1. Mobility, Risk, Strategy & Policy
Addressing Mobile Business & Technology Issues
Orienting mobile strategy to negotiate risk landscape obstacles
Harry Contreras – CISSP
ISSA Phoenix Chapter - April, 2011 – Copyright 2011
2. Mobility Risk, Strategy and Policy
April 2011- Presentation Outline
• Mobility issues facing businesses today
• Risk and Liability issues
• Strategy development
• Policy program issues and concerns
• Delivery elements
• Summary with Q&A opportunity
• Resources & References - Take Away
Orienting mobile strategy to negotiate risk landscape obstacles
3. Mobility Risk, Strategy and Policy
Mobility Issues to Assess and Address
Risks: Identify the common and unique risks of mobile technology that are in scope for business use. Consider liability and choices for risks accepted, avoided and transferred.
Strategy: Develop strategy within the framework of the identified risks that impact the business. With stakeholders define the requirements that meet elements for advancing business objectives.
Policy: Authorized and endorsed corporate policy & standards for mobile technology use in the company. Communicate and train via compliance & security awareness programs.
Delivery: Identify the actions to deliver a mobile strategy. What it will take to support, maintain and sustain with currency a complete plan for an enterprise.
We will follow these four tracks throughout the presentation
Risks Strategy Policy Delivery
4. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Assessing company risk with mobile technologies
Establish understanding of company tolerance for risk
• Business culture
• Company compliance impact points
• Consumer technologies introduce new risk issues
Integrate cross-linkages with existing Compliance issues
• Consult with your company Legal department
• Corporate governance determines
One of the first areas to “do your homework”.
Risk
5. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Regulatory, Liability and Risk Landscape
Regulatory “entanglements”
• Personal, Health and Card Holder privacy regulations
• SEC regulation
• Rule 26 / e-Discovery
• Forensics and investigations
• IRS Regulation and Reporting requirements
Company and Operations specific issues
• Corporate Contractual obligations
• Business “verticals” - i.e. health industry, government contracting
• Global operation regional issues - i.e. European work councils
Other “surprises” both foreign and domestic.
Risk
6. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Business operating issues and risk posture
• Separation of asset ownership- i.e. BYO assets (More on this later.)
• Business owned or employee owned
• Ownership and control of platform resident data
• Business capitalization concerns
Employee privacy issues or business “enablers”
• “Invading technologies” to consider
• Presence
• Geo-location
• Tracking and utilization reporting
Identity specific usage issues
• Business representative – i.e. how phone number associated
• Personal, non-Company persona
How much or how little is the Company willing to address.
Risk
7. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Business issues and risks for BYO assets
• How much encroachment do company controls extend?
• Commingled personal and Company information
• Are business resources and services being “misappropriated”?
How do employees expect Company services at their disposal?
• Truth or fallacy? - Reality Check
• Employees expect free-reign utilization of assets and services
• Do not want and will not tolerate limitations
Assessing risk and liability usage issues for BYO assets
• HR reports employees are doing “WHAT” with their devices?
• Client claims that employee took recording of their conversation
• Liability remains for Company regardless of approach
Can you say it with me…
“No employee entitlements to Company provisioned services for personal use.”
Risk
8. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Industry perspective – “Peersay”, NetworkWorld.com – 3/21/2011
Tablets and smartphones in the enterprise
There are two types of risk. One, to the organization, of sensitive content being
exposed if the device is lost, hacked or otherwise compromised. In some cases
there are financial penalties for this, as well as costly notification practices that need
to be complied with if it involves any customer data.
The other is to the employee. In the event of a legal action involving anything they
may have been involved in, or a data call to “…produce any/all records related to
XYZ,” the employee’s device may be subject to search. This could risk exposing
their personal data, including passwords, contacts, browser history and other things
they may not want their employer or others to have access to.
Commingling business/personal content and activity just plain isn’t good sense. Even a
one-person consulting business keeps its personal and business financial
assets/accounts independent of each other; why doesn’t it make the same sense to
keep your information assets independent?
Larry
With this as a “backdrop” … “Discuss, discuss…”
Risk
9. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Assessing company risk with mobile technologies
Original risk issues for mobile technologies remain
• Approaches for laptops and enterprise architected solutions for
mobile platforms (i.e. RIM, Good Technology) have addressed most of
the risks over time
Newer mobile technologies bring added complexity
• Consumer grade technologies are introducing and broadening the
risk and threat horizon
• “Not ready for enterprise introduction”
• Patchwork quilt of solutions to weave together for mixed results and
effectiveness
• “Consumer use mentality” is the “insider threat” today.
Remember, once you go “Tablet” you can never go back.
Risk
10. Mobility Risk, Strategy and Policy
Risk & Liability Issues
Assessing company risk with mobile technologies
Accept or Retain the identified risk. The risk is unlikely or its impact does not warrant
any further action; the company simply decides to bear any recovery costs.
Avoid or Reject the risk. When the cost or likelihood of the risk is great, it is not
feasible to continue in that area of activity – product, process or geography.
Transfer or Share the risk. When risk is part of the business operation and its cost is
predictable, the company may elect to insure, warranty or contract (outsource).
Mitigate or Reduce the risk. The identified risk(s) are core to the business, and
controls are implemented to reduce likelihood and impact to the business.
Ignore the risk. An identified option of choice to consciously do nothing. Potential
for catastrophic business impact and serious legal and liability repercussions.
Burying your head in the sand – not an option.
Presentation points in due diligence for management briefing.
Risk
11. Mobility Risk, Strategy and Policy
Strategy Development
Where is your Strategy now?
New or inherited Mobile Strategy
• What is in place now?
• Functional or “death spiral”
• What is your charter for this initiative?
• Build new or patch and repair
What you may need or what may be missing – Resources
(Any way you can get them allocated - internal or contracted.)
• Enterprise Architect or IT Strategist
• Subject Matter Expert (SME) Engineer
• Analyst
• Project Manager
• Leadership/Management endorsement - oversight
The all important “management underwriting” license for change.
Strategy
12. Mobility Risk, Strategy and Policy
Strategy Development
What is the approach for “services”?
• In-house vs. Hosted
• Will need to build out or negotiate contract(s)
• Take opportunity to research each option
• Can business replicate what providers have already built?
Present state analysis and comparison to “to-be” state
• Are there any accounting stats or metrics to baseline?
• What is Cost of Doing Business today for strategy
• Can gains and improvements be attained with volume discounts?
• Will outsourcing “provisioning” be beneficial?
• Is “standardization” going to be an issue?
• Does your Telecom services strategy run parallel or intersect?
• Is there an expectation or goal for cost/expense limitation?
Be on the lookout for “scope creep” around every corner.
Strategy
13. Mobility Risk, Strategy and Policy
Strategy Development
Ask these same questions with the BYO assets approach
What is the approach for “services”?
• In-house vs. Hosted
• Will need to build out or negotiate contract(s)
• Take opportunity to research each option
• Can business replicate what providers have already done
Present state analysis and comparison to “to-be” state
• Are there any accounting stats or metrics to baseline?
• What is Cost of Doing Business today for strategy
• Can gains and improvements be attained with volume discounts?
• Will outsourcing “provisioning” be beneficial?
• Is “standardization” going to be an issue?
• Does your Telecom services strategy run parallel or intersect?
How many personal plans on how many providers come into play?
The BYO approach compounds the variables & dilutes volume plans.
Strategy
14. Mobility Risk, Strategy and Policy
Strategy Development
Adding Controls
Plotting a Successful Strategy
[Chart: Plotting a Successful Strategy]
Vertical axis: Cost Tolerance ($$$$ + at the top, 0 at the origin)
Horizontal axis: Risk Tolerance (+ at the left, - at the right)
Diagonal bands between the axes: Mobile Strategies, Compliance Issues
Left extreme: Anything goes / Unsupportable Model
Right extreme: Non-functional / Overly draconian
Every Business has its own “Sweet Spot”
Success or Ultimate “Fail”
Strategy
15. Mobility Risk, Strategy and Policy
Strategy Development
What are we up against with newer mobile technologies?
• Lack of built-in security
• Open and easily extensible operating architectures
• Poor control over devices
• Poor control over connectivity
• Weak connection security
• Weak authentication of user and device
• Poor working practices
• Compromise of stored data
Control, Contain, Maintain and Explain…
• Asset sprawl, capitalization, operational expense, support costs
• Policy, standardization, licensing
• Regulatory compliance, content management, security controls
• Add to and refine this list…
iPhones, Androids, and Blackberrys… Oh My!
Strategy
16. Mobility Risk, Strategy and Policy
Strategy Development
Several mobile security strategy approaches available today
• Basic device management
• Enhanced device management
• Walled garden
• Risk based management
• Basic device management – use Microsoft ActiveSync for simple
policy management.
• Enhanced device management – use mobile device management
software for more sophisticated control of company-issued devices.
• Walled garden / Virtual workspace – Allow corporate access from
personal devices, but wall it off from the device’s personal content.
• Risk based management – Set policies that restrict corporate access
for phones with high risk factors, like unauthorized apps or out-of-date
policies.
The more product solutions are applied – the more profits are eroded.
Strategy
17. Mobility Risk, Strategy and Policy
Strategy Development
Some focus points for major solutions in your strategy
• Set strategy, policies and standards
• Deploy standard hardware, apps and security software
• Virus protection, firewalls, disable concurrent connection options
• Use device authentication to eliminate “rogue” devices connecting
• Consider two-factor authentication – smart cards, embedded tokens
• Harden / lock-down operating systems and device options
• Whitelist authorized and supported applications – app fingerprinting
• Implement software upgrade and patch management solutions
• Encrypt stored data and removable storage media
• Use remote kill and data wipe solutions
• Educate users on mobile use requirements/policy
• Provide helpdesk and IT support to mobile users
• Scan networks for unauthorized devices and connections
Strategy
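As an added example that is not part of the deck, here is how the risk based management approach of the previous slide and the device authentication, encryption and application whitelisting (app fingerprinting) points above could be combined into one compliance gate; the policy version, app ids and build fingerprints are constructed placeholders, not real values.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed allow-list (placeholder app ids and build fingerprints, not real
# package hashes): app id -> SHA-256 of the approved build.
APPROVED_APPS = {
    "com.example.mail": hashlib.sha256(b"mail-build-4.2").hexdigest(),
    "com.example.vpn": hashlib.sha256(b"vpn-build-1.9").hexdigest(),
}
CURRENT_POLICY_VERSION = 7   # latest policy pushed by the MDM (assumed value)
MAX_POLICY_LAG = 1           # versions behind that are still tolerated
HARD_BLOCK = {"unauthenticated device", "storage not encrypted"}

@dataclass
class Device:
    device_id: str
    authenticated: bool      # device identity/certificate validated
    encrypted: bool          # stored data and removable media encrypted
    policy_version: int      # last policy version the device acknowledged
    apps: dict = field(default_factory=dict)   # installed app id -> fingerprint

def risk_factors(dev: Device) -> list:
    """Collect the risk findings for one device; an empty list means compliant."""
    findings = []
    if not dev.authenticated:
        findings.append("unauthenticated device")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if CURRENT_POLICY_VERSION - dev.policy_version > MAX_POLICY_LAG:
        findings.append("out-of-date policy")
    for app_id, fingerprint in dev.apps.items():
        approved = APPROVED_APPS.get(app_id)
        if approved is None:
            findings.append(f"unauthorized app {app_id}")
        elif fingerprint != approved:
            findings.append(f"unapproved build of {app_id}")
    return findings

def access_decision(dev: Device) -> str:
    """Map findings to corporate access: allow, quarantine or block."""
    findings = risk_factors(dev)
    if not findings:
        return "allow"
    # Identity and encryption failures block outright; anything else parks
    # the device in quarantine until a policy re-sync or app removal fixes it.
    return "block" if HARD_BLOCK & set(findings) else "quarantine"

if __name__ == "__main__":
    # Constructed sample fleet: a compliant device and one with a stale policy.
    fleet = [
        Device("tablet-01", True, True, 7, {"com.example.mail": APPROVED_APPS["com.example.mail"]}),
        Device("phone-02", True, True, 5, {"com.games.unknown": "abc123"}),
    ]
    for dev in fleet:
        print(dev.device_id, access_decision(dev), risk_factors(dev))
```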
19. Mobility Risk, Strategy and Policy
Strategy Development
Technology Landscape Considerations
Wireless Technology Continuum: GSM, UMTS, LTE | HSPA | CDMA, CDMA2000, UMB | 3G | 4G | WiFi | WiMax | Bluetooth
Which bands, services, operators and where does your solution fit?
Strategy
20. Mobility Risk, Strategy and Policy
Strategy Development
What services and features fit into your business model?
• Multiple service bands – which ones are operator specific
• Phone / Voice capability with simultaneous Data session capability
• What is the bandwidth overhead for the mobile application portfolio?
• Email – Single Company source or all services allowed?
• Internet browsing allow all or filter? Liabilities?
• Are texting and Multi Media Services included in operating costs?
• Audio – Allow personal music files? (How will you address licensing?)
• Allow audio recording capability? Liabilities?
• Allow video recording capabilities? Liabilities?
• Camera phone “follies” – (Your own mental image goes here.)
• Limit instant messaging to in-house services or allow all?
• Global Positioning Services (GPS)
• Tele-presence / Video conferencing
• Is unified communications (UC) in your Telecom Plan?
All equate to bandwidth – Bandwidth equates to expense.
Strategy
21. Mobility Risk, Strategy and Policy
Strategy Development
Strategy Analysis:
The What, When, Why, How and Who
– What = Identify risks to the business
– When = Prioritize actions
– Why = Cost justification
– How = Solutions/Mitigation approaches
– Who = Assign actions to carry out
Famous phrase applies here – “Choose wisely grasshopper.”
Strategy
22. Mobility Risk, Strategy and Policy
Policy Program
What is the approach for mobile “policy” issues?
• First and foremost -
• Will need to be endorsed by Corporate representation
• Take opportunity to review and align
• Consider the following
• Business culture
• Compliance & regulations
• Risk mitigation targets
What is required in policy statements
• Are policy statements expectations of behavioral controls?
• Are policy statements declarations of automated enforcement?
• It can be one, the other or a combination in policy
What did we have to say about that in the Acceptable Use Policy?
Policy
23. Mobility Risk, Strategy and Policy
Policy Program
Other considerations for “Mobile Technology Use Policy”
• Consult with Legal Team -
• Inclusion of “Opt-In” – Employee sign off on Mobile policy
• Where any “personally owned device” enters into the program
• Objective -
• Acknowledging company controls and expectations when an
“event” condition occurs and implications to personal information
and access to personal device.
“Bricking” is a last resort
• Rendering a field unit inoperable has consequences
• Both good and bad results
• Is it the only communication resource for employee?
• Read in health, safety and other personnel issues here…
What did we have to say about that in the Acceptable Use Policy?
Policy
24. Mobility Risk, Strategy and Policy
Policy Program – Hierarchy of Policies
Overarching Global Policy (Core) – Authorized & Endorsed
• Acceptable Use Policy (AUP)
• Privacy and Data Protection
• IT Security Policy Manual
Implementation policy details endorsed by Human Resources, Legal and Compliance
Security Position Statements (Core) – Addresses new technologies & mitigating immediate business risks
• AUP Mobile Technology Policy
• Opt-In (Sign-Off) to participate in Company plan
Subordinate Security Standards
• Detailed technology specs
• Required compliance controls
Security Awareness Content
• Awareness Library of Tools & Resources
Diagram tiers: Security Position Statements | IT Security Policy Manual | IT Security Standards | IT Security Awareness Materials
Policy
25. Mobility Risk, Strategy and Policy
Delivering the Strategy
What to include in the Delivery plan
• First and foremost -
• Must be manageable
• Must be supportable
• Must be affordable
• Must be sustainable
• Is it aligned with the business use model?
• Addresses Compliance & regulations
• Can assets be forensically interrogated?
• Risk mitigation targets must be addressed
• Data escape controls in place
What next?
• Once you embark on a plan of action – course corrections will
impact all of the previously defined variable elements
Critical Success Factors
Delivery
26. Mobility Risk, Strategy and Policy
Delivering the Strategy
Delivery element analysis:
The What, When, Why, How and Who
• Why = Business objectives for mobility
• What = Strategy, policy and technologies
• How = Delivery plan
• Who = Resources, personnel and funding
• When = Delivery timeline
Critical Success Factors
Delivery
27. Mobility Risk, Strategy and Policy
Summary
Sustaining Security Objectives for the Organization
Security – Be recognized as the visionary security leader that collaboratively
consults with the business.
Security – Enable the business with compliant and consistent security policy
and controls focused on secure future computing within the Company.
Security – Ensure governed, integrated protection for the entire Company and
its resources.
Protecting colleagues, company assets and reputation
Risk Strategy Policy Delivery
28. Mobility, Risk, Strategy & Policy
Addressing Mobile Business & Technology Issues
Conclusion – Question & Answers
- Disclaimer -
“Not a lawyer.”
This presentation is available at: http://www.slideshare.net/hcontrex
H. Contreras – CISSP ISSA Phoenix Chapter - April, 2011 – Copyright 2011
29. Mobility Risk, Strategy and Policy
References – Resources
• Grant Moerschel, Information Week, Jan 29, 2011 – 4 Strategies To Lower Mobile Device Risk
• Mark Gibbs (Toolshed), NetworkWorld, Feb 7, 2011 – Mobile Devices: You’re losing control
• Greg Masters, SCMagazine, Feb 17, 2010 – On the go: Mobile Security (http://scmagazineus.com)
• David F. Carr, Information Week, Dec 6, 2010 – iPad in the Enterprise
• Mathias Thurman (Security Manager’s Journal), ComputerWorld, Mar 22, 2010 – BYOPC won’t be a party for security
• Steven J. Vaughan-Nichols (Opinion), ComputerWorld, Mar 21, 2011 – I Want My iPad at Work!
• ProfitLine White Paper, Nov 2009 – Culture Shift: The most overlooked aspect of deploying smart devices in the enterprise