Project 1: Mobile Device Management (MDM) Policy
Start Here

Transcript

Mobile Device Management Policy

As a recent graduate of the UMGC Master's in Cybersecurity program, you have received a well-deserved promotion to chief information security officer (CISO) at the global financial institution where you work. The role is new for you and the company. It reports directly to the chief information officer (CIO), who, for the purposes of this course, is the instructor. Much of what you will be doing in the next couple of months is centered around the policy aspects of the bank.

The CIO has lobbied for your role to be created as a result of four concerns that will require your expertise and focus. In general, you are told you will be addressing the following four projects:

  • Mobile Device Management (MDM)

  • Identity Theft

  • Digital Currency

  • Enterprise Policy

Now that you have an idea of the tasks ahead, the first project will be developing recommendations for mobile device management, which will include written comments and a presentation for the company's leadership. This is the first of four sequential projects in this course and should be completed in about two weeks. There are 11 steps to complete in Project 1. Contact the CIO (your instructor) with any questions. Proceed to Step 1 to begin.

Competencies

Your work will be evaluated using the competencies listed below.

  • 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.

  • 2.4: Consider and analyze information in context to the issue or problem.

  • 8.1: Report on current developments in cybersecurity management and policy.

Step 1: Prepare a Scope of Work Overview

Since the CEO has agreed for you to update the company's mobile device management (MDM) Policy, the CIO has requested you first provide a scope of work to determine the level of effort that your team will face.

Prepare an overview of the scope of work by posting a brief paragraph (three to five sentences) explaining the approach and deliverable for this project with a few bullet points that address general financial industry concerns with cybersecurity and MDM.

Post the overview to the scope of work discussion for feedback. Afterward, move to the next step, in which you will consider critical infrastructure and how it will affect compliance.

Mobile Device Management

Mobile device management consists of the policies and procedures used to minimize risks presented by smartphones, tablets, and laptops. Both company-owned and personal devices used in the workplace or to perform work-related tasks can present threats to cybersecurity, physical security, and intellectual property.

Cyber criminals who gain access to mobile devices can track the locations and activities of users. Data can be stolen from the device or other devices and databases in a network. Sometimes, the device can be used to access physical facilities. Additionally, users can be denied access to their device or network, often as a form of cyber blackmail.

Scope of Work

A mobile device management scope of work is the agreement portion of an enterprise cyber program presentation that establishes the terms and conditions between the provider and client when implementing a project. It should also describe activities, deliverables, milestones, timelines for such items, and other related criteria. It may address elements such as but not limited to infrastructure, delivery, devices, content, innovation, and governance within the business needs.

  1. General Requirements

  2. Allocation of Equipment and Funding

  3. Deliverable and Milestone Terms

  4. Support Guidelines

  5. Adherence to Appropriate Code, Licensing, and Permit Regulations

  6. Security Provisions

  7. Fair Opportunity Disclosure

Step 2: Research Critical Infrastructure Concerns

After defining the scope of work, you are ready to begin updating the MDM policy. In order to determine the effectiveness of the current policy, research what critical infrastructure protection concerns affect compliance.

Consider the following list to guide your research:

  • impact of cyberattacks on critical infrastructure as defined by the Patriot Act of 2001

  • technologies used in critical infrastructure cyberattacks

  • cybersecurity defense principles that should be used to counter these cyberattacks

  • cybersecurity policy framework that should be employed to minimize the opportunity for a successful critical infrastructure cyberattack

Document the findings since they will be used in upcoming steps. In the next step, you will itemize those concerns.

Critical Infrastructure Protection

Critical infrastructure refers to the assets that provide vital services required to sustain the public health and safety of a population and protect the security and economic well-being of a nation.

In Presidential Policy Directive 21 (PPD-21), the United States designated the following 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Governmental Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Supervisory control and data acquisition (SCADA) systems as well as industrial control systems (ICS) are in the Information Technology sector. These are critical systems that must be protected, as they can affect a wide range of services, from the flow of electricity to the operations and control of commercial transportation.

References

US Department of Homeland Security (n.d.). Critical infrastructure sectors.  https://www.dhs.gov/what-critical-infrastructure

White House. (2013). Presidential Policy Directive 21: Critical infrastructure security and resilience.  US Government Printing Office.

Step 3: Itemize Critical Infrastructure Concerns

Using notes taken from the completed research in the last step, itemize the findings in a table or spreadsheet titled Crucial Concerns Worksheet that assesses:

  • The impact of cyberattacks on critical infrastructure as initiated by the Patriot Act of 2001 and later refined by the Department of Homeland Security (DHS).

  • The technologies used in critical infrastructure cyberattacks. Especially consider which technologies may exploit mobile device vulnerabilities, and how.

  • The cybersecurity defense principles that should be used to counter these cyberattacks.

This itemized list of critical infrastructure concerns will be expanded to include an evaluation of cyber-physical systems in the next step so that you can later align critical concerns to MDM policy. It will also be included as an appendix to the updated MDM policy presentation for the board of directors. Submit the Crucial Concerns Worksheet for feedback.

In the next step, cyber-physical systems and the Internet of things will be considered and evaluated for the MDM policy presentation.

Mobile Device Vulnerabilities

Mobile devices have become an integral part of society. Most people have at least one mobile device, often a smartphone, and some carry several in order to access everything from social media to finance and banking. Mobile devices are now even used like a credit card.

However, one of the consequences of the proliferation of mobile devices is their vulnerability to cybercriminals. As crime moves from the realm of the physical world to the cyber world, mobile device privacy has become an important concern not only for individuals but also for the workplace, including government and the private sector.

Assessing these devices and developing guidelines and regulations have been challenging, since the definition of a "mobile device" has also been evolving. In a draft of the Mobile Device Privacy Act that was considered but not enacted by Congress, mobile devices were described as personal electronic devices that have the capability of transmitting and receiving voice, video, or data communications by means of commercial mobile service or commercial mobile data service (H.R. 6377, 2012).

The National Institute of Standards and Technology (NIST) offers some more specifics on mobile devices: They are small and have at least one wireless network interface for network access (data communications). This interface uses Wi-Fi, cellular networking, or other technologies that connect the mobile device to network infrastructures with connectivity to the Internet or other data networks. The devices also have an operating system that is not a full-fledged desktop or laptop operating system, and feature applications available through "multiple methods" provided with the mobile device, accessed through a web browser, or acquired and installed from third parties (Souppaya & Scarfone, 2013). All of these factors can serve as vulnerabilities for cybersecurity.

Cybersecurity professionals also need to be concerned about data loss and malware attacks, as well as basic factors such as network compatibility in the workplace. Data loss, data modification, and data corruption must be prevented in order to ensure the confidentiality, integrity, and availability of the data.

Malware (malicious software) attacks are also a major cause of mobile device vulnerabilities. They compromise security privileges and private data, and data can be deleted in these attacks.

Malware traditionally falls into two categories: infecting programs and hiding programs. Infecting programs "actively attempt" to copy themselves to other computers, while hiding programs, as the name implies, hide in a computer to avoid detection while completing an attacker's instructions (Kim & Solomon, 2018). Malware types include viruses, worms, Trojan horses, rootkits and spyware.

Network compatibility with regard to mobile devices simply means whether a mobile device will work if the user travels from one location to another, either within the host country or abroad. Even domestic mobile device signals hop or jump from cell tower to cell tower, so calls can be lost or dropped. Therefore, to ensure reliable communications to clients, a network must have reliable network compatibility.

The website GSM Nation (http://www.gsmnation.com/operator/compatibility/calculator/) allows mobile device users to pick a country and then choose a manufacturer, such as Apple, Motorola, etc. Once the information has been entered, the website provides a mobile device that will be compatible in that country.

There are several NIST publications that should be considered by the cybersecurity professional:

  • NIST SP-800-40 Revision 3, Guide to Enterprise Patch Management Technologies

  • NIST SP 800-121 Revision 1, Guide to Bluetooth Security

  • NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise

Individual users also have an important role to play when ensuring privacy on a mobile device. The following are best general practices for mobile devices recommended by the Official (ISC)2 Guide to the CISSP CBK (Certified Information Systems Security Personnel Common Body of Knowledge):

  • use a passcode/passphrase/pattern to lock the device after inactivity

  • encrypt the device if the option is available

  • never use unsecured Wi-Fi unless you have access to a virtual private network (VPN) client

  • report stolen devices immediately to the proper authorities

  • cancel any credit card that you use your phone to pay with

  • never leave the mobile device unattended

  • turn off the global positioning system and data when not being used

  • regularly back up data

For additional information regarding the global positioning system (GPS) and its utility for mobile devices, visit http://www.gps.gov/.

References

Kim, D., & Solomon, M. G. (2018). Fundamentals of information systems security (3rd ed.). Jones & Bartlett.

H.R. 6377 - Mobile Device Privacy Act. https://www.congress.gov/bill/112th-congress/house-bill/6377/text

Hernandez, S. (Ed.) (200). Official (ISC)2 guide to the CISSP CBK (3rd ed.). CRC Press.

Souppaya, M., & Scarfone, K. (2013, June). Guidelines for managing the security of mobile devices in the enterprise: Special Publication 800-124, Revision 1. National Institute of Standards and Technology.  http://dx.doi.org/10.6028/NIST.SP.800-124r1

Step 4: Evaluate Cyber-Physical Systems (CPS) and Internet of Things (IoT)

In this phase of the project, you will evaluate cyber-physical systems (CPS) and the internet of things (IoT) to build upon the critical infrastructure concerns itemized in the previous step.

Assuming that you have addressed most of the concerns related to MDM from a policy perspective, begin an itemized list of potential countermeasures. In recognition of on-the-job training, education, and research conducted here, continue to expand the worksheet by specifically addressing issues relating to cyber-physical systems and the internet of things.

Briefly evaluate cybersecurity hardware, software, and network technological components of cyber-physical systems and the policy issues that they require. Also consider Wi-Fi and Bluetooth technologies and the policy issues they require.

Add this evaluation to the Crucial Concerns Worksheet completed in the previous step. This worksheet will be used to align to MDM policy later in the project, will be included as an appendix to the updated MDM policy presentation for the board of directors, and will be assessed as part of the final Project. Name the files Appendix 1, Appendix 2, etc. Submit the updated table or spreadsheet for feedback.

Cyber-Physical Systems (CPSs)

Cyber-physical systems (CPSs) are "co-engineered interacting networks of physical and computational components" (NIST, n.d.).

CPSs are more complex applications of the "internet of things" (IoT) wherein a physical object has components that are linked via the internet to systems that collect and/or transmit data. Examples of items in the IoT include cars, home security systems, smarthome devices (thermostats, lights, monitors), phones, environmental or industrial monitoring systems, and supply chain/logistics tracking programs.

These systems are also able to remotely control the objects, such as aircraft, robotics, medical devices, power grids, and other critical infrastructure items. Threats to CPSs exist in both the public and private sectors.

References

National Institute for Standards and Technology (NIST). (n.d.). Cyber-physical systems.  https://www.nist.gov/el/cyber-physical-systems.

Internet of Things (IoT)

The internet of things (IoT) is the phenomenon of connecting devices used in everyday life. It provides an interactive environment of human users and a myriad of devices in a global information highway, always on and always able to provide information. IoT connections happen among many types of devices—sensors, embedded technologies, machines, appliances, smartphones—all connected through wired and wireless networks.

Cloud architectures such as software as a service have allowed for big data analytics and improved areas such as automated manufacturing. Data and real-time analytics are now available to workers through wearables and mobile devices.

Such pervasive proliferation of IoT devices gives hackers avenues to gain access to personal data and financial information and increases the complexity of data protection. Given the increased risks of data breaches, newer techniques in data loss prevention should be examined.

Smart Home Security

The online comic XKCD takes a humorous look at security issues surrounding the internet of things.

If they're getting valuable enough stuff from you, at least the organized crime folks have an incentive to issue regular updates to keep the appliance working after the manufacturer discontinues support.

Wi-Fi

Wi-Fi allows smartphones, smart objects, tablets, computers, and other web-enabled devices to connect to the internet without being physically connected to a router or server. Wi-Fi is one of the most influential technological advances of the twentieth century. Standards for Wi-Fi are set forth in IEEE 802.11.

The availability of Wi-Fi to the general public led to both expansion of existing industries and the creation of new industries. Wi-Fi also presents a myriad of threats to businesses, individuals, and government entities, increasing the opportunities for devices and servers to be hacked.

Wi-Fi is accessed via wireless local area networks (WLANs) and uses radio frequencies to transmit and receive data. In order to protect devices and networks from unauthorized interception or intrusion, both encryption and authentication protocols should be used.

Summary Comparison of Protection Algorithms

Stands For

  • WPA: Wi-Fi Protected Access

  • WPA2: Wi-Fi Protected Access 2

  • WEP: Wired Equivalent Privacy

What Is It?

  • WPA: A security protocol developed by the Wi-Fi Alliance in 2003 for use in securing wireless networks.

  • WPA2: A security protocol developed by the Wi-Fi Alliance in 2004 for use in securing wireless networks, designed to replace the WEP and WPA protocols.

  • WEP: A security protocol for wireless networks introduced in 1999 to provide data confidentiality comparable to a traditional wired network.

Methods

  • WPA: As a temporary solution to WEP's problems, WPA still uses WEP's insecure RC4 stream cipher, but provides extra security through TKIP.

  • WPA2: WPA2 uses the AES standard instead of the RC4 stream cipher. CCMP replaces WPA's TKIP.

  • WEP: Through the use of a security algorithm for IEEE 802.11 wireless networks, it operates to create a wireless network that is as strong as a wired net.

Keys

  • WPA: Unique encryption key. Uses the temporary key - TKIP.

  • WPA2: You set up your unique encryption key.

  • WEP: It applies a static key.

Speed

  • WPA: A little processing power.

  • WPA2: Requires greater processing power.

  • WEP: Not much processing power.

Organizations using WLANs must include limits on signal propagation in the physical security aspect of their cybersecurity plans. Increased threats and vulnerabilities to WLANs over wired networks include the potential for eavesdropping and loss of availability due to jamming, flooding, and electronic countermeasures (Scarfone et al., 2008). WLANs are also vulnerable to unauthorized access, rogue access point, man-in-the-middle, denial-of-service, session hijacking, and replay attacks (Waliullah & Gan, 2014).

The three early protocols for attempts to secure Wi-Fi are WEP, WPA, and WPA2. The summary comparison above (Galli & Mustafa, 2015) compares the technologies used in these protection algorithms.

WEP Protocol

The Wired Equivalent Privacy (WEP) protocol was the original method used to make wireless networks more secure. Waliullah & Gan (2014) explain that in WEP transmission:

The packets are encrypted with a symmetric encryption algorithm (RC4) using a session key which is made up of the IV and the default transmit key. The IV is randomly generated for each session but the default transmit key is fixed. The IV is sent in the packet along with the data. Once the encrypted packet reaches the receiving end, it decrypts the packet using the same session key (p. 177).

The use of common keys by all users within a WLAN exposes all users in the network if a breach occurs. WEP is easily hacked, as is evidenced by several wide-scale incidents at retail chains. As a result, WEP was banned from use for credit card processing in 2010.

WPA Protocol

The Wi-Fi Protected Access (WPA) replaced WEP. WPA uses the WEP algorithm and either a preshared key (PSK) or Temporal Key Integrity Protocol (TKIP) for encryption. In WPA-PSK, everyone on a network uses the same password to access encrypted data. In WPA-TKIP, a new key is generated for each packet of data. WPA also employs the Extensible Authentication Protocol (EAP) to authenticate each user on the network through a RADIUS (Remote Authentication Dial-in User Service) server (Waliullah & Gan, 2014).

The use of the WEP algorithm makes WPA vulnerable to offline dictionary and brute force attacks. It is also subject to DoS attacks "carried out over the MAC layer by sending out deauthentication and disassociation messages to the client or access point, resulting in the legitimate user being denied access to the service" (Waliullah & Gan, 2014). These weaknesses led to further research to secure WLANs, resulting in the development of WPA2.

WPA2 Protocol

The Wi-Fi Protected Access 2 (WPA2) protocol is the replacement for WPA. It uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) instead of TKIP and Advanced Encryption Standard (AES) block cipher in lieu of RC4 stream cipher (Waliullah & Gan, 2014). The use of a standard shared key for all users makes both WPA and WPA2 vulnerable to dictionary and brute-force attacks, and it also makes detection of intruders difficult (Waliullah & Gan, 2014).

AES

The Advanced Encryption Standard (AES) uses a cryptographic algorithm to encrypt data into ciphertext for transmission and to decrypt ciphertext back into plaintext upon receipt. It was recognized as the required standard for federal government by the National Institute of Standards and Technology (NIST) in 2001. NIST also recommended AES for use by industry and individuals (Scarfone et al., 2008). While WPA2/AES are the most recommended tools for securing WLANs, there are many legacy networks still in use today that use older, less secure protocols.
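
Added example, not part of the original course material: one way to find the legacy networks mentioned above is to grade each scanned access point by the weakest protection it still accepts, using the WEP / WPA / WPA2 distinctions from this section. It assumes scan output in the tab-separated layout printed by `wpa_cli scan_results`; the sample networks, the Level scale, and the function names are constructed for illustration.

```python
"""Grade scanned Wi-Fi networks by the weakest protection they still accept."""
import re
from dataclasses import dataclass
from enum import IntEnum

# Constructed sample in the tab-separated layout printed by
# `wpa_cli scan_results`; every BSSID and SSID below is made up.
SAMPLE_SCAN = """\
bssid / frequency / signal level / flags / ssid
02:00:00:00:00:01\t2412\t-48\t[WPA2-EAP-CCMP][ESS]\tbank-corp
02:00:00:00:00:02\t2437\t-60\t[WPA2-PSK-CCMP][ESS]\tbranch-guest
02:00:00:00:00:03\t2462\t-71\t[WPA-PSK-TKIP][WPA2-PSK-CCMP+TKIP][ESS]\tlegacy-mixed
02:00:00:00:00:04\t2412\t-80\t[WEP][ESS]\twarehouse-scanner
02:00:00:00:00:05\t5180\t-66\t[ESS]\tcoffee-free
"""


class Level(IntEnum):
    """Hypothetical grading scale that follows the comparison in this section."""
    OPEN = 0      # no encryption advertised
    WEP = 1       # RC4 with a static key shared by every user
    WPA_TKIP = 2  # RC4 with TKIP per-packet keys
    WPA2_PSK = 3  # AES-CCMP, one passphrase shared by every user
    WPA2_EAP = 4  # AES-CCMP, each user authenticated through EAP/RADIUS


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    level: Level
    compliant: bool


def classify(flags: str) -> Level:
    """Return the weakest suite in a flags column such as
    "[WPA-PSK-TKIP][WPA2-PSK-CCMP+TKIP][ESS]".

    A mixed-mode access point accepts clients on its oldest suite, so the
    minimum over all advertised suites is what policy has to judge.
    """
    levels = []
    for token in re.findall(r"\[([^\]]+)\]", flags):
        if token.startswith("WEP"):
            levels.append(Level.WEP)
        elif token.startswith("WPA"):
            proto, _, rest = token.partition("-")
            akm, _, cipher_part = rest.partition("-")
            # "CCMP+TKIP" lists two ciphers; drop suffixes like "-preauth".
            ciphers = cipher_part.split("-")[0].split("+")
            if proto != "WPA2" or any(c != "CCMP" for c in ciphers):
                # WPA, TKIP, or a cipher this sketch does not recognise:
                # grade as legacy so a person reviews it.
                levels.append(Level.WPA_TKIP)
            elif "EAP" in akm and "PSK" not in akm:
                levels.append(Level.WPA2_EAP)
            else:
                # PSK, and key-management types this section does not cover,
                # are graded conservatively as shared-key.
                levels.append(Level.WPA2_PSK)
        # Tokens such as ESS or WPS describe capabilities, not encryption.
    return min(levels, default=Level.OPEN)


def audit(scan_text: str, minimum: Level = Level.WPA2_PSK) -> list[Finding]:
    """Parse scan output and mark each network against the policy minimum."""
    findings = []
    for line in scan_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) != 5:  # header or malformed line
            continue
        bssid, _freq, _signal, flags, ssid = fields
        level = classify(flags)
        findings.append(
            Finding(ssid or "<hidden>", bssid, level, level >= minimum)
        )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        verdict = "ok" if f.compliant else "BLOCK"
        print(f"{verdict:5} {f.level.name:9} {f.bssid}  {f.ssid}")
```

Passing `minimum=Level.WPA2_EAP` models a stricter policy for corporate SSIDs, where a passphrase shared by all users is not acceptable.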

References

Galli, T. A. B., & Mustafa, A. B. A. (2015). A comparative study between WEP, WPA and WPA2 security algorithms. International Journal of Science and Research, 4(5): 2390-91. https://www.ijsr.net/archive/v4i5/SUB154986.pdf

Scarfone, K., Dicoi, D., Sexton, M., & Tibbs, C. (2008, July). Special publication 800-48, revision 1: Guide to securing legacy IEEE 802.11 wireless networks. http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890006

Waliullah, M., & Gan, D. (2014). Wireless LAN security threats & vulnerabilities: A literature review. International Journal of Advanced Computer Science and Applications 5(1): 176-183. http://thesai.org/Downloads/Volume5No1/Paper_25-Wireless_LAN_Security_Threats_Vulnerabilities.pdf

Licenses and Attributions

A Comparative Study between WEP, WPA and WPA2 Security Algorithms by Tagwa Ahmed Bakri Gali and Amin Babiker A/Nabi Mustafa from International Journal of Science and Research is available under a Creative Commons Attribution 2.0 Generic license. © 2012–2017, International Journal of Science and Research (IJSR). UMGC has modified this work and it is available under the original license.

Bluetooth

Bluetooth is a wireless technology that permits short-range radio transmissions of data between enabled devices. In addition to smartphones, tablets, laptops, printers, keyboards, headphones, and mice, Bluetooth is used with items associated with the "internet of things" (IoT), such as locks, automobiles, activity trackers, speakers, and medical devices.

Bluetooth low-energy devices can be hacked up to a quarter of a mile away from a wireless local area network (WLAN), as was demonstrated at the DEFCON 24 conference (Rose & Ramsey, 2016).

Due to its use of radio frequencies, Bluetooth, like WLANs and Wi-Fi, is at risk for interception and eavesdropping. The National Institute of Standards and Technology (Padgette et al., 2012) notes that Bluetooth devices are susceptible to attacks targeting known weaknesses of the technology, as well as "denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation" (p. viii).

Unauthorized access of a Bluetooth device is a threat to all other devices connected on the WLAN with it. Strategies to mitigate threats include limiting the range of access, requiring authentication, encrypting data, restricting use of a device in the "discoverable" mode, and generation of a random key for authentication (Nagajayanthi et al., 2016).

There are three modes with respect to encrypting Bluetooth. Encryption Mode 1 transmits and receives clear traffic with no encryption. Encryption Mode 2 does not encrypt broadcast traffic but uses individual link keys to encrypt traffic addressed to individual subscribers. Encryption Mode 3 uses a master link key to encrypt all traffic.

Since Bluetooth encryption can be broken with either a dictionary or brute-force attack, federal agencies and contractors must layer Federal Information Processing Standards (FIPS)-approved encryption over the standard Bluetooth encryption (Padgette et al., 2012).

The most recent iteration of the security standards is contained in Bluetooth 5.2, which was released in 2020.

Given the widespread use and popularity of Bluetooth-enabled devices and accessories, organizations should include policies and safeguards regarding its use in their cybersecurity and mobile device plans (Carnaghan, 2013).

References

Carnaghan, I., (2013, March 26). Mobile cybersecurity policies in the private and public sector. https://www.carnaghan.com/2013/03/mobile-cybersecurity-policies-in-the-private-and-public-sector/

Nagajayanthi, B., Vijayakumari, V., & Radhakrishnan, R. (2016, December). A strenuous macroanalysis on the substratals of securing Bluetooth mobile workforce devices. Indian Journal of Science & Technology, 9(48): 1-6. doi: 10.17485/ijst/2016/v9i48/89769. http://www.indjst.org/index.php/indjst/article/view/89769/77188.

Padgette, J., Scarfone, K., & Chen, L. (2012). Special publication 800-121, Revision 1: Guide to Bluetooth security: Recommendations of the National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-121r1.pdf.

Rose, A., & Ramsey, B. (2016, November 10). Picking Bluetooth low energy locks a quarter mile away. DEF CON 24 Conference. https://youtu.be/KrOReHwjCKI

Step 5: Document Policy Impact

Now that you have listed crucial concerns surrounding critical infrastructure, cyber-physical systems, and the internet of things, in this step, you will report on policy impact.

Specifically consider:

  • the impact, if any, on the critical infrastructure of the company's mobile device management policies

  • policy or compliance initiatives that can address these concerns.

  • a recommended cybersecurity policy framework that when deployed would minimize the opportunity for a successful critical infrastructure cyberattack

Compile your ideas in a report titled Policy Alignment. Create a section in your report titled Policy Impact to document your ideas. This report will also be included as an appendix to the updated MDM policy presentation for the board of directors. You will add to this report in the next step.

Step 6: Describe Policy Issues Related to Cyber-Physical Systems and Internet of Things (IoT)

Continue to build the Policy Alignment report from the previous step. Now that policy impact has been considered, you will examine policy issues related to cyber-physical systems (CPS) and the internet of things (IoT).

Create two sections in the Policy Alignment report. The first section will be titled Policy Issues Related to Cyber-Physical Systems. In this section of the report, describe enterprise, national, and international cybersecurity policy issues that arise due to the deployment of cyber-physical systems. In the second section, titled Policy Issues Related to IoT, describe enterprise, national, and international cybersecurity policy issues that arise due to the effect of the internet of things.

This report will also be included as an appendix to the updated MDM policy presentation for the board of directors. You will add to this report in the next step.

Step 7: Analyze Current Technology Developments

After documenting policy impact on critical infrastructure and describing policy issues related to cyber-physical systems and the internet of things in the previous steps, move the focus to current technology developments relevant to mobile device management such as mobile payments and bring your own device (BYOD).

As the CISO of a global financial institution, analyze how such developments affect cybersecurity management and policy at the enterprise, national, and international levels. Also consider relevant technological development topics that may affect policy, such as mobile device privacy concerns. Document your findings in the final section of the Policy Alignment Report. This report will be included as an appendix to the updated MDM policy presentation for the board of directors. Submit the Policy Alignment Report for feedback; it will be assessed as part of the final Project. Name the files Appendix 1, Appendix 2, etc.

Mobile Payments

Shopping in the twenty-first century has become easier. When you purchase an item and pay for it, you don't need a wallet full of cash or a checkbook. Today, many buyers use a smartphone.

Mobile payment is the transfer of money from one account to another via a mobile device. When buyers use a mobile device for payment, it is called a mobile wallet. In a mobile wallet, a credit card or a debit card is uploaded into a digital mobile device that can be used as cash. Mobile payment is made possible today by using a smartphone, tablet, or even a watch.

With the convenience of mobile payments, the need for data security is even greater. The Payment Card Industry Data Security Standard (PCI DSS) is an independent organization created in 2006 under the auspices of several major credit card companies including American Express, Discover Financial Services, JCB International, MasterCard, and Visa. The payment brands are responsible for enforcing compliance (PCI, n.d.).

The PCI DSS is a set of security rules "designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment" (PCI, n.d.). The PCI DSS was created to manage the Payment Card Industry (PCI) security standards "with a focus on improving payment account security throughout the transaction process" (PCI, n.d.). In essence, the PCI DSS requires all businesses that accept, process, store, or transmit credit card information to comply with the PCI DSS.

The PCI DSS is organized around six principles stated in the PCI DSS Quick Reference Guide (PCI Security Standards Council, n.d.):

  • build and maintain a secure network

  • protect cardholder data

  • maintain a vulnerability management program

  • implement strong access control measures

  • regularly monitor and test networks

  • maintain an information security policy

Based on those principles, the Payment Card Industry (PCI)'s Security Standards Council has provided guidelines to the National Institute for Standards and Technology on frameworks that would enhance cybersecurity. The council noted that the volume of funds and the individual payments transmitted through payment systems are "orders of magnitude" larger than retail payment systems, and often involve large transactions between financial institutions as opposed to consumers or merchants (PCI, 2013).

The council recommended that the PCI DSS be applicable to any organization "that stores, processes, and/or transmits cardholder data covering technical and operational system components included in or connected to cardholder data."

The council noted that the PCI Payment Application Data Security Standard (PA-DSS) features security requirements for software developers and integrators of applications that store, process, or transmit cardholder data; and that the PCI PIN Transaction Security Requirements (PCI PTS) apply to manufacturers "who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions." The council also lists approved devices that have been tested against the standards (PCI, 2013).

References

PCI. (2013, April 8). Developing a framework to improve critical infrastructure cybersecurity. http://csrc.nist.gov/cyberframework/rfi_comments/040813_pci_security_standards_council.pdf

PCI. (n.d.). PCI compliance guide. https://www.pcicomplianceguide.org/pci-faqs-2/#1

PCI Security Standards Council. (n.d.). PCI DSS quick reference guide. https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

Bring Your Own Device (BYOD)

Many organizations are adopting policies to allow workers to bring personal computers or mobile devices to work. This practice allows organizations to reduce costs and provides employees with the freedom, flexibility, and convenience of using one device for both personal and business use. While there may be some benefits to adopting a bring your own device (BYOD) policy, there are security risks.

Worker-owned devices can now carry sensitive and confidential organizational data. Data access and ownership issues can create risk of data loss. Additionally, use of personal computers for business can bring about security complications. Personal equipment might not always be patched properly, and employees might access websites, applications, or other content that would normally be blocked on most company equipment.

In order to minimize security risks and maximize effectiveness, organizations must have comprehensive security and BYOD policies. Organizations need to invest in security solutions such as registering personal devices, implementing encryption standards for data protection, and using endpoint protection technology to guard personal devices against attacks. User knowledge of security threats related to using personal devices for business purposes can also help mitigate the risk.

Although implementing security controls directly onto a worker's personal equipment might be a challenge for many organizations, it is imperative that employers design properly documented BYOD policies to mitigate risk and data loss. Employees can focus on user training programs, remote system access, and virtual private networks to help create a more secure environment for personal devices.

References

Horwath, J. (2013, April 29). Managing the implementation of a BYOD policy. https://www.sans.org/reading-room/whitepapers/leadership/managing-implementation-byod-policy-34217

Mobile Device Privacy Concerns

Handheld devices provide tremendous convenience and accessibility, but that increased connectivity makes all those daily interactions a concern for privacy. The applications commonly found on mobile devices can reveal a lot of information about the user.

"With more people using their devices for online shopping, managing finances, paying bills, and playing online games," the risk of privacy concerns is growing (Kumar, 2016). The threats that individuals face now often extend to their workplaces, since more employers expect employees to use their personal devices for work-related tasks.

Mobile devices have become a convenience as well as a problem for organizations worldwide as they try to provide mobility and accessibility to their employees while also trying to protect the organization's main computer systems from cyber threats and attacks.

Many organizations have developed or will be developing a mobile device security policy. The confidentiality, integrity, and availability model, known as the CIA triad, is often used as a model for information security policies, which include privacy. The following guidelines, taken from NIST Special Publication 800-124, Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, outline several procedures for organizations to secure the CIA triad (Souppaya & Scarfone, 2013):

  • Develop system threat models for mobile devices and the resources that are accessed through the mobile devices.

  • Consider the merits of each provided security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.

  • Implement and test a pilot of the mobile device solution before putting the solution into production.

  • Secure each organization-issued mobile device before allowing a user to access it.

  • Maintain mobile device security.

An organization's chief information security officer (CISO) should have knowledge of the National Institute of Standards and Technology's (NIST) Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

This publication catalogues security and privacy controls for federal information systems and other organizations. It outlines a process for selecting controls to protect operations from cyberattacks, natural disasters, structural failures, and human errors (NIST, 2013; NIST, 2014).

Organizations may also consider installing mobile device management (MDM) on the employees' devices. MDM is software that allows organizations to monitor, control, locate, lock, and potentially wipe data in a lost device, thus preventing potential hackers from compromising the enterprise's systems. Obviously, users may be concerned about potential "big brother" aspects of MDM.

The vulnerability of personally identifiable information (PII) is another concern with the proliferation of mobile devices in the workplace. Back in 2008, a Government Accountability Office (GAO) report noted a host of security breaches in government agencies alone that exposed PII numerous times (GAO, 2008). That report defines PII as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual," such as medical, educational, financial, and employment information (GAO, 2008).

Historically, privacy concerns have been taken more seriously in Europe than the United States when it comes to personal information collection, retention, and distribution. The differences stem from a 1995 directive by the European Union mandating that each nation pass privacy laws and create data protection authorities. In parts of Europe, personal information can't be collected without permission, and data processing companies have to register with the government (Sullivan, 2006). In addition, unlike the United States, companies in many European countries are limited in how much information they can store about their employees.

References

Government Accountability Report. (2008, January). GAO 08-343: Information security: Protecting personally identifiable information. http://www.gao.gov/new.items/d08343.pdf

Kumar, A. (2016, June 3). Risk of mobile threats and privacy concerns grows. http://www.csoonline.com/article/3078815/security/risk-of-mobile-threats-and-privacy-concerns-grow.html

National Institute of Standards and Technology (NIST). (2014, December). Special publication 800-53A, revision 4: Assessing security and privacy controls in federal information systems and organizations. http://dx.doi.org/10.6028/NIST.SP.800-53Ar4

National Institute of Standards and Technology (NIST). (2013). Special publication 800-170: Computer security division: 2013 annual report. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-170.pdf

Souppaya, M., & Scarfone, K. (2013, June). NIST special publication 800-124, revision 1: Guidelines for managing the security of mobile devices in the enterprise. http://dx.doi.org/10.6028/NIST.SP.800-124r1

Sullivan, B. (2006, October 19). 'La difference' is stark in EU, U.S. privacy laws. http://www.nbcnews.com/id/15221111/ns/technology_and_science-privacy_lost/t/la-difference-stark-eu-us-privacy-laws

Step 8: Complete the Evaluating Cyber Policy eLearning Module

After creating a list of crucial concerns and documenting issues of policy alignment, you are ready to evaluate the current MDM policy. Complete the Evaluating Cyber Policy eLearning Module for guidance on developing a course of action or strategy for updating the current MDM policy for the organization. Document noteworthy concepts, steps, or strategies that will help update the MDM policy in later steps.

In the next step, you will consider any chain of custody impacts to the policy.

Step 9: Address Chain of Custody

After reviewing the process of evaluating cyber policy in the previous step, you are nearly ready to update the MDM policy. Keeping in mind the demands should a breach occur, address two primary aspects of this concern:

  • mobile device risk reduction (management of mobile device risk) from the employee/consultant perspective

  • highlighting the portion of your policies that addresses the "chain of custody" requirements if an investigation is required

Document your thoughts to be included in the updated MDM policy framework in the next step.

Management of Mobile Device Risks

Mobile devices have proliferated since their introduction into the market. Their sizes have become smaller and their capabilities have increased, so cybersecurity professionals tasked with managing these devices for the workplace must be aware of the risks and consequences associated with these technologies.

Mobile devices use Wi-Fi, cellular networking, or other technologies that connect to the internet or other data networks. In addition, mobile devices use an operating system that is not a full-fledged desktop or laptop operating system, and often contain applications available through multiple methods—some that came with the device, some that were accessed through the web, and some acquired and installed from third parties (Souppaya & Scarfone, 2013). These factors provide security challenges to a cybersecurity professional.

The National Institute of Standards and Technology's Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, notes that since mobile devices are used outside the organization (homes, businesses, hotels), those devices are more likely to be lost or stolen, putting the data at increased risk (Souppaya & Scarfone, 2013). This is just one reason why cybersecurity managers need to create an environment in which workers will adhere to a strong password policy.

Another potential risk that must be addressed by cybersecurity managers involves use of untrusted networks by workers when accessing their company's mainframe. Since mobile devices primarily use nonorganizational networks for internet access, there is no control over the security of the external networks (Souppaya & Scarfone, 2013).

Communications systems, such as Wi-Fi and cellular networks, can be targets of eavesdroppers. Man-in-the-middle attacks may also be performed to intercept and modify communications (Souppaya & Scarfone, 2013).

Finally, since third-party applications on mobile devices are common, they pose subtle risks to organizations, which cannot easily monitor the apps on the devices. As NIST 800-124 Rev. 1 points out: "This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing" (Souppaya & Scarfone, 2013). Cybersecurity managers should assume that third-party apps should not be trusted.

References

Souppaya, M., & Scarfone, K. (2013, June). Guidelines for managing the security of mobile devices in the enterprise: Special Publication 800-124, Revision 1. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-124r1

Step 10: Update the MDM Policy Framework

You are finally ready to update the MDM policy framework. Develop final written comments for presentation at the next standards body meeting. Include any perspectives on evaluation strategy and chain of custody from the previous two steps. These comments should be between two and three pages, and should include a paragraph on your thoughts about how your comments will be received and whether or not they will have an impact on the regulations/standards, etc. Submit the MDM policy framework for feedback. This framework will serve as the basis for your presentation, and will be assessed as part of the final Project. Name the files Appendix 1, Appendix 2, etc.

Submission for Project 1: MDM Policy Framework

Step 11: Submit the MDM Policy Presentation

The final phase of the project is to deliver a presentation on the MDM findings and policy recommendations to management that summarizes the results. This will include an update to the Policy Framework from the previous step according to received feedback. You are allotted 15 minutes for the presentation.

Refer to the MDM Policy Presentation Instructions for detailed requirements. Submit the MDM Policy Presentation.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.

  • 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.

  • 2.4: Consider and analyze information in context to the issue or problem.

  • 8.1: Report on current developments in cybersecurity management and policy.

Submission for Project 1: MDM Policy Presentation

MDM Policy Presentation Instructions

Assignment: MDM Policy Presentation

The CEO has entrusted you with delivering a high-level mobile device management policy presentation. The presentation should be about 15 minutes in length. It should highlight how you arrived at your conclusions and why you made these specific recommendations based upon the organizational needs.

Note: This presentation should incorporate key points from the three assignments that you completed in this project. Those assignments should be submitted as documents separate from the presentation. You will submit four files in total.

The presentation to management should include the following elements:

  • Title Slide

    • Include:

      • client (person and/or organization)

      • title

      • date prepared

      • provider (person and/or organization who prepared/is presenting)

  • Agenda

  • Overview (introduction and purpose)

  • Scope of Work (discussion board posting: Step 1)

    • should include modifications made from feedback received

  • Crucial MDM Concerns (key points from Assignment 1, Steps 2-4)

    • Determine the effectiveness of current policies by:

      • researching the critical infrastructure concerns (include in appendix of presentation) that affect compliance

      • itemizing findings

      • evaluating cyber-physical systems

  • Policy Alignment (key points from Assignment 2, Steps 5-7)

    • Should include how policy alignment impacts crucial concerns and issues affecting critical infrastructure and cyber-physical systems and consider:

      • MDM

      • initiatives that can address concerns

      • recommendation for framework deployment to minimize opportunities of attacks

      • potential global effects

      • ongoing and evolving technological advancements

  • MDM Policy Framework (key points from Assignment 3, Steps 8-10)

    • Should include:

      • action plan to update current MDM policy with strategies, steps, or concepts

      • potential breach chain of custody to address mobile device risk reduction of individuals and demonstration of policy requirements

When you are finished, submit the 15-minute MDM Policy Presentation, along with the following appendices, which are the assignments you completed during Project 1:

  • Appendix A: Crucial Concerns Worksheet

  • Appendix B: Policy Alignment Report

  • Appendix C: Comments on the MDM Policy Framework
