Isaca tech session 19 feb 2013 securing mobile devices rev
Securing Mobile DevicesUsing COBIT® 5 for Information Security Dipresentasikan oleh: Sarwono Sutikno, Dr.Eng,CISA,CISSP,CISM email@example.com
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM• Dosen Sekolah Teknik Elektro dan Informatika ITB• Dosen Universitas Pertahanan RI m.k. Cyber Warfare Dynamics dan Cyber Security Policy and Strategy• ISACA Academy Advocate for ITB• (ISC)2 Information Security Leadership Award 2011 - Senior Information Security Professional• Sedang membuat kurikulum S2 Keamanan Informasi di ITB, akan mulai Agustus 2013• Cyber Security Center ITB - KOICA
Outline• Guiding Principles for Mobile Device Security• What Is a Mobile Device?• Mobile Device Impact on Business and Society• Threats, Vulnerabilities and Associated Risk• Security Governance• Security Management for Mobile Devices• Hardening Mobile Devices• Mobile Device Security Assurance
Guiding Principles for Mobile Device Security1. Know the business value and risk of mobile device use.2. Clearly state the business case for mobile device use.3. Establish systemic security for mobile devices.4. Establish security governance over mobile devices.5. Manage mobile device security using enablers.6. Place security technology in context.7. Know the assurance universe and objectives.8. Provide reasonable assurance over mobile device security.
What Is a Mobile Device? Mobile Device Use—Past, Present and Future• Mobility and Flexibility• Patterns of Work• Organizational Perimeter• Other Impacts
Security Governance• The Business Case• Standardized Enterprise Solutions – Hardware (front and back end) – OS – Applications – Data and information – User administration – Systems management (direct and remote)• BYOD• Combined Scenario• Private Use of Mobile Devices• Defining the Business Case
Security Management for Mobile Devices• Mobile Device Categories and Classification• Existing Security Controls• Principles, Policies and Frameworks• Processes• Organizational Structures• Culture, Ethics and Behavior• Information• Services, Infrastructure and Applications• People, Skills and Competencies
Key Operating Procedures• Auditing mobile devices—Procedure to facilitate audit of mobile devices, alignedwith internal/external audit programs• Change management—Procedure describing how general change management (which is usually standardized) should be applied to mobile devices• Patch management—Procedure describing how patches for mobile devices are identified, acquired, tested, deployed• Malware protection—Procedure describing various technical steps and measures for protecting mobile devices against malware• Encryption, VPN, encapsulation—Procedure describing encryption for data at rest and data in flow, VPN tunnels and data encapsulation• Damage, loss, theft—Procedure describing user and organization steps in the event of device loss, damage or theft
Information• Step 1: Categorize information. Identify information unique to the device as opposed to replicated information.• Step 2: Identify what is done with the information— storage, processing, creation, sharing.• Step 3: Determine information and transaction sensitivity.• Step 4: Analyze the protection provided by preapplied controls.• Step 5: Determine requirements for additional controls.• Step 6: Develop and implement an action plan for additional controls.
Protecting Personal Information• Remove/prohibit—This is available only in a centralized management scenario with mobile devices provided by the organization.• Segregate—Take technical steps to separate personal information on the device.• Anonymize—Separate the personal identity of the user from the technical identity of the mobile device.• Permit—Obtain end-user permission to store, process and use personal information.
Hardening Mobile Devices• Device and SIM card (if applicable)• Permanent internal storage• Removable or external storage• Connectivity (all channels)• Remote functionality (lockdown, GPS, etc.)
Mobile Device Security Assurance• Auditing and Reviewing Mobile Devices• Investigation and Forensics for Mobile Devices
Investigative Requirements• Develop the proper capabilities to perform forensic and investigative analysis• Forensic and investigative policies and procedures should be established• Identify the multidisciplinary team that will likely be involved