TIM 2000 words
information security and compliance case study: managing issues arising from DEVICE PROLIFERATION and adoption of “BRING your own device” policies in Smb Non-profits
1
Device Proliferation Complicates Security and Privacy
Tools for unified security management aren’t adequate to enforce the following.
Encryption
Password policy
Inactivity timeout and screen lock
Users mix personal and sensitive company data on the same device complicating
Legal discovery
Remote wipe
Ability to attest to a known security state
A“bad day” looks like…..
A personal MacBook with company e-mail containing sensitive data (donor list / patient information) is lost. A disgruntled employee reports this to: your Board / the Department of Health and Human Services / the San Francisco Business Times. Upon investigation it is discovered:
There was no policy prohibiting e-mail on unmanaged devices
Your helpdesk set up e-mail on the device
The device was not password protected
The device was not encrypted
The device can not be remotely erased
IT had never informed management of the risks of allowing e-mail to synchronize to unmanaged devices
Your organization is now publically on the wall of shame at
Privacyrights.org
The Department of Health and Human Services
The Office of the California Attorney General
YOU
The risk of an incident is very real
Target
Loss of nearly 110M customer’s payments cards
Home Depot
56M customer’s payments cards compromised
Anthem Health Insurance
Cyber-attack resulting in exposure of over 80M people’s health and SS infomation
Thousands of other examples
http://www.privacyrights.org/data-breach
http://oag.ca.gov/ecrime/databreach/list
Legal Mandates to disclose increase the consequences of a privacy breach
Department of Health and Human Services HITECH
Health Information Technology (HITECH) Act section 13402
HIPAA covered entities
Federal Trade Commission
FTC 16 C.F.R. Part 318: Health Breach Notification Rule
Health Information
California Privacy Act:
Civil Code 1798.80-1798.84
Broad variety of personal information
The California Privacy Act covers a very broad range of personal information
Name, Signature, physical characteristics or description
Social security number, passport number
Driver's license or state identification card number
Address, telephone number
Insurance policy number
Education, employment, employment history
Bank account number, credit card number, debit card number
Any other financial information
Any other medical information
Any other health insurance information
Does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Loss and Theft of devices is the biggest cause of incidents
Sources of HIPAA Data Breaches 2010 to 2013 and Recommended Controls
Hacking / IT Error [PERCENTAGE]
Insider Disclosure [PERCENTAGE] Hacking/IT Incident Unauthorized Disclosure Loss / Improper Disposal Theft 54 127 99 321
| = Endpoints, encrypt | |
| = Servers and Backups, locate in data centers |
Loss and theft occurs for all types of network equipment, each needs to be properly protected.
Desktop Laptop Phone / tablet Server Backup Media 23.75 181.25 73 28.75 7
Small to Mid Sized Non-Profits have a particularly big problem
Often have sensitive information
Donor lists
Client information subject to HIPAA controls
Client information subject to California Privacy Act
Cost considerations prohibit providing a dedicated company phone / tablet. Users are encouraged to use personal devices
Cultural norms limit ability of IT to enforce policy
Budget and lack of scale exacerbate issues of having a heterogeneous set of devices
Don’t do this!
Recruit allies who can drive adoption of security best practices
CPA’s (auditors)
Homogeneity eases HIPAA or SSAE 16 compliance
Legal Counsel
Inadequate data protection practices increase legal liability
Insurance Brokers
Inability to attest to certain controls will increase insurance costs or make coverage unavailable
IT Consultants
Confirm for management the challenges and costs of supporting multiple platforms
Help identify and the best tools to manage various platforms
Manage Risks Holistically
Educate top management
Get sign-off on a risk based security and privacy policy.
Budget for tools to support new devices
Control risks of user ignorance or anger at the firm
Educate employees on legal and ethical requirements for protecting sensitive data
Encourage good human resource practices to improve employee satisfaction
Security requirements
Restrict data storage to only those devices that can be physically secured or affirmatively encrypted
Restrict uncontrolled devices to streaming only access
Reduce Legal Liability
Get audited for HIPAA or SSAE 16 compliance
Buy Insurance
Security leads to Supportability
Pushing back against having to support a new device is often a problem IT has to face alone.
Security of company and customer data should be an organization wide issue everyone can get behind.
By ensuring that everyone is on-board with security you will have the buy-in you need to restrict access to a supportable environment.
Appendix
Some MDM Solutions
Exchange ActiveSync
Citrix XenMobile
AirWatch
Mobile Iron
Good
Meraki
Mobile Iron has caveats and limitations
One-size-fits-all device management is not practical. Fractured set of device policies is required for implementation in heterogeneous environments.
Problem is even more obvious if you wish to extend product beyond phones/tablets. OS X support is very limited.
Implementation, scoping , and application of device security policies is not intuitive. Administrator, support staff, and end user training/retraining is required.
General “out of compliance” notifications are vague. Advanced administrator knowledge of product is required to interpret findings and act on potential security risks.
Support response time is slow. Update are released infrequently even in response to acknowledged problems with product.
866.926.8746
866.926.8746
www.xantrion.com
www.xantrion.com