Compliance in the mobile enterprise: Five tips to prepare for your next mobile app audit

Upload: nowsecure

Post on 19-Jan-2017



Page 1

Compliance in the mobile enterprise: Five tips to prepare for your next mobile app audit

Page 2

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

Connect

Twitter: @NowSecureMobile

Subscribe to #MobSec5, our weekly mobile security news digest

http://mobsec5.nowsecure.com/

Web: nowsecure.com (check out our new website!)

Page 3

Andrew Hoog, CEO | NowSecure

Page 4

Contents

● Overview of key laws

● Consequences of non-compliance

● Five tips for breezing through your audit

● Achieving compliance outcomes with NowSecure

● Q & A

Page 5

Key laws and regulations that apply to mobile apps

Page 6

Chart source: http://www.arelaw.com/downloads/ARElaw_MobileDeviceApplications_KeyLawsChart_rev061815.pdf

Laws, regulations, and rules applicable to mobile apps

Chart categories: General, Content, Financial, Health/Medical, Minors, Others

● FTC Act

● Sarbanes-Oxley Act

● Electronic Communications Privacy Act (ECPA)

● Computer Fraud and Abuse Act (CFAA)

● NIAP (Common Criteria for app vetting)

● Digital Millennium Copyright Act (DMCA)

● Communications Decency Act (CDA)

● Restore Online Shoppers’ Confidence Act (ROSCA)

● Gramm-Leach-Bliley Act (GLBA)

● FFIEC compliance standards

● Payment Card Industry (PCI) standards

● Health Insurance Portability and Accountability Act (HIPAA)

● Health Information Technology for Economic and Clinical Health Act (HITECH)

● Food and Drug Administration Act (mobile medical apps)

● FTC’s Health Breach Notification Rule

● Children’s Online Privacy Protection Act (COPPA)

● California Online Privacy Protection Act (CalOPPA)

● State data-breach notification, data security, and records disposal statutes

● FCC’s Customer Proprietary Network Information (CPNI) Breach Notification Rule

Page 7

Recent enforcement actions

Page 8

FTC v. Wyndham

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

Circuit Judge Thomas Ambro, United States Court of Appeals for the Third Circuit

Page 9

Applying FTC v. Wyndham to mobile apps

● The FTC has authority to bring data security cases

● The Apple App Store and Google Play store require privacy policies

● Failure to invest in the security of those apps (i.e., “do what you say”) puts you at risk

Page 10

Snapchat - Complaint filed with FTC and settled

"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."

—FTC Chairwoman Edith Ramirez

https://epic.org/privacy/internet/ftc/snapchat/#response

Violation:

● Did not permanently delete files as claimed

● Changed the file extension to .NOMEDIA, which merely hides files on the user’s device

● Files still recoverable from memory

Consequence:

● 20 years of privacy audits

● Prohibited from making false claims about privacy policies

Page 11

Dwolla - Consumer Financial Protection Bureau action

http://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/

Violation:

● Did not protect data from unauthorized access

● Did not encrypt all sensitive data

● Did not test the security of released apps

Consequence:

● Ordered to stop misrepresenting security practices

● Required to train employees to protect data and to fix mobile app security flaws

● Pay a $100,000 penalty to the CFPB

Page 12

An ounce of prevention...

Ace your audit: make a painful, time-consuming process less so

Protect your customers: deliver secure apps that protect user data

Protect your business: avoid data breach, brand damage, and enforcement actions

Page 13

Five tips for breezing through your audit

Pages 14-18

1. Establish a framework: set internal requirements for mobile app security

2. Educate staff: teach developers how to code in compliance with the framework, and teach security auditors how to test apps against it

3. Audit yourself: audit your mobile apps against the framework

4. Document diligently: document the framework, education materials, and assessments (i.e., reports), and make sure it’s all organized and accessible

5. Audit earlier: integrate audits into the SDLC as part of an on-going process to save time, money, and headaches

Page 19

How NowSecure customers achieve compliance outcomes

Page 20

An audit anecdote as told by a financial institution

Page 21

“Audit guidelines have evolved quickly to take mobile into account. We need to go into detail about the workflow and logistics of each product, and the FFIEC requires many of our clients to vet their products annually.”

Travis Swinford, Product Manager

Page 23

Customers use results mapped to industry standards for validation purposes

Regulatory flags include:

● Common Vulnerability Scoring System (CVSS)

● OWASP top 10 mobile risks

● Common Weakness Enumeration (CWE)

● National Information Assurance Partnership (NIAP) requirements for mobile apps on sensitive networks

Page 24

50+ tips for developing secure mobile apps

A starting point for a framework that also educates developers about security flaws and how to avoid them

https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/

Page 25

Let’s talk

NowSecure | +1 312.878.1100

@NowSecureMobile | www.nowsecure.com

Subscribe to #MobSec5 - a collection of the week’s mobile news that matters - http://mobsec5.nowsecure.com/