Bleeding Edge
– Save Money
» Mobile technology is usually an enhancement/added functionality
– Without a Strategy, Tactics & Policies
11. • Data Breaches & Security Incidents
– Average Cost: $7.2 million
– http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
– Leading Cause: Negligence, 41%; Hacks, 31%
– http://www.networkworld.com/news/2011/030811-ponemon-data-breach.html
– Responsible Party: Vendors, 39%
– http://www.theiia.org/chapters/index.cfm/view.news_detail/cid/197/newsid/13809
– Increased Frequency: 2010-2011, 58%
– http://www.out-law.com/en/articles/2011/october/personal-data-breaches-on-the-increase-in-private-sector-reports-ico/
14. • Security Guidance
– Mobile Device Digital Forensics
• Policy
– City of Ontario, CA v. Quon
• Vendor / Counsel Due Diligence
– Physical Security
• Screen Filters
15. • Outdated Thinking: 75% of companies have not addressed smartphone security* (60% cite security as biggest mobility obstacle*)
• IT is Organizing: Ad hoc deployment giving way to centralized policies that include all endpoints (Server, PC, Laptop and Mobile)
• Mobile/wireless IT spending likely to exceed IT budget growth in many organizations: 12.5% avg. growth rate (Source: Gartner)
• Increasing Mobile Device Threats: Mobile virus variants have doubled every 6 months since 2004 (235 mobile virus variants in H1’06) (Source: Symantec Security Response)
• Enterprise Faith: 80% of companies are allowing corporate data on devices, yet continue to not secure the data*
• Fastest Growing Device Segment: Smartphone growth = 77%; Other mobiles = 27%; Mobiles outship PCs 5:1 in 2006 (Source: Canalys for H1’05 to H1’06, IDC & Gartner)
Source: Symantec
16. • BYOD
– Affects all with devices and access to your network
• Employees / Contractors / Vendors
– Strategy First, Policy Second, Technology Third
• Deployment
– Who can and who cannot use BYOD?
– Devices & applications supported?
– Data wipes?
– Replace procured devices (BlackBerries)?
– Reimbursements?
– Functionality?
• Acceptable Use
– Jailbreaking?
– Back-ups?
– Indemnity?
33. • Mobile Applications
– Strategy First, Technology Second
• Strategy
– Centralized / De-centralized Departmental Deployments
– End-User: Internal, External or Both
– Development: Internal, External or Both
– Mobile Device Platform(s)
– Administration & Management
• Technologies
– Social Media
– Custom Apps
– Commercial Off the Shelf (COTS) Apps
– Modified Apps
40. Seven Mobile App Development Tips
• Keep it simple — Don’t overdo it. The app should mean one thing when you publicize it. Multiple functions may require a separate app or system.
• Be open to ideas — Engage other departments in the design and functionality of the app.
• Know your audience — The Internet is accessed more frequently via mobile solutions by people below the poverty line (due to the low initial price point). You’re involving a new group and need to plan your outreach accordingly.
• Make it relevant — Know what functions and issues are of concern to the community and make your app more than just a problem reporting program.
• Location, location, location — If your app doesn’t have a spatial component to it and you don’t have an ability to extract GIS information from the app, you’re more than missing the boat — you don’t know where the water is.
• Data integration — Make sure the mobile app can feed into your existing work order or dispatch systems. You don’t want to waste staff time trying to bridge systems.
• Cross-platform support — Don’t leave two-thirds of your public unable to interact with their local government easily because you decide to only develop
Source: GovTech
41. • Mobile AppDev Vendor Due Diligence
– Certifications, Attestations & Best Practices
• SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
• ISO 27001 / 2
• ISO 27036
• ISO 9000
• Capability Maturity Model Integration, CMMI
• Building Security In Maturity Model, BSIMM
42. • Case Study: FCPS
– Background
– Drivers
– Technologies
– Limitations
– Risks
– Lessons Learned
– Next Steps
43. • Case Study: FCPS
– Background
» Push BYOD to 180k Students, 23k Staff
– Drivers
» Cost
– Technologies
» iOS, Android, BlackBerry Devices
» WiFi via WPA2-Enterprise
» XpressConnect WLAN
45. • Case Study: FCPS
– Lessons Learned
» (Assumed) Choose Your Battles
» (Assumed) Policy First
– Next Steps
» (Assumed) Malware Detection
» (Assumed) White Listing of Apps
46. • Presentation Takeaways
– Mobile is here to stay.
» With New Bells & Whistles (Big Data, etc.)
– Paradigm Shift Towards Empowerment
– Strategy & Due Diligence Are VERY Important
» Must Consider the Ecosystem
» Probably Not Cost Effective, Yet Productive