IT 833 INFORMATION GOVERNANCE
Dr. Isaac T. Gbenle
Chapter 15 – Information Governance for Cloud Computing
Asante, 2019
CHAPTER GOALS
Be able to define cloud computing
What are the key characteristics of cloud computing?
What are the four cloud deployment models?
Describe common security threats with cloud computing
Contrast the concerns of cloud computing with the benefits
Explain the guidelines for managing documents and records using cloud computing
Explain IG guidelines for cloud computing
WHY IS CLOUD COMPUTING SUCH A “BIG DEAL”?
Changes our entire way of thinking about computing and IT
Provides scalable, adjustable resources
Cost savings to business
Combines newest architectures, system software, hardware speeds, and lower storage costs
Instant resources at the disposal of business
Frees up the IT Department to focus on business functional unit needs
Concerns for privacy and security are overlooked
What is Cloud Computing?
“Cloud Computing is a shared resource that provides dynamic
access to computing services that may range from raw
computing power to basic infrastructure to fully operational and
supported applications”
Smallwood, Information Governance: Concepts, Strategies and
Best Practices, page 286
What is Cloud Computing?
“A model for enabling convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction”
Peter Mell and Tim Grance, “NIST Definition of Cloud Computing”, Version 15, 10-07-09, www.nist.gov
“Shared resource that provides dynamic access to computing services that may range from raw computing power, to basic infrastructure, to fully operational and supported applications”. –from your textbook page 286
CHARACTERISTICS OF CLOUD COMPUTING
On-Demand Self-Service
Broad network access
Resource pooling
Rapid Elasticity
Measured Service
Misconceptions of Cloud Computing
Cloud Computing is a service-oriented architecture
Misconception: Cloud Computing does not “move the organization to the cloud”
Misconception: If you don’t migrate to a cloud solution you are protected from the dangers of cloud computing
CLOUD DEPLOYMENT MODELS
Private Cloud – Dedicated to and operated by a single enterprise
Community Cloud – Where cloud infrastructure is shared by several organizations
Public Cloud – Cloud infrastructure is made available to the general public or industrial group
Hybrid Cloud – Combined approach – composition of two or more clouds
THREATS OF CLOUD COMPUTING
Information Loss
Fix: Agreement by provider to follow standard operating procedure for data backup, archival and retention
Data Loss Insurance
Information Breaches
Fix: DLS Implementation
Strong Encryption
Secure storage, management and document destruction procedures
Contractual Agreements
Insurance Coverage
THREATS OF CLOUD COMPUTING
Insider Threats
Fix: Screening
Assessment of supplier’s practices
Hacking and Rogue Intrusions
Fix: IG policies and monitoring controls
Total Network Monitoring
Requirement that cloud provider regularly monitor public blacklists to check for exploitation
THREATS OF CLOUD COMPUTING
Insecure Points of Cloud Connection
Fix: Thoroughly test the API to ensure that all connections abide by standard policy
Utilization of multiple logon authentication steps
Encryption of sensitive data during transmission
THREATS OF CLOUD COMPUTING
Issues with Multitenancy and Technology Sharing
Fix: Control and verification of access
Enforceable service-level agreements for patching software bugs etc.
IG policy that requires full disclosure of activities and usage logs and related information.
THREATS OF CLOUD COMPUTING
Lack of clarity about who owns the information
Risk of large failures of cloud providers
Inability to closely follow user’s retention schedule
Lack of RM functionality for many cloud-based applications
Inability to implement legal holds
Poor response time
Limited ability to ensure cloud provider meets your duties to follow regulations
Jurisdictional and Political issues
Storage of PII on foreign services with various restrictions and prohibitions
BENEFITS OF CLOUD COMPUTING
Allows for more flexibility in technology/devices
Workers can access information via mobile devices
Provides a mechanism to support collaboration with external partners
File storage solutions provide better alternatives for remote information access than copying to unsecured devices, or sending via email
Key to organization’s disaster recovery/business continuity plan
GUIDELINES FOR CREATING STANDARDS AND POLICIES FOR MANAGEMENT OF E-DOCS IN CLOUD
Include Chief Records Management Officer/Lead RM staff in all stages
Define which copy of record will be the organization’s “official copy”
Include instructions for determining if records are covered under retention policy
Include instructions for record capture, management, retention, etc.
Include instructions on records analysis, development and submitting records schedules for unscheduled records in cloud environment
Include instructions to periodically test transfers of records to other environments to ensure they remain portable
Include instructions for migration to a new platform, operating system, etc. so records remain readable throughout their lifecycle
Resolve portability and accessibility issues through good records management policies
IG GUIDELINES FOR CLOUD COMPUTING
Define business objectives first and then select a provider that meets your objectives
Document roles and responsibilities
Make sure to incorporate the investigation and application of required fixes – incorporate that into your negotiations with the cloud provider
If the concept is new to your organization, develop processes that can be reused in subsequent cloud computing projects. Things like:
How to migrate information to the cloud
How to get information back when you quit using the cloud
How to implement legal holds
THE END
Chapter 13
Information Governance for Social Media
Isaac T. Gbenle PhD
Information
Information is the lifeblood of every organization, and an
increasing volume of information today is created and
exchanged through the use of social networks and Web 2.0 tools
like blogs, microblogs, and wikis.
Corporations use public social media technology to create a
visible brand, strengthen relations with current customers while
attracting new connections and clients, highlight their products
and services, and gather intelligence that can be used in
decision making.
Governments use public social media technologies to consult
with and engage citizens, provide services, and keep pace with
fast-moving events (e.g., natural disasters).
Both types of enterprises also benefit from the use of internal
social media solutions that facilitate communication and
collaboration, improve employee engagement, and boost
productivity and efficiency.
Information (cont’d)
Content created through or posted to these new social media
platforms must be managed, monitored, and, quite often,
archived. Content that meets the organization's definition of a
record (i.e., documents business activities) must be retained in
accordance with the organization's records retention and
disposition policy.
Too often, social media content is not managed by information
governance (IG) policies or monitored with controls that ensure
protection of the brand and critical information assets and
preservation of business records.
According to the U.S. National Archives and Records
Administration:
Social media platforms can be grouped into the categories
below. Some specific platforms may fit into more than one
category depending on how the platform is used.
Web Publishing. Platforms used to create, publish, and reuse
content.
Microblogging (Twitter, Plurk)
Blogs (WordPress, Blogger)
Wikis (Wikispaces, PBWiki)
Mashups (Google Maps, popurls)
Social networking. Platforms used to provide interactions and
collaboration among users.
Social networking tools (Facebook, LinkedIn)
Social bookmarks (Delicious, Digg)
Virtual worlds (Second Life, OpenSim)
Crowdsourcing/Social voting (IdeaScale, Chaordix)
File sharing/storage. Platforms used to share files and host content storage.
Photo libraries (Flickr, Picasa)
Video sharing (YouTube, Vimeo)
Storage (Google Drive, Dropbox)
Social Media in the Enterprise
Implementing security is more manageable and practical with
enterprise social networking software.
Public-facing social media integrates Internet-based
applications, technology, social interaction, and content
creation to enable communication, collaboration, and content
sharing within and across subnetworks of millions of public
users. Implementing tight security on these types of mass
networks would likely slow response time and inhibit the user
experience, and it may not provide a sufficient level of security
to warrant the investment on the part of the social media
provider.
Enterprise social networking is being adopted by business and
public-sector entities at a rapid rate. With the entry
of Generation Gmail into the workforce, many of these
initiatives took on an experimental, "cool" image. However, it
is crucial to establish social media business objectives, to
define time-limited metrics, and to measure progress. There
does need to be some leeway, as calculating return on
investment (ROI) for enterprise social networks is very new,
and all the benefits (and pitfalls) have not yet been discovered
or defined. Certainly the network load and required bandwidth
for e-mail and attachments will decrease; instead of sending a 25MB PowerPoint file back and forth among 10 coworkers, the file can sit in a common workspace for collaboration.
Social media differs greatly from e-mail use. E-mail is mature
and stable. Social media is not. These distinctions have
important ramifications for IG policy development.
Biggest Risks of Social Media
Social media is the Wild West of collaboration and
communication. Vulnerabilities still are being exposed, and
rules still are being established. Users often are unsure of
exactly who can see what they have posted. They may believe
that they have posted a comment only for the eyes of a friend or
colleague, not realizing it may have been posted publicly. "One
of the biggest risks that social networking poses to
organizations is that employees may be exposing information
that's not meant for public consumption, especially in highly
regulated environments like banking and healthcare, in
industries that rely heavily on proprietary research and
development, or even in the military"
Lack of a social media policy. Many organizations are just now
discovering the extent to which social media has popped up in
various pockets of their organization. They may believe that
their e-mail and communications policy will pretty much cover
social media use and that it is not worth the time and expense to
update IG policies to include social media.
Employees—the accidental and intentional insider threat. This
may be in part due to lack of social media policy or due to lack
of monitoring and enforcement. Sometimes an employee harms
an organization intentionally. Remember Private Bradley Manning's release of hundreds of thousands of classified government documents to WikiLeaks?
But most times employees do not realize the negative impact of
their behavior in posting to social media sites. People might use
social media to vent about a bad day at work, but the underlying
message can damage the company's reputation and alienate
coworkers and clients. Other times a post that is seemingly
unrelated to work can backfire and take a toll on business.
We're all human and sometimes emotion gets the better of us,
before we have rationally thought out the consequences. And
that is especially true in the new world of social media, where it
may be unclear exactly who can see a comment.
Legal Risks of Social Media Posts
Two of the biggest threats of social media use for organizations
come from the lack of a social media policy and threats
presented by employee use.
With no IG policy, guidelines, monitoring, or governance, legal
risks of using social media increase significantly. This is an
avoidable risk.
Just when compliance and records managers thought they had
nailed down IG for e-mail, IM, and electronic records, social
media came on the scene creating new, dynamic challenges!
IG Considerations for Social Media
An IG framework for social media should incorporate social
media policy, controls, and operational guidelines as well as
spell out consequences for violations. Best practices for social
media still are being established, and those that have been
established are evolving. In addition to establishing policies to
govern the use of social media across the organization, best
practices should include industry-specific, vertical market
considerations. A cross-section of functional groups within the
enterprise should provide input into the policy-making process.
At the very minimum, internal audit, marketing, finance,
information technology (IT), legal, human resources, and RM
must be consulted, and all business units should be represented.
Clear roles and responsibilities must be spelled out, and
controls must be established to govern acceptable use—
essentially what is allowed and what is not. Even writing style,
logo format, branding, and other marketing considerations
should be weighed. The enterprise's image and brand are at risk,
and prudent steps must be taken to protect this valuable,
intangible asset. And most important, all legal and regulatory
considerations must be folded into the new IG policy governing
the use of social media.
Key Social Media Policy Guidelines
An IG framework for social media should incorporate social
media policy, controls, and operational guidelines, and spell out
consequences for violations.
A prudent and properly crafted social media policy:
Specifies who is authorized to create social media accounts for
the organization.
Authorizes specifically who can speak on the organization's
behalf and who cannot (by role/responsibility).
Outlines the types of negative impact on the company's brand
and reputation that unscreened, poorly considered posts may
have.[24]
Draws clear distinctions between business and personal use of
social media and specifies whether personal access is allowed
during work hours.
Underscores the fact that employees should not have any
expectation of privacy when using social media for corporate
purposes, just as in using other forms of communications such
as e-mail, IM, and voicemail, which may be monitored.
Clearly states what is proper and allowed on the organization's
behalf and what is forbidden in social media posts or using
organization resources.
Instructs employees to always avoid engaging in company-
confidential or even controversial discussions.
Encourages/requires employees to include a standard disclaimer
when publishing content that makes clear the views shared are
representative of the employee and not the organization.
Strictly forbids the use of profanity and uses a professional
business tone, albeit more informal than in other corporate
communications.
Strictly forbids any statements that could be construed as
defamatory, discriminative, or inflammatory.
Outlines clear punishments and negative actions that will occur
to enforce social media policy.
Draws clear rules on the use of the company name and logo
Electronic records management (ERM).
Marking an electronic document as a read-only electronic record
Protecting the record against modification or tampering
Filing a record against an organizational file plan or taxonomy for categorization
Marking records as vital records
Assigning disposal (archival or destruction rules) to records
Freezing and unfreezing disposal rules
Applying access and security controls (Security rules may differ
from the source electronic document in an electronic document
management system or enterprise content management [ECM]
software.)
Executing disposal processing (usually an administrative
function)
Maintaining organizational/historical metadata that preserves
the business context of the record in the case of organizational
change
Providing a history/audit trail
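The ERM functions just listed describe a small state model, and it is easier to see how they fit together in code. The following is an added example written for this page; it is not code from the textbook or from any ERM product, and the record IDs, file-plan class names, role names, dates and content are constructed sample data. It shows declaration sealing the content with a hash (the read-only, tamper-evident mark), record-level access controls separate from the source document, a disposal rule that cannot run while a legal hold is in place or before the retention period ends, freeze/unfreeze of that rule, and an audit trail of every action.

```python
"""Toy ERM record model, added as an illustration for this page (not textbook or
product code). All identifiers, dates and content are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
import hashlib


class RecordError(Exception):
    """Raised when an action would violate the records-management rules."""


@dataclass
class Record:
    record_id: str
    content: bytes
    file_plan_class: str        # constructed taxonomy entry, e.g. "FIN-05 Invoices"
    declared_on: date
    retention_years: int
    disposal_action: str        # "destroy" or "archive"
    readers: set = field(default_factory=set)   # roles allowed to read the record
    content_hash: str = ""      # fixed at declaration and never updated
    legal_holds: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Declaration seals the content: the stored hash is the read-only mark.
        self.content_hash = hashlib.sha256(self.content).hexdigest()
        self._log("declared", f"class={self.file_plan_class}")

    def _log(self, action: str, detail: str = "") -> None:
        self.audit.append((action, detail))

    def verify_integrity(self) -> bool:
        """True if the content still matches the hash taken at declaration."""
        ok = hashlib.sha256(self.content).hexdigest() == self.content_hash
        self._log("integrity_check", "ok" if ok else "MISMATCH")
        return ok

    def read(self, role: str) -> bytes:
        """Record-level access control, independent of the source document's ACL."""
        if role not in self.readers:
            self._log("read_denied", role)
            raise RecordError(f"role {role!r} may not read {self.record_id}")
        return self.content

    def disposal_date(self) -> date:
        return self.declared_on.replace(year=self.declared_on.year + self.retention_years)

    def freeze(self, hold_id: str) -> None:
        """Legal hold: the disposal rule is suspended until every hold is lifted."""
        self.legal_holds.add(hold_id)
        self._log("hold_applied", hold_id)

    def unfreeze(self, hold_id: str) -> None:
        self.legal_holds.discard(hold_id)
        self._log("hold_lifted", hold_id)

    def dispose(self, today: date) -> str:
        """Execute the disposal rule; refused under a hold or before the period ends."""
        if self.legal_holds:
            self._log("disposal_refused", f"holds={sorted(self.legal_holds)}")
            raise RecordError("record is under legal hold")
        if today < self.disposal_date():
            self._log("disposal_refused", "retention period not elapsed")
            raise RecordError("retention period has not elapsed")
        if self.disposal_action == "destroy":
            self.content = b""   # content destroyed; metadata and audit trail survive
        self._log("disposed", self.disposal_action)
        return self.disposal_action


def tamper_demo() -> bool:
    """An edit after declaration is caught by the integrity check (returns False)."""
    rec = Record("REC-0002", b"original text", "ADM-01 Correspondence",
                 date(2020, 1, 1), 3, "archive", readers={"admin"})
    rec.content = b"altered text"        # simulated unauthorised modification
    return rec.verify_integrity()


def lifecycle_demo() -> dict:
    """Denied read, hold blocks disposal, early disposal refused, then destroyed."""
    rec = Record("REC-0001", b"Invoice 4711: 1,200.00 USD", "FIN-05 Invoices",
                 date(2015, 3, 1), retention_years=7, disposal_action="destroy",
                 readers={"finance", "records_manager"})
    results = {"intact": rec.verify_integrity()}
    try:
        rec.read("marketing")
    except RecordError:
        results["read_denied"] = True
    rec.freeze("HOLD-2021-07")
    try:
        rec.dispose(date(2022, 6, 1))
    except RecordError:
        results["blocked_by_hold"] = True
    rec.unfreeze("HOLD-2021-07")
    try:
        rec.dispose(date(2021, 6, 1))    # retention runs to 2022-03-01
    except RecordError:
        results["blocked_by_retention"] = True
    results["disposal"] = rec.dispose(date(2022, 6, 1))
    results["audit_events"] = [action for action, _ in rec.audit]
    return results
```

Calling `lifecycle_demo()` walks one invoice record from declaration through a hold to destruction, and `tamper_demo()` shows that any change to the content after declaration fails the integrity check. Note that destruction removes the content but keeps the metadata and audit trail, which is what lets the organization later prove what was held and when it was disposed.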
Records Retention Guidelines
Some basic records retention guidelines:
Make records threshold determinations. Examine the content to
see if it in fact constitutes a record by your own organization's
definition of a record, which should be contained in your IG
policies. This records determination process likely also will
require consultation with your legal counsel. If the social media
site has not been kept operating, or it was used for a specific
project that has been completed (and all pertinent records for
that project have been retained), then its content may not
require retention of records.
Use existing retention schedules if they apply. If your
organization already has retention policies for, say, e-mail, then
any e-mail sent by social media should adhere to that same
scheduling guideline, unless there is some legal reason to
change it.
Apply basic content management principles. Focus on capturing
all related content for social media posts, including
conversation threads, and associated metadata that may be
required in legal discovery to provide context and maintain the
completeness, authenticity, and integrity of the records.
Risk avoidance in content creation. Instruct and reinforce the
message to employees participating in corporate social media
that content on the Web stays there indefinitely and that it
carries potential legal risks. In addition, once something is
posted on the Web, completely erasing and destroying the
content at the end of its retention period is nearly impossible.
Emerging Best Practices for Managing Social Media Records
Identify records during the social media planning stage. Both a
social media policy and the records and information policy
should refer to a form to be completed by the person or unit
proposing a new social media initiative. The person completing
the form should indicate if records will be created and, if so,
how they will be managed.
Promote cross-functional communications. A social media team of representatives from various departments, such as IT, social media, legal, compliance, records management, and other stakeholders, is formed, and communication and collaboration are encouraged and supported.
Require consultation in policy development. Extending beyond
the social media team, input and advice from multiple
stakeholder groups is essential for creating IG policies that
cover social media records management.
Establish clear roles and responsibilities. The cross-functional
social media team must lay out clear expectations and
responsibilities and draw lines of accountability so
that stakeholders understand what is expected of them.
Utilize content management principles. Management of social
media content should fall under an ECM software
implementation, which can capture and track content, including
associated metadata and external content, and manage that
social media content through its life cycle.
Implement RM functionality. Management by an ERM system
that offers features that enable records retention and
disposition, implementation of legal holds, and lifting of legal
holds is essential.
Control the content. Clear guidelines and monitoring
mechanisms must be in place to control and manage
content before it gets published on the Web, when possible
(e.g., static content on blogs and profiles in social networks) if
there is any potential legal risk at all.
Capture content in real time. By implementing a real-time
content capture solution for content posted directly to social
media (e.g., comments on blogs and posting of someone else's
content or retweets), organizations will begin their control and
management of the content at the soonest point and can more easily prove it is authentic and reliable from a legal perspective.
Champion search capabilities. After capture and preservation of
records and associated metadata, search capabilities are the
single most important feature that the technology must provide.
Train, train, train. Social media is a new and emerging
technology that changes rapidly. Users must be trained, and that
training must be updated and reinforced on a regular basis so
that employees have clear guidelines, understand the
technology, and understand the business objectives for its use.
Organizations are increasingly using social media and Web 2.0
platforms to connect people to companies and government.
Social media use presents unique challenges because of key
differences with other electronic communications systems, such
as e-mail and IM.
Two of the biggest risks that social networking poses to
organizations are (1) not having a social media policy; and (2)
employees may be—intentionally or not—exposing information
that is not meant for public consumption.
Enterprise social networking software has many of the features of consumer social applications such as Facebook, but with more oversight and control, and it comes with analytics features to measure adoption and use.
Various software tools have become available in recent years
for archiving social media posts and followers for RM purposes.
An IG framework provides the overarching policies, guidelines,
and boundaries for social media initiatives, so that they may be
controlled, monitored, and archived.
Social media posts are more than the post itself; they include metadata and also include hyperlinks to external content, and that external content must be preserved in its native format to meet legal standards.
Robust search capabilities are the most crucial component of a
social media ERM or archiving solution.
Social media policy will be unique to each particular
organization.
Best practices for managing social media business records are
still evolving but include forming cross-functional social media
teams with clear responsibilities, encouraging communication,
and capturing complete content in real time.
ITS 833 – INFORMATION GOVERNANCE
Chapter 14 – Information Governance for Mobile Devices
Dr. Isaac T. Gbenle
CHAPTER GOALS AND OBJECTIVES
Challenges facing businesses with a mobile workforce
Greatest challenges to mobile device users
Trends in mobile computing
What is a push-button application for mobile devices?
What is MDM?
What function does MDM serve?
Trends in MDM?
Guidelines for IG for mobile devices
Best practices to secure mobile devices
How do you go about developing mobile device policies in your organization?
On the slide is a list of the types of things that you need to take away from this chapter.
Information Governance for Mobile Devices
326 million mobile devices in use at the end of 2012 – beginning of 2013
Significant Growth. Why?
Improved network coverage
Physically smaller devices
Improved processing power
Better pricing
Newer generation operating systems
A more mobile workforce
Mobile devices are everywhere! Per your author, there were over 326 million mobile devices in use in the United States. You would have to question this statistic, considering this number is greater than the number of people in the United States at that time. The explanation is that many users have more than one mobile device. Over the prior decade the growth of mobile devices exploded. Why? A number of reasons: improved network coverage, physically smaller devices, improved processing power, better pricing, newer-generation operating systems, and the fact that the workforce was becoming more mobile all contributed to this explosion.
THE NEED FOR INFORMATION GOVERNANCE WITH THE NEW MOBILE WORKFORCE
Greatest Challenges for IG due to heightened security risks with a mobile workforce
Data leakage and loss estimated to be in excess of $400,000.00
Mobile devices were not designed with security in mind
Androids running on different platforms/hardware are particularly susceptible
Social Engineering is widespread
Users are the weakest link
The key is:
Awareness and education of the criminal threats
Biometric Authentication – Retina, Voice, Fingerprint
Mobile Device Management
With all these new devices, and the information that resides on them outside the realm of the traditional organization, comes a whole new set of challenges for information security, and therefore an entirely new set of issues related to information governance. This has become one of the greatest security challenges for companies with a mobile workforce. The risk of compromising confidential information is greatest in this arena. Experts estimate that data loss can cost an organization as much as $400,000 per year from breaches related to mobile devices.
Consider that for the most part mobile devices were not designed with security in mind. In fact, because Androids were designed to run on different hardware, those devices are more susceptible to security breaches.
It is particularly vexing that smartphone viruses are more difficult to detect than viruses that infect your computer, and they are more difficult to get rid of.
The rate of technological development on smartphones is changing almost daily, which makes it more difficult to keep up with ways to prevent security breaches.
Think about just the area of banking, where you can now make remote deposits using your cell phone. Imagine what an opportunity this is for thieves and what a security challenge just that one change presents.
Social Engineering is a common approach used by hackers when dealing with mobile devices. Remember, social engineering involves using different ways of fooling the user into providing his private information. The user is the weakest link in preventing cyber crimes as it relates to mobile devices.
The key to all this is awareness of the threat that exists and an appreciation for cybercriminal techniques. Of course, new biometric techniques that are used to identify the owner of the mobile device, such as fingerprints, go a long way to offset the occurrence of cyber threats.
The IT departments really have to stay on top of this. They need to remain vigilant and make sure their employees who have mobile devices containing sensitive information have the newest technology to protect the information, that it is deployed, and that they know how to use it.
The term that has been coined for this area of security for mobile devices is “Mobile Device Management”.
TRENDS IN MOBILE COMPUTING
Long Term Evolution (LTE)
4G
WiMax [Worldwide Interoperability for Microwave Access]
RFID and increased wireless support
3G and 4G Interoperability
Sprint’s dual mode cards
Smartphone Applications
Increased software for mobile devices from 3rd party vendors
GPS
More mobile devices with GPS built-in
This area of mobile computing is changing so rapidly that it is crucial to make sure your users understand the direction of current trends so they will better know what developments to anticipate and how to plan for them. In 2011 CIOZone.com predicted the trending areas of mobile computing, and they have been right on target so far. They predicted at that time the following trends:
Long Term Evolution (LTE) – In 2011 it was predicted that 4th generation mobile computing would be made possible. It was.
WiMax [Worldwide Interoperability for Microwave Access] – The expectation was that more and more 4G devices would pop up in the US, and that more and more netbooks and laptops would be sold equipped with built-in radio frequency identification (RFID) and more wireless support. Surely we are seeing the trend with regard to wireless support.
3G and 4G Interoperability – Sprint developed the dual mode card that enabled mobile devices to run on either 3G or 4G networks, depending on what was available in the particular roaming area where the user is at the time.
Smartphone Applications – Third party software has grown by leaps and bounds. Nearly every type of software you can imagine is available for mobile devices today.
GPS – This has exploded. Nearly every mobile device today will have GPS to identify the user’s whereabouts.
TRENDS IN MOBILE COMPUTING
Security
VPN software and hardware-based VPNs
Antivirus
Improved and expanded antivirus software for mobile devices
Push-button Applications
More like the pull-down commands generally seen on desktop computers
Supplemental Broadband
Sprint – Expanding wireless broadband capabilities
Solid State Drives
Improved controllers and firmware built into the SSDs
Security – To rise to the growing challenge, corporate IT
departments are expected to begin using more of a combination
of Virtual Private Network software and hardware-based VPNs.
Antivirus – The need for greater and smarter antivirus will be
recognized by executives, and this will drive the creation of newer
and improved antivirus software that resides on the mobile
devices.
Push-button Applications – I am not so sure that the author was
able to convey what he meant by a “push-button application”
with the example he gave in the book, so we will try here.
Traditionally, when you talk about a push-button being built
into a software application on your desktop computer, you are
talking about a menu of commands: when you click on an
application button, a menu of commands is displayed.
Generally, the menu contains file-related commands such as
Open, Save, Print, and Exit. So I think what the author is trying
to say here is that you will have more applications on your
mobile device that will function like that and will be more
automatic. In the example the author gave on page 274, this
would mean that the driver would not have to actually dial his
dispatcher and request assistance to have the obstruction moved.
He would have a more automatic application on his mobile
device where he would just need to push the button to take care
of the situation.
Supplemental Broadband – This comes with extended LTE and
WiMax. Innovators and leaders in the industry such as Sprint
are expected to expand their wireless broadband capabilities to
small businesses that don’t have access to fiber optics.
Solid State Drives – This is a prediction that there will be
improved technology in the area of controllers and firmware
built into the solid state drives (SSDs) in the hardware.
Security Risks and Securing Mobile Devices
Contributing Factors for Security Risks
Increased storage capabilities
Advancements in SSD technology
Easier to lose and more susceptible to theft
More susceptible to intrusion during wireless communication.
Securing Mobile Data
Remove the confidential information from the device
Encrypt the confidential information
There are particular and unique security risks related to mobile
devices, such as the increased storage capacity made possible by
shrinking circuits and advanced SSD technology. Further, by
their very nature they are more susceptible to being lost or
stolen. In addition, their communications are more susceptible to
being intercepted while in transit over wireless links.
The smartest thing you can do to secure mobile data seems
obvious: remove the confidential information from the
device when it is no longer needed. Don’t leave it residing on
that particularly vulnerable device.
While it must reside on the device, encrypt the confidential
information.
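The two measures just described, remove the confidential data when it is no longer needed and encrypt it while it must remain, are shown below in an added Go example that is not part of the chapter or the textbook. Data is kept at rest only as an AES-256-GCM sealed record, so a lost device yields ciphertext that also fails to open if it has been altered, and the plaintext buffer is overwritten as soon as it has been sealed. The key generation, the Record type, the label and the sample value are assumptions of the example; a real device would hold the key in the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what stays on the device: the sealed form only (nonce || ciphertext || tag).
// Constructed type for this example; not a vendor or textbook API.
type Record struct {
	Sealed []byte
}

// NewKey returns a random 256-bit AES key. On a real device the key would
// live in the platform keystore rather than being generated ad hoc (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM under a fresh
// random nonce. label is bound as associated data so a ciphertext cannot be
// silently swapped in under a different record name.
func Seal(key, plaintext, label []byte) (*Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Record{Sealed: gcm.Seal(nonce, nonce, plaintext, label)}, nil
}

// Open returns the plaintext, or an error if the key, label or ciphertext
// has been altered in any way.
func Open(key []byte, r *Record, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(r.Sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, r.Sealed[:ns], r.Sealed[ns:], label)
}

// Wipe overwrites a buffer once its contents are no longer needed, so the
// plaintext is not left sitting on a device that may be lost or stolen.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("customer-record")
	secret := []byte("account 0000-0000 balance 12.34") // constructed sample data
	rec, err := Seal(key, secret, label)
	if err != nil {
		panic(err)
	}
	Wipe(secret) // the plaintext is no longer needed; remove it

	pt, err := Open(key, rec, label)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	rec.Sealed[len(rec.Sealed)-1] ^= 1 // flip one bit of the GCM tag
	_, err = Open(key, rec, label)
	fmt.Println("after tampering:", err)
}
```

The label as associated data is the detail worth noting: it stops an attacker with file access from moving one sealed record into another record's slot, which plain encryption alone would not detect.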
MOBILE DEVICE MANAGEMENT
What is Mobile Device Management?
Software used to manage mobile devices remotely
What can MDM do?
Improve security
Streamline managing remote devices in mass or individually
Provides management in the BYOD environment
Can control configuration settings
Mobile Device Management generally comes in the form of
software. It helps organizations remotely monitor, secure
and manage their mobile devices, such as smartphones, tablets and
PCs. It improves security and streamlines the process of
managing remote devices, since the manager has the option of
managing individual devices, a portion of the mobile devices or
all of them at the same time. It can be used to manage the
company-owned devices that are all the same and, in addition,
can be used to manage the employees’ own devices that they bring to
the workplace.
MDM can be used to remotely wipe a device clean, to
control its configuration settings, and to perform a variety of other
functions.
TRENDS IN MDM
MDM Software Expansion and Maturity
Consolidation of MDM major players
Cloud-Based MDM
Emphasis on mobile device policies
Diversity/Expanded mobile monitoring and security
Infrastructure Consolidation
Certain trends have been identified in the area of MDM. They
include the following:
MDM Software Expansion and Maturity – Most experts believe
this will become much more sophisticated and will emerge as a
technology that begins with the purchase of the device and
follows it through to the retirement of the device.
Consolidation of MDM major players – Fewer but stronger
developers of MDM software resulting from mergers of the big
players.
Cloud-Based MDM – This is expected to become the norm for
MDM software.
Emphasis on mobile device policies – More formalized policies,
plus awareness, education and training in the organization.
Diversity/Expanded mobile monitoring and security – This will
expand beyond the current types of mobile devices that are
controlled with MDM software and will begin to be possible
with other types of machines and equipment, such as
those used in transportation management.
Infrastructure Consolidation – This is very disjointed today. It is
expected that these different pieces, like mobile computing,
social computing and cloud computing, will merge to form a new
infrastructure paradigm.
GUIDELINES FOR IG FOR MOBILE DEVICES
Smartphones and Tablets
Encrypt Communications and Storage
Password protection
Timeout – self-locking after being idle for a period of time
Updates – Keep patches and updates current
Protect from hacking – Make sure the device is not jailbroken or rooted
Manage – Operate in a managed environment
Some of the guidelines for assisting in the IG for mobile
devices are relatively easy to implement. It is just a matter of
awareness and forethought. These include such things as:
Smartphones and Tablets
Encrypt Communications and Storage
Password protection
Timeout – self-locking after being idle for a period of time
Updates – Keep patches and updates current
Protect from hacking – Make sure the device is not jailbroken or rooted
Manage – Operate in a managed environment
GUIDELINES FOR IG FOR MOBILE DEVICES … Continued
For Portable Storage Devices:
Create User Names
Create Passwords
Utilize Encryption
Use additional levels of authentication
Use Biometric Identification
Some of the guidelines for assisting in the IG for mobile
devices are relatively easy to implement. It is just a matter of
awareness and forethought. These include such things as:
For Portable Storage Devices – Create user names and
passwords to protect the device from unauthorized access,
utilize encryption to protect the data, use additional levels of
authentication and management, and use biometric identification.
GUIDELINES FOR IG FOR MOBILE DEVICES
For Laptops, Netbooks, Tablets, and Portable Computers
Password protection in the form of user names and passwords
Timeout
Encrypt
Secure physically
Some of the guidelines for assisting in the IG for mobile
devices are relatively easy to implement. It is just a matter of
awareness and forethought. These include such things as:
For Laptops, Netbooks, Tablets and Portable Computers:
Password protect – create a user name and password
Timeouts – after a period of time the machine will time out and
require the user to re-enter the password
Encrypt
Physical Security – physical locks
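The guidelines on slides 10 through 12, together with the MDM slide's point that MDM can control configuration settings, are all checkable device settings. As an added example (my own code, not the chapter's, the textbook's or any MDM vendor's), here is a small Go compliance evaluator that takes constructed device inventory records of the kind an MDM agent would report and lists which guidelines each device fails: storage encryption, a passcode, an idle lock within a policy maximum, current OS patches, no jailbreak or root, and enrolment in a managed environment. The record fields, the policy thresholds and the sample devices are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// DeviceState is a constructed inventory record of the kind an MDM agent
// reports. Field names are this example's own, not any vendor's schema.
type DeviceState struct {
	ID               string
	StorageEncrypted bool
	PasscodeSet      bool
	IdleLockSeconds  int       // 0 means auto-lock is disabled
	OSPatchDate      time.Time // date of the installed OS patch level
	Jailbroken       bool      // rooted/jailbroken, as reported by the agent
	MDMEnrolled      bool      // operated in a managed environment
}

// Policy turns the guidelines into thresholds; the values used below are
// assumptions for the example, not figures from the chapter.
type Policy struct {
	MaxIdleLockSeconds int
	MaxPatchAge        time.Duration
}

// Evaluate returns the guideline violations for one device; an empty slice
// means the device is compliant. now is passed in so results are reproducible.
func Evaluate(d DeviceState, p Policy, now time.Time) []string {
	var v []string
	if !d.StorageEncrypted {
		v = append(v, "storage not encrypted")
	}
	if !d.PasscodeSet {
		v = append(v, "no passcode")
	}
	switch {
	case d.IdleLockSeconds == 0:
		v = append(v, "auto-lock disabled")
	case d.IdleLockSeconds > p.MaxIdleLockSeconds:
		v = append(v, fmt.Sprintf("idle lock %ds exceeds policy maximum %ds",
			d.IdleLockSeconds, p.MaxIdleLockSeconds))
	}
	if now.Sub(d.OSPatchDate) > p.MaxPatchAge {
		v = append(v, "OS patches out of date")
	}
	if d.Jailbroken {
		v = append(v, "jailbroken/rooted")
	}
	if !d.MDMEnrolled {
		v = append(v, "not enrolled in MDM")
	}
	return v
}

// Report lists every device with its status, one line per device.
func Report(fleet []DeviceState, p Policy, now time.Time) string {
	var sb strings.Builder
	for _, d := range fleet {
		v := Evaluate(d, p, now)
		if len(v) == 0 {
			fmt.Fprintf(&sb, "%s: OK\n", d.ID)
			continue
		}
		fmt.Fprintf(&sb, "%s: NONCOMPLIANT (%s)\n", d.ID, strings.Join(v, "; "))
	}
	return sb.String()
}

func main() {
	now := time.Date(2019, 3, 1, 0, 0, 0, 0, time.UTC) // constructed evaluation date
	policy := Policy{MaxIdleLockSeconds: 300, MaxPatchAge: 30 * 24 * time.Hour}
	fleet := []DeviceState{ // constructed sample inventory
		{ID: "phone-01", StorageEncrypted: true, PasscodeSet: true, IdleLockSeconds: 120,
			OSPatchDate: now.AddDate(0, 0, -10), MDMEnrolled: true},
		{ID: "tablet-07", StorageEncrypted: false, PasscodeSet: true, IdleLockSeconds: 900,
			OSPatchDate: now.AddDate(0, -4, 0), Jailbroken: true, MDMEnrolled: false},
	}
	fmt.Print(Report(fleet, policy, now))
}
```

The evaluator reports every failed guideline rather than stopping at the first, which is what an IG review needs: a device that is unencrypted and rooted and unmanaged is a different conversation from one whose patches are merely a week overdue.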
MOBILE APPLICATIONS
Examples:
Mobile e-commerce
Mobile banking
Increases security risks
Make sure the data is secure
Make sure the mobile app is secure
Mobile applications themselves are sources of security threats.
This includes such things as mobile banking apps and mobile
e-commerce apps, for example. So while you may take measures to
secure your mobile data, people too frequently forget to
secure their mobile apps.
BEST PRACTICES TO SECURE MOBILE APPS
Use seasoned app developers trained in secure coding who
use a secure software development life cycle
Use enhanced authentication methods
Require employees to re-enter credentials after a period of time
Use an information security expert to assess security around the
mobile application server
Encrypt sensitive data
Use a security expert to test the security of the mobile app before
deploying it in your organization
While this is a new and emerging area, some best practices for
mobile apps have been identified, as follows:
Make sure to use seasoned app developers who have secure-
coding training and who use a secure software development life
cycle (SDLC)
Use the enhanced authentication methods available for the industry
or type of app
Make sure the user is required to re-enter his or her credentials
after a period of time
Hire an information security expert to assess the security of the
mobile app server
Encrypt sensitive data
Hire a security expert to test the security of a mobile
application before you implement it company-wide
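The practice of requiring credentials to be re-entered after a period of time is easy to state and easy to get subtly wrong in an app. The following is an added Go example, not from the textbook or any real mobile app, of a session policy that enforces both an idle timeout and an absolute lifetime: a request after either has expired is refused until the user has logged in again. The policy values, the user name and the timeline are constructed for the example, and credential verification itself is outside its scope.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Session records when the user last proved their identity and when they
// last did something. Both timestamps drive the re-authentication rule.
type Session struct {
	User            string
	AuthenticatedAt time.Time
	LastActivity    time.Time
}

// SessionPolicy is the app's rule for "re-enter credentials after a period
// of time": an idle gap longer than IdleTimeout, or an authenticated age
// beyond MaxLifetime, forces the login screen again. Values are chosen
// for this example, not taken from the text.
type SessionPolicy struct {
	IdleTimeout time.Duration
	MaxLifetime time.Duration
}

var ErrReauthRequired = errors.New("session expired: credentials must be re-entered")

// NewSession starts a session at the moment credentials were verified.
func NewSession(user string, now time.Time) *Session {
	return &Session{User: user, AuthenticatedAt: now, LastActivity: now}
}

// Touch is called on every request before it is served. It either extends
// the session or reports that re-authentication is required; on error the
// caller must not serve the request.
func (s *Session) Touch(p SessionPolicy, now time.Time) error {
	idle := now.Sub(s.LastActivity)
	age := now.Sub(s.AuthenticatedAt)
	if idle > p.IdleTimeout || age > p.MaxLifetime {
		return ErrReauthRequired
	}
	s.LastActivity = now
	return nil
}

// Reauthenticate is called only after the user's credentials have been
// verified again (credential checking itself is outside this example).
func (s *Session) Reauthenticate(now time.Time) {
	s.AuthenticatedAt = now
	s.LastActivity = now
}

func main() {
	policy := SessionPolicy{IdleTimeout: 5 * time.Minute, MaxLifetime: 8 * time.Hour}
	t0 := time.Date(2019, 3, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	s := NewSession("alice", t0)
	fmt.Println("09:04 request:", s.Touch(policy, t0.Add(4*time.Minute)))  // still active
	fmt.Println("09:12 request:", s.Touch(policy, t0.Add(12*time.Minute))) // idle 8m > 5m
	s.Reauthenticate(t0.Add(12 * time.Minute))                              // user logged in again
	fmt.Println("09:14 request:", s.Touch(policy, t0.Add(14*time.Minute))) // active again
}
```

The absolute lifetime matters as much as the idle timeout: without it, a user who keeps tapping the app every few minutes never re-enters credentials, so a device picked up unlocked stays usable indefinitely.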
BEST PRACTICES FOR DEVELOPING A MOBILE DEVICE
POLICY FOR THE ORGANIZATION
Form a cross-functional mobility strategy team
Clarify goals for your mobile strategy – that is, start with a
discussion of the big picture. Look at your mobile device
business needs.
Drill down into policy requirement details – Talk to people in
peer organizations who have a policy in place to really get an
in-depth feel for what kind of policy you want to have. Then
begin with the basics.
Budget and control expenses. Think about whether your
company will purchase all the devices and pay the monthly
bills. If so, what cost controls will you need to put into place?
Consider the legal aspects and the liability issues related to
mobile devices in the hands of your employees. Where could
your employees run into trouble using their own devices instead
of yours? Think about your policy for wiping devices clean and
whether that will run afoul of the law.
Weigh device and data security issues. Are the mobile devices
worth having? Will they create such a great risk of security
breaches that you should not chance using them?
Develop your communications and training plan.
Update and fine-tune – that is, evaluate the plan. See where you
have left loopholes open. See where you have made missteps.
Always continuously evaluate your plan and tweak it where
there are issues or where you have been shortsighted.
So how do you go about developing the mobile device policy
for your organization? How do you even start? Begin by getting
input and representation from the stakeholders. Best practices
are of course also still evolving and being developed in this area,
but there are a few that are recommended regardless of your
industry. They are the steps listed on the slide above: form a
cross-functional mobility strategy team, clarify the goals of your
mobile strategy, drill down into policy requirement details,
budget and control expenses, consider the legal and liability
issues, weigh device and data security issues, develop a
communications and training plan, and update and fine-tune
the plan continuously.
The End