
AICPA ISSUES NEW TRUST SERVICES PRINCIPLES

The AICPA recently issued new Trust Services Principles (TSP Section 100) in April 2016 which supersedes the previous version issued in 2014. The most significant changes to the TSP include the following:

Restructures and creates a new set of privacy criteria that is incorporated into the common criteria method of assessment and reporting. As such, the privacy principles are now consolidated into a more concise set of additional privacy criteria that are reported as part of the common criteria report instead of in a separate report under the Generally Accepted Privacy Principles.

Revised Appendix B, “Illustration of Risks and Controls for Sample Entity,” to include the additional privacy criteria, examples of risks that may prevent the privacy criteria from being met, and controls designed to address those risks.

Modified criteria CC3.1 and CC3.2 to specifically require addressing potential threats, including those arising from the use of vendors and other third parties providing goods and services, as well as threats from customer personnel and others with access to the system.

Eliminated CC3.3, which was redundant with CC3.1 and CC3.2 and has been merged into them.

Introduced two new confidentiality requirements (C1.7 and C1.8) to address the retention and disposal of confidential information.

The new trust services principles and criteria are effective for periods ending on or after December 15, 2016, with early implementation permitted. The full guidance is available for purchase through the AICPA website.

Bill Long

Feel free to contact Bill Long with your questions.
wlong@norrislong.com
(941) 284-1380

Risk Management in a Mobile World

Introduction

Mobile devices are rapidly becoming the primary end-user computing platform at area companies. The broad user experience, computing capabilities, and always-on connectivity combine to make mobile devices very compelling PC replacements. However, this shift to mobile computing represents a challenge to existing secure IT environments. IT management must consider new approaches to securing corporate data and minimizing risk when so many new variables are introduced. “How do these mobile devices expose our company?” is a common question. Because organizations want to take a mobile-first approach, many employees and managers are already enjoying the resulting benefits, which include efficiency, competitive differentiation and heightened innovation. Every new approach needs to be evaluated for new risks as well as benefits, so let’s take a minute to survey this new risk/benefit landscape.

Going Mobile

Consider the two key reasons why IT needs to adopt new strategies for securing corporate data on mobile, as compared to PCs, when pursuing a strategy to heighten user productivity.

Reduced IT control over mobile devices: The mobile era is all about the end user. Users get to pick the mobile platform that best meets their personal preferences, with the expectation that the device should also work in a business context for the full range of apps and content needed to stay productive. This is in stark contrast to the PC era, where IT offered end-users an approved PC with a set of pre-selected apps. End-users had very limited say in what the PC was able to access, and IT had the ability to control every aspect of the corporate-owned device, from physical ports to software and application versions. For mobile, end-users make the decision for many of these variables, and IT can only recommend devices and applications. IT has no way to enforce a standard OS, device or app across the organization. In fact, the more IT tries to lock down devices, the more end-users will try to bypass policies, increasing risk to the organization.

Old security models must adapt to stay relevant: In the PC operating system scenario, the agent-based security method worked well. This involved a piece of software residing on the PC that controlled the processes and data belonging to other applications. Unfortunately, this agent-based security model cannot be used to secure mobile devices because of the differences in the way their operating systems are designed. Mobile operating systems use a sandboxed architecture that isolates apps and their associated data, which can interact and share data only through well-defined mechanisms. This allows for greater security than the open file system used by PC operating systems, but it requires new tools that leverage the specific security capabilities made available by the device vendor itself.

Threats to Mobility

As trends such as the use of mobile devices to enhance enterprise productivity accelerate, organizations are being exposed to a variety of information security risks and threats. Threats introduced by mobile can be grouped into three categories:

Device based threat vectors

Mobile devices enable end-users to perform a variety of business-related tasks such as receiving email and accessing, editing and sharing corporate content via a variety of productivity apps. As a result, mobile devices store a significant amount of sensitive data. This data can be compromised in a variety of ways due to:

  • Always-on connectivity which could allow unauthorized parties to access business data.
  • Software that allows “jailbreak” or “rooting” of devices, compromising data security.
  • Portability making the devices susceptible to theft and misplacement.

Network based threat vectors

The always-on model requires mobile devices to be constantly connected to the internet. As a result, end-users might rely on untrusted public networks, enabling malicious parties to access and intercept transmitted data using:

  • Rogue access points
  • Wi-Fi sniffing tools
  • Sophisticated Man-in-the-Middle attacks

User based threat vectors

Mobile empowers end-users. While this is great for user-choice, well-meaning end-users often indulge in risky behaviors that could compromise business data. Examples of risky behaviors include:

  • Using un-approved cloud-based apps to share and sync data
  • Using un-approved productivity apps that maintain copies of corporate data
  • Jailbreaking/rooting devices to bypass security controls
  • Using malicious apps from un-approved app-stores
  • Exposing business data with malicious intent

While one may argue that the list of threat vectors introduced by mobile devices is similar to those introduced by laptops and similar portable PC-based devices, the fundamental differences between mobile and PC operating systems require IT to adopt purpose-built Enterprise Mobility Platforms to mitigate the risks introduced by mobile.

Countermeasures for New Risks

Implementing data loss prevention on mobile devices requires a layered security approach. This layered security approach can be implemented using the controls listed below:

1) Secure operating system

2) Strong Authentication

3) Remote wipe

4) Device Encryption

5) Data sharing

6) Network security

7) Application lifecycle management

8) Secure browsing

Below are descriptions of the data loss prevention requirements and specific controls. Each class of controls can include basic controls, which directly address the requirements; supplemental controls, which strengthen the basic controls; and compensating controls, which apply when no basic control is available. Together, these layered security controls establish a data loss prevention model for mobile.

Secure operating system

Secure applications to prevent malware from accessing application data – Configure apps to access data only when essential.

Provide a safe application ecosystem – Stores such as Google Play and the Apple App Store are tightly curated to minimize the likelihood of malware in posted apps. Apple prohibits certain backdoors, like the download of new, executable code into an already approved app. Apps can also be immediately revoked from app stores if they are later found to violate policies. Add additional tools to ensure malware is minimized.

Patch OS vulnerabilities quickly – Ensure devices are configured to automatically update as patches are released.

Strong Authentication

Remotely configure password policy

Auto-wipe device after a certain number of failed authentication attempts

Enforce identity for enterprise services

Remote wipe

For company-owned devices, remotely wipe all the data on the device

For employee-owned devices, remotely wipe ONLY the enterprise data on the device

Device Encryption

Encrypt all enterprise data-at-rest on the device

Encrypt all enterprise data-in-motion to and from the device

Encrypt all enterprise data in secure apps

Data sharing

For corporate email in the native email app:

  • Do not allow attachments to be opened in an unauthorized app
  • Do not allow forwarding through a personal email account
  • Do not allow copy/paste, printing, or screenshots of email text
  • Do not allow backup of email outside IT control

For corporate apps:

  • Do not allow app data to be accessed by unauthorized apps
  • Do not allow copy/paste, printing, or screenshots of app data
  • Do not allow backup of app data outside IT control

Network security

Prevent data loss as enterprise data traffic travels through public cellular and Wi-Fi networks outside IT control.

VPN: For companies that have standardized on device-wide VPN technology from vendors like Cisco and Juniper, the VPN service should be configured to provide a secure channel for data.

Application lifecycle management

Prevent rogue apps from being downloaded to device

Blacklist unauthorized apps

Whitelist authorized apps

Publish and distribute enterprise apps

Update enterprise apps

Secure browsing

Allow secure access to enterprise web apps located behind the firewall

Prevent data loss of downloaded documents and cached web content

Protect against “drive by” malware browser attacks
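The layered controls above only reduce risk if IT can verify they are actually in place on each device. The following is an added example, not code from the original post, that turns several of these controls (secure OS baseline, jailbreak status, auto-wipe threshold, device encryption, VPN, and the app whitelist/blacklist) into an automated posture check over an EMM inventory export. The field names, OS baselines, app identifiers and the sample devices are all constructed assumptions; map them to your own EMM's export schema.

```python
# Added example: evaluate an EMM inventory against the layered mobile controls.
# All field names, baselines and sample devices below are constructed (assumed).
from dataclasses import dataclass, field

MIN_OS = {"iOS": (9, 3), "Android": (6, 0)}          # assumed patch baseline per platform
APPROVED_APPS = {"com.corp.mail", "com.corp.docs"}    # whitelist (assumed bundle ids)
BLOCKED_APPS = {"com.example.cloudsync"}              # blacklist (assumed bundle id)
MAX_FAILED_ATTEMPTS = 10                              # auto-wipe must trigger at or below this


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    jailbroken: bool
    encrypted: bool
    passcode_set: bool
    failed_wipe_threshold: int            # 0 means auto-wipe is disabled
    vpn_configured: bool
    installed_apps: list = field(default_factory=list)


def parse_version(v):
    """'9.3.2' -> (9, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def evaluate(dev):
    """Return (control, finding) pairs for each layered control the device fails."""
    findings = []
    if dev.jailbroken:
        findings.append(("Secure operating system", "device is jailbroken/rooted"))
    if parse_version(dev.os_version) < MIN_OS[dev.platform]:
        findings.append(("Secure operating system", f"OS {dev.os_version} below baseline"))
    if not dev.passcode_set:
        findings.append(("Strong Authentication", "no passcode policy applied"))
    if not 0 < dev.failed_wipe_threshold <= MAX_FAILED_ATTEMPTS:
        findings.append(("Strong Authentication", "auto-wipe on failed attempts not enforced"))
    if not dev.encrypted:
        findings.append(("Device Encryption", "data-at-rest not encrypted"))
    if not dev.vpn_configured:
        findings.append(("Network security", "no VPN channel for data-in-motion"))
    for app in dev.installed_apps:
        if app in BLOCKED_APPS:
            findings.append(("Application lifecycle management", f"blacklisted app {app}"))
        elif app not in APPROVED_APPS:
            findings.append(("Application lifecycle management", f"app {app} not whitelisted"))
    return findings


# Constructed sample inventory: one compliant device, one failing several controls.
SAMPLE = [
    Device("cfo-iphone", "iOS", "9.3.2", False, True, True, 10, True, ["com.corp.mail"]),
    Device("sales-android", "Android", "5.1", True, False, True, 0, False,
           ["com.corp.mail", "com.example.cloudsync"]),
]

if __name__ == "__main__":
    for d in SAMPLE:
        for control, finding in evaluate(d):
            print(f"{d.name}: [{control}] {finding}")
```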

Conclusion

The pressure to support new mobile operating systems will be a constant challenge for IT departments because operating system and device choice are now determined by the consumer, not by the enterprise, and can change frequently. Mobile operating systems such as Android and iOS, combined with an enterprise mobility management (EMM) platform, have matured to provide the layered security controls the enterprise requires to mitigate the risk of data loss on both corporate-owned and personally-owned devices. As a result of these controls, organizations can now support the new generation of mobile operating systems and devices that their user communities demand.

Feel free to contact Jeff Sheets or Bill Long with your questions about mobile device security.

jsheets@packerthomas.com

wlong@packerthomas.com

(800) 943-4278
(330) 533-9777