Isaca tech session 19 feb 2013 securing mobile devices rev


Discussion about ISACA's research publication "Securing Mobile Devices Using COBIT 5 for Security"

  1. Securing Mobile Devices Using COBIT® 5 for Information Security
     Presented by: Sarwono Sutikno, Dr.Eng, CISA, CISSP, CISM
  2. Sarwono Sutikno, Dr.Eng., CISA, CISSP, CISM
     • Lecturer, School of Electrical Engineering and Informatics (Sekolah Teknik Elektro dan Informatika), ITB
     • Lecturer at the Indonesian Defense University (Universitas Pertahanan RI) for the courses Cyber Warfare Dynamics and Cyber Security Policy and Strategy
     • ISACA Academy Advocate for ITB
     • (ISC)2 Information Security Leadership Award 2011 - Senior Information Security Professional
     • Currently developing the master's (S2) curriculum in Information Security at ITB, starting August 2013
     • Cyber Security Center ITB - KOICA
  3. Outline
     • Guiding Principles for Mobile Device Security
     • What Is a Mobile Device?
     • Mobile Device Impact on Business and Society
     • Threats, Vulnerabilities and Associated Risk
     • Security Governance
     • Security Management for Mobile Devices
     • Hardening Mobile Devices
     • Mobile Device Security Assurance
  4. Guiding Principles for Mobile Device Security
     1. Know the business value and risk of mobile device use.
     2. Clearly state the business case for mobile device use.
     3. Establish systemic security for mobile devices.
     4. Establish security governance over mobile devices.
     5. Manage mobile device security using enablers.
     6. Place security technology in context.
     7. Know the assurance universe and objectives.
     8. Provide reasonable assurance over mobile device security.
  5. What Is a Mobile Device?
     Mobile Device Use—Past, Present and Future
     • Mobility and Flexibility
     • Patterns of Work
     • Organizational Perimeter
     • Other Impacts
  6. Mobile Device Impact on Business and Society
  7. Threats, Vulnerabilities and Associated Risk
     • Physical Risk
     • Organizational Risk
     • Technical Risk
  8. Security Governance
     • The Business Case
     • Standardized Enterprise Solutions
       – Hardware (front and back end)
       – OS
       – Applications
       – Data and information
       – User administration
       – Systems management (direct and remote)
     • BYOD
     • Combined Scenario
     • Private Use of Mobile Devices
     • Defining the Business Case
  9. Standardized Enterprise Solution
  10. BYOD
  11. Combined Solution
  12. Security Management for Mobile Devices
     • Mobile Device Categories and Classification
     • Existing Security Controls
     • Principles, Policies and Frameworks
     • Processes
     • Organizational Structures
     • Culture, Ethics and Behavior
     • Information
     • Services, Infrastructure and Applications
     • People, Skills and Competencies
  13. COBIT Enterprise Enabler
  14. Key Operating Procedures
     • Auditing mobile devices—Procedure to facilitate audit of mobile devices, aligned with internal/external audit programs
     • Change management—Procedure describing how general change management (which is usually standardized) should be applied to mobile devices
     • Patch management—Procedure describing how patches for mobile devices are identified, acquired, tested and deployed
     • Malware protection—Procedure describing the various technical steps and measures for protecting mobile devices against malware
     • Encryption, VPN, encapsulation—Procedure describing encryption for data at rest and data in flow, VPN tunnels and data encapsulation
     • Damage, loss, theft—Procedure describing user and organization steps in the event of device loss, damage or theft
  15. Security Management Process
  16. Security Monitoring Process
  17. Organizational Structure
  18. Culture, Ethics and Behavior
  19. Information
     • Step 1: Categorize information. Identify information unique to the device as opposed to replicated information.
     • Step 2: Identify what is done with the information—storage, processing, creation, sharing.
     • Step 3: Determine information and transaction sensitivity.
     • Step 4: Analyze the protection provided by pre-applied controls.
     • Step 5: Determine requirements for additional controls.
     • Step 6: Develop and implement an action plan for additional controls.
  20. Protecting Personal Information
     • Remove/prohibit—This is available only in a centralized management scenario with mobile devices provided by the organization.
     • Segregate—Take technical steps to separate personal information on the device.
     • Anonymize—Separate the personal identity of the user from the technical identity of the mobile device.
     • Permit—Obtain end-user permission to store, process and use personal information.
  21. Skill Set
  22. Hardening Mobile Devices
     • Device and SIM card (if applicable)
     • Permanent internal storage
     • Removable or external storage
     • Connectivity (all channels)
     • Remote functionality (lockdown, GPS, etc.)
  23. Mobile Device Security Assurance
     • Auditing and Reviewing Mobile Devices
     • Investigation and Forensics for Mobile Devices
  24. Investigative Requirements
     • Develop the proper capabilities to perform forensic and investigative analysis
     • Establish forensic and investigative policies and procedures
     • Identify the multidisciplinary team that will likely be involved
  25. Discussion