Dear Readers,
My name is Bryan Guinn, longtime member of North Chamber Technology and President at Prism Technologies Group, a local IT Managed Services Provider. I also serve on the International Association of Microsoft Channel Partners Board in San Antonio (IAMCP) and have been given the opportunity to be the editor for the North Chamber Tech Newsletter for 2012. I hope all of you are getting off to a good start in the New Year. This month’s articles will not only clue you in to the latest in technology and provide food for thought, they will also provide some fun as well.
First, I would like to thank DAHILL for their support and generosity as the 2012 Technology Newsletter sponsor.
To begin our publication, we have an excellent article by Tom DeSot of Digital Defense, Inc. that brings up the question, are mobile devices more beneficial or dangerous in the business? This article really follows up well to the Business Technology Speaker Series event that was held last October, Small Business Productivity: On the Go & In the Know, which had a heavy focus on device security for the business.
Next we have a really fun article by Elizabeth Hill at Tech Sage Solutions that helps us see the warning signs that our lives are going too Hi-Tech! The third article we have this month is an in-depth article provided by Brian J. Thomas, CISA, CISSP at Weaver LLP, that will help you ask the right questions to get validated assurances from your Cloud Service Provider. This is true not only from a security and regulatory compliance standpoint but also to ensure you are receiving the service for which you paid.
For our final article, Dr. Jimmie Flores from the Alamo Colleges discusses three qualities you have to demonstrate to be a Highly Effective Leader, not only in the public sector but in the private sector as well.
If you have any ideas for articles, or would like to contribute in an upcoming issue, please contact Debby or me. I hope you enjoy the first newsletter of the year and I look forward to providing you with relevant information over the next year!
Bryan Guinn
Prism Technologies Group

Mobile Devices in the Enterprise – Empowering or Endangering?
Tom DeSot, Executive Vice President, Chief Information Officer; Digital Defense, Inc.
Each day around the globe, organizations unknowingly introduce a new threat into their enterprise. Unfortunately many of these same organizations do not realize the reality of the threat until it is far too late and sensitive corporate information has been exposed.
The threat? Mobile devices.
What is a Mobile Device?
Simply put, a mobile device is a smart phone or tablet computer that can be connected to a corporate network with little, if any, assistance needed from corporate IT departments.
But what’s the risk in that you say? Read on.
We Roll Our Own Around Here
To get a handle on the danger these devices pose, it’s best to start at the beginning…how do they get into the enterprise in the first place?
It has become very common in companies, small and large, to allow employees to source their own mobile device equipment. Unlike in times past where the corporate IT department provided the desktop or laptop computer and controlled the who, what, where, and when of its use, corporate IT now often does little more than provide instruction on how the employee needs to configure the device in order for it to connect to corporate resources.
Once connected, the device typically is given full access to corporate e-mail, calendars, and file sharing services. Additionally, in a perfect world, the employee becomes instantly more productive.
However, this productivity comes at a cost.
There’s an App for That!
With the device now connected to the corporate network, the employee is free to answer emails, send out meeting requests, and pull down the latest sales figures to share with colleagues.
…. and post to Facebook, tweet on Twitter, and play any number of games downloaded from sources around the globe. Some are reputable, some not so much.
Would you let an employee download applications from the Internet to their desktop or laptop without IT approval? Of course not, the dangers are too great!
However, in many companies, it is commonplace for employees to download games from marketplaces and install and run them on their mobile devices. In most cases, their corporate IT department is none the wiser. Unfortunately, the app downloaded contained malware that is now wreaking havoc on the mobile device and the data residing on it.
It Only Gets Worse from Here
Downloading games and other apps from the Internet is just the tip of the iceberg when it comes to the threats enterprises are being exposed to each time a new mobile device is connected to their network.
Consider this scenario…
Jim has a new mobile device and has recently connected it to his company’s corporate network for all of the usual reasons. Jim feels empowered and his boss loves the newfound ability to respond to emails at any time of the day or night.
Unbeknownst to Jim’s boss or IT department, Jim typically gives his mobile device to his daughter when the family is out to dinner, or on the road to keep her occupied.
One day during a long road trip, Jim’s daughter accesses the e-mail program on the mobile device and forwards the corporate sales projections out to every person contained in the contact list on Jim’s mobile device.
You can use your imagination to guess what happened to Jim AND his mobile device later that day.
The Fact of the Matter is…. Pandora’s Box is Open
Mobile devices are proliferating in enterprises at an ever-faster rate with the byproduct being that the threat to corporations is growing exponentially.
So what to do? It’s actually not as difficult as you might first think.
First and foremost, if your organization is considering the use of mobile devices in the enterprise, or is already allowing their use, a risk assessment is in order. As with any new technology, the risk associated with the use of mobile devices needs to be weighed against its proposed benefits. Then and only then can a company determine what policies and technical controls need to be put in place to protect the company and its data.
What types of policies and technical controls are needed? That’s another article altogether; however, being aware is the first step.

24 Signs That Your Life Is Going Too Hi-Tech
Elizabeth Hill, Tech Sage Solutions
1. You try to enter your password on the microwave.
2. You have 15 phone numbers to reach your family of three.
3. You consider “mouse elbow” a sports injury.
4. Your daughter is selling Girl Scout Cookies on her Web site.
5. The concept of using real money is becoming foreign to you.
6. Cleaning up the dining area means getting the fast food bags out of the back seat of your car.
7. The only jokes you "hear" come by e-mail.
8. Your cereal box says, “Visit us online”, and you do.
9. You consider 2nd day air delivery painfully slow.
10. The reason you don't keep in touch with some of your family: They don't have e-mail addresses.
11. You chat with a stranger from South Africa, but you haven't spoken to your next door neighbor in more than a year.
12. The computer you bought last week is now outdated and selling for half price.
13. You instant message your son in his room saying dinner is ready. He replied back to ask what you're having.
14. You consider naming your daughter "Dot" and your son "Com."
15. You order take-out food online.
16. Your family pet runs on batteries.
17. You can have more meaningful conversations with your car than your spouse.
18. You start calling telemarketers “spammers”.
19. You’ve never actually met your spouse in person.
20. You can turn your lights on, open the garage door, turn up your stereo, and see your back yard without leaving your computer.
21. You have 5 remote controls in your living room to operate one TV.
22. Your dog has an e-mail address.
23. Your idea of a great first date involves a cup of coffee and a chat room.
24. Your legs have fallen off from lack of use.

The SOC 2 Report: More Appropriate Assurance from a Cloud Service Provider
Brian J. Thomas, CISA, CISSP, Weaver LLP
The recent retirement of the Statement on Auditing Standards No. 70 (SAS 70) report provides an opportunity for cloud customers to consider the value of requesting a Service Organization Control 2 (SOC 2) assurance report from a Cloud Service Provider (CSP).
The SOC 2 report is one of three SOC reports developed by the American Institute of Certified Public Accountants (AICPA). The SOC reports were developed to complement the 2011 service organization reporting standard transition from SAS 70 to Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
Prior to SAS 70’s retirement, public corporations appropriately requested the report to attain assurance that a third-party service organization maintained effective internal controls over financial reporting functions. The Sarbanes-Oxley Act of 2002 requires such assurance. Too often, though, SAS 70 was viewed as an all-purpose assurance report that could address an array of operational and compliance scenarios.
SSAE 16 retains SAS 70’s value as an assurance report for a service organization’s internal controls over financial reporting. The SOC reports, though, offer more appropriate report options for addressing information technology internal control issues, including issues that relate to operational and compliance concerns.
The SOC reports are available in SOC 1, SOC 2 and SOC 3 formats. A SOC 1 engagement is based on SSAE 16, and is most valuable to cloud customers who utilized a CSP’s SAS 70 for fulfilling Sarbanes-Oxley requirements. The SOC 2 and SOC 3 reports are based on the AICPA’s Trust Services Principles:
· Security: Physical and logical measures protect against unauthorized access.
· Availability: System is available for operation and use, as specified.
· Processing integrity: System processing is complete, accurate, timely and authorized.
· Confidentiality: Information designated as confidential is protected, as committed or agreed.
· Privacy: Information is collected, handled and disposed of in accordance with criteria established by the AICPA and the Canadian Institute of Chartered Accountants’ Generally Accepted Privacy Principles (GAPP).
The SOC 3 report is more of a general use report that is beneficial for marketing purposes. It only includes the auditor’s opinion on whether the system achieved the Trust Services criteria. Supporting details are not included in the report.
A SOC 2 Type 2 report is far more useful in fulfilling a cloud customer’s audit requirements. The report includes a description of the organization’s system, a CPA’s opinion on fairness of presentation of the description, and suitability of design, as well as a description of the tests performed by the service auditor, and the test results.
One or more of the Trust Services Principles are addressed in a SOC 2 report. That focus and flexibility enables a cloud customer to attain assurance for the internal control principles that are most relevant for the services it receives from a CSP.
A professional services firm, for example, may contract with a CSP for the use of various applications offered in the Software-as-a-Service (SaaS) format. Those SaaS applications need to be readily accessible and available for use when needed. The professional services firm needs to know that various processing functions perform as expected and produce valid results. For that cloud customer, Availability and Processing Integrity are vital assurance issues.

Three Qualities of Highly-Effective Leaders
Dr. Jimmie Flores, Alamo Colleges
I often use a quote from MSNBC’s Chris Matthews: “To become a meaningful participant, you must get a seat at the table.” It makes sense that we must take some level of risk, and do something to contribute to the success of our organization. In other words, standing on the sidelines will accomplish nothing. We must participate.
Recently, I heard Matthews discuss the leadership qualities that he finds important. While his discussion focused on the current political candidates, the attributes are equally applicable to those of us in the business community.
Quality #1: Motive
Matthews was adamant that a great leader “must stand for something.” What are you trying to accomplish? Where do you see a gap that you wish to bridge? How do you plan to make a difference? Until you can express to others why they should believe in you, nothing happens.
A leader is not a manager. The people who run the organization are far-sighted, continually focused on maximizing shareholders’ wealth, opening new markets, and providing unparalleled customer support. A manager, on the other hand, takes a tactical approach. These individuals create processes, teach those steps to others, and perform quality checks. The leaders ensure that the processes are aligned with organizational strategy, which means they will yield long-term results.
Quality #2: Passion
Matthews states that passion in leaders is described as “what brings out the emotions, and what drives their spirit.” You must know what excites you, and what will keep you going even when obstacles arise. If you are easily discouraged when a challenge arises, you lack the passion for that activity, work, and even for your career success.
You must continually search for meaningful work. If you often awake before your alarm clock sounds because of your excitement to reach your office, you have passion for what you do. Passionate people have a difficult time accepting failure. Instead, they look for different angles, a unique perspective, and new ways to exploit opportunities.
Quality #3: Spontaneity
Matthews asks, “Can they react to a challenge or moment?” In other words, can you think on your feet? Are you prepared to make smart decisions without falling into the paralysis of analysis trap?
While process is important, we must embrace some level of risk. It’s foolish to believe that we must have all the facts before making a decision. We can expect to make mistakes, but the trick is to identify the error quickly. After the problem is resolved, you can conduct a lessons learned exercise, which focuses on what was done right, and what should be avoided.
Great leaders are committed to getting things done. Of course, these individuals build a talented staff, and are not threatened by them. The effort is on high performance, and not who is going to receive the accolades.
Excelling in a leadership role requires that one have a reason to do well. Once we know what is important, we must align our energy to realize the intended benefits. Given that problems will arise, the top-notch leader is agile, constantly taking corrective action to meet the organizational objectives. Finally, successful leaders are willing to share the wealth, understanding that it takes a competent team to realize the goals that are most important for the enterprise.
