Mobile compliance issues are more complicated as federal regulations become more rigorous and require mobile devices to be compliant. Learn some best practices for ensuring mobile compliance.
In last month's tip on regulatory compliance, we explored the impact on mobile workforces of privacy regulations like HIPAA, GLBA and CA SB1386. But once you understand the rules, how do you audit, enforce and demonstrate mobile device compliance?
According to Ponemon Institute research, many IT professionals appreciate the importance of compliance but struggle to develop efficient, effective practices. For example, 58% monitor and test manually instead of using software tools, while 86% execute those tasks in a decentralized fashion, distributing responsibility across departments that may lack understanding of risk management. In the long run, a centralized, automated process would prove far more sustainable and effective.
This common-sense guideline applies to mobile workforces and the devices they carry. Today, more companies acknowledge that PDAs, smartphones and other wireless mobile handhelds are used by their workforce. A growing number have defined security policies for business use, including measures that must be deployed to reduce business risk. But very few have established a fully automated, comprehensive process for documenting whether, when and how those mobile devices touch corporate assets and potentially regulated data.
Identify the players
If your CFO were to lose his iPhone, how would you know -- much less prove -- that his mobile device did not carry unencrypted financial data contained in email messages, attachments and contact notes? We're not picking on the iPhone or CFOs here -- we are demonstrating a common-but-critical loophole in existing compliance efforts. Many companies are creating or have already established a process for setting, checking and reporting on the security state of network-attached laptops, including those at the far end of a VPN tunnel. But how many of those laptop-centric processes encompass handheld mobile devices like employee-owned PDAs?
It is crucial to establish a complete inventory of devices that might carry regulated data -- not just on-site servers and desktops, not just off-site Windows laptops, but every device that comes into contact with your network and systems. Don't rely on employees to hand in their PDAs and phones for IT registration and set-up. Invest in centralized, automated tools to comprehensively monitor all points of network attachment, from internal desktop adapters and Wi-Fi access points to Internet-facing VPNs and application gateways.
Keep in mind that the same mobile device may access your network in many ways and the same user may access your network through multiple devices. Gather access records from all entry points and fill gaps for vectors not yet monitored (e.g., mobile-desktop connections via USB or Bluetooth). Then use fingerprinting and correlation techniques to build an inventory of mobile devices, access methods and related user identities.
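The correlation step described above, as an added example that is not code from the original article or from any product. It takes constructed access records from four entry points (VPN, Wi-Fi controller, ActiveSync and a desktop USB sync log, the last one standing in for a vector that was previously unmonitored), keys each event on the strongest identifier that source offers, and then merges identifiers that share a user and a concrete platform into one device. The log layouts, field names, platform patterns and that merge heuristic are all assumptions for illustration; real logs differ, so the parsing layer is what you would adapt.

```python
"""Correlate access records from several entry points into a device inventory.

Added example, not from the original article. Log formats, field names and the
platform patterns are assumptions constructed for illustration.
"""
import re

# Constructed sample records (not real logs): one access event per line.
SAMPLE_LOGS = """\
2009-03-02T08:15:02 vpn user=cfo client=iPhone-OS/2.2 cert_cn=cfo-iphone src=203.0.113.5
2009-03-02T08:40:11 wifi user=cfo mac=00:1e:c2:aa:bb:cc ap=lobby-ap1 os=iPhone_OS_2.2
2009-03-02T09:02:45 activesync user=cfo deviceid=ApplXYZ123 agent=Apple-iPhone/2.2
2009-03-02T09:10:30 activesync user=jdoe deviceid=BB9000-77 agent=BlackBerry9000/4.6
2009-03-02T12:30:00 vpn user=jdoe client=Windows-XP cert_cn=jdoe-laptop src=198.51.100.9
2009-03-02T18:05:42 desktopsync user=jdoe deviceid=BB9000-77 host=ws-0142 via=usb
2009-03-03T07:55:19 wifi user=jdoe mac=00:1e:c2:aa:bb:cc ap=floor3-ap2 os=iPhone_OS_2.2
"""

# Which field carries the strong, source-specific device identifier (assumed layout).
IDENTIFIER_FIELD = {"vpn": "cert_cn", "wifi": "mac",
                    "activesync": "deviceid", "desktopsync": "deviceid"}
PLATFORM_FIELDS = ("client", "os", "agent")
PLATFORM_PATTERNS = [
    (re.compile(r"iphone[^0-9]*(\d+\.\d+)", re.I), "iphone {}"),
    (re.compile(r"blackberry[^/]*/(\d+\.\d+)", re.I), "blackberry {}"),
    (re.compile(r"windows[-_ ]?xp", re.I), "windows xp"),
]


def normalize_platform(raw):
    """Reduce vendor strings such as 'Apple-iPhone/2.2' to one comparable label."""
    for pattern, label in PLATFORM_PATTERNS:
        match = pattern.search(raw)
        if match:
            return label.format(*match.groups())
    return "unknown"


def parse_record(line):
    timestamp, source, rest = line.split(" ", 2)
    fields = dict(token.split("=", 1) for token in rest.split())
    ident_field = IDENTIFIER_FIELD.get(source)
    if ident_field is None or ident_field not in fields or "user" not in fields:
        return None  # unmonitored vector or malformed line: a gap to fill, not a device
    raw_platform = next((fields[f] for f in PLATFORM_FIELDS if f in fields), "")
    return {"ts": timestamp, "method": source, "user": fields["user"],
            "ident": f"{ident_field}:{fields[ident_field]}",
            "platform": normalize_platform(raw_platform)}


def build_inventory(lines):
    """Group events by strong identifier, then merge identifiers of one handset."""
    by_ident = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        entry = by_ident.setdefault(rec["ident"], {
            "identifiers": {rec["ident"]}, "users": set(), "methods": set(),
            "platforms": set(), "first_seen": rec["ts"], "last_seen": rec["ts"]})
        entry["users"].add(rec["user"])
        entry["methods"].add(rec["method"])
        entry["platforms"].add(rec["platform"])
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])

    # Correlation heuristic (assumption): entries sharing a user and a concrete
    # platform are one handset seen through different identifiers; union-find
    # merges them transitively.
    entries = list(by_ident.values())
    parent = list(range(len(entries)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            shared_users = entries[i]["users"] & entries[j]["users"]
            shared_platforms = (entries[i]["platforms"] & entries[j]["platforms"]) - {"unknown"}
            if shared_users and shared_platforms:
                parent[find(i)] = find(j)

    merged = {}
    for i, entry in enumerate(entries):
        device = merged.setdefault(find(i), {
            "identifiers": set(), "users": set(), "methods": set(), "platforms": set(),
            "first_seen": entry["first_seen"], "last_seen": entry["last_seen"]})
        for key in ("identifiers", "users", "methods", "platforms"):
            device[key] |= entry[key]
        device["first_seen"] = min(device["first_seen"], entry["first_seen"])
        device["last_seen"] = max(device["last_seen"], entry["last_seen"])
    for device in merged.values():
        device["platforms"].discard("unknown")
    return sorted(merged.values(), key=lambda d: d["first_seen"])


def devices_for_user(inventory, user):
    return [d for d in inventory if user in d["users"]]


if __name__ == "__main__":
    for device in build_inventory(SAMPLE_LOGS.splitlines()):
        print(sorted(device["identifiers"]), sorted(device["users"]),
              sorted(device["methods"]), sorted(device["platforms"]))
```

On the sample data the CFO's handset collapses into one device record with three identifiers and three access methods, and the same record shows a second user on it, which is exactly the kind of fact that a per-entry-point view would never surface. The desktop-sync line merges into the BlackBerry record by identifier alone, so adding a newly monitored vector enriches existing devices rather than creating duplicates. The weak point is the merge heuristic: a user carrying two handsets of the same platform would be collapsed into one, so in practice you would tighten it with a stronger cross-source key (for example, a device identifier that both the VPN client and the mail gateway report) before relying on the counts.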
Define and enforce your mobile security policy
Once mobile users and devices have been enumerated, examine how regulated data may flow to and from those entities and where that sensitive information could possibly be stored, either temporarily or permanently.
By working through mobile usage scenarios, you can develop a concrete picture of potential exposures and associated business risks. But mobile hardware and wireless technologies will continue to change at a rapid pace. To develop a workable mobile security policy, focus on mobile users, groups and their access needs and rights, attempting to identify where risks and regulations apply, independent of specific hardware manufacturers, wireless carriers or device models.
Of course, those details will matter later. Translating your policy into action is likely to require both new tools and processes. It is one thing to establish a policy that requires encryption of mail messages exchanged with or stored on any device your CFO carries. But implementing over-the-air and folder encryption on the CFO's handheld may involve purchasing new products or enabling features specific to a vendor, model or OS version.
To promote consistency, look for opportunities to leverage existing infrastructure and data. Seek out mobile security platforms that integrate with existing user database(s) and reuse inventory management and software distribution systems where possible. When it comes to making new mobile infrastructure investments, some companies may focus on one mobile brand or wireless carrier (e.g., IT-purchased BlackBerrys that connect via AT&T Wireless), banning business use of other devices and blocking corporate access over unapproved interfaces. Others will prefer a broader mobile security platform that can support many heterogeneous mobile devices and wireless technologies.
Either way, look for systems that can automatically detect and perhaps automatically provision new mobile devices, based on centrally defined policy. Choose tools that can verify whether required security measures (e.g., mobile device access controls, data encryption, anti-virus, OS patches) are present, operating and configured correctly, as well as documenting updates and deviations to a central repository. Relying on users to secure their own handhelds -- and keep them secure -- is a recipe for failure. We still have not accomplished that feat with laptops, and handhelds are less well understood and far easier to reset to factory defaults, which silently undoes whatever security settings were applied.
Continually assess mobile compliance
While these steps can bring your mobile workforce closer to a compliant state, most regulations require companies to demonstrate compliance. For example, you may need to generate reports which prove that a lost mobile was encrypted or to demonstrate that the device never accessed your customer records database. In fact, compliance is not so much about implementing good security as it is about demonstrating that you have established and followed the requisite policies and procedures.
To that end, one of the most important aspects of ensuring mobile compliance is ongoing vigilance and record-keeping. Here, automation and centralization can really reduce cost and increase effectiveness -- for example, by repeatedly executing the same tests to verify that mobile devices still comply with policy and that new unmitigated vulnerabilities have not popped up since the last check.
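The verification step described under "Define and enforce your mobile security policy" and the repeated re-testing described just above, combined in one added example that is not code from the original article or from any product. Posture snapshots (what a device management agent would report) are checked against a per-group policy, every run appends to an append-only repository, and a device that stops reporting or drifts after a reset is recorded as such rather than silently keeping its last good state. The policies, user groups, snapshot fields and the three assessment runs are all constructed assumptions for illustration.

```python
"""Check device posture against central policy and record every deviation.

Added example, not from the original article. Policies, groups, snapshot
fields and the sample runs are assumptions constructed for illustration.
"""

# Constructed policy: requirements by user group (assumption).
POLICIES = {
    "finance": {"passcode": True, "storage_encryption": True, "mail_encryption": True,
                "min_os": {"iphone": "2.2", "blackberry": "4.6"}},
    "staff": {"passcode": True, "storage_encryption": False, "mail_encryption": False,
              "min_os": {"iphone": "2.0", "blackberry": "4.2"}},
}
USER_GROUPS = {"cfo": "finance", "jdoe": "staff", "ksmith": "staff"}
BOOLEAN_SETTINGS = ("passcode", "storage_encryption", "mail_encryption")


def version_tuple(text):
    """'4.10' -> (4, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(snapshot, policy):
    """Return the policy deviations for one posture snapshot (empty list = compliant).

    A setting the device did not report counts as not enabled: absence of
    evidence is a deviation, not a pass.
    """
    deviations = []
    for setting in BOOLEAN_SETTINGS:
        if policy[setting] and not snapshot.get(setting, False):
            deviations.append(f"{setting} required but not enabled")
    min_os = policy["min_os"].get(snapshot["platform"])
    if min_os is None:
        deviations.append(f"platform {snapshot['platform']} not approved")
    elif version_tuple(snapshot["os"]) < version_tuple(min_os):
        deviations.append(f"os {snapshot['os']} below minimum {min_os}")
    return deviations


class ComplianceRepository:
    """Append-only audit trail plus each device's last known state."""

    def __init__(self):
        self.records = []
        self.state = {}  # device -> {"user": ..., "deviations": [...]}

    def run_assessment(self, run_time, snapshots):
        seen = set()
        for snap in snapshots:
            device = snap["device"]
            seen.add(device)
            group = USER_GROUPS.get(snap["user"])
            if group is None:
                deviations = [f"user {snap['user']} has no policy group"]
            else:
                deviations = evaluate_device(snap, POLICIES[group])
            previous = self.state.get(device)
            if previous is None:
                event = "first_report"
            elif deviations == previous["deviations"]:
                event = "unchanged"
            elif not deviations:
                event = "resolved"
            elif not previous["deviations"]:
                event = "drifted"
            else:
                event = "changed"
            self.records.append({"time": run_time, "device": device, "user": snap["user"],
                                 "event": event, "deviations": list(deviations)})
            self.state[device] = {"user": snap["user"], "deviations": deviations}
        # A device that stopped reporting may be lost or wiped: record the gap instead
        # of carrying its last state forward as if it had just been verified.
        for device in sorted(set(self.state) - seen):
            last = self.state[device]
            self.records.append({"time": run_time, "device": device, "user": last["user"],
                                 "event": "no_report", "deviations": list(last["deviations"])})
        return [r for r in self.records if r["time"] == run_time]

    def noncompliant_devices(self):
        return sorted(d for d, s in self.state.items() if s["deviations"])

    def history(self, device):
        """Everything recorded about one device, e.g. its state when it was lost."""
        return [r for r in self.records if r["device"] == device]


# Constructed assessment runs (assumption). Between the first and second run the
# CFO's handset was reset to defaults and jdoe's BlackBerry stopped reporting.
CFO_OK = {"device": "deviceid:ApplXYZ123", "user": "cfo", "platform": "iphone", "os": "2.2",
          "passcode": True, "storage_encryption": True, "mail_encryption": True}
CFO_RESET = dict(CFO_OK, passcode=False, storage_encryption=False)
JDOE_BB = {"device": "deviceid:BB9000-77", "user": "jdoe", "platform": "blackberry",
           "os": "4.6", "passcode": True}
KSMITH_WM = {"device": "deviceid:WM6-0042", "user": "ksmith", "platform": "windowsmobile",
             "os": "6.1", "passcode": True}
RUNS = [
    ("2009-03-02T09:00:00", [CFO_OK, JDOE_BB, KSMITH_WM]),
    ("2009-03-09T09:00:00", [CFO_RESET, KSMITH_WM]),
    ("2009-03-16T09:00:00", [CFO_OK, JDOE_BB, KSMITH_WM]),
]


def run_all(runs=RUNS):
    repo = ComplianceRepository()
    for run_time, snapshots in runs:
        repo.run_assessment(run_time, snapshots)
    return repo


if __name__ == "__main__":
    for record in run_all().records:
        print(record["time"], record["device"], record["event"], record["deviations"])
```

Two design choices carry the compliance argument. First, the repository is append-only, so the answer to "was the CFO's phone encrypted when it went missing?" is the last record before the gap, not a current value that a later re-enrolment could overwrite. Second, the same checks run every time with no device-specific exceptions, which is what lets the "drifted" event after the factory reset surface automatically rather than waiting for someone to notice that the passcode had disappeared.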
Finally, treat mobile assessment as an extension of existing laptop practices. Even if you cannot use the same tools to conduct detailed audits, you'll want to bring results together to paint a single "big picture." After all, most privacy regulations are about protecting sensitive data, no matter where it exists.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.