REPORT ON ASSESSING RISKS AND FORMULATING POLICY FOR MOBILE COMPUTING
A) M/S RADISSON LIMITED
Radisson Limited (the Auditee) is a global IT Solutions provider company including designing and developing information technology services including website, web based software solutions, data digitization and processing.
Radisson Ltd is a global Indian IT Solutions provider with development centers in India and marketing offices across, USA, Asia and Europe. It has more than 15,000 employees. It offers both standard and customized products and services to its customers. The company has highly skilled professionals who are in great demand in the highly competitive market. M/s Radisson Limited provide different type of services in application development and maintenance like IT infrastructure services, engineering and industrial services, enterprises solution, Enterprises security and risks development and many more.
1. APS AND ASSOCIATES (AUDIT FIRM)
APS and Associates established in 2001 consisting of three partners. Presently the firm apart from three partners it has two recently qualified Chartered Accountants working as paid assistants and a team of twenty four article assistants and two commerce graduate employees.
The firm is having vast experience in the field of audit and assurance services including tax audits, statutory audits, internal audits, bank audits, due diligence and IS audit. It also provides consulting on various IT issues including mobile computing and cloud computing
Mrs. SB graduated from University of Gujarat in year 1998 and upon qualifying as Chartered Accountant in year 1999 worked with Income Tax Department. She completed the post qualification course on Information Systems Audit (ISA) in the year 2006. Now she is responsible for handling Income Tax Matters and Specialized System Audit.
Mr. PD graduated from Rajasthan University in year 1999. She completed the post qualification course on Information Systems Audit (ISA) in the year 2007. Now he is responsible for handling Auditing and Assurance Service and Bank Audits.
Miss AD graduated from Delhi University in year 2007. She has a working experience of 1.5 years with PWC in the area of Internal Audits. Currently she is responsible for handling Internal Audits.
FOR THIS ASSIGNMENT THE AUDIT TEAM WILL COMPRISE OF FIVE MEMBERS HEADED BY MRS. S.B. (FCA, DISA), OTHER TEAM MEMBER WILL INCLUDE MR. PD (FCA, DISA) AND THREE ARTICLE ASSISTANTS ONE OF WHOM IS A CERTIFIED ETHICAL HACKER.
2. AUDITEE ENVIRONMENT:-
Technology deployed by the Company:
The SYSTEM Software deployed by the company is Microsoft Window, LINUX
The DATABASE Software deployed by the company is MYSQL
The APPLICATION Software deployed by the company are as follow:
Internet Explorer (Web Browser)
Microsoft office 2013
MySQL (Database Software)
VLC Media Player (Audio/Video Software)
World of Warcraft (Game Software)
Backup and Recovery Software
IT Solution Software
3. BACKGROUND AND SITUATION:-
Technology deployed by the Company:
Radisson Ltd is a global Indian IT Solutions provider with development centers in India and marketing offices across, USA, Asia and Europe. It has more than 15,000 employees. It offers both standard and customized products and services to its customers. The company has highly skilled professionals who are in great demand in the highly competitive market. The HR department has recently enforced a strict attendance policy which requires mandatory physical presence at the office premises for specified number of hours.
This has resulted in increasing dis-content from the employees
The client has observed that employee productivity has gone down and several projects have missed the timeline.
There has been increase in employee turnover impacting deliverables to the customers and is leading to loss of reputation and business.
As the productivity of the highly skilled workers can be assessed based on the project plan and deliverables, it has suggested that management has to implement flexible working hours and allow employees to work off-site. The management has decided to explore option of using mobile computing to increase employee productivity and offer convenience of working for employees from any location. However, they are concerned about the risks of allowing access to IT resources of the company from off-site location.
Therefore in order to increase the employee productivity and offer convenience of working for employees from any location the management wants to use mobile computing:
Mobile computing enables enterprises to connect with their employees at all times resulting in increased productivity and a better return on investments. Some examples business applications are:
- There is increase in workforce productivity as mobile device enables employees to work from any ware, anytime by accessing and updating information as required. For examples employees can read / respond to emails using laptops, PDAs and smart phones from office, residence and even when on the move.
- Customers’ services can be improved by responding to customer queries on site or off the site. For examples customers complaints can be accessed and responded by accessing past / latest information of client as required.
- Incident management can be improved by resolving problems faster without limitation of time as the concerned employees can attend to these regardless of their location. Further, escalations can be updated in real time problems. For examples computer breakdown can be serviced by service engineers from their desks / outside by logging into the specific computer, identifying problems and resolving it online.
- Business processes can be transformed by using mobile devices. Enterprises can reengineer core business processes. The new and reengineered processes can focus on “UTILITIES THE KEY” features of location and time independency. Enterprises can focus on providing customers and employees with access to information in different ways and provide the latest information. This enables employees, customers and businesses to be available to one another as per their choice. For examples billing can be done by employees using hand held devices at customers’ site and the information updated online and deliveries to customers can be speeded up.
- Enterprises can dynamically modify and update their offerings and offer new products and services altogether. For examples enterprises can implement telecommunication with flexible working hours and locations allowing for cost savings and better efficiency.
4. TERMS AND SCOPE OF ASSIGNMENT:-
We have appointed by the company for Assessing Risks and Formulating Policy for Mobile Computing on the terms and scope mentioned in letter are as under:
Understand the company work practice
Company Technology Infrastructure
Company HR Policies
Assess security requirement and customers deliverables as per project plan
To provide recommendations to implement mobile computing with recommendations of policies and procedures required to meet business needs, compliance and regulatory requirements
5. LOGISTICS ARRANGEMENTS REQUIRED
CAAT Tools include:Belarc Advisor Microsoft Baseline Security Analyzer Sqlite Expert CAAT Tools such as IBM Rational rose etc NS Port scanne Utility software, Spreadsheets, SQL Commands etc.
6. METHODOLOGY AND STRATEGY ADOPTED FOR EXECUTION OF ASSIGNMENT
We propose to engage a core team of five audit personnel for this assignment under the leadership of Mrs. S.B.
Radisson Ltd. should designate a person at a senior level to c-ordinate between us. The Company should also depute one personnel each from system & audit group form part of the audit team.
Review of companies policies, objectives and working practices
Review system software, controls that are established in system, all input output processes.
Review the controls of continuity stored data, back-up plan, necessary to ensure that once data is updated to a file, the data remains correct and current on the file.
Review the inbuilt controls for stored data so as to ensure that only authorized person have access to data files.
Detailed systematic audit procedure would be finalized after completing review of the documentation & discussion with the system staff and users.
Review controls established for the development, documentation and amendment of programs so as to ensure that they go live as intended.
We will adopt methodology as per COBIT, relevant guidelines, methods, procedures; standard & accordingly all are followed by us. We also prepared necessary documents.
The above objectives shall be achieved through following methodology.
Obtaining IT resources knowledge at company.
Obtaining knowledge regarding company, its structure & information Architecture.
Obtaining understanding of the internal control system of the company.
Identify company’s existing policies, procedure, methods & practices & all are documented or not.
Application of COBIT.
Check out IT related guidelines & circulars.
Formulate audit report on covering our reviews & findings.
Presentation of final report after discussion with IT management of internal audit team of company.
Company provide all information, resources on time and very co-ordinate for interaction & clarification as required
7. WE REVIEWED FOLLOWIGNDOCUMENTS OF THE COMPANY.
User manual & technical manual which are prepared by company.
Document related to Organization chart & hierarchy and job responsibility.
Access matrix circulars, guidelines issued to employees.
We reviewed contract with vendors.
Any other document as identified by us as required for the audit.
Information Security Policy
Change Management Policy
Risk Assessment Policy
System and application software currently in use
Roles and Responsible policy
Segregation of duties and delegation of authority
A meeting of the business unit heads was held where it was pointed out that the increased turnover of employees is impacting deliverables to the customers and is leading to loss of reputation and business. The management has to implement flexible working hours and allow employees to work off-site.
Mobile Computing is a technology that allows transmission of data, voice and video via a computer or any other wireless enabled device without having to be connected to a fixed physical link. The main concept involves:
Mobile hardware includes mobile devices or device
Components that receive or access the service of mobility. They would range from portable laptops, smartphones, tablet PCs, Personal Digital Assistants.
These devices will have a receptor medium that is capable of sensing and receiving signals. These devices are configured to operate in full-duplex, whereby they are capable of sending and receiving signals at the same time. They don’t have to wait until one device has finished communicating for the other device to initiate communications. Above mentioned devices use an existing and established network to operate on. In most cases, it would be a wireless network.
Mobile software is the actual program that runs on the mobile hardware. It deals with the characteristics and requirements of mobile applications. This is the engine of the mobile device. In other terms, it is the operating system of the appliance. It is the essential component that operates the mobile device. Since portability is the main factor, this type of computing ensures that users are not tied or pinned to a single physical location, but are able to operate from anywhere. It incorporates all aspects of wireless communications.
The management has decided to explore option of using mobile computing to increase employee productivity and offer convenience of working for employees from any location. However, they are concerned about the risks of allowing access to IT resources of the company from off-site location.
The primary business risks related to the use of Mobile computing:
The loss or theft of sensitive information;
Unauthorized access to sensitive business information or applications;
Loss of control over data, applications, risks and audits
Unintentional disclosure or leakage of sensitive information
Fraud involving the use of mobile computing
Geo-tracking of employees or customers
Customers defections due to misuse or failure of Smartphone and tablet connections
IT Policy Compliance Group, 2011
The other major business risk cited by a majority of those experiencing the best outcomes includes the loss or theft of the devices themselves, and the unintentional disclosure of sensitive information that occurs through these devices. Figure 6: Business risks of smartphones and tablet computers The business risks: loss or theft of sensitive information, unauthorized access, loss of control over data, applications, risks and audits. Source: IT Policy Compliance Group, 2011 The lowest business risks are found to be customer defections due to misuse or failure of the devices, followed by geo-tracking of employees or customers. Although the numbers rank geo-tracking of employees as a low business risk, one-on-one interviews conducted with several senior managers reveal geo-tracking to be a growing risk, especially for high-ranking executives, and in cases where teams of people from an organization are converging in one geographic area. Lopsided results for loss of devices and fraud are considered lower risks among average performing organizations but more risk among the best and worst performing organizations. Interviews revealed that most organizations consider Smartphones to be disposable, as long as the information on these devices is protected from use or reuse. Managing the Benefits and Risks of Mobile Computing 11 Larger organizations tend to focus more on the impacts the devices have on customer loyalty, repeat business, revenue and profitability. These are larger concerns in banking, retail, and transportation industries where entirely new mobile device Apps is being used by customers of firms in these industries. In addition to the business risks, the research findings reveal very significant differences in policies and practices being implemented by organizations, covering a range of activities, including: who owns mobile devices, whether employees are encouraged or allowed to use their own devices, and whether IT manages Smartphones and Tablet computers.
Malicious software shutting down or taking over mobile devices
Ineffective vulnerability, configuration and penetration testing practices
Inability to detect or prevent rogue applications on mobile devices
Inability to wipe sensitive data from or lock, stolen
Ineffective patching and remediation of mobile devices
Inability to track – or located – stolen or lost mobile devices
Inability to control or limit access to sensitive information or applications
Ineffective detection or knowledge of mobile device in the environment
LEGAL AND REGULATORY CHALLENGES
Inability to conduct information security audits
Exposure to civil or criminal action due to inadequate due care finding
Inability to comply with cross border date privacy regulations or laws
Loss of ownership of data due to differences in legal jurisdiction
Inability to deliver forensic information for investigation
Exposure to civil or criminal action due to inadequate due care
Inability to deliver policy and control evidence for audits
Inability to respond to subpoenas or legal electronics discovery request.
ACTION TAKEN TO MANAGE THE RISKS:
Use of mobile devices is limited to specific employees
Limit access to sensitive information and applications
Geo-track devices to aid in recovery or destruction of information
Protect and back up information from devices
Wipe stolen or lost devices information and credentials
Prevent and record unauthorized logon attempts
Deliver and measures policy and security awareness training for users
Prohibit customs ROMs for rooted devices and access to App-markets.
Use Anti virus and anti malware
Protect sensitive information on devices with encryption
Prevent unauthorized devices and people from accessing information / applications
Patch system software on devices
Test configuration and setting on devices
10. FORMAT OF REPORT / FINDINGS AND RECOMMENDATIONS
The responsibility of proper and effective implementation of mobile computing with recommendations of policies and procedures required to meet business needs, compliance and regulatory requirements lies with the Management and to the service providers as per different SLA’s. The report is based on the management request to explore option of using mobile computing to increase employee productivity and offer convenience of working for employees from any location.
|Loss of highly skilled personnel and employees leading to loss of reputation and revenue||Management is exploring option of using Mobile Commputing||High||HR Department should change its strict attendance policy. Flexible working hours should be implemented.|
|Unauthorized access to companies confidential data / information||The Logical Access Controls including password policy is well defined by the company.||Low|
The password policy should be regularly updated.
all systems and application as per the
|Unauthorized access to information system and data.||The user access control matrixes are defined and entitlements are reviewed time to time by authority.||Low||The user access control matrix should be reviewed periodically|
|Data Loss from Lost, Stolen or Decommissioned Devices||Devices are password protected.||High||Strong Password with encryption can prevent data leakage on the devices.|
|Data Loss and Data Leakage through poorly written applications||Security checks are establihed.||Medium||Trusted Applications with properly defined and documented security checks in applications should be used.|
|Vulnerabilities in Hardware, OS, Application and Third Party Applications||Licenced software are purchased.||Medium||Use secure, tamper-proof hardware (e.g. secure micro-SD) to store credentials, always ensure credentials are encrypted using a private key which is password protected by a high entropy password (this should usually be the device unlock PIN to ensure minimum usability cost).|
|Unsecured WiFi, Network Access, Rogue Access Points||WiFi security measures are established||High||WiFi access should be made available to only authorised personnel and regularly monitored.|
|Insufficient Access to APIs, Management Tools and Multi-Personas||Medium|
|NFC and Proximity Based Hacking||Low|
|Organization’s network is not protected from external attack or worm.||The Firewall, routers and IDS are installed and properly configured to protect the network perimeter from potential external attack from Internet and audit trail is enabled on the firewall to detect external attack.||Medium||The Firewall, routers and IDS should be installed and properly configured to protect the network perimeter from potential external attack from Internet. The audit trail should enabled on the firewall to detect external attack.|
|Exposure due to Information interception through wireless sniffers/intrusion resulting in a loss or breach of sensitive data, privacy impacting enterprise reputationand legal implications||It has password policy, IDS and firewall configure for traffic inbound and outbound.||Low||It should have password policy, IDS and firewall configure for traffic inbound and outbound.|
|Physical damage to devices, data corruption, data leakage, interception of calls and possible exposure of sensitive information.||Radisson Ltd. has not provided protection to devices, data and sensitive information.||High||Radisson Ltd. should have all possible protection to devices, data and sensitive information. Devices, data and sensitive information should be kept at secure place.|
|Possibility of fraud through remote access and inability to prevent/detect it.||No Limited access provided and access is provided to authorised users only.||High||It should provided access to authorised users only on the basis of need to know and need to do basis.|
|Lost devices or unauthorised access to unsecured devices||Radisson Ltd. has not provided protection to devices||High||Radisson Ltd. should have all possible protection to devices.|
Additional Recommended Countermeasures to Attacks
1.Physical access to storage (allows attacker to circumvent PIN throttling)
Use secure, tamper-proof hardware (e.g. secure micro-SD) to store credentials, always ensure credentials are encrypted using a private key which is password protected by a high entropy password (this should usually be the device unlock PIN to ensure minimum usability cost).
Always use disk encryption for all sensitive data on mobile memory.
Enforce password rules for unlock PINs (use ASCII, entropy, > 6 digit, dictionary resistant). Bear in mind that unlock pins often also give access to (decrypt) encryption keys, such as disk encryption keys and other credentials stored on the device. User-to-device authentication is therefore especially important.
Do not use insecure biometric device unlock mechanisms without liveness detection, such as face recognition, for sensitive applications.
Never store passwords in plain text—use salted hash13
Decommissioning/loss/theft procedures should be in place (e.g. remote-kill, locate, lock
Always enforce use of PIN-lock.
Do not use OTP generators on same device as primary login (e.g. Google authenticator)
Ensure all anti-malware measures are in place on primary and secondary device (e.g. PC and mobile phone)
3. Malware on device
Take all possible measures to ensure malware does not reach the device – e.g. disallow jailbreak, use app-whitelist + pre-test enterprise apps.
Use MDM software with jailbreak detection/ other health check support
Never store passwords in plain text—use salted hash
4.Side channel attacks (e.g. smudge attack, accelerometer attack)
App and OS developers should block access to accelerometer during password entry
Use of PIN is more secure than pattern.
Use reverse patterns (covering the same digit more than once) where possible (although this is not allowed on Android), wipe screen regularly.
5. NFC authentication failure – e.g. relay attack
Use time-bounding protocols to prevent relay attacks
6. User->Device specific attacks:
Biometric spoof o Do not use biometric device-lock or other biometric systems which operate without any sophisticated liveness detection.
No pin-lock o Enforce pin-lock
Data not encrypted o Enforce disk encryption
The applicability of the Acceptable Use Policy (AUP) to the use of personal devices should be clearly defined along
with any other existing policies that me directly impacting.
The use of cloud backup solutions should be limited to personal data.
A stance on jailbreaking/rooting should be set.
The treatment of policy violations should be clearly defined.
Appropriate steps to be taken prior to device disposal should be outlined.
The trust boundary diagram is a simple visual that highlights the separations between the user of a mobile system, the mobile device itself (operating system), the applications on the mobile device, and the corporate network. Other components can be substituted or added as desired for various audiences, but these are the primary components in question
Next, the authentication types possible between each layer will be added (at the trust boundary). This will give a visual indication of how each type of authentication can be used at different layers of the mobile ecosystem, e.g. from the user to the device one can employ password, PIN, face-recognition, voice recognition, etc.
11. SUMMARY / CONCLUSION
Today, all organizations to some degree are mobile—in the work they do, the products they sell, the services they deliver. Mobility enables people to take their business with them wherever they go – including proprietary company information, intellectual capital, and sensitive customer data.
Mobile devices empower employees to do what they need to do — whenever and wherever. People can work and collaborate “in the field” with customers, partners, patients or students and each other. But they need to be supported with always current operational processes and information, whether from apps, the Internet, or documents from other people. Let’s face it: mobile devices today “house” the company just as much as an office building does.
Today’s computing has rapidly grown from being confined to a single location. With mobile computing, people can work from the comfort of any location they wish to as long as the connection and the security concerns are properly factored. People can work and collaborate “in the field” with customers, partners, patients or students and each other.In the same light, the presence of high speed connections has also promoted the use of mobile computing.
Being an ever growing and emerging technology, mobile computing will continue to be a core service in computing, and Information and Communications Technology. Mobile devices today “house” the company just as much as an office building does today house
Allowing employees to use their preferred, personally-owned devices in the course of their work can increase productivity and retention, but it also brings additional risk. With a clear, well-communicated policy, both parties can be more comfortable with the situation. The policy should be written in easily understood language and should be thorough but not so long as to become unapproachable. The policy should be appropriate to the needs of the business, as an over-controlling policy may expose the company to increased legal liability. It should also clearly define which systems, applications, and data are permitted to be accessed from mobile devices and which would create an unacceptable security posture. Such a clear and concise policy creates a solid foundation for a successful Mobile Computing program.