9/11/2014 
1 
BYOD Guide for Auditors
TeamMate 2014 User Conference
Palm Springs, CA
Jim Kaplan CIA CFE
• Founder: AuditNet®
• IIA Bradford Cadmus Award Recipient
• Local Government Auditors Lifetime Achievement Award
• Chief Audit Executive
• Internet for Auditors Pioneer
• Author: The Auditor's Guide to Internet Resources
• editor@auditnet.org
Objectives
• Define BYOD and MDM
• Identify Risks and Internal Audit Considerations
• Identify Controls
• Provide a Framework for Mobile Device Auditing
• Resources

Mobile Devices and BYOD
• Many organizations have now opted to allow employees to procure their own devices, which will ultimately connect to enterprise data and resources.
• What does your organization allow?
BYOD comes in different shades
• BYOD or bring your own device: employees are allowed to use their privately owned hardware and software. The employer's IT applications and company data are made available on the end user's platform.
• CYOD or choose your own device: the employer still provides the hardware, and the employee can choose, e.g., the model.
• SYOD or smuggle your own device: people use a second device (tablet or smartphone) for company purposes alongside the one provided by the employer.

BYOD Terminology
• BYOD: bring your own device (or bring your own disaster)
• BYOT: bring your own technology (or now tablet)
• BYOP: bring your own phone
• BYOPC: bring your own PC
• CYOD: choose your own device
• SYOD: smuggle your own device
• MDM: mobile device management, a range of products and services that enables organizations to deploy and support corporate applications on mobile devices, such as smartphones and tablets, possibly for personal use, enforcing policies and maintaining the desired level of IT control across multiple platforms
• MDS: mobile device security
• Endpoint Security
BYOD Where Do We Start

BYOD Mobile Device Picture
• A Cisco study says that in 2014 the average number of connected devices per knowledge worker will reach 3.3 devices, up from 2.8 in 2012
• Gartner predicts that by 2017, half of employers will require employees to supply their own device for work purposes
• By a show of hands, how many of you have at least 1 mobile device?
BYOD Statistics
• 67% of people use personal devices at work, regardless of the office's official BYOD policy (Source: Microsoft via CBS News)
• 42% of companies surveyed already use BYO (Source: Moka5 Survey, July 2013)
• 46% of end users surveyed said network performance negatively affects mobile devices the most (Source: Cisco)
• 77% of employees haven't received any education about the risks related to BYOD (Source: 2013 Data Protection Trends Research, conducted by Ponemon Institute via AllThingsD)
• 78% of employees believe that having a single mobile device helps balance employees' work and personal lives (Source: Samsung)
• 62% of companies surveyed plan to support BYOD by the year's end (Source: TechRepublic via ZDNet)
• Only 11% of end users access business applications from the corporate office 100% of the time (Source: Cisco)
• 24% of consumers surveyed currently use a smartphone or tablet as their primary, work-related computing device (Source: Samsung)
• 95% of surveyed organizations were permitting employees to use their own devices in some form in the workplace. According to the same study, each connected worker will have as many as three devices connected to employer networks by 2014.

Setting the Stage
• Gartner Group predicted Bring Your Own Device (BYOD) would be a top technology trend for 2013, with mobile devices surpassing PCs as the most common web access tool, and it appears they were right.
Mobile Device Facts
• Consumer-focused technology is not a fad; the benefits outweigh the costs
• Researchers estimate 159.9 million smartphone users in the US by the end of 2014
• Gartner: worldwide sales of tablets to end users reached 195.4 million units in 2013
• Gartner says mobile app stores will see annual downloads reach 102 billion in 2013

BYOD Could Spell Trouble:
• More than half the organizations responding to the ITIC survey (March 2014) said they have no response ready for a hack into data on notebooks, tablets and smartphones their staff is using as "bring your own devices".
http://www.cutimes.com/2014/03/10/byod-could-spell-trouble-survey
Why is this important?
• Growth of mobile device use means increased risks for organizations
• Increased risks for organizations means audit must address them
• Audit needs to add BYOD to the audit plan to address policy, controls and risks.

AuditNet® 2014 BYOD Survey
• In April 2014 AuditNet® launched a Survey of Bring Your Own Device (BYOD) Control, Risk and Audit
• Responses from 339 auditors from eight different organization sectors
• Organizations ranging in size from less than 100 to over 10,000, with the median being 1,000-5,000
• Staff size from 1 to over 50, with the median being 11-25
• More than 70% reported that their companies/organizations permitted the use of mobile devices.
Survey Key Findings
• Close to 3/4 of those who responded indicated that their employer allowed employees to bring their own devices to work.
• The primary BYOD service allowed by companies and organizations, as reported by survey respondents, was e-mail, followed by application access via a Virtual Private Network (VPN). Almost half the organizations allowed access to social media.
• Close to 80% said that their employer provides company-owned mobile devices to employees, while more than half said that they did not have a policy for mobile devices (commonly referred to as "bring your own device" or BYOD).
• More than half of those who said their employer had a policy indicated that it was not well communicated to staff.
• Almost two thirds of those who said their employer had a policy felt that it was not thorough or lacked the basic best-practice elements.
• Slightly more than half required employees to sign a written agreement that outlines employer and employee rights and obligations with respect to the devices and a code of conduct.
• The greatest concern expressed by the auditors was confidentiality of information, followed by data breach or misuse.
• More than 80% of the auditors indicated that:
  – a risk evaluation covering mobile devices has not been performed
  – a training or awareness program covering BYOD risks or controls has been conducted
  – they have not audited this area
  – they have not included this area in their current or future audit plans

Survey Conclusion
• BYOD and MDM have not been a high priority for IA
• Risk tolerance is high and perceived threat is low
• Pace of BYOD adoption has clearly outpaced senior management and BOD vision
• IA should evaluate controls, educate on risks, and plan audits for this area
BYOD Risks - SPI
• Security – Privacy – Incident Response
• Malware infection, which may result in leakage, corruption, or unavailability of data
• Leakage or compromise of sensitive data due to lost or improperly secured devices
• Negative publicity, loss of reputation, noncompliance with statutes or industry requirements, fines, and lawsuits
• Access controls and control over device security
• Ability to eliminate sensitive data upon termination or loss of the device
• Management issues related to supporting many different types of devices and applications
• Ensuring that employee-owned devices are properly backed up.

Security Concerns
• Lack of Physical Security Controls
• Use of Untrusted Mobile Devices
• Use of Untrusted Networks
• Use of Apps Created by Unknown Parties
• Interaction with Other Systems
• Use of Untrusted Content
• Use of Location Services
Risks Associated with Mobile Devices
NIST characteristics and the illustrative risks they carry (characteristic: risk)
• Small form factor: loss or theft of data
• Wireless network interface for Internet access: exposure to untrusted and unsecured networks
• Local built-in (non-removable) data storage: loss or theft of data
• Operating system that is not a full-fledged desktop/laptop operating system: reduced technical controls
• Apps available through multiple methods: exposure to untrusted and malicious apps
• Built-in features for synchronizing local data: interactions with other untrusted and unsecured systems

Policy
1. Voluntary or Mandatory
2. Scope
3. Device support
4. Security
5. Consent
Must be monitored and enforced
BYOD policy should at a minimum:
• Clearly articulate the company's rights with respect to monitoring and accessing all the data stored on employees' mobile devices
• Address an employee's obligations regarding device security, password requirements, and procedures for lost or stolen devices.
• Include specific language about approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings.
• Develop reasonable restrictions
• Advise users that they may be required to disclose passwords to websites and applications.
• Restrict the use of company data to legitimate company purposes.

BYOD Controls
• Protection of sensitive data and intellectual property
• Protection of networks to which BYOD devices connect
• Responsibility and accountability for the device and the information contained on it
• Removal of the organization's data from employee-owned devices upon termination of employment or loss of the device
• Malware protection
BYOD Audit Issues
• Risk Assessment
• Policies
• Legal Issues
• Technical and User Support
• Governance
• Training
• Device Security
• Connectivity Security
• Device Management
Source: AzzurriCommunications.com
Audit's Role in BYOD
• Assessing the organization's BYOD risks
• Evaluate MDM and other policy solutions and determine their adequacy to protect the organization's proprietary and sensitive information.
• Ensure that the organization's BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.

BYOD Threats – IA Focus
Threats
1. Increased risk of information loss: a security incident is easier with a smart device because of the theft or loss of that device.
2. Monitoring: an ever-increasing range of malware and espionage software is being created for mobile devices.
3. Awareness and communication: it is increasingly important to educate staff and other users about poor security practices.
4. Treatment of devices as any other end-point: routes into the corporate network are created by mobile device architecture, which could result in the leakage of highly sensitive information.

Internal Audit Focus
1. Review anti-malware and firewall policy
2. Review operating system/application update policies
3. Ensure that the contents of the device are encrypted and secured.
4. Ensure that the Bluetooth feature is in non-discoverable mode, or disabled altogether if it is not needed in the organization
5. Verify awareness of protection against unauthorized observation of sensitive information in public places
Sample Audit Objectives
• Provide management with an assessment of BYOD policies and procedures and their operating effectiveness
• Identify internal control and regulatory deficiencies that could affect the organization
• Identify information security control concerns that could affect the reliability, accuracy and security of the enterprise data due to weaknesses in mobile computing controls

AuditNet® BYOD Resources and Tools
• Mobile Device Checklist
  www.sans.org/score/checklists/mobile-device-checklist.xls
• Security Guidance for Critical Areas of Mobile Computing
  https://downloads.cloudsecurityalliance.org/.../Mobile_Guidance_v1.pdf
• Guidelines for Managing the Security of Mobile Devices in the Enterprise
  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
AuditNet® Templates
• Bring Your Own Device (BYOD) Audit, July 2014
• Bring Your Own Device (BYOD) Assurance Audit Program, July 2014
• BYOD (Bring Your Own Device) Maturity Assessment (June 2014)
• Security of Mobile Devices
• BYOD (Bring Your Own Device) Security Audit Program (Source: FastITTools)

Contact Information
Jim Kaplan CIA, CFE jkaplan@auditnet.org
http://www.auditnet.org
BYOD Questions

IPTV Subscription UK: Your Guide to Choosing the Best ServiceIPTV Subscription UK: Your Guide to Choosing the Best Service
IPTV Subscription UK: Your Guide to Choosing the Best Service
 
HR and Employment law update: May 2024.
HR and Employment law update:  May 2024.HR and Employment law update:  May 2024.
HR and Employment law update: May 2024.
 

Bring Your Own Device 2014 TeamMate User Conference Palm Desert California

4. BYOD Where Do We Start

BYOD Mobile Device Picture
• A Cisco study says that in 2014 the average number of connected devices per knowledge worker will reach 3.3, up from 2.8 in 2012
• Gartner predicts that by 2017 half of employers will require employees to supply their own device for work purposes
• By a show of hands, how many of you have at least 1 mobile device?

5. BYOD Statistics
• 67% of people use personal devices at work, regardless of the office's official BYOD policy (Source: Microsoft via CBS News)
• 42% of companies surveyed already use BYO (Source: Moka5 Survey, July 2013)
• 46% of end users surveyed said network performance negatively affects mobile devices the most (Source: Cisco)
• 77% of employees haven't received any education about the risks related to BYOD (Source: 2013 Data Protection Trends Research, conducted by Ponemon Institute via AllThingsD)
• 78% of employees believe that having a single mobile device helps balance employees' work and personal lives (Source: Samsung)
• 62% of companies surveyed plan to support BYOD by the year's end (Source: TechRepublic via ZDNet)
• Only 11% of end users access business applications from the corporate office 100% of the time (Source: Cisco)
• 24% of consumers surveyed currently use a smartphone or tablet as their primary, work-related computing device (Source: Samsung)
• 95% of surveyed organizations were permitting employees to use their own devices in some form in the workplace. According to the same study, each connected worker will have as many as three devices connected to employer networks by 2014.

Setting the Stage
• Gartner Group predicted Bring Your Own Device (BYOD) would be a top technology trend for 2013, with mobile devices surpassing PCs as the most common web access tool, and it appears they were right.

6. Mobile Device Facts
• Consumer-focused technology is not a fad; the benefits outweigh the costs
• Researchers estimate 159.9 million smartphone users in the US by the end of 2014
• Gartner: worldwide sales of tablets to end users reached 195.4 million units in 2013
• Gartner says mobile app stores will see annual downloads reach 102 billion in 2013

BYOD Could Spell Trouble:
• More than half the organizations responding to the ITIC survey (March 2014) said they have no response ready for a hack into data on notebooks, tablets and smartphones their staff is using as "bring your own devices". http://www.cutimes.com/2014/03/10/byod-could-spell-trouble-survey

7. Why is this important?
• Growth of mobile device use means increased risks for organizations
• Increased risks for organizations mean audit must address them
• Audit needs to add BYOD to the audit plan to address policy, controls and risks.

AuditNet® 2014 BYOD Survey
• In April 2014 AuditNet® launched a Survey of Bring Your Own Device (BYOD) Control, Risk and Audit
• Responses from 339 auditors from eight different organization sectors
• Organizations ranging from less than 100 to over 10,000, with the median being 1,000-5,000
• Staff size from 1 to over 50, with the median being 11-25
• More than 70% reported that their companies/organizations permitted the use of mobile devices.

8. Survey Key Findings
• Close to 3/4 of those who responded indicated that their employer allowed employees to bring their own devices to work.
• The primary BYOD service allowed by companies and organizations, as reported by survey respondents, was e-mail, followed by application access via a Virtual Private Network (VPN). Almost half the organizations allowed access to social media.
• Close to 80% said that their employer provides company-owned mobile devices to employees, while more than half said that they did not have a policy for mobile devices (commonly referred to as "bring your own device" or BYOD).
• More than half of those who said their employer had a policy indicated that it was not well communicated to staff.
• Almost two thirds of those who said their employer had a policy felt that it was not thorough or lacked the basic best-practice elements.
• Slightly more than half required employees to sign a written agreement that outlines employer and employee rights and obligations with respect to the devices and a code of conduct.
• The greatest concern expressed by the auditors was confidentiality of information, followed by data breach or misuse.
• More than 80% of the auditors indicated that:
  - a risk evaluation covering mobile devices has not been performed
  - a training or awareness program covering BYOD risks or control has been conducted
  - they have not audited this area
  - they have not included this area in their current or future audit plans

Survey Conclusion
• BYOD and MDM have not been a high priority for IA
• Risk tolerance is high and perceived threat is low
• Pace of BYOD adoption has clearly outpaced senior management and BOD vision
• IA should evaluate controls, educate on risks, and plan audits for this area

9. BYOD Risks - SPI
Security – Privacy – Incident Response
• Malware infection, which may result in leakage, corruption, or unavailability of data
• Leakage or compromise of sensitive data due to lost or improperly secured devices
• Negative publicity, loss of reputation, noncompliance with statutes or industry requirements, fines, and lawsuits
• Access controls and control over device security
• Ability to eliminate sensitive data upon termination or loss of the device
• Management issues related to supporting many different types of devices and applications
• Ensuring that employee-owned devices are properly backed up

Security Concerns
• Lack of Physical Security Controls
• Use of Untrusted Mobile Devices
• Use of Untrusted Networks
• Use of Apps Created by Unknown Parties
• Interaction with Other Systems
• Use of Untrusted Content
• Use of Location Services

10. Risks Associated with Mobile Devices (NIST)
Characteristic: Illustrative risk
• Small form factor: loss or theft of data
• Wireless network interface for Internet access: exposure to untrusted and unsecured networks
• Local built-in (non-removable) data storage: loss or theft of data
• Operating system that is not a full-fledged desktop/laptop operating system: reduced technical controls
• Apps available through multiple methods: exposure to untrusted and malicious apps
• Built-in features for synchronizing local data: interactions with other untrusted and unsecured systems

Policy
1. Voluntary or Mandatory
2. Scope
3. Device support
4. Security
5. Consent
Must be monitored and enforced

11. BYOD policy should at a minimum:
• Clearly articulate the company's rights with respect to monitoring and accessing all the data stored on employees' mobile devices
• Address an employee's obligations regarding device security, password requirements, and procedures for lost or stolen devices
• Include specific language about approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings.
• Develop reasonable restrictions
• Advise users that they may be required to disclose passwords to websites and applications
• Restrict the use of company data to legitimate company purposes

BYOD Controls
• Protection of sensitive data and intellectual property
• Protection of networks to which BYOD devices connect
• Responsibility and accountability for the device and the information contained on it
• Removal of the organization's data from employee-owned devices upon termination of employment or loss of the device
• Malware protection

12. BYOD Audit Issues
• Risk Assessment
• Policies
• Legal Issues
• Technical and User Support
• Governance
• Training
• Device Security
• Connectivity Security
• Device Management
Source: AzzurriCommunications.com

13. Audit's Role in BYOD
• Assess the organization's BYOD risks
• Evaluate MDM and other policy solutions and determine their adequacy to protect the organization's proprietary and sensitive information
• Ensure that the organization's BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations

BYOD Threats – IA Focus
Threats
1. Increased risk of information loss: a security incident is easier with a smart device because of the theft or loss of that device.
2. Monitoring: an ever-increasing range of malware and espionage software is being created for mobile devices.
3. Awareness and communication: it is increasingly important to educate staff and other users about the use of poor security practices.
4. Treatment of devices as any other end-point: routes into the corporate network are created by mobile device architecture, which could result in the leakage of highly sensitive information.

Internal Audit Focus
1. Review anti-malware and firewall policy
2. Review operating system/application update policies
3. Ensure that the contents of the device are encrypted and secured
4. Ensure that the Bluetooth feature is in non-discoverable mode, or disable it altogether if it is not needed in the organization
5. Verify awareness of protection against unauthorized observation of sensitive information in public places

14. Sample Audit Objectives
• Provide management with an assessment of BYOD policies and procedures and their operating effectiveness
• Identify internal control and regulatory deficiencies that could affect the organization
• Identify information security control concerns that could affect the reliability, accuracy and security of the enterprise data due to weaknesses in mobile computing controls

AuditNet® BYOD Resources and Tools
• Mobile Device Checklist: www.sans.org/score/checklists/mobile-device-checklist.xls
• Security Guidance for Critical Areas of Mobile Computing: https://downloads.cloudsecurityalliance.org/.../Mobile_Guidance_v1.pdf
• Guidelines for Managing the Security of Mobile Devices in the Enterprise: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf

15. AuditNet® Templates
• Bring Your Own Device (BYOD) Audit, July 2014
• Bring Your Own Device (BYOD) Assurance Audit Program, July 2014
• BYOD (Bring Your Own Device) Maturity Assessment (June 2014)
• Security of Mobile Devices
• BYOD (Bring Your Own Device) Security Audit Program (Source: FastITTools)

Contact Information
Jim Kaplan CIA, CFE
jkaplan@auditnet.org
http://www.auditnet.org

16. BYOD Questions
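The "Internal Audit Focus" items above (encryption, anti-malware, OS update policy, Bluetooth discoverability) are the kind of control tests an auditor can run mechanically against an MDM inventory export rather than by sampling devices by hand. The script below is an added example written for this page, not the presenter's own tool or any real MDM product's API. It assumes a hypothetical CSV export with the columns shown, a constructed four-device sample, and assumed policy thresholds (minimum OS versions, maximum check-in age); it returns per-device control exceptions and a summary an auditor could put in a workpaper.

```python
"""Audit test: evaluate BYOD device controls over an MDM inventory export.

Assumed (hypothetical) CSV columns, not taken from any real MDM product:
device_id, owner, os, os_version, encrypted, antimalware,
bluetooth_discoverable, last_checkin
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export; every value here is made up for illustration.
SAMPLE_EXPORT = """\
device_id,owner,os,os_version,encrypted,antimalware,bluetooth_discoverable,last_checkin
D-001,alice,ios,17.4,true,true,false,2024-06-01
D-002,bob,android,12.0,false,true,true,2024-05-28
D-003,carol,android,14.0,true,false,false,2024-04-02
D-004,dave,ios,16.7,true,true,false,2024-06-02
"""

# Assumed policy values for the example (an organization's BYOD policy
# would set its own minimum versions and check-in window).
MIN_OS_VERSION = {"ios": (17, 0), "android": (13, 0)}
MAX_CHECKIN_AGE_DAYS = 30
AUDIT_DATE = date(2024, 6, 3)  # fixed "today" so results are reproducible


def parse_version(text):
    """'17.4' -> (17, 4); tuple comparison handles multi-part versions."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(row, today=AUDIT_DATE):
    """Return the list of control exceptions for one inventory row."""
    findings = []
    if row["encrypted"].strip().lower() != "true":
        findings.append("storage not encrypted")
    if row["antimalware"].strip().lower() != "true":
        findings.append("anti-malware not installed/enabled")
    if row["bluetooth_discoverable"].strip().lower() == "true":
        findings.append("Bluetooth discoverable")

    os_name = row["os"].strip().lower()
    minimum = MIN_OS_VERSION.get(os_name)
    if minimum is None:
        # A platform the policy does not cover is itself an exception.
        findings.append(f"unsupported platform: {row['os']}")
    elif parse_version(row["os_version"]) < minimum:
        wanted = ".".join(str(p) for p in minimum)
        findings.append(f"OS version {row['os_version']} below minimum {wanted}")

    # A device that stopped reporting to MDM cannot be assumed to be
    # enforcing any of the above, so stale check-ins are flagged too.
    checkin = datetime.strptime(row["last_checkin"], "%Y-%m-%d").date()
    age = (today - checkin).days
    if age > MAX_CHECKIN_AGE_DAYS:
        findings.append(f"no MDM check-in for {age} days")
    return findings


def audit_inventory(csv_text, today=AUDIT_DATE):
    """Map device_id -> list of exceptions for every row in the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: evaluate_device(row, today) for row in reader}


def summarize(results):
    """Population counts for the audit workpaper."""
    total = len(results)
    noncompliant = sum(1 for findings in results.values() if findings)
    return {"devices": total, "noncompliant": noncompliant}


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_EXPORT)
    for device_id, findings in results.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
    print(summarize(results))
```

Each finding maps back to one of the slide's focus items, so the output can be tied directly to the audit program step it tests; in practice the thresholds would be read from the organization's written BYOD policy rather than hard-coded.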