2. Definition of Mobile Devices
- Mobile phones with computer-like functionality (smartphones)
- Laptops, netbooks, tablet computers
- Portable digital assistants (PDAs)
- Portable universal serial bus (USB) devices for storage and for connectivity
- Radio frequency identification (RFID) devices for data storage, identification and asset management
- Infrared-enabled (IrDA) devices
8. Current Environment
Business Performance Management (BPM) Study:
- 25% of all mobile devices used in organizations contain vital applications and information
- 40% of organizations do not manage mobile data tracking, backup, and archiving for regulatory purposes
- Only 32.4% of small businesses ($100 million in revenue and under) implement formal mobile compliance policies
Source: Refer to references
12. Current Environment
Findings from the 22nd AICPA Top Technology Initiative Survey and India Study:
- 90% said the biggest challenge confronting IT professionals is the control and use of mobile devices
- No companies reported that improving data security is among their board's top three priorities
- 6% said they have an IT or data security committee
- 47% said they have a Chief Information Security Officer
- 50% have not implemented policies or systems to mitigate the threat
Source: Refer to references
17. Benefits
- Increased workforce productivity
- Improved customer service
- Improved turnaround times for problem resolution
- Response to customer problems and questions
- Increased business process efficiency
- Improved employee security and safety
- Improved employee retention
Source: ISACA – Securing Mobile Devices
25. Risks
Types of Risks:
- Financial
  - Financial losses
- Legal & Regulatory
  - Stolen confidential information
  - Inaccurate reporting
- Vulnerabilities
  - Loss, theft, and corruption of data or device
29. Risk Mitigation
- Update existing or create new mobile device strategies while considering the organizational culture, technology and governance; this helps ensure risks are appropriately accounted for and managed.
- Establish policies that support the mobile device strategy's goals while leveraging available technology and mitigating risks.
- When introducing a mobile device, ensure it fits the corporate strategy and objectives by using a proven framework (e.g., COBIT).
Source: ISACA – Securing Mobile Devices
30. Mobile Device Strategy
Should be tailored to address risks specific to the company. Consider the company's:
- Technology
- Culture
- Governance
31. Mobile Device Policy
- Define allowable device types
- Define the nature of services accessible through the devices
- Identify the way people use the devices
- Integrate all enterprise-issued devices into an asset management program
- Describe the authentication and encryption needed on the devices
- Outline the tasks for which employees may use the devices and the types of applications that are allowed
- Clarify how data should be securely stored and transmitted
The policy should be:
- Simple to implement and support
- Centrally managed by the company itself
- Flexible for administering users and devices
- Focused on hindering loss or theft
- Auditable in all of its parts
- Tested and verified in disaster response
- Attentive to possible external threats
Source: ISACA – Securing Mobile Devices
32. Proven Frameworks (COBIT)
- Implementation is aligned with corporate strategy and objectives
- Value adding
- Risks are addressed
- Fits the corporate culture
- Compatible with users of the company
- Compatible with the technical architecture of the company
- External factors are considered
- Sufficient support with appropriate resources
- Monitored with appropriate performance metrics
Source: ISACA – Securing Mobile Devices
42. Implications – Chartered Accountants (CAs)
CAs assess internal controls to determine the appropriate audit approach. Mobile devices pose risks to internal controls failing to achieve:
- Reliability of financial reporting
- Efficiency and effectiveness of operations
- Compliance with laws and regulations
43. Implications – Chartered Accountants
Procedures:
- Ensure that mobile device management software is running the latest approved software and patches
- Verify that mobile clients have protective features enabled if they are required by your mobile device security policy
- Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device
- Evaluate the use of security monitoring software and processes
- Verify that unmanaged devices are not used on the network; evaluate controls over unmanaged devices
- Evaluate procedures in place for tracking end user trouble tickets
- Ensure that appropriate security policies are in place for your mobile devices
- Evaluate the disaster recovery plan in place to restore mobile device access should a disaster happen
- Evaluate whether effective change management processes exist
Source: Davis, C., & Schiller, M.
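As an added worked example (not from the slides or from Davis & Schiller), the patch-level, protective-feature and unmanaged-device procedures above can be turned into repeatable checks that an auditor runs over an MDM inventory export and a network lease log; the policy values, device records and log lines below are constructed for illustration.

```python
import re

# Policy the audit tests against (assumed values, not from the slides or any real MDM product).
POLICY = {
    "min_os_version": (14, 2),  # oldest approved OS release
    "required_features": ("encryption", "passcode", "remote_wipe"),
}

# Constructed MDM inventory export: one record per enrolled (managed) device.
INVENTORY = [
    {"id": "dev-001", "os": "14.3", "encryption": True, "passcode": True, "remote_wipe": True},
    {"id": "dev-002", "os": "13.6", "encryption": True, "passcode": True, "remote_wipe": True},
    {"id": "dev-003", "os": "14.2", "encryption": False, "passcode": True, "remote_wipe": True},
    {"id": "dev-004", "os": "14.5", "encryption": True, "passcode": False, "remote_wipe": False},
]

# Constructed DHCP/NAC log: which client identifiers were seen on the corporate network.
NETWORK_LOG = """\
2011-05-05T08:01:12 lease 10.0.4.21 client-id dev-001
2011-05-05T08:03:40 lease 10.0.4.22 client-id dev-003
2011-05-05T08:07:05 lease 10.0.4.23 client-id dev-077
2011-05-05T08:09:59 lease 10.0.4.24 client-id dev-004
"""


def parse_version(text):
    """'14.3' -> (14, 3); tuples compare numerically, unlike the raw strings ('14.10' > '14.9')."""
    return tuple(int(part) for part in text.split("."))


def check_patch_level(inventory, policy):
    """Devices running an OS older than the approved minimum."""
    return [d["id"] for d in inventory
            if parse_version(d["os"]) < policy["min_os_version"]]


def check_protective_features(inventory, policy):
    """Map device id -> protective features the policy requires but the device lacks."""
    missing = {}
    for d in inventory:
        lacking = [f for f in policy["required_features"] if not d.get(f, False)]
        if lacking:
            missing[d["id"]] = lacking
    return missing


def find_unmanaged_on_network(log, inventory):
    """Client ids seen on the network that are not enrolled in the MDM inventory."""
    managed = {d["id"] for d in inventory}
    seen = set(re.findall(r"client-id (\S+)", log))
    return sorted(seen - managed)


def audit(inventory, policy, log):
    """Collect findings as (severity, device id, message) tuples for the audit workpaper."""
    findings = []
    for dev in check_patch_level(inventory, policy):
        findings.append(("high", dev, "OS below approved minimum version"))
    for dev, lacking in check_protective_features(inventory, policy).items():
        findings.append(("high", dev, "required features disabled: " + ", ".join(lacking)))
    for dev in find_unmanaged_on_network(log, inventory):
        findings.append(("medium", dev, "unmanaged device observed on corporate network"))
    return findings


if __name__ == "__main__":
    for severity, dev, msg in audit(INVENTORY, POLICY, NETWORK_LOG):
        print(f"[{severity}] {dev}: {msg}")
```

Each finding maps back to one of the listed procedures, so the same script can be re-run at the next audit to show whether the exceptions were remediated.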
53. Implications – Chartered Accountants (CAs)
Consider the following items when confirming operational efficiency:
- Policy
- Antivirus updates
- Encryption
- Secure transmission
- Device management
- Access control
- Awareness training
- Risk
62. Conclusion
Mobile devices have definitely enhanced the availability, productivity, and efficiency of business processes. However, the device and its data can be lost, corrupted, damaged, or stolen, which may harm the very things they were enhancing. Many executives recognize there is a risk associated with these devices, but do not implement sufficient controls to mitigate the risks.
Recommendation:
- Develop a strategy to manage mobile devices
- Develop policies to support the strategy
- Use proven frameworks to assess IT technology when using or introducing new devices
63. References
All music used was obtained from: http://www.partnersinrhyme.com/pir/free_music_loops.shtml
AICPA. (2011, February 15). Surging Business Use of Mobile Devices is Top Business IT Challenge; AICPA Survey. Retrieved May 5, 2011, from AICPA: http://www.aicpa.org/PRESS/PRESSRELEASES/2011/Pages/2011TopTechnologySurvey.aspx
Blank, P. (2010, July 2). Compliance concerns delay banks introducing iPhone trading. Retrieved May 5, 2011, from Finextra: http://www.finextra.com/community/fullblog.aspx?blogid=4236
Brenner, B. (2006, October 20). Infected iPods a threat to corporate networks. Retrieved May 5, 2011, from SearchSecurityChannel.com: http://searchsecurity.techtarget.com/news/1225559/Infected-iPods-a-threat-to-corporate-networks
Cobb, M. (2009, January 8). Can USB compromise the security of an embedded mobile device? Retrieved May 5, 2011, from SearchSecurity.com: http://searchsecurity.techtarget.com/answer/Can-USB-compromise-the-security-of-an-embedded-mobile-device
Computer Security Update. (2007, January 1). Mobile Devices Expose Firms to Compliance/Security Risks. Computer Security Update, Vol. 8, Issue 1.
COSO. (n.d.). Internal Control - Integrated Framework. Retrieved June 30, 2011, from COSO.org: http://www.coso.org/IC-IntegratedFramework-summary.htm
Davis, C., & Schiller, M. (2011, April 12). 10 Steps for Auditing Mobile Computing Security. Retrieved May 5, 2011, from Enterprise Systems: http://esj.com/Articles/2011/04/12/IT-Auditing-Mobile-Security.aspx?p=1
Expert Names Top 10 Audit Issues of 2009. (2009). Retrieved May 5, 2011, from InternetNews.com: http://www.internetnews.com/government/article.php/3819156/Expert-Names-Top-10-Audit-Issues-of-2009.htm
Fell, J. (2011, April 19). Mobile devices and the law: What are the legal issues? Retrieved May 5, 2011, from computing.co.uk: http://www.computing.co.uk/ctg/feature/2044628/mobile-devices-law
64. References
Gupta, U. (2011, June 6). How Effective are Mobile Security Policies? Retrieved June 8, 2011, from Bank Info Security: http://blogs.bankinfosecurity.asia/posts.php?postID=967
Hernacki, B. (2006). Improving Bluetooth Security: What IT Managers and Mobile Device Users Can Do. Information Security Journal, Vol. 15, Issue 4, 39-42.
ISACA. (n.d.). COBIT - IT Governance Framework. Retrieved June 30, 2011, from ISACA: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
ISACA. (2011, June 1). ISACA Survey: IT Leaders in India Believe Mobile Devices Pose Serious Risk to Enterprises. Retrieved June 7, 2011, from Asia Pulse Pty Ltd.: http://proquest.umi.com.proxy.lib.uwaterloo.ca/pqdweb?index=5&did=2363825061&SrchMode=2&sid=2&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1307655836&clientId=16746
ISACA. (2010). Securing Mobile Devices. An ISACA Emerging Technology White Paper, 1-10.
Juniper Networks. (2011, January). Mobile Device Security - Emerging Threats, Essential Strategies: Key Capabilities for Safeguarding Mobile Devices and Corporate Assets. Retrieved May 5, 2011, from Juniper Networks: http://www.juniper.net/us/en/local/pdf/whitepapers/2000372-en.pdf
Levick, R. S. (2011, May 3). Sony's Cyberattack and How Companies Fail in Data Security. Retrieved May 5, 2011, from FastCompany.com: http://www.fastcompany.com/1751318/directors-are-disengaged-on-data-security
Parizo, E. (2008, April 7). HP: Would you like some malware with your server? Retrieved May 5, 2011, from IT Knowledge Exchange: http://itknowledgeexchange.techtarget.com/security-bytes/hp-would-you-like-some-malware-with-your-server/
Vijayan, J. (2011, March 29). BP employee loses laptop containing data on 13,000 oil spill claimants. Retrieved May 5, 2011, from ComputerWorld: http://www.computerworld.com/s/article/9215316/BP_employee_loses_laptop_containing_data_on_13_000_oil_spill_claimants
White, M. (2010, June 30). Drunk oil trader banned and fined. Retrieved May 5, 2011, from Finextra: http://www.finextra.com/news/fullstory.aspx?newsitemid=21554