isaca tech session 19 feb 2013 securing mobile devices rev
DESCRIPTION
Discussion about ISACA's research publication "Securing Mobil Device using COBIT 5 for Security"TRANSCRIPT
Securing Mobile DevicesUsing COBIT® 5 for Information Security
Dipresentasikan oleh:Sarwono Sutikno, Dr.Eng,CISA,CISSP,CISM
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM
• Dosen Sekolah Teknik Elektro dan Informatika ITB• Dosen Universitas Pertahanan RI m.k. Cyber Warfare
Dynamics dan Cyber Security Policy and Strategy• ISACA Academy Advocate for ITB• (ISC)2 Information Security Leadership Award 2011 -
Senior Information Security Professional• Sedang membuat kurikulum S2 Keamanan Informasi
di ITB, akan mulai Agustus 2013• Cyber Security Center ITB - KOICA
Outline
• Guiding Principles for Mobile Device Security• What Is a Mobile Device?• Mobile Device Impact on Business and Society• Threats, Vulnerabilities and Associated Risk• Security Governance• Security Management for Mobile Devices• Hardening Mobile Devices• Mobile Device Security Assurance
Guiding Principles for Mobile Device Security
1. Know the business value and risk of mobile device use.2. Clearly state the business case for mobile device use.3. Establish systemic security for mobile devices.4. Establish security governance over mobile devices.5. Manage mobile device security using enablers.6. Place security technology in context.7. Know the assurance universe and objectives.8. Provide reasonable assurance over mobile device
security.
What Is a Mobile Device?Mobile Device Use—Past, Present and Future
• Mobility and Flexibility
• Patterns of Work• Organizational
Perimeter• Other Impacts
Mobile Device Impact on Business and Society
Threats, Vulnerabilities and Associated Risk
• Physical Risk• Organizational Risk• Technical Risk
Security Governance• The Business Case• Standardized Enterprise Solutions
– Hardware (front and back end)– OS– Applications– Data and information– User administration– Systems management (direct and remote)
• BYOD• Combined Scenario• Private Use of Mobile Devices• Defining the Business Case
Standardized Enterprise Sol.
BYOD
Combined Solution
Security Management for Mobile Devices
• Mobile Device Categories and Classification• Existing Security Controls• Principles, Policies and Frameworks• Processes• Organizational Structures• Culture, Ethics and Behavior• Information• Services, Infrastructure and Applications• People, Skills and Competencies
COBIT Enterprise Enabler
Key Operating Procedures• Auditing mobile devices—Procedure to facilitate audit of mobile
devices, alignedwith internal/external audit programs• Change management—Procedure describing how general change
management (which is usually standardized) should be applied to mobile devices
• Patch management—Procedure describing how patches for mobile devices are identified, acquired, tested, deployed
• Malware protection—Procedure describing various technical steps and measures for protecting mobile devices against malware
• Encryption, VPN, encapsulation—Procedure describing encryption for data at rest and data in flow, VPN tunnels and data encapsulation
• Damage, loss, theft—Procedure describing user and organization steps in the event of device loss, damage or theft
Security Management Process
Security Monitoring Process
Organizational Structure
Culture, Ethics and Behavior
Information
• Step 1: Categorize information. Identify information unique to the device as opposed to replicated information.
• Step 2: Identify what is done with the information—storage, processing, creation, sharing.
• Step 3: Determine information and transaction sensitivity.• Step 4: Analyze the protection provided by preapplied
controls.• Step 5: Determine requirements for additional controls.• Step 6: Develop and implement an action plan for
additional controls.
Protecting Personal Information
• Remove/prohibit—This is available only in a centralized management scenario with mobile devices provided by the organization.
• Segregate—Take technical steps to separate personal information on the device.
• Anonymize—Separate the personal identity of the user from the technical identity of the mobile device.
• Permit—Obtain end-user permission to store, process and use personal information.
Skill set
Hardening Mobile Devices
• Device and SIM card (if applicable)• Permanent internal storage• Removable or external storage• Connectivity (all channels)• Remote functionality (lockdown, GPS, etc.)
Mobile Device Security Assurance
• Auditing and Reviewing Mobile Devices• Investigation and Forensics for Mobile Devices
Investigative Requirements
• Develop the proper capabilities to perform forensic and investigative analysis
• Forensic and investigative policies and procedures should be established
• Identify the multidisciplinary team that will likely be involved
Diskusi