Managing Device Proliferation and BYOD Policies in SMB Non-Profits
Device proliferation and adoption of BYOD policies in SMB non-profits pose significant security challenges, such as encryption, password policies, data mixing, legal discovery, remote wiping, and security attestation. Neglecting these issues can lead to severe consequences, as illustrated by a case study of a lost MacBook containing sensitive company data. Awareness of legal mandates and real-world incident risks is crucial for effective security and compliance management.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
INFORMATION SECURITY AND COMPLIANCE CASE STUDY: MANAGING ISSUES ARISING FROM DEVICE PROLIFERATION AND ADOPTION OF BRING YOUR OWN DEVICE POLICIES IN SMB NON-PROFITS 866.926.8746 www.xantrion.com
Device Proliferation Complicates Security and Privacy Tools for unified security management aren t adequate to enforce the following. Encryption Password policy Inactivity timeout and screen lock Users mix personal and sensitive company data on the same device complicating Legal discovery Remote wipe Ability to attest to a known security state 866.926.8746 www.xantrion.com
Abad day looks like.. A personal MacBook with company e-mail containing sensitive data (donor list / patient information) is lost. A disgruntled employee reports this to: your Board / the Department of Health and Human Services / the San Francisco Business Times. Upon investigation it is discovered: There was no policy prohibiting e-mail on unmanaged devices Your helpdesk set up e-mail on the device The device was not password protected The device was not encrypted The device can not be remotely erased IT had never informed management of the risks of allowing e-mail to synchronize to unmanaged devices Your organization is now publically on the wall of shame at Privacyrights.org The Department of Health and Human Services The Office of the California Attorney General 866.926.8746 www.xantrion.com
YOU 866.926.8746 www.xantrion.com
The risk of an incident is very real Target Loss of nearly 110M customer s payments cards Home Depot 56M customer s payments cards compromised Anthem Health Insurance Cyber-attack resulting in exposure of over 80M people s health and SS infomation Thousands of other examples http://www.privacyrights.org/data-breach http://oag.ca.gov/ecrime/databreach/list 866.926.8746 www.xantrion.com
Legal Mandates to disclose increase the consequences of a privacy breach Department of Health and Human Services HITECH Health Information Technology (HITECH) Act section 13402 HIPAA covered entities Federal Trade Commission FTC 16 C.F.R. Part 318: Health Breach Notification Rule Health Information California Privacy Act: Civil Code 1798.80-1798.84 Broad variety of personal information 866.926.8746 www.xantrion.com
The California Privacy Act covers a very broad range of personal information Name, Signature, physical characteristics or description Social security number, passport number Driver's license or state identification card number Address, telephone number Insurance policy number Education, employment, employment history Bank account number, credit card number, debit card number Any other financial information Any other medical information Any other health insurance information Does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records 866.926.8746 www.xantrion.com
Loss and Theft of devices is the biggest cause of incidents Sources of HIPAA Data Breaches 2010 to 2013 and Recommended Controls Code review, Patching, penetration testing, IDS etc. Theft 53% Hacking / IT Error 9% Insider Disclosure 21% Human resource controls: Education, Employee satisfaction Loss / Improper Disposal 17% Endpoint and storage media Controls: Encryption, allow only streaming access 866.926.8746 www.xantrion.com Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Loss and theft occurs for all types of network equipment, each needs to be properly protected. Phone / tablet 23% Laptop 58% Server 9% Backup Media 2% = Endpoints, encrypt Desktop 8% = Servers and Backups, locate in data centers 866.926.8746 www.xantrion.com
Small to Mid Sized Non-Profits have a particularly big problem Often have sensitive information Donor lists Client information subject to HIPAA controls Client information subject to California Privacy Act Cost considerations prohibit providing a dedicated company phone / tablet. Users are encouraged to use personal devices Cultural norms limit ability of IT to enforce policy Budget and lack of scale exacerbate issues of having a heterogeneous set of devices 866.926.8746 www.xantrion.com
Dont do this! 866.926.8746 www.xantrion.com
Recruit allies who can drive adoption of security best practices CPA s (auditors) Homogeneity eases HIPAA or SSAE 16 compliance Legal Counsel Inadequate data protection practices increase legal liability Insurance Brokers Inability to attest to certain controls will increase insurance costs or make coverage unavailable IT Consultants Confirm for management the challenges and costs of supporting multiple platforms Help identify and the best tools to manage various platforms 866.926.8746 www.xantrion.com
Manage Risks Holistically Educate top management Get sign-off on a risk based security and privacy policy. Budget for tools to support new devices Control risks of user ignorance or anger at the firm Educate employees on legal and ethical requirements for protecting sensitive data Encourage good human resource practices to improve employee satisfaction Security requirements Restrict data storage to only those devices that can be physically secured or affirmatively encrypted Restrict uncontrolled devices to streaming only access Reduce Legal Liability Get audited for HIPAA or SSAE 16 compliance Buy Insurance 866.926.8746 www.xantrion.com
Security leads to Supportability Pushing back against having to support a new device is often a problem IT has to face alone. Security of company and customer data should be an organization wide issue everyone can get behind. By ensuring that everyone is on-board with security you will have the buy-in you need to restrict access to a supportable environment. 866.926.8746 www.xantrion.com
Appendix 866.926.8746 www.xantrion.com
Some MDM Solutions Exchange ActiveSync Citrix XenMobile AirWatch Mobile Iron Good Meraki 866.926.8746 www.xantrion.com
Mobile Iron has caveats and limitations One-size-fits-all device management is not practical. Fractured set of device policies is required for implementation in heterogeneous environments. Problem is even more obvious if you wish to extend product beyond phones/tablets. OS X support is very limited. Implementation, scoping , and application of device security policies is not intuitive. Administrator, support staff, and end user training/retraining is required. General out of compliance notifications are vague. Advanced administrator knowledge of product is required to interpret findings and act on potential security risks. Support response time is slow. Update are released infrequently even in response to acknowledged problems with product. 866.926.8746 www.xantrion.com