ISACA issues mobile smartphone security policy guidance

ISACA recently issued new guidance, warning users of the dangers of smartphones, and giving guidance on creating a policy for their secure use.

Growing concern over the use of smartphones for business has prompted the professional body Information Systems Audit and Control Association (ISACA) to produce guidance for organisations to help them manage smartphone information security risks.

In a new white paper called Securing Mobile Devices, ISACA writes that, while mobile computing devices such as smartphones, laptops, personal digital assistants and USB memory sticks can help boost productivity, they can also open up organisations to new dangers.

The paper says, if companies want to take advantage of the benefits of mobile devices, they need to build a governance framework, including a mobile smartphone security policy, to ensure proper use, rather than allowing the growth of mobile usage to go unchecked.

But one of the report's contributors, Peter Wood, partner and CEO of West Sussex penetration testing company First Base Technologies LLP, as well as an expert, conceded that smartphones especially pose a tough problem.

ISACA's checklist for a smartphone security policy
  • Define allowable device types (enterprise-issued only vs. allowing personal devices, as well as types of devices, such as a BlackBerry or iPhone).
  • Define what services -- such as email and Web applications -- can be accessed through the devices, taking into account the existing IT architecture.
  • Identify the way people use the devices, considering the corporate culture as well as human factors and how the execution of processes through the use of mobile devices may lead to unpredictable risks. Make sure to get business leaders' sign-off for acceptance of these potential risks.
  • Integrate all enterprise-issued devices into an asset-management programme so that they can be properly managed and maintained.
  • Describe the type of authentication and encryption that must be present on the devices.
  • Outline the tasks for which employees may use the devices and the types of applications that are allowed.
  • Clarify how data should be securely stored and transmitted.

"Companies are finding it hard to control people who want to use the sexy phone of the day," Wood said. "And we see that happening right at the top of organisations, with senior management buying the latest devices, which certainly doesn't help."

Many organisations have managed to enforce policies and security controls on company-owned laptops, he said, but smartphones now pose a whole new set of problems.

"While the BlackBerry allows good security, staff is now demanding iPhones and Android phones which we can't control in the same way at the moment. It is a nightmare for those people tasked with trying to manage it from a security perspective," Wood said. "We are at the beginning with this new generation of devices. People are storing data on these devices and there isn't any encryption. It's like taking a step backwards."

The ISACA paper sets out a checklist of factors for companies to consider, and proposes using a recognised governance framework, such as COBIT or Risk IT, to provide a structured, risk-based approach to tackling the problem. It says: "Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises."

Recognising that there are few security products currently available for smartphones, the paper emphasises that companies need to build strong enforceable policies that enable them to gain the benefits of mobile usage while minimising risks. For instance, if data cannot be encrypted on the mobile endpoint, then data access should be restricted.

"There is no easy solution available yet. With a laptop you can put on an encryption package and manage it centrally. You can also do that on a BlackBerry, but how do you do that on an iPhone or iPad?" Wood asked. "How do you mitigate the problems of roaming Wi-Fi connections? You can lock it down on a laptop and put in some good controls, but how to do that on an iPhone or iPad? That's the challenge."

Many organisations are already wrestling with the smartphone problem, especially when users want to use their own devices for work. Marcus Alldrick, senior IT manager for Lloyd's of London, the insurance market, said that pressure is mounting to allow users to use their own phones for work. "Our policy is to lock down corporate smartphones," he said, "But people now want to use their own devices both for personal and business purposes. We have global users, so we'd need an approach that deals with multiple operating systems, so that we can connect securely into our networks."

Until data can be protected and connections secured on a range of smartphones, however, he said the current policy will remain in place.
