Compliance in the mobile enterprise: 5 tips to prepare for your next audit
TRANSCRIPT
Compliance in the mobile enterprise:
Five tips to prepare for your next mobile app audit
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Connect
Twitter: @NowSecureMobile
Subscribe to #MobSec5, our weekly mobile security news digest
http://mobsec5.nowsecure.com/
Web: nowsecure.com (check out our new website!)
Andrew Hoog, CEO | NowSecure
Contents
● Overview of key laws
● Consequences of non-compliance
● Five tips for breezing through your audit
● Achieving compliance outcomes with NowSecure
● Q & A
Key laws and regulations that apply to mobile apps
Source: http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf
Laws, regulations, rules applicable to mobile apps
Categories on the original chart: General, Content, Financial, Health/Medical, Minors, Others
● FTC Act
● Sarbanes-Oxley
● Electronic Communications Privacy Act (ECPA)
● Computer Fraud and Abuse Act (CFAA)
● NIAP (Common Criteria for app vetting)
● Digital Millennium Copyright Act (DMCA)
● Communications Decency Act (CDA)
● Restore Online Shoppers’ Confidence Act (ROSCA)
● Gramm-Leach-Bliley Act (GLBA)
● FFIEC compliance standards
● Payment card industry (PCI) standards
● Health Insurance Portability and Accountability Act (HIPAA)
● Health Information Technology for Economic and Clinical Health Act (HITECH)
● Food and Drug Administration Act (mobile medical apps)
● FTC’s Health Breach Notification Rule
● Children’s Online Privacy Protection Act (COPPA)
● California Online Privacy and Protection Act (CalOPPA)
● State data-breach notification, data security, and records disposal statutes
● FCC’s Customer Proprietary Network Information (CPNI) Breach Notification Rule
Recent enforcement actions
FTC v. Wyndham
“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”
Circuit Judge Thomas Ambro, United States Court of Appeals for the Third District
Applying FTC v. Wyndham to mobile apps
● FTC has authority to bring data security cases
● Apple App Store and Google Play store require privacy policies
● Failure to invest in security of those apps (i.e., “do what you say”) puts you at risk
Snapchat - Complaint filed with FTC and settled
"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."
—FTC Chairwoman Edith Ramirez
https://epic.org/privacy/internet/ftc/snapchat/#response
Violation:
● Did not permanently delete files as claimed
  - Changed extension to .NOMEDIA
  - Merely hides files on user’s device
  - Still recoverable from memory
Consequence:
● 20 years of privacy audits
● Prohibited from making false claims about privacy policies
Dwolla - Consumer Financial Protection Bureau action
http://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/
Violation:
● Did not protect data from unauthorized access
● Did not encrypt all sensitive data
● Did not test security of released apps
Consequence:
● Ordered to stop misrepresenting security practices
● Required to train employees to protect data and fix mobile app security flaws
● Pay $100,000 penalty to CFPB
An ounce of prevention...
● Ace your audit: Make a painful, time-consuming process less so
● Protect your customers: Deliver secure apps that protect user data
● Protect your business: Avoid data breach, brand damage, and enforcement actions
Five tips for breezing through your audit
1. Establish a framework: Set internal requirements for mobile app security
2. Educate staff: Teach developers how to code in compliance with the framework, and teach security auditors how to test apps against it
3. Audit yourself: Audit your mobile apps against the framework
4. Document diligently: Document framework, education materials, and assessments (i.e., reports), and make sure it’s all organized and accessible
5. Audit earlier: Integrate audits into the SDLC as part of an on-going process to save time, money, and headaches
How NowSecure customers achieve compliance outcomes
An audit anecdote as told by a financial institution
“Audit guidelines have evolved quickly to take mobile into account. We need to go into detail about the workflow and logistics of each product, and the FFIEC requires many of our clients to vet their products annually.”
—Travis Swinford, Product Manager
Customers use results mapped to industry standards for validation purposes
Regulatory flags include:
● Common Vulnerability Scoring System (CVSS)
● OWASP top 10 mobile risks
● Common Weakness Enumeration (CWE)
● National Information Assurance Partnership (NIAP) requirements for mobile apps on sensitive networks
50+ tips for developing secure mobile apps
A starting point for a framework that also educates developers about security flaws and how to avoid them
https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/
Let’s talk
NowSecure | +1 312.878.1100
Twitter: @NowSecureMobile
Web: www.nowsecure.com
Subscribe to #MobSec5 - a collection of the week’s mobile news that matters - http://mobsec5.nowsecure.com/