AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
Securing Mobile Devices with COBIT 5
1. Securing Mobile Devices
Using COBIT® 5 for Information Security
Dipresentasikan oleh:
Sarwono Sutikno, Dr.Eng,CISA,CISSP,CISM
ssarwono@gmail.com
2. Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM
• Dosen Sekolah Teknik Elektro dan Informatika ITB
• Dosen Universitas Pertahanan RI m.k. Cyber
Warfare Dynamics dan Cyber Security Policy and
Strategy
• ISACA Academy Advocate for ITB
• (ISC)2 Information Security Leadership Award
2011 - Senior Information Security Professional
• Sedang membuat kurikulum S2 Keamanan
Informasi di ITB, akan mulai Agustus 2013
• Cyber Security Center ITB - KOICA
3. Outline
• Guiding Principles for Mobile Device Security
• What Is a Mobile Device?
• Mobile Device Impact on Business and Society
• Threats, Vulnerabilities and Associated Risk
• Security Governance
• Security Management for Mobile Devices
• Hardening Mobile Devices
• Mobile Device Security Assurance
4. Guiding Principles for Mobile Device Security
1. Know the business value and risk of mobile device
use.
2. Clearly state the business case for mobile device use.
3. Establish systemic security for mobile devices.
4. Establish security governance over mobile devices.
5. Manage mobile device security using enablers.
6. Place security technology in context.
7. Know the assurance universe and objectives.
8. Provide reasonable assurance over mobile device
security.
5. What Is a Mobile Device?
Mobile Device Use—Past, Present and Future
• Mobility and
Flexibility
• Patterns of Work
• Organizational
Perimeter
• Other Impacts
16. Security Governance
• The Business Case
• Standardized Enterprise Solutions
– Hardware (front and back end)
– OS
– Applications
– Data and information
– User administration
– Systems management (direct and remote)
• BYOD
• Combined Scenario
• Private Use of Mobile Devices
• Defining the Business Case
23. Security Management for Mobile
Devices
• Mobile Device Categories and Classification
• Existing Security Controls
• Principles, Policies and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies
34. Key Operating Procedures
• Auditing mobile devices—Procedure to facilitate audit of mobile
devices, alignedwith internal/external audit programs
• Change management—Procedure describing how general change
management (which is usually standardized) should be applied to
mobile devices
• Patch management—Procedure describing how patches for mobile
devices are identified, acquired, tested, deployed
• Malware protection—Procedure describing various technical steps
and measures for protecting mobile devices against malware
• Encryption, VPN, encapsulation—Procedure describing encryption
for data at rest and data in flow, VPN tunnels and data
encapsulation
• Damage, loss, theft—Procedure describing user and organization
steps in the event of device loss, damage or theft
42. Information
• Step 1: Categorize information. Identify information unique
to the device as opposed to replicated information.
• Step 2: Identify what is done with the information—
storage, processing, creation, sharing.
• Step 3: Determine information and transaction sensitivity.
• Step 4: Analyze the protection provided by preapplied
controls.
• Step 5: Determine requirements for additional controls.
• Step 6: Develop and implement an action plan for
additional controls.
43. Protecting Personal Information
• Remove/prohibit—This is available only in a
centralized management scenario with mobile
devices provided by the organization.
• Segregate—Take technical steps to separate
personal information on the device.
• Anonymize—Separate the personal identity of
the user from the technical identity of the mobile
device.
• Permit—Obtain end-user permission to
store, process and use personal information.
45. Hardening Mobile Devices
• Device and SIM card (if applicable)
• Permanent internal storage
• Removable or external storage
• Connectivity (all channels)
• Remote functionality (lockdown, GPS, etc.)
46. Mobile Device Security Assurance
• Auditing and Reviewing Mobile Devices
• Investigation and Forensics for Mobile Devices
47.
48.
49.
50.
51.
52.
53.
54. Investigative Requirements
• Develop the proper capabilities to perform
forensic and investigative analysis
• Forensic and investigative policies and
procedures should be established
• Identify the multidisciplinary team that will
likely be involved