Saturday, May 14, 2011

Tips for Mobile Risk Management

Simple steps can be taken to mitigate the risks introduced by mobile devices.

Mobile devices are changing the business landscape. Deployment of mobile devices can present a significant amount of risk to the overall enterprise security posture. Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability.

Deploying mobile devices cannot be addressed solely as a technical activity, as they affect the organizational information flow and the business processes of the enterprise from many perspectives. Some special considerations that organizations should bear in mind when considering deployment of mobile devices include:

Policy: Does a security policy exist for mobile devices? Does it include rules for appropriate physical and logical handling? The enterprise should have a policy addressing mobile device use and specifying the type of information and kind of devices and information services that may be accessible through the devices. The policy should also cover devices that are owned by the organization as well as devices that are owned by staff, contractors or other external entities.

Network access control: How do you know that a mobile device meets the appropriate software standards before it is allowed onto the network? If the device is organization-owned, its antivirus software or other protection should be regularly updated before a connection to the organizational network is permitted, so that malware is not propagated. Verify that mobile device data synchronization is not configured to pull from shared files or network drives that hold data the policy prohibits for mobile use.
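The posture check this item describes can be written down as an enforceable rule set rather than a manual review. The following Python sketch is an added example, not code from the original article or from ISACA: it evaluates a device's self-reported state (antivirus signature age, OS version, storage encryption, ownership, and which shares it synchronizes) against the organization's thresholds and returns an allow/deny decision with the reasons. All device records, thresholds, share names and the `AccessPolicy`/`DevicePosture` types are constructed for illustration; in a real deployment the posture would come from a device management agent and is only as trustworthy as that agent.

```python
"""Policy-based device posture check before granting network access.

Added example (not from the original article). Every device record,
threshold and share name below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


def _version_str(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


@dataclass(frozen=True)
class AccessPolicy:
    """Thresholds the mobile device policy sets for network access (constructed)."""
    max_av_signature_age_days: int = 7
    min_os_version: Tuple[int, int] = (4, 0)
    require_storage_encryption: bool = True
    allow_personal_devices: bool = False
    # Shares the policy prohibits from mobile synchronization (lower-case, constructed).
    prohibited_sync_shares: frozenset = frozenset({r"\\fileserver\finance", r"\\fileserver\hr"})


@dataclass(frozen=True)
class DevicePosture:
    """What the device (or its management agent) reports about itself."""
    device_id: str
    owner: str                        # "corporate" or "personal"
    os_version: Tuple[int, int]
    av_signatures_updated: date
    storage_encrypted: bool
    sync_targets: Tuple[str, ...] = ()


def evaluate_posture(device: DevicePosture, policy: AccessPolicy,
                     today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed rule is reported, not just the first."""
    reasons: List[str] = []

    if device.owner != "corporate" and not policy.allow_personal_devices:
        reasons.append("device is not organization-owned")

    age_days = (today - device.av_signatures_updated).days
    if age_days > policy.max_av_signature_age_days:
        reasons.append(f"antivirus signatures are {age_days} days old "
                       f"(limit {policy.max_av_signature_age_days})")

    if device.os_version < policy.min_os_version:
        reasons.append(f"OS version {_version_str(device.os_version)} is below "
                       f"minimum {_version_str(policy.min_os_version)}")

    if policy.require_storage_encryption and not device.storage_encrypted:
        reasons.append("storage encryption is disabled")

    # Synchronization to a prohibited share is a policy breach even if everything else passes.
    forbidden = sorted(t for t in device.sync_targets
                       if t.lower() in policy.prohibited_sync_shares)
    if forbidden:
        reasons.append("synchronizing prohibited shares: " + ", ".join(forbidden))

    return (not reasons, reasons)


# Constructed sample postures: one compliant corporate device, one badly out of
# policy, and one personal device that the default policy does not admit.
CONSTRUCTED_DEVICES = [
    DevicePosture("corp-0001", "corporate", (4, 2), date(2011, 5, 12), True),
    DevicePosture("corp-0002", "corporate", (3, 2), date(2011, 4, 1), False,
                  (r"\\fileserver\finance",)),
    DevicePosture("byod-0001", "personal", (4, 2), date(2011, 5, 13), True),
]


def run_checks(today: date = date(2011, 5, 14)):
    """Evaluate every constructed device against the default policy."""
    policy = AccessPolicy()
    return {d.device_id: evaluate_posture(d, policy, today) for d in CONSTRUCTED_DEVICES}


if __name__ == "__main__":
    for device_id, (allowed, reasons) in run_checks().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{device_id}: {verdict}" + ("" if allowed else " - " + "; ".join(reasons)))
```

Because the evaluator returns every failed rule, the same output serves both the access decision and the remediation message sent back to the device owner; tightening a single threshold (for example the signature age) changes the decision without touching the rule logic.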

Encryption: Verify that any sensitive information is properly secured while in transit or at rest.

Secure transmission: Determine whether mobile device users are connecting to the enterprise network via a secure connection. Virtual private network (VPN), Internet Protocol Security (IPsec) or Secure Sockets Layer (SSL) can offer some protection.

Device and information management: Is there an asset management process in place for tracking mobile devices? This asset management program should detail procedures for lost and stolen devices as well as procedures for employees who have been terminated or have resigned from the enterprise. If the device is owned by a staff member, contractor or other external entity, the organization should provide procedures for protecting the information to which it is allowed access.

Awareness training: As a part of a regular awareness program, make clear the importance of securing mobile devices physically and logically. The awareness and training should also make clear the types of information that can and cannot be stored on such devices.

Risk: Mobile devices have the capability to store large amounts of data and present a high risk of data leakage and loss.

As such, mobile device policies should be created and enforced to ensure that information assets are not exposed. At the time of writing, there were no publicly available standards specific to mobile device management; however, frameworks such as COBIT® and Risk IT: Based on COBIT® can provide a strong foundation for mobile device management.

To find additional resources related to mobile devices, visit the Securing Mobile Devices page of the ISACA web site.

1 comment:

Waqass said...

Shoaib, you have written an excellent article on securing mobile devices. The only way it can improve is to also address the security solutions with it.