Security for mobile devices: ISACA guidelines for Infosec managers

ISACA has published a new whitepaper covering security threats related to the use of mobile devices in enterprise environments. This whitepaper (titled ‘Securing Mobile Devices’) mainly outlines the risks, threats and vulnerabilities pertaining to the use of mobile devices, and suggests guidelines for devising strategies to ensure security for mobile devices.

The use of wireless networks, typically less secure than wired networks, leaves information at greater risk for interception, notes ISACA. From smart phones to USB sticks, many devices store unencrypted data, which can result in sensitive information being compromised through interception and device theft or loss. Mobile devices can also be the targets of malware attacks, as employees carry them beyond the protection of their company’s network. Lack of enterprise control of physical devices, along with the growing practice of employees using personal devices for business, has increased mobile device risk levels.

As mobile devices become a prominent tool for business operations, security managers need to consider ways to manage the associated risks. IT professionals should update their existing strategies, or create new ones, that provide security for mobile devices.

While creating the mobile device security strategy as an infosec manager, you must think about issues such as organizational culture, technology and governance. A sound mobile device security strategy will include asset management, policy, technical controls, and awareness training.

While forming the policy to secure mobile devices, the following aspects should be considered:
• Define the allowed device types (enterprise-issued only versus allowing personal devices, and the permitted device types, such as BlackBerry or iPhone)
• Define the nature of the services accessible through these devices, taking into account your existing IT architecture
• Identify how people use these devices. Factor in that corporate culture, human factors and the execution of business processes through mobile devices may lead to unpredictable risks
• Integrate all enterprise-issued mobile devices into an asset management program
• Describe the type of authentication and encryption that must be present on the mobile devices
• Outline the tasks for which employees may use the mobile devices, as well as the types of allowed applications
• Clarify how to securely store and transmit data

Security for mobile devices must be comprehensive and cover the full device lifecycle. The security controls for mobile devices should include strong (multifactor) authentication, data encryption, assurance of application integrity, service lifecycle management, and traceability of usage for all mobile devices and applications used inside the enterprise infrastructure. While forming the security policy for mobile devices, the information security manager must keep in mind that it has to be enforceable on varied devices, centrally manageable, simple to implement and support, flexible for administering users and devices, focused on preventing loss or theft, auditable, tested and verified as part of disaster response, and attentive to possible external threats.
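The policy aspects listed above (allowed device types, asset registration, required authentication and encryption, allowed applications) only become auditable once they are expressed as checks that run over a device inventory. The following is an added example written for this page, not code from ISACA or the whitepaper; it assumes a hypothetical inventory format whose field names (`device_type`, `in_asset_register`, `mfa_enabled`, `storage_encrypted`, `apps`) and sample records are constructed here, and it reports policy findings per device rather than enforcing anything on the device itself.

```python
"""Added example: auditing a mobile-device inventory against a written policy.

Illustrative code for this page, not ISACA's material. The inventory schema,
policy values and sample devices below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Policy:
    """Machine-readable form of the policy aspects discussed on the page."""
    allowed_types: Set[str]                      # e.g. {"blackberry", "iphone"}
    allowed_apps: Set[str] = field(default_factory=set)
    require_mfa: bool = True                     # strong (multifactor) authentication
    require_encryption: bool = True              # data encryption at rest


@dataclass
class Device:
    """One record from a hypothetical device inventory (constructed schema)."""
    device_id: str
    device_type: str
    owner: str
    enterprise_issued: bool
    in_asset_register: bool
    mfa_enabled: bool
    storage_encrypted: bool
    apps: List[str]


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy findings for one device; empty means compliant."""
    findings: List[str] = []
    if device.device_type.lower() not in policy.allowed_types:
        findings.append(f"device type '{device.device_type}' not allowed")
    # Every enterprise-issued device must be tracked in the asset management program.
    if device.enterprise_issued and not device.in_asset_register:
        findings.append("enterprise-issued device missing from asset register")
    if policy.require_mfa and not device.mfa_enabled:
        findings.append("multifactor authentication not enabled")
    if policy.require_encryption and not device.storage_encrypted:
        findings.append("storage not encrypted")
    for app in device.apps:
        if app not in policy.allowed_apps:
            findings.append(f"application '{app}' not on allowed list")
    return findings


def audit(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Audit a whole inventory; the result can be logged for traceability."""
    return {d.device_id: evaluate(d, policy) for d in devices}


def noncompliant_ids(report: Dict[str, List[str]]) -> List[str]:
    """Device ids that have at least one finding, in inventory order."""
    return [dev_id for dev_id, findings in report.items() if findings]


# Constructed policy and sample inventory (not real devices or users).
SAMPLE_POLICY = Policy(
    allowed_types={"blackberry", "iphone"},
    allowed_apps={"mail", "calendar", "vpn"},
)

SAMPLE_INVENTORY = [
    Device("D1", "iPhone", "alice", True, True, True, True, ["mail", "calendar"]),
    Device("D2", "Android", "bob", False, False, False, True, ["mail", "game"]),
    Device("D3", "BlackBerry", "carol", True, False, True, False, []),
]

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_INVENTORY, SAMPLE_POLICY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{dev_id}: {status}")
```

Keeping the policy as data rather than hard-coding each rule is what makes the check centrally manageable and simple to support: changing the allowed device types or the application list is a configuration change, and the per-device findings give the audit trail the policy calls for.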