Mobile Security in The Enterprise: Tackling The Risks of Mobile Proliferation
Uploaded by Jidé Shitta-Bey

1
MOBILE SECURITY IN THE ENTERPRISE: TACKLING THE RISKS OF MOBILE PROLIFERATION
MARK FORD, PRINCIPAL, DELOITTE & TOUCHE LLP
TERRY CORCORAN, SENIOR MANAGER, DELOITTE & TOUCHE LLP
KEVIN POTTER, VICE PRESIDENT - INTERNAL AUDIT SERVICES, BROOKDALE SENIOR LIVING INC.
AUGUST 26, 2013

AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois
www.ahia.org
Shift to a consumer-focused market and mHealth
2
Consumerism and the rise of consumer-supporting technologies (e.g., mHealth, Personal Health Records [PHR], and direct Electronic Medical Record [EMR] access) further pressure security, compliance, and access issues.
Drivers of the shift in consumerism
3

[Figure: drivers shown as mHealth, consumerism growth, Meaningful Use (MU), and Health Insurance Exchanges (HIX)]
Background
4

Device sales: 172 million in 2009; 25% growth; $180 million in 2016
Mobile data usage: $35 billion in 2009; 514% growth; $215 billion in 2016

Clinicians use personal smartphones at nearly all providers, but few have a formal mobile policy.1
• 93% access EMR via personal smartphone
• 38% have a formal mobile policy

More consumers want to be involved in their health care by using mobile.
• 77% have strong interest in health monitoring devices2
• 75% would like to get appointment email reminders3
• 41% want to digitally schedule an appointment3

1- HIMSS. “HIMSS Mobile Technology Survey,” December 2011.
2- Deloitte Center for Health Solutions, Keckley, P., Coughlin, S., and Eselius, L. “Consumerism in Health Care.” Deloitte Review, 11, 2012, 70-83.
3- “Few Patients Use Online Services, But Most Want Them, Poll Finds.” Wall Street Journal, September 12, 2006.
Background
5

Consumer demographics compared to U.S. averages:
• 62% employed, 17% retired
• 25% earn more than $100K
• 87% insured
• Average age 44 years (vs. 46 years nationally)
• 86% some college / college diploma
• Race/ethnicity similar to U.S. distribution
• More women than men (56% vs. 44%)

41% of consumers: self-monitoring devices that offer connectivity to their physician

“If you developed an ongoing health condition that needed to be checked or treated regularly, how interested would you be in using the following tools or supports on a regular basis if the technology became available to you?”

But, more than 30% of respondents feel that mobile apps are likely to have or lead to potential errors.
How can this impact security and privacy for an organization’s business and consumer interactions?
6

[Figure: channels and risk areas surrounding the consumer – Text, Email, Skype, Direct Access to EMR, Personal Health Record, Health Insurance Exchanges, mHealth Security, Identity Theft, Cyber Security, Encryption]
What technologies can be put in place to secure ePHI*?
7

[Figure: data flows between Health Care Organizations and Business Partners, and Consumers]

* Electronic Protected Health Information
The Mobility Landscape
8

Mobile computing has been growing at a staggering rate across all age groups, income groups, industries, geographies and cultures, and is widely expected to continue its exponential growth rate over the next five years.

Current mobile landscape
• Mobile cellular subscriptions surpassed 5B in 2010 (Gartner)
• 300M smartphones sold globally in 2010 (Forrester)
• One of the major device vendors has sold 20M smartphones in Q2 2011 and 15M tablets since product launch in 2010 (Strategy Analytics)
• 83% of US population owns cellphones; 35% of these are smartphones (Pew Research)

Expected growth
• By end of 2011, over 85% of the handsets will be able to access the mobile web (Gartner)
• Smartphone unit sales will surpass laptop unit sales in 2012 (Gartner)
• Approximately 470M smartphones will be sold globally in 2011 (IDC)
• Approximately 980M smartphones will be sold globally in 2016 (IMS)
• By 2015, global mobile data traffic volume will be approximately 25 times 2010 volume (FCC)

Mobility and mobility services are not only gaining ground among consumers but also among enterprises.
Internal drivers for mobility & mobility security considerations
It is not only consumers but employees and enterprises as well who want to take advantage of everything mobility has to offer. However, there are some security challenges to consider when adopting mobility within an enterprise.
9

Drivers for Mobile Security Strategy | Potential Enterprise Impact

• Co-mingling of business and personal use of mobile devices | Expanding “gray area” between enterprise mobile device management/acceptable use and personal use activities.
• Enterprises are no longer able to enforce the single brand restrictions of the past | Shift from ‘one-size-fits-all’ tactical response to building a strategy across multiple platforms.
• Employee and customer facing mobile applications will potentially access critical corporate systems | New strategies and solutions to enable secure handling and processing of highly sensitive data.
• Supporting today’s enterprise mobile environment will ultimately involve integration with the broader mobile ecosystem | Mobile security strategies will need to account for integration into various infrastructure levels.
Mobility Risk Categories
10

Mobility risk categories

What makes mobile devices valuable from a business perspective – device portability, usability and connectivity to the internet and corporate infrastructure – also presents significant risk. New risks have been introduced at the device, application and infrastructure levels, requiring changes in corporate security policy and strategy.

[Figure: four risk categories – 1. Operational; 2. Technology & Data Protection; 3. Legal & Regulatory; 4. Infrastructure & Device]

1. Operational
11

Mobility poses unique risks to an organization:
A. Executives, users and customers are driving mobility decisions; operational risk considerations are not driving mobile security strategy
B. Security controls can negatively impact usability, causing friction with employees and slowing adoption
C. Increasing support demands may in turn outpace resource skill sets and technical capabilities
D. Varied mobile OS implementations make it difficult to deploy a singular security solution
E. Existing operational processes may not be efficiently designed or “mobile-ready”, which can hinder expected productivity

In one case study, implementation of significant security controls led to 20% of the company’s mobile device users voluntarily opting out of the corporate program; however, it is unlikely users stopped using a mobile device.

2. Technology and Data Protection
12

Mobile devices result in greater potential exposure for the organization:
A. End users may have the ability to modify device security parameters, thus weakening the security controls
B. Devices and memory cards are not encrypted by default or configured appropriately, thus leading to data leakage/loss
C. With use of cloud based applications, data protection becomes increasingly complex
D. Many organizations are not able to enforce mobile OS patching and updating, which may result in vulnerable devices
E. Users often install unapproved applications or applications containing malware, which poses information security risks

Recently, 58 malicious apps were uploaded to an app store and then downloaded to around 260,000 devices before the app store removed the affected apps.

3. Legal & Regulatory
13

Mobile devices increase an organization’s legal & regulatory risks:
A. Employees using corporate devices for personal purposes and vice versa may give rise to significant data privacy issues
B. The “bring your own device” trend raises ethical and legal questions around monitoring, device wiping, etc., upon employee termination
C. Corporate usage of mobile devices by hourly employees can/will raise concerns around overtime labor law considerations
D. Regulatory requirements to address e-discovery, monitoring, data archiving etc., can be complex and difficult to implement
E. Data ownership and liability for corporate and employee owned devices used for business purposes is yet to be determined

In the Massachusetts data protection law (MA 201), responsibilities for protecting information on employee-owned devices used to access company resources may apply equally to the enterprise and the individual.

4. Infrastructure and Device
14

The diversity of device options and underlying operating system/application platforms introduces a myriad of security risks and challenges:
A. Mobile device attacks and varying attack vectors increase the overall risk exposure
B. Multiple choices in the devices, OS platforms, apps, etc., require companies to employ diverse technologies, expanding the attack surface
C. Third party apps installed on corporate devices may contain vulnerabilities caused by developer mistakes or re-packaged malware
D. Securing of mobile transmissions and channels is complex given a varied protocol landscape and the newer communication channels
E. Mobile devices are easily lost or stolen in comparison with other IT assets (e.g., laptops), and remote wipe efforts frequently fail

According to a recent survey, 36% of consumers in the US have either lost their mobile phone or had it stolen.

Strategic Choices
15

After determining the right approach to meet your overall mobile security objectives, a critical next step to consider is to address a few key strategic choices and/or decisions that your organization should make.

• Bring-your-own vs. Corporate provided
• Manage security in-house vs. Outsource security
• 3rd party tools vs. Native platform tools
• Application management vs. Application guidance
• Full data access vs. Restricted data access

Bring-Your-Own vs. Corporate Provided
16

Below are some of the pros and cons associated with Bring-your-own v. Corporate Provided:

Bring-your-own
Pros:
• Device and possibly line costs incurred by employee
• Addresses increased demand by employees to connect personal devices to corporate networks
Cons:
• Limited device oversight and control
• Increased challenges with enforcing legal and regulatory requirements
• Device and data ownership questions
• May require potential increase in IT support staffing and skill set requirements
• Privacy considerations with monitoring of employee usage and activity, etc.

Corporate provided
Pros:
• Tighter device oversight and control
• Streamlining devices, platforms and OSes simplifies IT support
• Service fees negotiated with service providers; increased purchasing power
Cons:
• Cost of providing devices
• High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
Manage security in-house vs. Outsource security
17

Below are some of the pros and cons associated with managing security in-house v. outsourcing:

Manage security in-house
Pros:
• Tighter control and flexibility
• Greater visibility into ongoing operations
• Potentially lower overall cost
• More sustainable for smaller IT organizations and small fleets
Cons:
• May require increased IT staffing
• Requires specialized mobile security expertise
• IT will have to develop mobile security management processes from scratch
• Significant time and effort involvement from IT is required

Outsource security
Pros:
• One stop shop for mobile security management
• More viable option for larger fleets
• Various mobile device and app management packages available with service provider
Cons:
• Restricted control and flexibility for internal IT
• Not much visibility into ongoing operations
• Potentially higher overall cost, recurring annual spend
• Less sustainable for smaller IT organizations
3rd Party Tools vs. Native Platform Tools
18

Below are some of the pros and cons associated with 3rd Party Tools v. Native Platform Tools:

3rd party tools
Pros:
• Ease of deployment
• Support for implementation and complex/specific issues
• Potentially lower infrastructure costs using a service provider model
• Ease of IT administrator training
Cons:
• Limited ability to customize
• Reliance on Service Level Agreements (SLA) and contractual terms
• Out of the box security functionality may not meet corporate standards
• Long term costs may be higher
• Potential integration issues with existing infrastructure

Native platform tools
Pros:
• Highly customizable
• Possibly tighter control and visibility
• Potentially lower long term costs
• Immediate support and issue resolution potential
Cons:
• Potential lack of skill set, expertise for custom development
• Initial infrastructure investment may be high
• Recurring cost of maintenance/upkeep in certain cases
• Increase in IT support staff requirements
Application Management vs. Application Guidance
19

Below are some of the pros and cons associated with application management vs. application guidance:

Application management
Pros:
• Increased control over what gets installed and prevention of potential risks associated with 3rd party applications
• IT has increased visibility over the mobile application landscape and connectivity to the internal network
Cons:
• Potentially lower user satisfaction
• Increased IT oversight burden
• Increased difficulty in operationalizing this in a BYO model; easier if devices are corporate owned
• Significantly higher cost of deployment, management and maintenance

Application guidance
Pros:
• Less of an IT burden and significantly lower cost for deployment and maintenance
• More viable approach for larger fleet sizes and BYO models
• Does not require increased IT staffing
Cons:
• IT has less oversight over devices and reduced visibility into internal network connectivity
• Increased exposure to potential security risks associated with 3rd party applications
Full data access vs. Restricted data access
20
Below are some of the pros and cons associated with full data access vs. restricted data access:

Full data access
Pros:
• Enhanced corporate mobility
• Higher employee productivity
• Expanded capabilities for application usage and development
• Supports extension of the corporate mobile application landscape
Cons:
• Higher risk of data leakage
• Potential legal and regulatory impact if device is lost or stolen and data is inappropriately accessed
• Higher potential for data integrity and quality issues
• Complex to manage and monitor

Restricted data access
Pros:
• Lower risk of data leakage
• Easier to manage data
• Less potential for data integrity and quality issues
• Lower risk/impact if device is lost or stolen
Cons:
• Restricted data access may limit mobility business enablement
• Limited data usage capabilities, particularly in ‘offline’ mode
• Potentially limited increase in employee productivity
• Restricted capabilities for application usage and development
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
Save the Date
September 21-24, 2014
33rd Annual Conference
Austin, Texas

22
MOBILE TECHNOLOGY:
AN AUDITOR’S TOOLKIT
PHYLLIS A. PATRICK, MBA, FACHE, CHC
PRESIDENT
PHYLLIS A. PATRICK & ASSOCIATES LLC

AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois

www.ahia.org
Our Topics
2

• Mobile Technology: Risks and Challenges
• The Auditor’s Perspective
• Introduction to the ISACA Mobile Computing Security Audit/Assurance Program

Phyllis A. Patrick & Associates LLC


Mobile is pervasive
3

“Mobile is more pervasive than ever before and soon nearly everything around us, people and things, will be connected. Mobile has forever changed the way we communicate, the way we conduct business, the way we manage our lives, and the way we are entertained. The possibilities for future innovations are nearly endless.”


“Mobile” is more than mobile devices
4

[Figure: People, Technology, Process, Policy, Safeguards]


Innovation vs. Disruption
5

• Patient Care Applications
• Life Sciences and Pharma Industries
• Personal Health Records
• Managing personal health using mobile technologies
• Support and guidance from virtual communities (e.g., smoking cessation)


Innovation vs. Disruption (Cont’d)
6

• “Pill in a chip”
• Disease management
• Consumer expectations
• New and emerging technologies
• Big data/data analytics


mHealth
7

• Practice of medicine and public health, supported by mobile devices
• Use of information and communication technology to provide health services and information to practitioners, researchers, and patients
• Telemedicine
• What is a “medical device”?
• FDA Interest and Guidelines


Federal Trade Commission Initiatives
8

• FTC began considering mobile technology use by consumers in 2000.
• National Telecommunications and Information Agency (“NTIA”), within the U.S. Department of Commerce, initiated a multi-stakeholder process to develop a code of conduct on mobile application transparency.
• FTC hosted mobile privacy panel discussion (2012).


FTC Initiatives (Cont’d)
9

• FTC assembled a Mobile Technology Unit that conducts research, monitors the various platforms, app stores, and applications, and trains FTC staff on mobile issues.
• Goal is to ensure that FTC has the “necessary technical expertise, understanding of the marketplace, and tools to monitor, investigate, and prosecute deceptive and unfair practices in the mobile arena.”
• FTC educates consumers and businesses about mobile privacy.


FTC Initiatives (Cont’d)
10

• FTC has brought several enforcement actions against companies operating in the mobile environment:
  • Social networking service deceived consumers regarding collection of their address book information and illegally collected information from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA).
  • Peer-to-peer file-sharing application developer whose software caused consumers to unknowingly expose personal files stored on mobile devices.


Risks and Challenges
11

Lots of devices, untrained users, difficulties in achieving security


Risks and Challenges (cont’d)
12

• Technical protections, while improving, are not mature.
• Confidentiality, Availability, and Integrity issues.
• Separating personal data from organizational data.
• Users may have multiple devices.
• Balancing workforce privacy with organizational needs.


Risks and Challenges (cont’d)
13

• Need to understand stakeholder views and requirements (e.g., clinicians, HR, legal, security) when designing and implementing security policies.
• Define user responsibilities (usage statement).
• Consistency with data and record retention and archiving policies.


Risks and Challenges (cont’d)
14

• BYOD program can be device agnostic.
• Use virtual environments and network segmentation to limit the impact of events.
• Consider separating networks for BYOD devices (e.g., guest wireless network concept).
• Conduct PHI/ePHI/PII mapping to determine what information exists on devices.
• Analyze and implement a mobile device management (MDM) solution.
Strategies to Reduce Risks
15

• Develop mobile strategy as critical component of overall enterprise-wide IT strategic plan.
• Conduct risk assessments
  • How widespread is use of mobile devices?
  • What risks are created?
  • Which users (workforce, vendors) are most vulnerable?
• Encrypt devices.
• Analyze malware risks. Implement preventive measures.
Strategies to Reduce Risks (cont’d)
16

• Implement device management plan (encryption, wiping, monitoring).
• Use device entry authentication (e.g., PIN).
• Backup device-based ePHI.
• Don’t store ePHI on devices.
• Monitor connections to internal networks.
• Train staff on device security and evaluate training.


Comprehensive Policy Parameters
17

• Develop and provide for a centrally managed program.
• Ensure that the program can be easily implemented and provides support for users.
• Focus on hindering loss or theft of devices.
• Policy should be enforceable on different types of devices.


Comprehensive Policy Parameters
18

• Security controls should be included (strong authentication, usage traceability, application and platform integrity, antivirus updates, secure transmission, access control, awareness training, encryption, etc.)
• Controls should be auditable.
• Controls should be tested and verified in disaster response.
• Security Management Program for Mobile Devices should be a key component of Security Governance.


BYOD Phenomenon
19

• Mobile device management and security rank as #1 or #2 concern by information security professionals in most surveys.
• Mobile Device Protection Methods include:
  • Policy
  • Technology (encryption, network access control (NAC), mobile VPNs, remote lock-&-wipe functionality, mobile anti-malware, digital rights management (DRM))


How Organizations Protect Mobile Devices
20

• 49% do nothing.
• 46% have policies governing proper use of devices.
• 25% install antivirus products.
• 23% install encryption.
• 21% use passwords or keypad locks.
• 12% use “other” protections.

Source: Ponemon Institute’s 2011 Benchmark Study on Patient Privacy and Data Security, December 2011.


Mobility as a Technology Strategy
21

• Mobility is a critical component of the Information Technology planning process.
• Mobile strategy development
• Budget and staffing
• Security of devices, networks
• Managing workforce devices (BYOD)
• Addressing Lifecycle management
• eDiscovery and Freedom of Information Act issues
• Managing mobility-driven big data (research, collaborations across organizations)
• The Plan needs to be updated frequently (twice/year?)
Designing a Mobile Device Strategy
22

• Define allowable device types (enterprise-issued only vs. personal devices).
• Define the nature of services accessible through the devices.
• Identify how employees may use devices, taking into account the organization’s corporate culture, as well as human factors.


Mobile Device Strategy (Cont’d)
23

• Integrate all enterprise-issued devices into an asset management program.
• Describe the types of authentication and encryption that must be present on devices.
• Clarify how data should be securely stored and transmitted.


Defining Mobile Devices (ISACA)
24

• Full-featured mobile phones with personal computer-like functionality, or “smart phones”
• Laptops and netbooks
• Tablet computers
• Portable digital assistants (PDAs)
• Portable Universal Serial Bus (USB) devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
• Digital cameras
• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification, and asset management
• Infrared-enabled (IrDA) devices such as printers and smart cards


Mobile Computing Security Audit/Assurance Program
25

• Assists audit and assurance professional in designing and executing a review/audit
• Planning and scoping the audit
• Mobile Computing Security
  • Policy
  • Risk Management
  • Device Management
  • Access Control
  • Stored Data
  • Malware Avoidance
  • Secure Transmission
  • Awareness Training


Objectives of the Review/Audit
26

• Provide management with an assessment of mobile computing security policies and procedures and their operating effectiveness.
• Identify internal control and regulatory deficiencies that could affect the organization.
• Identify information security controls concerns that could affect reliability, accuracy, and security of enterprise data due to weaknesses in mobile computing controls.


Scope of the Review/Audit
27

• Mobile devices connected to the enterprise network or containing enterprise data
• Mobile devices
  • All types of devices or
  • Limit types of devices (limit the audit)
• ISACA notes that mobile computing security focuses on general IT controls and “should be performed by an IT auditor with a general IT background.”
Maturity Model for Internal Control
28

• 0 Non-existent --- No intent to assess need for IC.
• 1 Initial/ad hoc --- No awareness of need for IC. Addresses only actual incident.
• 2 Repeatable but intuitive --- Occurs only when needed for selected IT processes, target levels, and gaps.
• 3 Defined --- Critical IT processes identified. Tools used and interviews performed.
• 4 Managed and Measurable --- IT process criticality regularly defined. Assessment based on policy. Accountability clear. Performance monitored.
• 5 Optimized --- IT process owners regularly perform self-assessments to confirm controls are at right level of maturity. Independent reviews for critical processes.
Focus on Key Audit Program Steps
29


Risk Management
30

• Management assures that risks associated with mobile computing are thoroughly evaluated and that mobile security risk is minimized.
  • Risk assessments performed prior to implementation of new mobile security devices
  • Continuous risk monitoring program evaluates changes in or new risks
  • Risk assessments for different devices
  • Risk assessment governance – who sponsors risk management and reviews risk assessments?


Device Management
31

• Central management and administration for devices containing sensitive enterprise data
• Asset management process to track mobile devices
• Procedures for lost or stolen devices, remote wiping, storage of data
• Device provisioning/de-provisioning – devices set up for users based on job description; hiring, transfer, terminations processes


Access Control
32

• Access control is “assigned to and managed for mobile security devices according to their risk of enterprise data loss.”
  • Access control rules for each mobile device type
  • Appropriateness of access authentication and complexity
  • Access control rules and access rights by job function and applications installed
  • Central administration and disablement of access rights


Stored Data
33

• Sensitive data is protected from unauthorized access and distribution while stored on a mobile device.
  • Encryption
  • Data transfer (to mobile device) – controls and monitoring
  • Data retention policies specific to mobile devices, e.g., data retention, data destruction
• Malware avoidance – mobile computing not disrupted and mobile devices don’t introduce malware into the enterprise
• Secure transmission – secure connections (e.g., VPN, IPSec)


Awareness Training
34

• Mobile Computing Awareness Training
  • Customized training (role-specific)
  • Training revised to reflect new technologies and organizational policies
  • Documentation of Awareness Training
• Mobile Computing Awareness Governance, i.e., processes for management feedback to understand usage and risks identified by device users; and accountability, responsibility and communication with device users through feedback to management
• Workforce members and contractors
Final Thoughts
35

• Mobility is a significant risk area for health care entities.
• Mobility and Mobile Security should be addressed as key strategies in the organization’s overall strategic planning efforts.
• Mobile Security requires more than a policy.
• Mobility has many facets and will continue to drive innovation in health care.


Final Thoughts (Cont’d)
36

• Internal Audit can bring value to the mobile computing environment.
  • Staying on top of risks
  • Communicating risks to stakeholders and governance
  • Incorporating mobile security risks into annual risk assessment process
  • Reviewing/auditing mobile security (focused audits)


Final Thoughts (Cont’d)
37

• Mobile computing risks and challenges will increase before they are solved through technology and adoption.
• Awareness is key – governance, stakeholders, users.
• The ISACA Audit/Assurance Program is a reasonable tool to use to analyze and mitigate mobile computing risks.


Final Thoughts (Cont’d)
38

• The standards and implementation specifications of the HIPAA Security Rule can be applied to auditing mobile security.
• Organizations may wish to consider using an independent, neutral resource to conduct aspects of mobile security auditing (e.g., technical controls).


Final Thoughts (Cont’d)
39

• Internal Audit should consider including mobility and mobile security in annual work plans, with focused audits as appropriate to the defined risk to the organization.
• A good mobility and mobile security auditing program can prevent breaches to confidential information, serve as a source for mitigating controls; and, should a breach occur, result in more favorable disposition with regulators.


Resources
40

• Mobile Computing Security Audit/Assurance Program, ISACA, October, 2010
• Securing Mobile Devices White Paper, ISACA
• Managing Mobile Devices and Relevant Framework Processes, ISACA
• NIST Special Publication 800-124: Guidelines on Cell Phone and PDA A
• Mobile Privacy Disclosures, Building Trust Through Transparency, FTC Staff Report, February 2013
• Managing Mobile Devices in Your Health Care Organization, HealthIT.gov


Security | Privacy | Culture

[email protected]
914‐696‐3622
www.phyllispatrick.com

41 Phyllis A. Patrick & Associates LLC
42