Disa Project Report On Assessing Risks And Formulating Policy For Mobile Computing

PROJECT REPORT

REPORT ON ASSESSING RISKS AND FORMULATING POLICY FOR MOBILE COMPUTING

A) M/S RADISSON LIMITED

Radisson Limited (the Auditee) is a global IT Solutions provider whose services include designing and developing information technology services such as websites, web based software solutions, and data digitization and processing.

Radisson Ltd is a global Indian IT Solutions provider with development centers in India and marketing offices across the USA, Asia and Europe. It has more than 15,000 employees. It offers both standard and customized products and services to its customers. The company has highly skilled professionals who are in great demand in the highly competitive market. M/s Radisson Limited provides different types of services in application development and maintenance, such as IT infrastructure services, engineering and industrial services, enterprise solutions, enterprise security and risk services, and many more.

1. APS AND ASSOCIATES (AUDIT FIRM)

APS and Associates was established in 2001 and consists of three partners. Presently, apart from the three partners, the firm has two recently qualified Chartered Accountants working as paid assistants, a team of twenty four article assistants and two commerce graduate employees.

The firm has vast experience in the field of audit and assurance services, including tax audits, statutory audits, internal audits, bank audits, due diligence and IS audit. It also provides consulting on various IT issues, including mobile computing and cloud computing.

Mrs. SB graduated from the University of Gujarat in 1998 and, upon qualifying as a Chartered Accountant in 1999, worked with the Income Tax Department. She completed the post qualification course on Information Systems Audit (ISA) in 2006. She is now responsible for handling Income Tax Matters and Specialized System Audit.

Mr. PD graduated from Rajasthan University in 1999. He completed the post qualification course on Information Systems Audit (ISA) in 2007. He is now responsible for handling Auditing and Assurance Services and Bank Audits.

Miss AD graduated from Delhi University in 2007. She has 1.5 years of working experience with PWC in the area of Internal Audits. Currently she is responsible for handling Internal Audits.

FOR THIS ASSIGNMENT THE AUDIT TEAM WILL COMPRISE FIVE MEMBERS HEADED BY MRS. S.B. (FCA, DISA); THE OTHER TEAM MEMBERS WILL INCLUDE MR. PD (FCA, DISA) AND THREE ARTICLE ASSISTANTS, ONE OF WHOM IS A CERTIFIED ETHICAL HACKER.

2. AUDITEE ENVIRONMENT:-

Radisson Ltd is a global Indian IT Solutions provider with development centers in India and marketing offices across the USA, Asia and Europe. It has more than 15,000 employees. It offers both standard and customized products and services to its customers. The company has highly skilled professionals who are in great demand in the highly competitive market. The company's services include designing and developing information technology services such as websites, web based software solutions, and data digitization and processing. The company is regulated by various regulations of the country, and some of the major regulations are as under:

Income Tax Act

Excise Act

Service Tax Regulations

VAT

FEMA, FERA and RBI Regulations

Information Technology Act

Companies Act, 2013

Other Security and Labour Laws

Technology deployed by the Company:

The SYSTEM Software deployed by the company is Microsoft Windows and Linux.

The DATABASE Software deployed by the company is MYSQL

The APPLICATION Software deployed by the company is as follows:

Internet Explorer (Web Browser)

Microsoft office 2013

MySQL (Database Software)

VLC Media Player (Audio/Video Software)

World of Warcraft (Game Software)

Security Suite

Backup and Recovery Software

IT Solution Software

3. BACKGROUND AND SITUATION:-

The HR department has recently enforced a strict attendance policy which requires mandatory physical presence at the office premises for a specified number of hours.

This has resulted in increasing discontent among the employees.

The client has observed that employee productivity has gone down and several projects have missed their timelines.

There has been an increase in employee turnover, impacting deliverables to the customers and leading to loss of reputation and business.

As the productivity of the highly skilled workers can be assessed on the basis of the project plan and deliverables, it has been suggested that management should implement flexible working hours and allow employees to work off-site. The management has decided to explore the option of using mobile computing to increase employee productivity and offer employees the convenience of working from any location. However, they are concerned about the risks of allowing access to the IT resources of the company from off-site locations.

Therefore, in order to increase employee productivity and offer employees the convenience of working from any location, the management wants to use mobile computing.

Mobile computing enables enterprises to connect with their employees at all times, resulting in increased productivity and a better return on investment. Some examples of business applications are:

      1. Workforce productivity increases, as mobile devices enable employees to work from anywhere, at any time, by accessing and updating information as required. For example, employees can read and respond to emails using laptops, PDAs and smart phones from the office, from their residence and even while on the move.
      2. Customer service can be improved by responding to customer queries on site or off site. For example, customer complaints can be accessed and responded to by accessing past or latest information about the client as required.
      3. Incident management can be improved by resolving problems faster, without the limitation of time, as the concerned employees can attend to these regardless of their location. Further, escalations can be updated in real time. For example, a computer breakdown can be serviced by service engineers from their desks or from outside by logging into the specific computer, identifying the problem and resolving it online.
      4. Business processes can be transformed by using mobile devices. Enterprises can reengineer core business processes. The new and reengineered processes can focus on the key features of location and time independence. Enterprises can focus on providing customers and employees with access to information in different ways and on providing the latest information. This enables employees, customers and businesses to be available to one another as per their choice. For example, billing can be done by employees using handheld devices at the customer's site, with the information updated online, and deliveries to customers can be speeded up.
      5. Enterprises can dynamically modify and update their offerings and offer altogether new products and services. For example, enterprises can implement telecommuting with flexible working hours and locations, allowing for cost savings and better efficiency.

4. TERMS AND SCOPE OF ASSIGNMENT:-

We have been appointed by the company for Assessing Risks and Formulating Policy for Mobile Computing on the terms and scope mentioned in the letter, which are as under:

Understand the company's work practices

Company technology infrastructure

Company HR policies

Access policies

Assess security requirements and customer deliverables as per the project plan

Provide recommendations for implementing mobile computing, together with recommendations on the policies and procedures required to meet business needs, compliance and regulatory requirements

5. LOGISTICS ARRANGEMENTS REQUIRED

Details of the logistics required for execution of the assignment, including hardware, system software, application software, data, documentation, CAAT tools etc.:

Computers/laptops with internet access and LAN connection

Access to the SAP application software, MS Office 2013 software, Financial Application, Sales Application, Payroll Application, Inventory Application, Corporate Work Station and Windows Server – Enterprise used by Radisson Ltd.

Separate user IDs and passwords for the team

Adequate seating space for our team and a safe storage facility for keeping papers

Facilities for discussions amongst our team and the company's designated staff

Travelling facility locally, and lodging, boarding and travelling facility for outstation work

CAAT tools include:

Belarc Advisor

Microsoft Baseline Security Analyzer

SQLite Expert

CAAT tools such as IBM Rational Rose etc.

NS Port Scanner

Utility software, spreadsheets, SQL commands etc.

6. METHODOLOGY AND STRATEGY ADOPTED FOR EXECUTION OF ASSIGNMENT

We propose to engage a core team of five audit personnel for this assignment under the leadership of Mrs. S.B.

Radisson Ltd. should designate a person at a senior level to co-ordinate between us. The Company should also depute one person each from the system and audit groups to form part of the audit team.

Review of the company's policies, objectives and working practices.

Review of the system software, the controls that are established in the system, and all input and output processes.

Review of the controls over continuity of stored data and the back-up plan, necessary to ensure that once data is updated to a file, the data remains correct and current on the file.

Review of the inbuilt controls for stored data so as to ensure that only authorized persons have access to data files.

The detailed systematic audit procedure will be finalized after completing the review of the documentation and discussion with the system staff and users.

Review of the controls established for the development, documentation and amendment of programs so as to ensure that they go live as intended.

We will adopt a methodology as per COBIT and the relevant guidelines, methods, procedures and standards, and all of these will accordingly be followed by us. We will also prepare the necessary documents.

The above objectives shall be achieved through following methodology.

Obtaining knowledge of the IT resources at the company.

Obtaining knowledge regarding the company, its structure and information architecture.

Obtaining an understanding of the internal control system of the company.

Identifying the company's existing policies, procedures, methods and practices, and whether all of them are documented.

Application of COBIT.

Checking IT related guidelines and circulars.

Formulating an audit report covering our reviews and findings.

Presentation of the final report after discussion with the IT management and the internal audit team of the company.

The company should provide all information and resources on time and co-ordinate for interaction and clarification as required.

7. WE REVIEWED THE FOLLOWING DOCUMENTS OF THE COMPANY.

User manual & technical manual which are prepared by company.

Document related to Organization chart & hierarchy and job responsibility.

Access matrix circulars, guidelines issued to employees.

Contracts with vendors.

Any other document as identified by us as required for the audit.

Policy Documents

Information Security Policy

Employee Handbook

Change Management Policy

Accounting Policy

Risk Assessment Policy

Outsourcing Policy

System and application software currently in use

Roles and Responsibilities policy

Segregation of duties and delegation of authority

8. REFERENCES:-

www.icai.org

www.isaca.org

ISACA IS Auditing Guideline Mobile Computing G 27

COBIT Framework

https://www.wikipedia.org/

https://cloudsecurityalliance.org

9. DELIVERABLES:-

A meeting of the business unit heads was held where it was pointed out that the increased turnover of employees is impacting deliverables to the customers and is leading to loss of reputation and business. The management has to implement flexible working hours and allow employees to work off-site.

Mobile Computing is a technology that allows transmission of data, voice and video via a computer or any other wireless enabled device without having to be connected to a fixed physical link. The main concepts involved are:

Mobile communication

Mobile hardware

Mobile software

Mobile Hardware

Mobile hardware includes mobile devices or device components that receive or access the service of mobility. They range from portable laptops, smartphones and tablet PCs to Personal Digital Assistants.

These devices have a receptor medium that is capable of sensing and receiving signals. They are configured to operate in full-duplex, whereby they are capable of sending and receiving signals at the same time: they don't have to wait until one device has finished communicating for the other device to initiate communications. The devices mentioned above use an existing and established network to operate on; in most cases, this is a wireless network.

Mobile Software

Mobile software is the actual program that runs on the mobile hardware. It deals with the characteristics and requirements of mobile applications. This is the engine of the mobile device. In other terms, it is the operating system of the appliance. It is the essential component that operates the mobile device. Since portability is the main factor, this type of computing ensures that users are not tied or pinned to a single physical location, but are able to operate from anywhere. It incorporates all aspects of wireless communications.

RISKS:

The management has decided to explore option of using mobile computing to increase employee productivity and offer convenience of working for employees from any location. However, they are concerned about the risks of allowing access to IT resources of the company from off-site location.

BUSINESS RISKS:-

The primary business risks related to the use of mobile computing are:

The loss or theft of sensitive information;

Unauthorized access to sensitive business information or applications;

Loss of control over data, applications, risks and audits

Unintentional disclosure or leakage of sensitive information

Fraud involving the use of mobile computing

Geo-tracking of employees or customers

Customer defections due to misuse or failure of smartphone and tablet connections

Source: IT Policy Compliance Group, 2011

The other major business risks cited by a majority of those experiencing the best outcomes include the loss or theft of the devices themselves, and the unintentional disclosure of sensitive information that occurs through these devices.

Figure 6: Business risks of smartphones and tablet computers. The business risks: loss or theft of sensitive information, unauthorized access, loss of control over data, applications, risks and audits. Source: IT Policy Compliance Group, Managing the Benefits and Risks of Mobile Computing, 2011.

The lowest business risks are found to be customer defections due to misuse or failure of the devices, followed by geo-tracking of employees or customers. Although the numbers rank geo-tracking of employees as a low business risk, one-on-one interviews conducted with several senior managers reveal geo-tracking to be a growing risk, especially for high-ranking executives, and in cases where teams of people from an organization are converging in one geographic area. Lopsided results for loss of devices and fraud are considered lower risks among average performing organizations but higher risks among the best and worst performing organizations. Interviews revealed that most organizations consider smartphones to be disposable, as long as the information on these devices is protected from use or reuse.

Larger organizations tend to focus more on the impacts the devices have on customer loyalty, repeat business, revenue and profitability. These are larger concerns in the banking, retail and transportation industries, where entirely new mobile device apps are being used by the customers of firms in these industries. In addition to the business risks, the research findings reveal very significant differences in the policies and practices being implemented by organizations, covering a range of activities, including: who owns mobile devices, whether employees are encouraged or allowed to use their own devices, and whether IT manages smartphones and tablet computers.

OPERATIONAL RISKS:

Malicious software shutting down or taking over mobile devices

Ineffective vulnerability, configuration and penetration testing practices

Inability to detect or prevent rogue applications on mobile devices

Inability to wipe sensitive data from, or lock, stolen devices

Ineffective patching and remediation of mobile devices

Inability to track or locate stolen or lost mobile devices

Inability to control or limit access to sensitive information or applications

Ineffective detection or knowledge of mobile devices in the environment

LEGAL AND REGULATORY CHALLENGES

Inability to conduct information security audits

Exposure to civil or criminal action due to inadequate due care findings

Inability to comply with cross border data privacy regulations or laws

Loss of ownership of data due to differences in legal jurisdiction

Inability to deliver forensic information for investigation

Exposure to civil or criminal action due to inadequate due care

Inability to deliver policy and control evidence for audits

Inability to respond to subpoenas or legal electronic discovery requests

ACTION TAKEN TO MANAGE THE RISKS:

Use of mobile devices is limited to specific employees

Limit access to sensitive information and applications

Geo-track devices to aid in recovery or destruction of information

Protect and back up information from devices

Wipe stolen or lost devices information and credentials

Prevent and record unauthorized logon attempts

Deliver and measure policy and security awareness training for users

Prohibit custom ROMs, rooted devices and access to app markets

Use anti-virus and anti-malware

Protect sensitive information on devices with encryption

Prevent unauthorized devices and people from accessing information / applications

Patch system software on devices

Test configuration and settings on devices

10. FORMAT OF REPORT / FINDINGS AND RECOMMENDATIONS

The responsibility for the proper and effective implementation of mobile computing, with the recommended policies and procedures required to meet business needs, compliance and regulatory requirements, lies with the Management and with the service providers as per the different SLAs. The report is based on the management's request to explore the option of using mobile computing to increase employee productivity and offer employees the convenience of working from any location.

Risk: Loss of highly skilled personnel and employees leading to loss of reputation and revenue
Control: Management is exploring the option of using Mobile Computing
Risk Category: High
Recommendation: The HR Department should change its strict attendance policy. Flexible working hours should be implemented.

Risk: Unauthorized access to the company's confidential data / information
Control: The Logical Access Controls, including the password policy, are well defined by the company.
Risk Category: Low
Recommendation: The password policy should be regularly updated.
all systems and application as per the

Risk: Unauthorized access to information systems and data
Control: The user access control matrices are defined and entitlements are reviewed from time to time by the authority.
Risk Category: Low
Recommendation: The user access control matrix should be reviewed periodically.

Risk: Data loss from lost, stolen or decommissioned devices
Control: Devices are password protected.
Risk Category: High
Recommendation: A strong password with encryption can prevent data leakage on the devices.

Risk: Data loss and data leakage through poorly written applications
Control: Security checks are established.
Risk Category: Medium
Recommendation: Trusted applications with properly defined and documented security checks should be used.

Risk: Vulnerabilities in hardware, OS, applications and third party applications
Control: Licensed software is purchased.
Risk Category: Medium
Recommendation: Use secure, tamper-proof hardware (e.g. secure micro-SD) to store credentials; always ensure credentials are encrypted using a private key which is password protected by a high entropy password (this should usually be the device unlock PIN to ensure minimum usability cost).

Risk: Unsecured WiFi, network access, rogue access points
Control: WiFi security measures are established.
Risk Category: High
Recommendation: WiFi access should be made available only to authorised personnel and regularly monitored.

Risk: Insufficient access to APIs, management tools and multi-personas
Risk Category: Medium

Risk: NFC and proximity based hacking
Risk Category: Low

Risk: The organization's network is not protected from external attack or worms.
Control: The firewall, routers and IDS are installed and properly configured to protect the network perimeter from potential external attack from the Internet, and the audit trail is enabled on the firewall to detect external attack.
Risk Category: Medium
Recommendation: The firewall, routers and IDS should be installed and properly configured to protect the network perimeter from potential external attack from the Internet. The audit trail should be enabled on the firewall to detect external attack.

Risk: Exposure due to information interception through wireless sniffers or intrusion, resulting in a loss or breach of sensitive data or privacy, impacting enterprise reputation and with legal implications
Control: It has a password policy, and IDS and firewall configured for inbound and outbound traffic.
Risk Category: Low
Recommendation: It should have a password policy, and IDS and firewall configured for inbound and outbound traffic.

Risk: Physical damage to devices, data corruption, data leakage, interception of calls and possible exposure of sensitive information
Control: Radisson Ltd. has not provided protection to devices, data and sensitive information.
Risk Category: High
Recommendation: Radisson Ltd. should have all possible protection for devices, data and sensitive information. Devices, data and sensitive information should be kept in a secure place.

Risk: Possibility of fraud through remote access and inability to prevent or detect it
Control: No limited access is provided and access is provided to authorised users only.
Risk Category: High
Recommendation: Access should be provided to authorised users only, on a need to know and need to do basis.

Risk: Lost devices or unauthorised access to unsecured devices
Control: Radisson Ltd. has not provided protection to devices.
Risk Category: High
Recommendation: Radisson Ltd. should have all possible protection for devices.

Additional Recommended Countermeasures to Attacks

1. Physical access to storage (allows attacker to circumvent PIN throttling)

Use secure, tamper-proof hardware (e.g. secure micro-SD) to store credentials, always ensure credentials are encrypted using a private key which is password protected by a high entropy password (this should usually be the device unlock PIN to ensure minimum usability cost).

Always use disk encryption for all sensitive data on mobile memory.

Enforce password rules for unlock PINs (use ASCII, entropy, > 6 digit, dictionary resistant). Bear in mind that unlock pins often also give access to (decrypt) encryption keys, such as disk encryption keys and other credentials stored on the device. User-to-device authentication is therefore especially important.

Do not use insecure biometric device unlock mechanisms without liveness detection, such as face recognition, for sensitive applications.

Never store passwords in plain text—use a salted hash.

Decommissioning/loss/theft procedures should be in place (e.g. remote-kill, locate, lock).

Always enforce use of PIN-lock.
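As an added illustration of the unlock PIN rules and the salted-hash storage recommended above (example code written for this report, not a tool used by the auditee or the audit firm; the thresholds and the small common-secret list are assumed values standing in for a real policy and dictionary):

```python
"""Unlock-secret policy check and salted-hash storage (added example).

The rules follow the countermeasures above: printable ASCII, more than
6 characters, an entropy floor, and dictionary resistance. The exact
thresholds and the blocklist below are assumptions for this example.
"""
import hashlib
import hmac
import math
import secrets
from typing import List, Optional

MIN_LENGTH = 7               # "> 6 digits": assumed to mean at least 7 characters
MIN_ENTROPY_BITS = 28.0      # assumed floor; 7 decimal digits (~23.3 bits) fail it
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored hash

# Constructed blocklist standing in for a dictionary of common secrets.
COMMON_SECRETS = {"1234567", "password", "12345678", "qwerty12", "11111111"}


def charset_size(secret: str) -> int:
    """Size of the alphabet the secret draws from (digits, lower, upper, symbols)."""
    size = 0
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(secret: str) -> float:
    """Upper-bound guessing entropy: length * log2(alphabet size)."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def is_sequential_or_repeated(secret: str) -> bool:
    """Reject trivially guessable shapes: all-same, ascending or descending runs."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def check_unlock_policy(secret: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not secret.isascii() or not secret.isprintable():
        problems.append("non-printable or non-ASCII characters")
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if entropy_bits(secret) < MIN_ENTROPY_BITS:
        problems.append(f"entropy below {MIN_ENTROPY_BITS} bits")
    if secret.lower() in COMMON_SECRETS or is_sequential_or_repeated(secret):
        problems.append("dictionary word or trivial pattern")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Store the secret as salt + PBKDF2-HMAC-SHA256, never as plain text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("1234567", "qwerty12", "Rx7!kq29"):
        print(candidate, check_unlock_policy(candidate) or "ok")
    record = hash_secret("Rx7!kq29")
    print(record, verify_secret("Rx7!kq29", record))
```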

2. OTP theft/relay

Do not use OTP generators on the same device as the primary login (e.g. Google Authenticator).

Ensure all anti-malware measures are in place on primary and secondary device (e.g. PC and mobile phone)

3. Malware on device

Take all possible measures to ensure malware does not reach the device – e.g. disallow jailbreak, use app-whitelist + pre-test enterprise apps.

Use MDM software with jailbreak detection/ other health check support

Never store passwords in plain text—use salted hash

4. Side channel attacks (e.g. smudge attack, accelerometer attack)

App and OS developers should block access to accelerometer during password entry

Use of PIN is more secure than pattern.

Use reverse patterns (covering the same digit more than once) where possible (although this is not allowed on Android), wipe screen regularly.

5. NFC authentication failure – e.g. relay attack

Use time-bounding protocols to prevent relay attacks

6. User->Device specific attacks:

Biometric spoof: Do not use biometric device-lock or other biometric systems which operate without any sophisticated liveness detection.

No PIN-lock: Enforce PIN-lock.

Data not encrypted: Enforce disk encryption.

The applicability of the Acceptable Use Policy (AUP) to the use of personal devices should be clearly defined, along with any other existing policies that may be directly impacted.

The use of cloud backup solutions should be limited to personal data.

A stance on jailbreaking/rooting should be set.

The treatment of policy violations should be clearly defined.

Appropriate steps to be taken prior to device disposal should be outlined.

The trust boundary diagram is a simple visual that highlights the separations between the user of a mobile system, the mobile device itself (operating system), the applications on the mobile device, and the corporate network. Other components can be substituted or added as desired for various audiences, but these are the primary components in question.

Next, the authentication types possible between each layer will be added (at the trust boundary). This will give a visual indication of how each type of authentication can be used at different layers of the mobile ecosystem, e.g. from the user to the device one can employ password, PIN, face-recognition, voice recognition, etc.

11. SUMMARY / CONCLUSION

Today, all organizations to some degree are mobile—in the work they do, the products they sell, the services they deliver. Mobility enables people to take their business with them wherever they go – including proprietary company information, intellectual capital, and sensitive customer data.

Mobile devices empower employees to do what they need to do — whenever and wherever. People can work and collaborate “in the field” with customers, partners, patients or students and each other. But they need to be supported with always current operational processes and information, whether from apps, the Internet, or documents from other people. Let’s face it: mobile devices today “house” the company just as much as an office building does.

Today's computing has rapidly grown beyond being confined to a single location. With mobile computing, people can work from the comfort of any location they wish to, as long as the connection and the security concerns are properly factored in. In the same light, the presence of high speed connections has also promoted the use of mobile computing.

Being an ever growing and emerging technology, mobile computing will continue to be a core service in computing and in Information and Communications Technology.

Allowing employees to use their preferred, personally-owned devices in the course of their work can increase productivity and retention, but it also brings additional risk. With a clear, well-communicated policy, both parties can be more comfortable with the situation. The policy should be written in easily understood language and should be thorough but not so long as to become unapproachable. The policy should be appropriate to the needs of the business, as an over-controlling policy may expose the company to increased legal liability. It should also clearly define which systems, applications, and data are permitted to be accessed from mobile devices and which would create an unacceptable security posture. Such a clear and concise policy creates a solid foundation for a successful Mobile Computing program.
