isaca tech session 19 feb 2013 securing mobile devices rev

Securing Mobile DevicesUsing COBIT® 5 for Information Security

Dipresentasikan oleh:Sarwono Sutikno, Dr.Eng,CISA,CISSP,CISM

ssarwono@gmail.com

Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM

• Dosen Sekolah Teknik Elektro dan Informatika ITB• Dosen Universitas Pertahanan RI m.k. Cyber Warfare

Dynamics dan Cyber Security Policy and Strategy• ISACA Academy Advocate for ITB• (ISC)2 Information Security Leadership Award 2011 -

Senior Information Security Professional• Sedang membuat kurikulum S2 Keamanan Informasi

di ITB, akan mulai Agustus 2013• Cyber Security Center ITB - KOICA

Outline

• Guiding Principles for Mobile Device Security• What Is a Mobile Device?• Mobile Device Impact on Business and Society• Threats, Vulnerabilities and Associated Risk• Security Governance• Security Management for Mobile Devices• Hardening Mobile Devices• Mobile Device Security Assurance

Guiding Principles for Mobile Device Security

1. Know the business value and risk of mobile device use.2. Clearly state the business case for mobile device use.3. Establish systemic security for mobile devices.4. Establish security governance over mobile devices.5. Manage mobile device security using enablers.6. Place security technology in context.7. Know the assurance universe and objectives.8. Provide reasonable assurance over mobile device

security.

What Is a Mobile Device?Mobile Device Use—Past, Present and Future

• Mobility and Flexibility

• Patterns of Work• Organizational

Perimeter• Other Impacts

Mobile Device Impact on Business and Society

Threats, Vulnerabilities and Associated Risk

• Physical Risk• Organizational Risk• Technical Risk

Security Governance• The Business Case• Standardized Enterprise Solutions

– Hardware (front and back end)– OS– Applications– Data and information– User administration– Systems management (direct and remote)

• BYOD• Combined Scenario• Private Use of Mobile Devices• Defining the Business Case

Standardized Enterprise Sol.

BYOD

Combined Solution

Security Management for Mobile Devices

• Mobile Device Categories and Classification• Existing Security Controls• Principles, Policies and Frameworks• Processes• Organizational Structures• Culture, Ethics and Behavior• Information• Services, Infrastructure and Applications• People, Skills and Competencies

COBIT Enterprise Enabler

Key Operating Procedures• Auditing mobile devices—Procedure to facilitate audit of mobile

devices, alignedwith internal/external audit programs• Change management—Procedure describing how general change

management (which is usually standardized) should be applied to mobile devices

• Patch management—Procedure describing how patches for mobile devices are identified, acquired, tested, deployed

• Malware protection—Procedure describing various technical steps and measures for protecting mobile devices against malware

• Encryption, VPN, encapsulation—Procedure describing encryption for data at rest and data in flow, VPN tunnels and data encapsulation

• Damage, loss, theft—Procedure describing user and organization steps in the event of device loss, damage or theft

Security Management Process

Security Monitoring Process

Organizational Structure

Culture, Ethics and Behavior

Information

• Step 1: Categorize information. Identify information unique to the device as opposed to replicated information.

• Step 2: Identify what is done with the information—storage, processing, creation, sharing.

• Step 3: Determine information and transaction sensitivity.• Step 4: Analyze the protection provided by preapplied

controls.• Step 5: Determine requirements for additional controls.• Step 6: Develop and implement an action plan for

additional controls.

Protecting Personal Information

• Remove/prohibit—This is available only in a centralized management scenario with mobile devices provided by the organization.

• Segregate—Take technical steps to separate personal information on the device.

• Anonymize—Separate the personal identity of the user from the technical identity of the mobile device.

• Permit—Obtain end-user permission to store, process and use personal information.

Skill set

Hardening Mobile Devices

• Device and SIM card (if applicable)• Permanent internal storage• Removable or external storage• Connectivity (all channels)• Remote functionality (lockdown, GPS, etc.)

Mobile Device Security Assurance

• Auditing and Reviewing Mobile Devices• Investigation and Forensics for Mobile Devices

Investigative Requirements

• Develop the proper capabilities to perform forensic and investigative analysis

• Forensic and investigative policies and procedures should be established

• Identify the multidisciplinary team that will likely be involved

Diskusi