Reining In Enterprise Mobile Computing Risks

Thursday, October 07, 2010

Rebecca Herold

As has been demonstrated repeatedly over the past several years, mobile computing devices and storage media present a huge risk to business and personal information.

Because of the portability of these devices, organizations are effectively entrusting the security of the information stored on them to the people using them.

It is vital that an effective mobile computing device and storage media security and privacy management program is in place.

A mobile computing device and storage media security and privacy management program should be able to answer these questions:

    * How many people within your organization use mobile computing devices, such as laptops, Blackberry devices, iPads, iPhones and smart phones?
    * How many people within your organization use mobile storage devices, such as USB drives, external hard drives, CDs and DVDs, to store business data?
    * What have you told them about how to properly secure these devices, and the information stored in them?
    * Do you just rely upon having published a policy about this topic?
    * Have you gone a step further and actually trained them about how to secure these highly vulnerable mobile goldmines of information and access paths into your network?
    * Do you provide ongoing awareness communications to your mobile computer users about how to properly secure them?

Make Your Personnel Aware! Mobile Computing Device Self-Assessment

Making sure your personnel understand how to protect mobile computing devices is a critical part of any information assurance program. Consider giving your mobile computer users the following short self-assessment as just one of your ongoing awareness activities.

Put this online to not only allow each individual an easy and convenient way to take it, but also to allow you to compile the results and determine where you need to beef up your mobile computing security efforts.

Provide feedback to each of the answers based upon your own organization, policies and procedures. I have provided some examples of the feedback you could use, but be sure to modify it to meet your own organization’s needs.

Also consider including descriptions of actual incidents in your feedback to make it more interesting. Allow each individual to take it anonymously to encourage the most honest answers.

Instructions:
For each of the following questions, choose all the answers that apply to you. Please answer honestly; your responses will help us to more successfully and efficiently implement ways to protect the personal and sensitive information stored on mobile computing devices, such as a laptop, Blackberry, iPhone, smart phone and so on, as well as on mobile storage media, such as DVDs, CDs, USB thumb drives, backup disks and tapes, and so on.

Which of the following ways do you use to protect confidential information on your mobile computing device and mobile storage media?

  a. Encrypt the data using a strong encryption solution provided by the organization

  b. Encrypt the data using a scrambling method developed by you or someone else in-house

  c. Use a login password

  d. Use a BIOS/boot password

  e. I don’t do any of these things; I didn’t know I needed to

  f. I don’t do any of these things; they are too hard to do and slow me down

  g. I don’t know whether any of these things are done or not

General feedback for each of the above answers (remember, you need to expand upon these to fit your own organization):

  a. This is great!  You are following the corporate policies.  You also need to use passwords, as per policy.

  b. You are on the right track, but home-grown scrambling methods are easily defeated by anyone who takes the time to study them.  Use the corporate encryption solution to better secure your data and to be in compliance with corporate policies.

  c. This is one very good component of overall data security for mobile devices, and follows our corporate policy.  Be sure you also use it in conjunction with encryption; a login password alone does not protect the data if the drive is removed and read on another computer.

  d. This is very good.  Using a BIOS, or boot, password is one of the layers of security you need to protect the information on your mobile computing device.  It deters casual use of the machine, but it does not encrypt the disk, so see the corporate policy for the other ways in which you need to be protecting the data on your mobile devices.

  e. Many significant incidents have occurred with mobile computing devices and storage media.  It is critical that you take appropriate measures to protect the data on your devices.  You should use boot and login passwords, in addition to encrypting the data.  See the corporate policy for details.

  f. Yes, some security measures do seem to make it a little more difficult to use your computer or storage media.  However, we have worked hard to implement technologies that are as easy and transparent to use as possible.  Please contact the Information Security department if you are having trouble using encryption or setting your passwords.  You can also see the “Mobile Device Encryption and Password FAQ” we have on our information security knowledge portal.  Using passwords and encryption on your mobile devices is not only important for protecting our business and the data we are entrusted to protect, it is also required by our corporate information security policy, which you can also find on our information security knowledge portal.

  g. The Information Security team can help you determine whether or not you are using encryption or passwords on your mobile devices.  You can also see the “Mobile Device Encryption and Password FAQ” and the corporate “Mobile Computing Device and Storage Media Policy” we have on our information security knowledge portal.
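Answer (b) above says that a home-grown scrambling method is easily defeated. The following added example (not code from the original article) makes that concrete. It models the typical in-house scheme as a repeating-key XOR over the file, then breaks it with a known-plaintext attack: the attacker only has to guess something the file starts with, such as the column header of a customer export, and the key falls out. The sample records, the header, the key and all function names are constructed for the illustration.

```python
from itertools import cycle

# Constructed sample data: a small customer export as it might sit on a lost USB drive.
SAMPLE_RECORDS = (
    "last_name,first_name,account_number,balance\n"
    "Doe,Jane,4411-2287,1250.00\n"
    "Roe,Richard,9907-0034,87.15\n"
    "Poe,Alice,1203-5589,5600.42\n"
).encode()


def scramble(data: bytes, key: bytes) -> bytes:
    """The 'proprietary' scheme: XOR every byte with a short repeating key.
    The result looks like gibberish in a hex editor, which is what fools people."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unscramble(data: bytes, key: bytes) -> bytes:
    return scramble(data, key)  # XOR is its own inverse


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    ciphertext[i] ^ plaintext[i] == key[i % len(key)], so XORing the guessed
    prefix against the ciphertext yields the key stream; the shortest period
    that explains the whole stream is the key.  A period is only accepted when
    the known prefix covers it at least twice, otherwise a too-short guess would
    be mistaken for a short key.
    """
    if len(known_prefix) > len(ciphertext):
        raise ValueError("known prefix is longer than the ciphertext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for period in range(1, max_key_len + 1):
        if 2 * period > len(stream):
            break  # not enough known plaintext to confirm a key this long
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(len(stream))):
            return candidate
    raise ValueError("no repeating key confirmed: prefix too short, or not a repeating-key XOR")


def break_scrambled_file(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover the key from the guessed header, then decrypt the whole file."""
    return unscramble(ciphertext, recover_key(ciphertext, known_prefix))


if __name__ == "__main__":
    blob = scramble(SAMPLE_RECORDS, b"S3cret!")
    # The attacker knows only that exports from this application start with this header.
    print(break_scrambled_file(blob, b"last_name,first_name,account_number").decode())
```

The point for the feedback text: the key never had to be found, only the kind of file. A vetted encryption solution is not vulnerable to knowing the plaintext format, which is why the feedback steers people to the corporate tool rather than to a stronger home-made scheme.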

In which of the following ways do you physically protect your mobile computing device and mobile storage media?

  a. Keep the mobile computing device and storage media out of view of others.

  b. Carry the mobile computing device and storage media with you at all times.

  c. Lock your car when leaving the laptop in it.

  d. Use something other than a recognizable laptop case, such as a padded backpack, travel bag or tote bag, to put your mobile computer and mobile storage in.

  e. Use a cable to physically secure your mobile devices when you must leave them in an unattended location.

  f. Ask someone to watch it for you in public areas, such as the airport, while you go to the snack bar or restroom.

  g. None of the above.

General feedback for each of the above (remember, you need to expand upon these to fit your own organization):

  a. Keeping your laptop out of view is a good start.  How you keep it out of view is key.  See the “Mobile Device Physical Security FAQ” and the corporate “Mobile Computing Device and Storage Media Policy” we have on our information security knowledge portal for more details about this.

  b. This is a very good practice.  Keeping your mobile devices with you is one of the best ways you can physically secure them.  This is particularly important in airports, restaurants, conferences, and other public locations where many people are milling about.

  c. Well, it is good you lock your car, but where you keep your mobile device within your car is key.  Do not leave it where it is visible from outside the car…and covering it with newspapers is not an acceptable way to hide it!  Put your device in a container that does not indicate it is a mobile computing device, and lock it in your trunk or in the glove compartment if you absolutely have to leave it in your car.  Many laptop theft incidents have occurred in people’s cars parked right by their own homes.  The best practice is to take the mobile computing device and mobile storage media with you.

  d. It is a great practice to use something other than a recognizable laptop case, such as a padded backpack, travel bag or tote bag.  This helps to keep you from becoming a target of thieves looking for computing devices.  But be sure to take additional precautions as well.

  e. Using a cable is a good way to secure your mobile devices when you have to leave them in an unattended location, such as within a hotel room or in a meeting room.  It is best, however, if you take the mobile device with you.

  f. Ooh…this one is risky.  If you ask just any stranger sitting close to you to watch it, as many people do, you run a very large risk of having your device and the person gone when you return.  If you ask a trusted friend, family member, or business colleague, this is an acceptable practice; the key is that you can actually trust them to keep their eye on your stuff and not get distracted.

  g. Yikes!  If you are outside the corporate facilities you are putting your mobile computing devices and storage media at great risk.  See the “Mobile Device Physical Security FAQ” and the corporate “Mobile Computing Device and Storage Media Policy” we have on our information security knowledge portal for more details about this, or call our Information Security team to discuss.

Ongoing Awareness

There are many more types of questions that you can use on an ongoing basis to keep information security issues in the minds of your personnel.  I provided just a couple here to get you going.

Such short, two- to three-question self-assessments provide a non-intimidating way in which you can effectively raise the awareness of information security issues within your organization and help lessen the probability of incidents occurring from personnel mistakes or lack of knowledge.

Additionally, doing such activities will help satisfy the many regulatory and legal requirements for providing such ongoing awareness.

You can either make taking these self-assessments mandatory, or you can motivate personnel to take them by offering prizes, such as a restaurant or bookstore gift certificate, for participating. This can be done in such a way that anonymity is preserved.

Protect Your Mobile Computing Devices and Storage Media

The rest of this paper lists precautions for you to take, as appropriate and applicable to your organization, to help ensure the security of the mobile computing devices and storage media used within your organization.

Checking for these when doing audits or internal reviews will help to significantly mitigate mobile computing risks, resulting in a much stronger overall information security program.

Awareness and Training

    * Train your personnel and provide ongoing awareness messages regarding how to effectively secure mobile computing devices and storage media.  Make sure they know how to protect their mobile computing device passwords.
    * Do not allow mobile computing devices to be shared; this significantly increases the risks for incidents and breaches.  With a shared device no one is clearly responsible for it, and everyone using it may assume someone else is protecting it.
    * Communicate personnel responsibility for the security of mobile computing devices and storage media.  Implement a clearly written and well-communicated policy outlining personnel responsibility and have each indicate in some form (written or electronic) their understanding of this policy and their agreement to follow it.
    * Require personnel to store only the minimal amount of data necessary on the mobile computing devices and storage media.  Many well-publicized incidents have occurred with laptops containing information about hundreds of thousands of people.

Physical Protection

    * Require personnel to keep their mobile computing devices and storage media with them at all times while they are away from your facilities.  Tell them not to leave the devices in cars, unattended meeting rooms, and so on.  There are portable safes you may want to consider using, based upon the risk involved with your travelers who are carrying your sensitive information.
    * Provide physical security mechanisms, such as locks or cables, to your personnel who take mobile computing devices away from your facilities.
    * If your mobile computers and storage devices contain highly sensitive information, consider installing motion sensors or alarms on your mobile computing devices.  The last thing a thief wants in a populated area is a 110-decibel or louder alarm bringing everyone’s attention to him or her.  Of course you would also need to train your personnel how to use them so they don’t accidentally blast their own eardrums.

Policies and Device Management

    * Maintain an inventory of all your mobile computing devices and storage media and the people who are authorized to use them.
    * Use tracking labels and tags on all mobile computing devices and storage media so you can tell where they are located and who is responsible for each at all times.
    * Maintain an ‘Acceptable Use’ policy for handheld devices, and make sure it specifies that:
        o Only software permitted by the security policy is allowed on the device.
        o Device backup software must be operating as defined by the security policy.
        o All corporate data must be removed from a user’s personal device when that user leaves the organization.
    * Do not allow mobile computing devices and storage media to be used for personal use, or limit personal use to the amount that is reasonable.
    * Do not allow employee-owned mobile computing devices and storage media to be used for business purposes or storing business data.
    * Ensure all mobile computing activities meet compliance with all applicable data protection laws, regulations and contractual commitments.

Encryption

    * Require all confidential and personal information stored on mobile computing devices and storage media to be strongly encrypted.  Provide the encryption software to your personnel, and provide them with training about the importance of using it as well as how to use it.
    * Use encryption for data transfers from mobile computing devices. Never send or receive sensitive data over a wireless link unless end-to-end encryption is in place on top of whatever the link itself provides. Mobile devices that retain company-sensitive information must use the company’s standard encryption to safeguard it.
    * Require the data stored on all USB devices to be encrypted.

Data Issues

    * Do not allow entire databases containing personal information to be stored on mobile computing devices.  If personal data is necessary, use only the data the mobile user truly needs for business purposes.
    * Do not allow real personal data to be used for demonstration purposes, particularly on mobile computing devices. This is an especially common risk with sales and marketing personnel; I’ve seen incredibly large amounts of real customer data being used over the years at conferences and sales demos.

Miscellaneous Technology Protections

    * Install and activate a software firewall on all mobile devices.
    * Activate virus detection and malware prevention system software, including a procedure to ensure that the software is maintained and up to date.
    * Implement a user identification and password authentication mechanism in order to control user access to the system.
    * Use a boot/BIOS password for all mobile devices and laptops, so that the system is accessible only to authorized users.
    * Also use a login password for all mobile computing devices.  The more roadblocks you can establish for preventing unauthorized use of a mobile computing device the better.
    * Install operating system updates that fix discovered vulnerabilities.  Make sure they are installed in a timely manner and on all devices.
    * Disable all unused and unnecessary services.
    * Password-protect the system administrator and/or root account.
    * Install and activate an inactivity timer or automatic logoff mechanism.
    * Configure wireless connectivity with the strongest security settings available.
    * Update all anti-spyware software for mobile devices with the same frequency as the organization’s non-mobile assets.
    * Disable peer-to-peer (P2P) and file sharing on all mobile devices.
    * Enable auditing and logging on all mobile devices.
    * Disable display of the last user’s logon name on the login screen.
    * Unused user accounts should also be disabled.
    * Set the device to lock after a set period of inactivity.  A recommended inactive period setting is 10 minutes or less.
    * Turn off “beaming” (infrared data transmission).
    * Implement technology to allow you to destroy the data remotely if the mobile computing device or storage media is stolen or lost.
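The list above is framed as something to check during audits and internal reviews, so here is an added example (not code from the original article) of what such a check looks like when automated. It evaluates four of the controls (firewall on, disk encrypted with protection actually on, inactivity lock of 10 minutes or less with a password on resume, last logon name hidden) against a configuration snapshot in the shape of what `netsh advfirewall show allprofiles`, `manage-bde -status` and `reg query` print on a Windows laptop. The snapshot below is constructed for the example and was not captured from a real machine; the `Finding` record, the function names and the threshold constant are hypothetical, and the field labels it parses are the ones those tools normally emit, so adjust the patterns if your build prints them differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed snapshot (not from a real machine), in the shape of the tools' output.
NETSH_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

BDE_OUTPUT = """
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
"""

REG_OUTPUT = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive       REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut      REG_SZ    600

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    DontDisplayLastUserName    REG_DWORD    0x1
"""

MAX_IDLE_SECONDS = 10 * 60  # the "10 minutes or less" recommendation above (assumed policy value)


@dataclass
class Finding:  # hypothetical record type for one control's result
    control: str
    passed: bool
    detail: str


def check_firewall(netsh_text: str) -> Finding:
    """Every profile must be ON; the Public profile is the one that matters in hotels and airports."""
    states = dict(re.findall(r"^(\w+) Profile Settings:\n-+\nState\s+(ON|OFF)", netsh_text, re.M))
    if not states:
        return Finding("firewall", False, "no firewall profiles found in snapshot")
    off = sorted(p for p, s in states.items() if s != "ON")
    return Finding("firewall", not off, "all profiles ON" if not off else "OFF for: " + ", ".join(off))


def check_disk_encryption(bde_text: str) -> Finding:
    """'Fully Encrypted' alone is not enough: while protection is suspended ('Protection Off')
    BitLocker keeps the volume key in the clear, so anyone holding the drive can read it."""
    conv = re.search(r"Conversion Status:\s+(.+)", bde_text)
    prot = re.search(r"Protection Status:\s+(.+)", bde_text)
    conv_s = conv.group(1).strip() if conv else "?"
    prot_s = prot.group(1).strip() if prot else "?"
    ok = conv_s == "Fully Encrypted" and prot_s == "Protection On"
    return Finding("disk encryption", ok, f"conversion={conv_s}, protection={prot_s}")


def _reg_value(reg_text: str, name: str) -> Optional[str]:
    m = re.search(rf"^\s*{re.escape(name)}\s+REG_\w+\s+(\S+)", reg_text, re.M)
    return m.group(1) if m else None


def check_inactivity_lock(reg_text: str) -> Finding:
    """Screen saver on, password required on resume, timeout within policy."""
    active = _reg_value(reg_text, "ScreenSaveActive") == "1"
    secure = _reg_value(reg_text, "ScreenSaverIsSecure") == "1"
    raw = _reg_value(reg_text, "ScreenSaveTimeOut")
    seconds = int(raw) if raw and raw.isdigit() else None
    ok = active and secure and seconds is not None and seconds <= MAX_IDLE_SECONDS
    return Finding("inactivity lock", ok,
                   f"active={active}, password on resume={secure}, timeout={seconds}s (max {MAX_IDLE_SECONDS}s)")


def check_last_logon_hidden(reg_text: str) -> Finding:
    """reg query prints DWORDs in hex; a missing value means the default, which shows the name."""
    raw = _reg_value(reg_text, "DontDisplayLastUserName")
    hidden = raw is not None and int(raw, 16) == 1
    return Finding("last logon name hidden", hidden, f"DontDisplayLastUserName={raw}")


def audit(netsh_text: str, bde_text: str, reg_text: str) -> List[Finding]:
    return [check_firewall(netsh_text), check_disk_encryption(bde_text),
            check_inactivity_lock(reg_text), check_last_logon_hidden(reg_text)]


def failed_controls(findings: List[Finding]) -> List[str]:
    return [f.control for f in findings if not f.passed]


if __name__ == "__main__":
    for f in audit(NETSH_OUTPUT, BDE_OUTPUT, REG_OUTPUT):
        print("PASS" if f.passed else "FAIL", f.control + ":", f.detail)
```

On the constructed snapshot the firewall check fails because the Public profile is off, and the encryption check fails even though the volume reports 100% encrypted, because protection is suspended. Both are the kind of finding a manual review of "is the firewall on" or "is the disk encrypted" tends to miss, which is the reason to script the checks rather than ask.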

Cross-posted from The Privacy Professor
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.