One office's experience auditing government's management of mobile device usage ... w.r.t. information security and privacy!
Where? British Columbia.
When? 2016.
Who, what, why and how:
- What is a mobile device
- Why even the audit title was critical
- Why you must scope the devices that are in and the ones that are out
- How (for us) scoping allowed 'outsourcing' some work
- What Lines of Enquiry and Criteria we chose
- Why you WILL run into auditees who don't understand the risks
- Why you WILL run into auditors who don't understand the risks
- Who we 'outsourced' work to
- What was our value-add
2. 2/29 PNIAF 2017‐03‐17
what's in it for me
• mobile device enthusiast
• audit enthusiast
what's in it for you
• mobile device audit gotchas
• cybersecurity & privacy insights specific to mobile
• perspective of both security practitioner & auditor
14. names/words matter
What is a mobile device?
• flash drive?
• laptop?
• tablet?
• dumb (i.e. feature) phone, cell phone, smartphone?
Name of audit: MDM or MMD?
• Mobile Device Management is a product
• Management of Mobile Devices
• allowed for Policies, Procedures, Standards, Guidelines, and Practices.
26. Summary of Mobile Devices: Tips for Security & Privacy
1. Password protect your device
2. Lock your screen
3. Encrypt it
4. Limit password attempts
5. Use anti-malware software
6. Don't jailbreak or root your device
7. Be choosy with apps
8. Limit app permissions
9. Keep software up-to-date
10. Limit location information
11. Review voice commands
12. Promptly report lost/stolen devices
13. Bluetooth, Wi-Fi, NFC
14. Safely dispose of your device
15. Consider using Find My Phone