ISO/IEC Information Security Management System (ISMS) for Mobile Devices

Page 1: Agenda
- Why apply ISMS to Mobile Devices?
- Overview of the ISMS templates: 69 risks identified, 26 risk mitigations, 7 templates (> 250 pages)
- Password & Mobile Device Security SOPs
- Applicable cyberlaw
Presented by Stacy (Dene') Nelson, Student ID #

Page 2: What is ISO/IEC 27001?
ISO/IEC international standards (Information technology – Security techniques):
- ISO/IEC: Information security risk management
- ISO/IEC: Code of practice for information security management
- ISO/IEC: Information security management systems – Requirements
The ISO/IEC standards are the gold-standard guidance for information security management.
Page 3: What are Mobile Devices? Who uses them?
Leverage the ISO/IEC ISMS to address the new information security risks created when workers use mobile devices around the world.
Page 4: New Risks Associated with Mobile Devices
- Small size: easy to lose, easy to steal
- Bad mobile social media posts can ruin reputations, leak information, and violate privacy and intellectual property laws
- Malware downloaded from the cloud, communications networks, desktop synchronization and tainted storage media
- Spam
- Spyware can be used for electronic eavesdropping on phone calls, texts, etc.
- Geotagging and location tracking allow the whereabouts of registered cell phones to be known and monitored
- Server-resident content such as may expose sensitive information via server vulnerabilities
Page 5: Overview of ISMS Mobile
7 templates (> 250 pages), following the ISO/IEC Section 4.3 list of documents, for robust security management, identification of risks and countermeasures, and support of ISMS certification:
- ISMS Mobile Policy (MS Word)
- ISMS Mobile Scope (MS Word)
- ISMS Mobile Project Plan (MS Project)
- ISMS Mobile Risk Assessment Methodology (MS Word)
- ISMS Mobile Risk Assessment (MS Excel)
- ISMS Mobile Risk Treatment Plan (MS Word)
- ISMS Mobile Statement of Applicability (SoA) (MS Word)
Additional templates:
- ISMS Mobile Password Policy Template (MS Word)
- ISMS Mobile SOP - Mobile Device Security Template (MS Word)
ISMS Mobile was formally tested by an independent quality control specialist. ISMS Mobile can jumpstart the safeguarding of mobile information for organizations.
Page 6: Overview of ISMS Mobile
The ISMS Mobile templates are password-protected files that can be downloaded from the ISMS Mobile website.
Page 7: Example from the ISMS Mobile Policy (screenshot)
Page 8: ISMS Mobile Risk Evaluation
Risk prioritization is based on four inputs per risk:
- Likelihood: Low, Medium, High
- Impact: Low, Medium, High
- Risk Level (class): 1, 2, 3
- Detectability: Low, Medium, High
Page 9: Example from the ISMS Mobile Project Plan (screenshot)
Page 10: Example from the ISMS Mobile Risk Register (screenshot)
Page 11: Correlating Risk to Risk Treatment
ISMS Mobile Risk Register (risk scenarios listed in order of priority, from High to Low):

| Risk ID | Risk Scenario | Likelihood (High 1.0, Medium 0.5, Low 0.1) | Impact (High 100, Medium 50, Low 10) | Class (1, 2, 3) | Detectability (High 100, Medium 50, Low 10) | Priority (High, Medium, Low) | Risk Treatment |
|---|---|---|---|---|---|---|---|
| 1 | Mobile device victim of "hacking defaults" because the default settings were not changed | | | | | High | T1: Change Defaults |

To move from the ISMS Mobile Risk Register to the ISMS Mobile Risk Treatment Plan, find the risk treatment name and number in the Risk Treatment column of the Risk Register.
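As an added illustration (not code from the ISMS Mobile templates), the following Python models the register columns above and the lookup of each treatment number in the Risk Treatment column. The scale values are the slide's; the scoring rule, the priority thresholds, the treatment catalogue excerpt and the sample rows other than risk 1 are assumptions.

```python
"""Risk register scoring modelled on the ISMS Mobile register columns.

Added example. The scale values are the slide's; how they combine into a
priority is an ASSUMED rule for illustration, not the template's method.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
DETECTABILITY = {"High": 100, "Medium": 50, "Low": 10}

# Excerpt of the treatment catalogue (names from the slides; the mapping
# used here is constructed for the sample rows).
TREATMENTS = {"T1": "Change Defaults",
              "T12": "Procedure for Lost or Stolen Mobile Device",
              "T16": "Secure Bluetooth"}

@dataclass
class Risk:
    risk_id: int
    scenario: str
    likelihood: str     # High / Medium / Low
    impact: str         # High / Medium / Low
    risk_class: int     # 1, 2 or 3
    detectability: str  # High / Medium / Low
    treatment: str      # treatment number, e.g. "T1"

def score(risk):
    """Assumed rule: expected impact (likelihood x impact), multiplied by a
    penalty when detectability is low (a hard-to-detect risk stays
    unmitigated longer). The penalty is 1, 2 or 10 for High/Medium/Low."""
    exposure = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    penalty = DETECTABILITY["High"] / DETECTABILITY[risk.detectability]
    return exposure * penalty

def priority(risk):
    """Assumed thresholds mapping the score onto High/Medium/Low."""
    s = score(risk)
    return "High" if s >= 100 else "Medium" if s >= 25 else "Low"

def prioritized_register(risks):
    """Rows sorted High to Low, each joined to its treatment name."""
    return [(r.risk_id, priority(r), score(r),
             f"{r.treatment}: {TREATMENTS.get(r.treatment, 'NOT IN PLAN')}")
            for r in sorted(risks, key=score, reverse=True)]

def missing_treatments(risks):
    """Consistency check: register rows whose treatment number has no
    entry in the treatment plan (a broken register-to-plan correlation)."""
    return [r.risk_id for r in risks if r.treatment not in TREATMENTS]

SAMPLE = [  # row 1 is the slide's example; rows 2 and 3 are constructed
    Risk(1, 'Victim of "hacking defaults": defaults not changed', "High", "High", 1, "Medium", "T1"),
    Risk(2, "Device lost or stolen", "Medium", "High", 1, "High", "T12"),
    Risk(3, "Bluetooth left discoverable", "Low", "Medium", 2, "Medium", "T16"),
]
```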
Page 12: Example from the ISMS Mobile Statement of Applicability – Implemented (screenshot)
Page 13: Example from the ISMS Mobile Statement of Applicability – Outside Scope (screenshot)
Page 14: Special Strategies Used in ISMS Mobile
The process used at NASA for safety-critical software was applied to the security of mobile devices.
Page 15: What is Included in ISMS for Mobile Devices
- 110 ISO/IEC Annex A security controls investigated: 25 deemed out of ISMS Mobile project scope, 85 security controls addressed
- 69 risks identified for mobile devices: 2 high priority, 25 medium priority, 42 low priority (but high impact should they occur)
- 26 risk treatments devised and justified (e.g. cost vs. risk, already in use, etc.)
- 2 additional templates: ISMS Mobile Password Policy template; ISMS Mobile SOP - Mobile Devices Security template
Page 16: Systems Security – 26 Risk Treatments for Mobile Devices – page 1 (alphabetical order)
- T1: Change Defaults
- T2: Disciplinary Action Procedure
- T3: Event Log
- T4: Forensics
- T5: Information Access Control Procedure
- T6: Mobile Malware Protection and Detection Software
- T7: Prevent Unauthorized Electronic Tracking
- T8: Prevention of Attagging
- T9: Prevention of Electronic Eavesdropping
- T10: Prevention of Jailbreaking
- T11: Prevention of Tapjacking (clickjacking)
- T12: Procedure for Lost or Stolen Mobile Device
- T13: Proper use of Geotagging
Page 17: Systems Security – 26 Risk Treatments for Mobile Devices – page 2 (alphabetical order)
- T14: Retrieval of Information - Lost or Forgotten Passwords
- T15: Safeguarding Mobile Data
- T16: Secure Bluetooth
- T17: Secure Mobile Device Enterprise Server
- T18: Secure Wired Network
- T19: Secure Wireless Network Transactions
- T20: Securing Mobile Cloud Computing
- T21: Security Incident
- T22: Synchronization – ActiveSync
- T23: Synchronization Configuration
- T24: Synchronization - HotSync
- T25: Test Data Password Protected
- T26: Training for Mobile Social Media Usage
Page 18: Security Planning and Management
- There is not always a 1-to-1 relationship between risks and countermeasures: one SOP covers many risks, and one countermeasure for changing defaults is required for many mobile devices.
- Security controls must be planned, implemented, tested and monitored to ensure they protect data.
Page 19: Applicable Cyberlaw, Regulations and Compliance – page 1
Cyberlaw struggles with privacy concepts such as when the needs of the many supersede the rights of the individual. For example, ECPA Section 2709 allows the FBI to issue National Security Letters to ISPs ordering disclosure of customer records (Electronic Communications Privacy Act of 1986, 2012).
In the USA, laws are specific to certain industries, for example:
- FISMA - Federal Information Security Management Act of 2002
- Gramm-Leach-Bliley Act – personal financial security (Gramm-Leach-Bliley Act, 2012)
- HIPAA - privacy of health data (Health Insurance Portability and Accountability Act, 2012)
- Sarbanes-Oxley Act of 2002 (SOX) – public financial security (Sarbanes-Oxley Act, 2012)
Page 20: Applicable Cyberlaw, Regulations and Compliance – page 2
Guidelines used for ISMS Mobile:
- ISO/IEC (ISMS)
- ISO/IEC (Security Controls)
- ISO/IEC Information Security Risk Management
- NIST Guidelines on Mobile Security
- NIST Guidelines on PDA Forensics
- NIST National Vulnerability Database
- Generally Accepted Information Security Principles
Page 21: References
- Electronic Communications Privacy Act. (2012). Retrieved from
- Federal Information Security Management Act of 2002. (2012). Retrieved from
- GAISP. (2004). Generally Accepted Information Security Principles. Retrieved from
- Gramm-Leach-Bliley Act. (2012). Retrieved from
- Health Insurance Portability and Accountability Act. (2012). Retrieved from
- ISO/IEC. (2005). Information Technology – Security Techniques – Information Security Management Systems – Requirements. Retrieved from
- ISO/IEC. (2012). Information Technology – Security Techniques – Information Security Risk Management (Second Edition). Retrieved from
- NIST SP. (2002). Risk Management Guide for Information Technology Systems. Retrieved from
- Sarbanes-Oxley Act. (2012). Retrieved from