JUNE 2013

RiskManagement ofEnterpriseMobility IncludingBringYourOwnDevice

TABLEOFCONTENTS
ExecutiveSummaryIntroductiontoEnterpriseMobility ....................................................................................... 1 PotentialBenefitsofEnterpriseMobility .................................................................................................................. 2 PotentialBenefitsofUsingPersonallyOwnedDevices............................................................................................. 2 DevelopanEnterpriseMobilityStrategy................................................................................................................... 3 DeterminetheExtentofExistingEnterpriseMobility............................................................................................... 3 DevelopBusinessCasesWithSuitableMobilityApproaches.................................................................................... 3 ExampleBusinessCases ........................................................................................................................................ 3 ExampleEnterpriseMobilityApproachesandScenarios ...................................................................................... 4 ConsiderationsforChoosingEnterpriseMobilityApproaches ............................................................................. 6 IdentifyRegulatoryObligationsandLegislation........................................................................................................ 7 AllocateBudgetandPersonnelResources ................................................................................................................ 8 DevelopandCommunicateEnterpriseMobilityPolicy............................................................................................. 9 TechnicalSupport ................................................................................................................................................ 10 FinancialSupport ................................................................................................................................................. 11 MonitortheImplementationandReporttoManagement .................................................................................... 12 FacilitateOrganisationalTransformation................................................................................................................ 12 FurtherInformation................................................................................................................................................. 12 ContactDetails......................................................................................................................................................... 13 AppendixA:ArbitraryUnmanagedDevicesforInternetAccess............................................................................. 14 CorporatelyEnforcedRiskManagementControls .............................................................................................. 15 FilteredandMonitoredNetworkTraffic ......................................................................................................... 15 SeparationBetweentheOrganisationsCorporateNetworkandtheGuestWiFiNetwork.......................... 15 CorporateWorkstationsConfiguredtoBlockAccesstoUnauthorisedDevices ............................................. 15 UserreliantRiskManagementControls ............................................................................................................. 15 AntimalwareSoftware.................................................................................................................................... 15 AvoidBehaviourthatisUnauthorised,Excessive,OffensiveorUnlawful ...................................................... 16 AppendixB:ArbitraryUnmanagedDevicesforNonsensitiveData ....................................................................... 17 CorporatelyEnforcedRiskManagementControls .............................................................................................. 17 SegmentationandSegregationBetweenDevicesandOrganisationalSystems ............................................. 17 WebApplicationandOperatingSystemVulnerabilityAssessmentandSecurityHardening ......................... 17

ii

AppendixC:CorporatelyApprovedandPartiallyManagedDevicesforSensitiveData ......................................... 18 CorporatelyEnforcedRiskManagementControls .............................................................................................. 19 OverviewofManagedSeparation,RemoteVirtualDesktopandMobileDeviceManagement..................... 19 ManagedSeparation ....................................................................................................................................... 22 RemoteVirtualDesktopSoftware................................................................................................................... 22 MobileDeviceManagement ........................................................................................................................... 25 MultifactorAuthentication ............................................................................................................................ 26 EncryptionofDatainTransit ........................................................................................................................... 27 RemoteTracking,LockingandWiping ............................................................................................................ 27 LowPrivilegedCorporateUserAccounts ........................................................................................................ 27 NetworkArchitectureControllingAccesstoOrganisationalDataandSystems ............................................. 28 OperatingSystemExploitMitigationMechanisms ......................................................................................... 29 UserreliantRiskManagementControls ............................................................................................................. 29 RegularBackupsofWorkData ........................................................................................................................ 29 AccesstoEmails,FilesandOtherDataofArchivalSignificance...................................................................... 29 AvoidUnauthorisedCloudServicesforDataBackup,StorageorSharing ...................................................... 30 StrongPassphraseConfigurationSettings....................................................................................................... 30 SecurityIncidentReportingandInvestigation ................................................................................................ 31 AvoidJailbreakingandRooting ....................................................................................................................... 31 EmployeeEducationtoAvoidPhysicalConnectivitywithUntrustedOutletsorDevices............................... 31 EmployeeEducationaboutBluetooth,NearFieldCommunicationandQuickResponseCodes ................... 32 EmployeeEducationtoAvoidInstallingPotentiallyMaliciousApplications................................................... 32 EmployeeEducationtoAvoidBeingVictimsofShoulderSurfing ................................................................... 33 EmployeeEducationtoAvoidCommonIntrusionVectors ............................................................................. 33 SecurityPatches............................................................................................................................................... 34 OwnershipofIntellectualPropertyandCopyright.......................................................................................... 35 EncryptionofDataatRest............................................................................................................................... 35 AvoidPrintingviaUntrustedSystems ............................................................................................................. 36 PersonalFirewall ............................................................................................................................................. 36 AppendixD:CorporatelyApprovedandManagedDevicesforHighlySensitiveData............................................ 37 CorporatelyEnforcedRiskManagementControls .............................................................................................. 37 DeviceSelection............................................................................................................................................... 38 MobileApplicationManagementandEnterpriseApplicationStores............................................................. 38

iii

EXECUTIVESUMMARYINTRODUCTIONTOENTERPRISEMOBILITY
Enterprisemobilityenablesemployeestoperformworkinspecifiedbusinesscasescenariosusingdevicessuch assmartphones,tabletsandlaptops,whileleveragingtechnologiesthatfacilitateremoteaccesstodata.Awell designedenterprisemobilitystrategycancreateopportunitiesfororganisationstosecurelyimprovecustomer servicedelivery,businessefficiencyandproductivity.Inaddition,employeesobtainincreasedflexibilityto performworkregardlessoftheirphysicallocation. ThisdocumentisdevelopedbytheAustralianSignalsDirectorate(ASD),alsoknownastheDefenceSignals Directorate(DSD),toprovideseniorbusinessrepresentativeswithalistofenterprisemobilityconsiderations. Theseincludebusinesscases,regulatoryobligationsandlegislation,availablebudgetandpersonnelresources, andrisktolerance.Additionally,riskmanagementcontrolsareprovidedforcybersecuritypractitioners. Thisdocumentaimstoassistreaderstounderstandandhelpmitigatethesignificantrisksassociatedwithusing devicesforworkrelatedpurposesthathavethepotentialtoexposesensitivedata.Risksareprimarilydueto thelikelihoodofdevicesstoringunprotectedsensitivedatabeinglostorstolen 1 ,useofcorporatelyunapproved applicationsandcloudservicestohandlesensitivedata,inadequateseparationbetweenworkrelateduseand personaluseofadevice,andtheorganisationhavingreducedassuranceintheintegrityandsecuritypostureof devicesthatarenotcorporatelymanaged.Additionalrisksariseduetolegalliability,regulatoryobligationsand legislationrequiringcompliance,andtheimplicationsfortheorganisationsbudgetandpersonnelresources. Riskscanbepartiallymitigatedthroughapolicyoutliningthepermitteduseofdevices,includingtherequired behaviourexpectedfromemployees,whichiscomplementedbytechnicalriskmanagementcontrolstoenforce thepolicyanddetectviolations. Businesscasesforenterprisemobilitythatinvolveaccessingnonsensitivedatamightpermitemployeestouse theirpersonallyowneddevices,referredtoasBringYourOwnDevice(BYOD). Businesscasesforenterprisemobilitythatinvolveaccessingandpotentiallystoringsensitivedatamightpermit employeestousedevicesthatarelistedonacorporatelyapprovedshortlistofdevices.Suchdevicesare partiallyorcompletelycorporatelymanagedtoenforcepolicyandtechnicalriskmanagementcontrols.These controlscanincludepreventingunapprovedapplicationsfromrunningandaccessingsensitivedata,applying patchestoapplicationsandoperatingsystemsinatimelymanner,andlimitingtheabilityofemployeestouse devicesthatarejailbroken,rootedorotherwiserunwithadministrativeprivileges 2 .Optionally,some organisationsmightprovidedevicestoemployees,permitareasonabledegreeofpersonaluse,andretain ownershipofthedevicesforlegalreasonsthatfacilitatetheorganisationmonitoringdevices,remotelywiping sensitivedata,performingsecurityandlegalinvestigations,andretainingownershipofintellectualproperty. Beforeimplementingenterprisemobilityforaspecificbusinesscase,organisationsmustdecidewhether applyingthechosenriskmanagementcontrolswouldresultinanacceptablelevelofresidualrisk.
1 2

http://www.amta.org.au/pages/amta/The.Mobile.Phone.Industry.Statement http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

POTENTIALBENEFITSOFENTERPRISEMOBILITY
Potentialbenefitsofenterprisemobilityinclude: improvedcustomerservicedelivery,businessefficiencyandproductivity,especiallyforemployeeswho workoutoftheoffice,arefieldagents,orwhotravelfrequently improvedproductivitythatisindependentofanemployeesphysicallocation,andprovidesemployees withtheopportunitytobeproductivewhenotherwiseidlesuchaswhentravellingonpublictransport enablingtherecruitmentoftalentedpeoplefromanywhereintheworldwhodontwanttorelocateto thecityoftheorganisationsoffice flexibleworkinghoursenablingemployeestoblendpersonaltimeandprofessionaltimetoachievean integratedworklifebalance opportunitiestotransitionemployeesonextendedleavebackintotheworkplacesoonerbyworking parttimefromhome reducedcostsofrealestate,buildingoperationsandbuildingmaintenanceifemployeeshotdeskand areencouragedtoworkoutoftheoffice businesscontinuityifemployeesareunabletoworkintheoffice,forexampleduetoanairconditioning failure,poweroutage,publictransportstrike,flood,fireorotherevent environmentalbenefitssuchasreducedcommutingtotheofficeandreduceduseofprintedpaper.

POTENTIALBENEFITSOFUSINGPERSONALLYOWNEDDEVICES
Potentialbenefitsofusingpersonallyowneddevicesforenterprisemobilityinclude: reducedhardwarecostsfortheorganisationifemployeespayfortheirdeviceanincreasingnumberof employeesalreadyownpowerfuldevicesandemployeesmighttakebettercareofadeviceifthey contributetheirownmoneytowardsit freedomforemployeestousedevicesthattheyprefer,arefamiliarwithandhavetailoredtotheir usagepreferencestoincreasetheirproductivity negatingtheneedforemployeestocarryadeviceforworkuseandanotherdeviceforpersonaluse improvedemployeejobsatisfaction,staffretentionandrecruitmentofstaffwhodesiretheabilityto usetheirowndevice leveragingmoderntechnologiesthatempoweremployeestoinnovatefasteranddevelopmoreefficient waystodotheirjob,bytakingadvantageofemployeeswhorefreshtheirsoftwareandhardwaremore regularlythanorganisationsthatprovideoutdatedITcapabilitythatisrefreshedevery35years.

DEVELOPANENTERPRISEMOBILITYSTRATEGY
Developinganenterprisemobilitystrategyisfundamentallyimportanttoanorganisationsuccessfully implementingenterprisemobilitytoachievebusinessoutcomeswithanacceptablelevelofrisk.Intheabsence ofastrategy,theorganisationsmobilitymightbedrivenbyemployees,withoutclearmeasuresofsuccessand withoutadequateconsiderationofrisks. Anenterprisemobilitystrategymightinvolvestartingwithapilottrialconsistingofasmallnumberofusersand abusinesscasethatislowrisk,highvalueandhasclearmeasuresofsuccess.Subsequentlyreviewingthe successofthetrial,includingthecostsandtheimpacttotheorganisationssecurityposture,enablesthe organisationtomakeaninformeddecisionastowhethertoincreasetheiruseofenterprisemobility. Thefollowingsectionsinthisdocumentprovideguidanceforthestepsassociatedwithimplementingthe enterprisemobilitystrategythattheorganisationhasdeveloped.

DETERMINETHEEXTENTOFEXISTINGENTERPRISEMOBILITY
Theextentofexistingauthorisedandunauthorisedenterprisemobilitycanbeinformedbytalkingtobusiness representativesandemployees,reviewingtheorganisationsassetinventoryofassigneddevices,andusing securitycontrolstodetect: rogueWiFiaccesspointslocatedontheorganisationspremises unauthoriseddevicesaccessingthecorporatenetworkoraccessingtheInternetviatheorganisations networkinfrastructure employeesobtainingacopyoforganisationaldataviaremovablestoragemedia,emailorcloudservices.

DEVELOPBUSINESSCASESWITHSUITABLEMOBILITYAPPROACHES
Justifiedbusinesscasesforenterprisemobilityhavetangibleandmeasuredbenefitstotheorganisation,its employeesandcustomers.Thesebenefitsoutweightherisksandcoststotheorganisation.Clearlydefiningeach businesscase,includingspecifyingwhatorganisationaldataneedstobeaccessed,providesabetter understandingoftheopportunitiesandbenefitsversustherisksandcoststotheorganisation.

ExampleBusinessCases
Organisationsdevelopingenterprisemobilitybusinesscasesmightdecidetopermitemployeesto: collaboratewithotheremployeesviainstantmessagingorvideoconferencing useworkrelatedsoftwareincludingapplicationsdevelopedbytheorganisation send,receiveandprintworkrelatedemailswithfileattachments

access,develop,print,storeandshareworkrelatedfilesthatresideindatarepositoriessuchas SharePoint,networksharesorenterprisegradecloudstorage accesscalendars,contacts,intranetwebsitesandintranetwebapplications accesstheInternetusingtheorganisationsnetworkinfrastructure.

ExampleEnterpriseMobilityApproachesandScenarios
Anexampleenterprisemobilityimplementationmightinvolveacombinationofthefollowingapproaches. ScenarioA:Thisscenarioinvolvesusingdeviceswithahardwaremodelandoperatingsystemversionthat: isarbitrarilychosenbytheemployee hasminimalriskmanagementcontrolsappliedfurtherdetailsareprovidedinAppendixA iscorporatelyunmanaged isusedtoaccesstheInternetviatheorganisationsnetworkinfrastructure.

ScenarioB:Thisscenarioinvolvesusingdeviceswithahardwaremodelandoperatingsystemversionthat: isarbitrarilychosenbytheemployee hasminimalriskmanagementcontrolsappliedfurtherdetailsareprovidedinAppendixB iscorporatelyunmanaged isusedtoaccessnonsensitivedata.

ForAustraliangovernmentagencies,nonsensitivedataisdefinedforthepurposeofthisdocumentasdatathat isunclassified.Examplesofnonsensitivedataareunclassifiedcomputerbasedtrainingcoursesandunclassified intranetwebapplications. ScenarioC:Thisscenarioinvolvesusingdeviceswithahardwaremodelandoperatingsystemversionthat: ischosenbytheemployeefromacorporatelyapprovedshortlist hasmoderateriskmanagementcontrolsappliedfurtherdetailsareprovidedinAppendixC usescorporatelymanagedseparationoforganisationaldataandpersonaldata,forexampleusing remotevirtualdesktopsoftware,amanagedcontainerorpartitioningfunctionalitybuiltintothe operatingsystem usesacorporatelymanagedmechanismtoaccessandpotentiallystoresensitivedata,forexampleusing remotevirtualdesktopsoftwareorcorporatelyapprovednativeapplicationscombinedwithaVirtual PrivateNetwork.

ForAustraliangovernmentagencies,sensitivedataisdefinedforthepurposeofthisdocumentasdatathatis unclassifiedwithdisseminationlimitingmarkerssuchasForOfficialUseOnly(FOUO),Sensitive,Sensitive:Legal orSensitive:Personal.Examplesofsensitivedataarecorporateemails,calendarsandcontacts,aswellasfiles residinginSharePoint,networksharesorenterprisegradecloudstorage. Devicesinthisscenariomightbeprovidedtoemployeesbytheorganisation,withareasonabledegreeof personalusepermitted.Organisationsmightretainownershipofdevicesforlegalreasonsthatfacilitatethe organisationmonitoringdevices,remotelywipingsensitivedata,performingsecurityandlegalinvestigations, andretainingownershipofintellectualproperty.Enablingemployeestochooseadevicefromacorporately approvedshortlistisreferredtobysomevendorsasChooseYourOwnDevice,especiallyifthedeviceis purchased,ownedandmanagedbytheorganisation. ScenarioD:Thisscenarioinvolvesusingdeviceswithahardwaremodelandoperatingsystemversionthat: ischosenbytheemployeefromacorporatelyapprovedshortlist hascomprehensiveriskmanagementcontrolsappliedfurtherdetailsareprovidedinAppendixD iscompletelycorporatelymanaged,forexampleusingASDevaluatedBlackBerryEnterpriseServer 3 or AppleConfigurationProfilescombinedwithSupervisedMode 4 potentiallyincludescorporatelymanagedseparationoforganisationaldataandpersonaldata,for exampleusingremotevirtualdesktopsoftware,amanagedcontainerorpartitioningfunctionalitybuilt intotheoperatingsystem usesacorporatelymanagedmechanismtoaccessandpotentiallystorehighlysensitivedata,for exampleusingremotevirtualdesktopsoftwareorcorporatelyapprovednativeapplicationscombined withaVirtualPrivateNetwork.

ForAustraliangovernmentagencies,highlysensitivedataisdefinedforthepurposeofthisdocumentasdataup toPROTECTED. Thecomprehensiveriskmanagementcontrolsmightrestrictthedevicesfunctionalitytoanextentthatwould overlyfrustrateanemployeeusingapersonallyowneddevice.Therefore,devicesinthisscenariomightbe providedtoemployeesbytheorganisation,withareasonabledegreeofpersonalusepermitted.Devicesonthe shortlistmightbelimitedtosmartphonesandtabletsthatarepartofasinglevendorsecosystemduetothe requiredcompatibilitywithriskmanagementcontrols.Organisationsmightretainownershipofdevicesforlegal reasonsthatfacilitatetheorganisationmonitoringdevices,remotelywipingsensitivedata,performingsecurity andlegalinvestigations,andretainingownershipofintellectualproperty.Enablingemployeestochoosea devicefromacorporatelyapprovedshortlistisreferredtobysomevendorsasChooseYourOwnDevice, especiallyifthedeviceispurchased,ownedandmanagedbytheorganisation.
3 4

http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MTE2IyMjMjAzLjYuNjkuMg== http://www.dsd.gov.au/publications/iOS5_Hardening_Guide.pdf

ConsiderationsforChoosingEnterpriseMobilityApproaches
Whenselectinganenterprisemobilityapproachforaparticularbusinesscase,considertheemployeesjobrole, thesensitivityofthedatatobeaccessed,riskmanagementcontrolsandtheirimpacttoemployeeprivacyand userexperience.Alsoconsiderwhetherthelevelofresidualriskisacceptabletotheorganisation,andcoststo theorganisationsuchastheleveloftechnicalsupportandfinancialsupportprovidedtoemployees. TheseconsiderationsarerepresentedinFigure1whichreflectstheexampleenterprisemobilityscenarios mentionedpreviously.Detailedriskmanagementcontrolsforeachenterprisemobilityscenarioareprovidedin theappendicesofthisdocument.

CharacteristicsofExampleEnterpriseMobility Scenarios

SecurityPosture,UserExperienceImpact,TechnicalandFinancialSupport

High

ScenarioD Corporatelymanagedandapproved devicemodelandOS,toaccess/store highlysensitivedata,potentially separatingpersonalandworkdata ScenarioC Corporatelyapproveddevicemodel andOS,withcorporatelymanaged access/storageforsensitivedata, separatingpersonalandworkdata ScenarioB Corporatelyunmanagedarbitrary devicemodelandOS,toaccessnon sensitivedata ScenarioA Corporatelyunmanagedarbitrary devicemodelandOS,toaccessthe Internetviatheorganisationsnetwork Employee Degreeof DeviceOwnership

Low

Organisation

Figure1.Exampleenterprisemobilityscenariosvaryintheirsuitabilitytohandle sensitivedata,theircostandtheirimpacttotheemployeesuserexperience.

IDENTIFYREGULATORYOBLIGATIONSANDLEGISLATION
ASDdevelopsandpublishestheAustralianGovernmentInformationSecurityManual(ISM) 5 .TheISMadvises thatlegaladvicemustbeobtainedbeforeallowingpersonallyowneddevicestoconnecttoorganisational systems. NeithertheISMnorthisdocumentaretobeconsideredaslegaladvice.Anorganisationslegalrepresentatives mustdeterminetowhatextententerprisemobilitycanbeusedbasedonregulatoryobligationsandlegislation affectingtheirorganisation.RelevantlegislationincludesthePrivacyAct1988,thePrivacyAmendment (EnhancingPrivacyProtection)Act2012 6 ,stateandterritoryprivacylawsincludingActscoveringsurveillanceof employees 7 ,theArchivesAct1983andtheFreedomofInformationAct1982.Organisationsneedtomaintainan awarenessofrelevantlegislationandaddressanyassociatedimpactstotheirorganisation. Aspectsofenterprisemobilityrequiringlegaladvicemightinclude: whethertheorganisationispermittedtomonitordevicesandnetworktraffictoidentifypolicy violationsandothersecurityincidents whethertheorganisationispermittedtomonitortheuseofpersonallyowneddevicesoutsideofthe organisationspremises,includingremotelylocatingandtrackingadeviceslocationbasedonthe devicesGPScoordinates,nearbymobilecelltowersorthelocationofnearbyknownWiFinetworks whethertheorganisationispermittedtoaccesspersonaldatastoredonadevicewhenperforminga securityorlegalinvestigationpersonaldataincludesemails,historyofwebsitesaccessed,calendar, contactsandphotos,aswellaspersonaldatastoredintheemployeespersonalconsumergrade webmailorcloudstorageaccount whatactionanorganisationshouldtakeifviolationsofcivillaworcriminallawareaccidentally discoveredwhileanalysinganemployeesdeviceornetworktraffic insuranceandliabilityforcompensation,repairorreplacementofanemployeesdevicethatislost, stolen,compromisedwithmalwareorisotherwisedamagedandpotentiallycausesinjurysuch damagemightoccurthroughnofaultoftheemployeesincludingwhileusingthedeviceintheofficefor workrelatedpurposes legalliabilityresultingfromanorganisationremotelywipingpersonaldata 8 ,especiallyifthedeviceis ownedbysomeonewhohasnotprovidedwrittenconsent,suchastheestateofadeceasedemployee

5 6 7 8

http://www.dsd.gov.au/infosec/ism/index.htm http://www.oaic.gov.au/privacyportal/resources_privacy/Privacy_law_reform.html http://www.privacy.gov.au/law/states http://www.npr.org/2010/11/22/131511381/wipeoutwhenyourcompanykillsyouriphone

legalliabilityresultingfromdevicesspreadingmalwareorotherwiseharmingothercomputers legalliabilitytotheorganisationresultingfromemployeeshavingortransferringtoorganisational systemsanysoftwareordatathatispirated,infringingcopyrightorisinappropriatelylicenced 9 whethertheorganisationortheemployeeownstheintellectualpropertyandcopyrightofworkthatis performedonanemployeesdevice,especiallyifperformedoutsideoftraditionalbusinesshours.

ALLOCATEBUDGETANDPERSONNELRESOURCES
Organisationsimplementingenterprisemobilitymightencounteravarietyofcostssuchas: subsidisingorcompletelypayingforthecostofdevicesandassociatedworkrelatedexpenses respondingtosecuritybreaches,policyviolationsandregulatorycomplianceviolations personnelresourcesneededfromavarietyofsectionsacrosstheorganisationtocollaboratively developtheenterprisemobilitystrategyandassociatedpolicies implementingriskmanagementcontrolssuchaslicencingsecuritysoftwareandusereducation upgradingtheorganisationsITinfrastructureincludingtheWiFinetwork 10 ,Internetbandwidth,aswell asthedatacentresnetwork,storageandserverprocessingcapacity cybersecuritypersonneltoarchitecttheITinfrastructureandperformongoingdevicemanagement, monitoringandreporting additionalsoftwareClientAccessLicencesforMicrosoftWindowsserverandclientoperatingsystemsas wellasforMicrosoftOffice,especiallyiftheorganisationpaysforsoftwarelicencesperdeviceinstead ofperuser trainingIThelpdeskstafftosupportavarietyofdevicesataminimumprovidingemployeeswith configurationsettingsandbasictrainingtoconnecttopermittedorganisationalnetworksandsystems modifyingintranetwebsitesandwebapplicationstosupportavarietyofwebbrowsers enhancingidentityandaccessmanagementinfrastructuretoperformauthenticationandauthorisation ofemployeesanddevices developingmobilewebapplicationsornativesoftwareapplicationstointeractwithorganisationaldata, potentiallyrequiringtheuseofmiddlewaresolutionsenablingaccesstodatastoragerepositories.

http://www.zdnet.com/au/byodcouldopenbusinessestocopyrightlitigationbsa7000010533/ http://www.dsd.gov.au/publications/csocprotect/wireless_network_security_tech_advice.htm

10

DEVELOPANDCOMMUNICATEENTERPRISEMOBILITYPOLICY
ASDsISMadvisesthatenterprisemobilitypolicymustbedevelopedtogoverntheuseofdevicesaccessing organisationaldata. Policyreliesonuseradherenceandislikelytobemoreeffectiveifitexhibitsthefollowingcharacteristics: offersenterprisemobilityasoptininsteadofmandatory,unlesstheorganisationiswillingto completelypayforthecostofdevicesandassociatedworkrelatedcosts isjointlydevelopedbyanadvisoryboardconsistingofstakeholdersincludingthecybersecurityteam, systemandnetworkadministrators,humanresources,finance,legal,seniormanagementand employeesthisconsultativeprocesshelpstoensurethatstakeholdershavehadinput,arewillingto adheretothepolicyandacceptanyadditionalresponsibilitiestoprotectorganisationaldata clearlystateswhattypesoforganisationaldataarepermittedtobeaccessedfromwhichdevicesand whichapplicationstheabsenceofanapplicationstrategymightresultinemployeesusingapplications thathaventbeenvettedbytheorganisationtodeterminetheirpotentialtoexposesensitivedata clearlystateshoworganisationaldataispermittedtobestoredanddistributed,forexampleusing corporatelymanageddatarepositoriessuchasSharePoint,networksharesorenterprisegradecloud storage,whileavoidingtheuseofconsumergradecloudstorageandpersonalconsumergradewebmail clearlystateswhichriskmanagementcontrolsapplyanddetersemployeesfromcircumventingthese controlsbyhelpingemployeestounderstandwhypolicyrulesexist requiresemployeestosignanAcceptableUsePolicythatclearlystatestherequiredbehaviourexpected fromemployeesandtheconsequencesofviolations iscommunicatedthroughouttheorganisationtoenableemployeestounderstandtheirobligationsand thepolicy,toensurefullawarenessoftheexistenceofthepolicyandramificationsofnoncompliance theorganisationneedstodeterminewhichbusinessrepresentativesareresponsibleforremediating noncompliance,whichiscomplementedbyadocumenteddisputeescalationandresolutionprocess iscomplementedbytechnicalriskmanagementcontrolstoenforcethepolicyanddetectviolations, especiallyincaseswhereanemployeedishonourstheirwrittenagreementtoadheretothepolicy minimisesnegativeimpactstotheemployeesuserexperiencenegativeimpactsincluderequiringa verycomplexunlockpassphrase,automaticallylockingadevicesscreenafteraveryshortidletimeout period,excessivelylimitingadevicesfunctionality,anddeletingpersonaldatawhenwipinganentire deviceremotelyorafteraverysmallnumberofconsecutiveincorrectunlockpassphraseattempts statesthetechnicalsupportandfinancialsupportthatemployeescanobtain

documentstheonboardingprocessforemployeestoobtainsignedapprovalfromtheirmanager, registertheirdevice,havetheorganisationalpolicyapplied,andpotentiallyhavesoftwareinstalledon theirdevicetoassisttheorganisationtoconfigureandmanagethedevice documentstheoffboardingprocesstoremoveorganisationalsoftwareanddatafromdevicesthatare lost,stolenordeprovisionedincludingwhenemployeesceaseemployment providesabusinessrepresentativepointofcontactincaseemployeeshavefeedbackaboutthepolicy isreviewedandrefinedifnecessary,initiallyonaquarterlybasiswhileenterprisemobilityisstillnewto theorganisation,andthenonanannualbasis.

Surveyingemployeescanhelprevealwhethertheywouldbewillingtoacceptthepolicyandparticipatein enterprisemobilitybusinesscases,notingthatsomeemployeesmightperceivethat: costswillbeshiftedfromtheorganisationtothem theirprivacywillbeinvaded thefunctionalityoftheirdevicewillbeexcessivelylimited personaldatastoredontheirdevicewillbedeletedorexposed theywillbeexpectedtobeoncalltoansweremailsandphonecallsatalltimesoutsideoftraditional businesshours.

TechnicalSupport
ItisimpracticalforanorganisationsIThelpdesktosupportdevicesfromalargevarietyofmanufacturers runningalargevarietyofoperatingsystemswithalargevarietyofconfigurationsettings.Therefore,the amountoftechnicalsupportprovidedtoemployeesdependsontheorganisationspersonnelresources, whetherdevicesarelistedonacorporatelyapprovedshortlistofdevices,andthedegreetowhichdevicesare necessaryforemployeestoperformtheirjob.Technicalsupportmightinclude: providingguests,contractorsandotheremployeeswithdetailsofhowtoconnecttotheorganisations guestWiFinetworktoaccesstheInternet providingemployeeswithdetailsofhowtoconnecttopermittedorganisationalnetworksandsystems, andtheorganisationobtainingvisibilityofsecurityincidentsthatplacetheorganisationsdataatrisk providinganinternalselfservicecommunitysupportwebforumenablingemployeestoassisteach other,withtheIThelpdeskadvertisingtheexistenceoftheinternalwebforumandoccasionally contributingtowebforumdiscussionstoanswerfrequentlyaskedquestionsaninternalwebforum helpstomitigatetheriskofemployeesdisclosingdetailsabouttheorganisationsnetwork infrastructureconfigurationwhenseekingassistanceonpubliclyvisibleInternetforums

10

providingemployeeswithasmuchtechnicalsupportastheIThelpdeskiscapableof,includingashort termloanofadevicetokeepanemployeeproductivewhiletheygettheirdamageddevicerepaired providingemployeeswithfulltechnicalsupport,includingreplacingdamagedorbrokendevices.

FinancialSupport
FinancialsupportmighthaveFringeBenefitTaximplicationsduetotheorganisationpayingforadeviceor Internetandtelecommunicationsconnectivitythatisusedforpersonaluse,especiallyoutsideofbusiness hours 11 .Theamountoffinancialsupportprovidedtoemployeesdependsontheorganisationsfinancial resourcesandthedegreetowhichdevicesarenecessaryforemployeestoperformtheirjob.Financialsupport mightinclude: acknowledgingworkrelatedcostsincurredinsupportofemployeesmakingtaxdeductibleclaims providingemployeeswithataxableallowanceorstipend,orotherwisesubsidisingorreimbursingthe costofadevice,contractuallyobligatingemployeestorepayaprorataportioniftheycease employmentwithinasettimeperiod providingemployeeswithadevicethatiscompletelypaidforbytheorganisation,contractually obligatingemployeestoreturnthedeviceiftheyceaseemploymentwithinasettimeperiodorifthe organisationretainsownershipofthedevice providingemployeeswithreimbursementfortheworkrelatedportionofthemonthlybillfromthe employeestelecommunicationscarrierandInternetServiceProvider,notingthatratesassociatedwith aconsumerplanmightbehigherthanratesassociatedwithacorporateplan providingemployeeswithacorporateSIMcardorotherwisearrangingInternetand telecommunicationsconnectivityviaacorporateplan,usinganautomatedprocesstorecoverthe employeesportionofthemonthlybillviapayrollbasedoncriteriathatindicatepersonaluse expensivedataroamingchargesforemployeestravellingoverseascanbemitigatedbyproviding employeeswithaprepaidSIMcardassociatedwithatelecommunicationscarrierintheforeigncountry, orbydisablingdataroamingviaMobileDeviceManagementtoonlyallowWiFidataconnectivity 12 providingemployeeswithreimbursementforthecostofessentialworkrelatedsoftware,notingthat softwarelicencedtoanemployeeviaaconsumerlicenceinsteadofanenterpriselicenceisunlikelyto betransferabletoadifferentemployee providingemployeeswithreimbursementforthecostofessentialperipheralsandaccessories.

11 12

http://www.ato.gov.au/businesses/content.aspx?doc=/content/00167381.htm http://www.zdnet.com/au/telstraphonetheftbillshockshowsroamingstillbroken7000008331/

11

MONITORTHEIMPLEMENTATIONANDREPORTTOMANAGEMENT
OngoingmonitoringoftheenterprisemobilityimplementationincludesreviewinglogsfromMobileDevice Managementandotherlogsourcessuchasnetworklogs,userauthenticationlogsandsecuritysoftware. Regularreportingtomanagementhelpsthemtounderstandandaddressunacceptablerisks,andassess whetherthebenefitsofenterprisemobilitytotheorganisationjustifytherisksandcoststotheorganisation. Informationtoreporttomanagementincludes: thedegreeofcompliancewithregulatoryobligations,legislationandorganisationalpolicies theseverityandnumberofpolicyviolationsandothersecurityincidents thenamesofemployeeswhoareregularlyinvolvedinpolicyviolationsandothersecurityincidents costsofITinfrastructureincludingnetworkupgrades,Internetbandwidth,datastorageandserver processingcapacity costsofriskmanagementcontrols costsofprovidingemployeeswithtechnicalsupportandfinancialsupport thenamesofemployeescausinganexcessivecostburdenduetotheiruseofInternetbandwidth,data storage,technicalsupportorfinancialsupport.

FACILITATEORGANISATIONALTRANSFORMATION
Organisationsmightupdatetheirbusinessprocessestoleverageenterprisemobility,potentiallyeven transformingtheorganisationtoembraceopportunitiessuchasactivitybasedworking 13 by: reviewingthesuccessofenterprisemobilitypilottrials,includingthecostsandtheimpacttothe organisationssecurityposture reviewingandupdatingtheorganisationsenterprisemobilitystrategy makinganinformeddecisionwhethertoincreasethescopeofenterprisemobilitytoidentifyand pursueadditionalinnovativecosteffectiveopportunitiestoimprovecustomerservicedelivery, efficiencyandproductivitywithalevelofriskthatisacceptabletotheorganisation.

FURTHERINFORMATION
ThisdocumentcomplementstheadviceinASDsISMandrelevantguidanceavailableathttp://www.dsd.gov.au.
13

http://www.smh.com.au/itpro/businessit/kpmgtestrunsfutureworkplace2012111929m1j.html

12

CONTACTDETAILS
AustraliangovernmentcustomerswithquestionsregardingthisadviceshouldcontactASDAdviceand Assistanceatasd.assist@defence.gov.auorbycalling1300CYBER1(1300292371). AustralianbusinessesorotherprivatesectororganisationsseekingfurtherinformationshouldcontactCERT Australiaatinfo@cert.gov.auorbycalling1300172499.

13

APPENDICES
UsingtheAppendices
Theseappendicesprovideguidanceforfourdifferentexampleenterprisemobilityimplementationscenarios.

APPENDIXA:ARBITRARYUNMANAGEDDEVICESFORINTERNET ACCESS
ThisappendixprovidesguidancetomanagerisksassociatedwithScenarioA.Thisscenarioinvolvesdeviceswith ahardwaremodelandoperatingsystemversionthat: isarbitrarilychosenbytheemployee hasminimalriskmanagementcontrolsapplied iscorporatelyunmanaged isusedtoaccesstheInternetviatheorganisationsnetworkinfrastructure.

Thisimplementationcanenableorganisationstoapplymorestringentwebcontentfilteringcontrolsonthe corporatenetworktoreducetheriskofcorporateworkstationsbecomingcompromised. Highlevelobjectivesassociatedwiththisexamplescenarioinclude: avoidunauthorisedaccesstotheorganisationscorporatenetworktohelppreventemployees introducingmalwareontoorganisationalsystemsorexposingsensitivedata mitigatethethreatofsensitiveworkrelateddiscussionsbeingrecordedbyInternettelephony,voice recognitionorothervoicerecordingapplications maintaintheavailabilityoforganisationalInternetconnectivityatanacceptablecost reducetheriskoflegalliabilitytotheorganisationresultingfrom: o o o compromiseddevicesspreadingmalwareorharmingothercomputersontheInternet employeesdownloadingcopyrightinfringingmovies,musicorsoftwarefromtheInternet softwareordatathatispirated,infringingcopyright,orusedforworkrelatedpurposeseven thoughitisonlylicencedforhomeuse,noncommercialuseoreducationaluse employeesaccessingpornographyorotheroffensivematerialwhileintheoffice,during workinghours,fromdevicessubsidisedbytheorganisationorviatheorganisationsnetwork infrastructure.

14

CorporatelyEnforcedRiskManagementControls
Theorganisationisabletomanageriskbyenforcingthefollowingtechnicalcontrols.

FilteredandMonitoredNetworkTraffic
Implement: basicInternetwebcontentfilteringtoblockaccesstoknownpiracy,pornographicandoffensive websites bandwidththrottlingandQualityofServicetoprioritiseworkrelatednetworktraffic bandwidthquotasperuserandperdevicetopreventemployeesfromusingexcessivebandwidth networktrafficlogging,archivingandmonitoringtohelpidentifypolicyviolationsandsecurityincidents.

SeparationBetweentheOrganisationsCorporateNetworkandtheGuestWiFiNetwork
SeparatetheorganisationsinternalcorporatenetworkfromtheguestWiFinetworkthatenablescorporately unmanagedanduntrustworthydevicestoaccesstheInternet.

CorporateWorkstationsConfiguredtoBlockAccesstoUnauthorisedDevices
Configurecorporateworkstationstoblockaccesstounauthoriseddevices,forexampleUSBdevices 14 15 , Bluetoothdevices,WiFiaccesspoints,mobilehotspotsandotherdeviceswith3G/4Gconnectivity.Thishelps mitigatetheriskofcorporateworkstationseitherexchangingdatawithunauthoriseddevices,ortetheringto devicesandaccessingtheInternetviaanunmonitoredandunfilteredInternetgateway.

UserreliantRiskManagementControls
Thefollowingtechnicalcontrolsandpolicycontrolstomanageriskrelyonemployeescomplyingwithpolicy.

AntimalwareSoftware
Obtainwrittenemployeeagreementtouseantimalwaresoftwarewhichhelpsmitigatedevicesbeing compromised. Thiscontrolislessapplicabletodevicesthatuseastrongsandboxdesign,andlimittheexecutionofapplications toonlythosethatarecryptographicallysignedbyatrustedauthorityandoriginatefromanapplication marketplacewithagoodhistoryofcurationtoexcludemalware 16 .
14 15 16

http://www.securelist.com/en/blog/805/Mobile_attacks http://www.dsd.gov.au/videos/cybersense1.htm http://www.apple.com/ipad/business/itcenter/security.html

15

AdditionalInformation TheorganisationmightofferantimalwaresoftwarefreeofchargewhenemployeesaccesstheInternetviaa captiveportalandagreetothepolicy. Signaturebasedantivirussoftwareisareactiveapproachthatisunlikelytoprotectagainsttargetedmalware thattheantivirusvendordoesnthavevisibilityof.Antimalwaresoftwareextendssignaturebasedantivirus softwaretotypicallyincludeheuristicdetection,identificationofapplicationsbehavingsuspiciously,aswellas reputationcheckingofapplicationsandwebsitesaccessed.

AvoidBehaviourthatisUnauthorised,Excessive,OffensiveorUnlawful
Obtainwrittenemployeeagreementto: onlyaccessorganisationalsystemsordatathattheyareexplicitlypermittedtoaccess avoidsensitiveworkrelateddiscussionsbeingrecordedbyInternettelephony,voicerecognition 17 or othervoicerecordingapplications useorganisationalInternetconnectivityasperexistingpolicy,whichmightdisallowaccessingoffensive andcopyrightinfringingcontent,disallowexcessiveuseofInternetbandwidthforexampleviapersonal useofYouTube,andrequireemployeestoaccepttheriskoftheirdevicebeingcompromised ensurethattheirdevicedoesntcontainortransfertoorganisationalsystemsanysoftwareordatathat ispirated,infringingcopyright,orusedforworkrelatedpurposeseventhoughitisonlylicencedfor homeuse,noncommercialuseoreducationaluse notdeliberatelyaccesspornographyorotheroffensivematerialwhileintheoffice,duringworking hours,fromdevicessubsidisedbytheorganisation,orviatheorganisationsnetworkinfrastructure AustralianPublicServiceemployeesareboundbytheAustralianPublicServiceCodeofConductand Valuesevenwhenworkingoutoftheofficeusingtheirowndevice.

17

http://www.zdnet.com/applestoresyourvoicedatafortwoyears7000014216/

16

APPENDIXB:ARBITRARYUNMANAGEDDEVICESFORNON SENSITIVEDATA
ThisappendixprovidesguidancetomanagerisksassociatedwithScenarioB.Thisscenarioinvolvesdeviceswith ahardwaremodelandoperatingsystemversionthat: isarbitrarilychosenbytheemployee hasminimalriskmanagementcontrolsapplied iscorporatelyunmanaged isusedtoaccessnonsensitivedata.

ForAustraliangovernmentagencies,nonsensitivedataisdefinedforthepurposeofthisdocumentasdatathat isunclassified.Examplesofnonsensitivedataareunclassifiedcomputerbasedtrainingcoursesandunclassified intranetwebapplications. Thisappendixbuildsuponandincorporatesthehighlevelobjectivesandriskmanagementcontrolsdiscussedin AppendixAwhichcoversarbitrarycorporatelyunmanageddevicesusedtoaccesstheInternetviathe organisationsnetworkinfrastructure.HighlevelobjectivesassociatedwiththeexamplescenarioinAppendixB alsoinclude: avoidunauthorisedaccesstoorganisationalsystemsanddata avoiduntrustworthydevicescompromisingorganisationalsystemsthatarepermittedtobeaccessed.

CorporatelyEnforcedRiskManagementControls
Theorganisationisabletomanageriskbyenforcingthefollowingtechnicalcontrols.

SegmentationandSegregationBetweenDevicesandOrganisationalSystems
Appropriatelyarchitectandsegmenttheorganisationscorporatenetworkusingacombinationofsecurity enforcingmechanismssuchasfirewalls,reverseproxies,VirtualLocalAreaNetworksandVirtualPrivate Networks.Thishelpsmitigatedevicesaccessingunauthorisedorganisationalsystemsanddata.

WebApplicationandOperatingSystemVulnerabilityAssessmentandSecurityHardening
Performvulnerabilityassessmentsandsecurityhardeningofwebapplicationsandoperatingsystemsrunningon organisationalsystemsthatarepermittedtobeaccessed.Thishelpsmitigatedevicescompromising organisationalsystemsandtheirdata.

17

APPENDIXC:CORPORATELYAPPROVEDANDPARTIALLYMANAGED DEVICESFORSENSITIVEDATA
ThisappendixprovidesguidancetomanagerisksassociatedwithScenarioC.Thisscenarioinvolvesdeviceswith ahardwaremodelandoperatingsystemversionthat: ischosenbytheemployeefromacorporatelyapprovedshortlist hasmoderateriskmanagementcontrolsapplied usescorporatelymanagedseparationoforganisationaldataandpersonaldata,forexampleusing remotevirtualdesktopsoftware,amanagedcontainerorpartitioningfunctionalitybuiltintothe operatingsystem usesacorporatelymanagedmechanismtoaccessandpotentiallystoresensitivedata,forexampleusing remotevirtualdesktopsoftwareorcorporatelyapprovednativeapplicationscombinedwithaVirtual PrivateNetwork.

ForAustraliangovernmentagencies,sensitivedataisdefinedforthepurposeofthisdocumentasdatathatis unclassifiedwithdisseminationlimitingmarkerssuchasForOfficialUseOnly(FOUO),Sensitive,Sensitive:Legal orSensitive:Personal.Examplesofsensitivedataarecorporateemails,calendarsandcontacts,aswellasfiles residinginSharePoint,networksharesorenterprisegradecloudstorage. Devicesinthisscenariomightbeprovidedtoemployeesbytheorganisation,withareasonabledegreeof personalusepermitted.Organisationsmightretainownershipofdevicesforlegalreasonsthatfacilitatethe organisationmonitoringdevices,remotelywipingsensitivedata,performingsecurityandlegalinvestigations, andretainingownershipofintellectualproperty.Enablingemployeestochooseadevicefromacorporately approvedshortlistisreferredtobysomevendorsasChooseYourOwnDevice,especiallyifthedeviceis purchased,ownedandmanagedbytheorganisation. Thisappendixbuildsuponandincorporatesthehighlevelobjectivesandriskmanagementcontrolsdiscussedin AppendixBwhichcoversarbitrarycorporatelyunmanageddevicesusedtoaccessnonsensitivedata.Highlevel objectivesassociatedwiththeexamplescenarioinAppendixCalsoinclude: protecttheorganisationsfinancialinvestmentinthecostofdevices maintaintheavailabilityandintegrityoforganisationaldataforbusinesscontinuity maintaintheconfidentialityofsensitivedata maintaincorporateownershipoforganisationaldatacreatedbyemployeesusingtheirdevice rapidlyrespondtopolicyviolations,dataspillsandothersecurityincidents beabletoperformelectronicdiscoveryforlitigationcasesandfreedomofinformationrequests.

18

Someoftheriskmanagementcontrolsdescribedinthisappendixmightbeunnecessaryorimpractical dependingontheorganisationsbusinesscase,thesensitivityofdataaccessedbydevices,theuseofotherrisk managementcontrols,andthetypeofdevicenotingthatsomecontrolsfocusprimarilyonsmartphonesand tabletsratherthanlaptops. Anexampleshortlistofdevicesfromwhichemployeescanchooseisasmartphoneortabletdevicerunning: iOSversion5.1orlater 18 BlackBerryversion5orlater Windowsversion8orlater Androidversion4orlaterrunningondevicesfromspecificallynamedhardwaremanufacturerswitha historyofdistributingsecurityupdatesinatimelymanner.

Theshortlistofdevicesisregularlyupdatedtoreflectnewlyavailabledevicesonthemarketandislimitedto onlydevicesthat: arecompatiblewithrequiredbusinessapplicationsdevelopedbytheorganisationandbythirdparties theorganisationhasthetechnicalknowledgetosupport,resultinginmorepredictablesupportcosts meetminimumrequirementsspecifiedbytheorganisation,includingcompatibilitywiththe organisationschosenriskmanagementcontrolssuchasMobileDeviceManagementaswellas managedseparationmechanismssuchasmanagedcontainers providetheorganisationwithadequateassuranceofthedevicesabilitytoappropriatelyprotect sensitivedata complywithAustralianlegislation 19 andarecoveredbyAustralianwarranties.

CorporatelyEnforcedRiskManagementControls
Theorganisationisabletomanageriskbyenforcingthefollowingtechnicalcontrols.

OverviewofManagedSeparation,RemoteVirtualDesktopandMobileDeviceManagement
ASDsISMadvisesthatdeviceswithoutASDapprovedencryptionshouldnotstoreunclassifiedFOUO/Sensitive dataandmustnotstoreclassifieddata.Additionally,ASDsISMadvisesthatemployeesshouldbeprevented frominstallingunapprovedapplicationsthatcanaccessunclassifiedFOUO/Sensitivedataorclassifieddata.
18

MentionofanyvendorproductisforillustrativepurposesonlyanddoesnotimplyASDsendorsementoftheproduct.All trademarksarethepropertyoftheirrespectiveowners. http://www.acma.gov.au/webwr/_assets/main/lib310037/summary%20of%20labelling%20requirements%20%20fs89.pdf

19

19

Riskmanagementcontrolsusedtofollowthisguidanceincludeusingmanagedseparationsuchasanencrypted managedcontainer,preferablycombinedwithMobileDeviceManagementtoprovidesomebasicassurancein thedevicesunderlyingoperatingsystemconfiguration,orusingappropriatelyconfiguredremotevirtual desktopsoftware.Useofthephraseremotevirtualdesktopsoftwareinthisdocumentincorporates virtualisedapplicationsandVirtualDesktopInfrastructure(VDI). OrganisationsmightchoosetousemanagedseparationforsomebusinesscasessuchasanASDevaluated encryptedmanagedcontainer 20 onevaluatedsmartphones 21 withsmallscreens,andremotevirtualdesktop softwareforotherbusinesscasessuchasunevaluateddevicesordeviceswithlargescreens. Detailedinformationaboutmanagedseparation,remotevirtualdesktopsoftwareandMobileDevice Managementisprovidedinthefollowingpagesofthisappendix.Figure2showsthecomparativeabilityofthese riskmanagementcontrolstoprotectorganisationaldataandtheirnegativeimpacttotheemployeesuser experience.Alloftheimplementationsshownincludebasicriskmanagementcontrolssuchasapplyingvendor securitypatchesinatimelymanner,usinguptodateantimalwaresoftwareandperformingbackupsofwork datatobackupserversspecifiedbytheorganisation.Theseriskmanagementcontrolswontpreventamalicious employeefromcopyingorganisationaldatabytakingascreenshotorphotographoftheirdevicesscreen.

20 21

http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MzA5IyMjMjAzLjYuNjkuMg== http://www.dsd.gov.au/infosec/epl/

20

TradeoffofRiskManagementControlsBetweenSecurityandUserImpact
High (e.g.PROTECTEDdata)

Devicerunningsoftware andcryptoevaluatedby ASD,configuredasper ASDshardeningguide, andmanagedbythe organisation Remotevirtualdesktoponatablet, withMobileDeviceManagement (MDM)providingassuranceinthe devicesconfiguration Remotevirtualdesktopon asmartphone,withMDM providingassuranceinthe devicesconfiguration

AbilitytoProtectOrganisationalData

ManagedcontainerwithMDM providingassuranceinthe devicesconfiguration Remotevirtual desktoponatablet Managed containeronly MDMonly Unmanageddeviceusingnative applicationsandstoringorganisational dataunencryptedonthedevice Low ImpacttoUserExperience Figure2.Riskmanagementcontrolsvaryintheirabilitytoprotectorganisational dataandtheirnegativeimpacttotheemployeesuserexperience. High Remotevirtualdesktop onasmartphone

Low (e.g.nonsensitivedata)

21

ManagedSeparation
Managedseparationhelpsprotectandisolateorganisationaldatastoredondevices.Organisationaldatais logicallyseparatedfromtheemployeespersonaloperatingenvironment,limitingtheabilityofsuchdatato spread,andfacilitatingtheremotewipingofonlyorganisationaldata. AdditionalInformation Thereareseveraldifferenttypesofseparationmechanismsincludingpartitioningfunctionalitybuiltintothe operatingsystemaswellasmechanismsboltedontopoftheoperatingsystemsuchasmanagedcontainers 22 23 . Emergingtechnologyincludestype1hypervisorsandtype2hypervisorsprovidingalocallyvirtualisedoperating system 24 .Someseparationmechanismsaredesignedtoensurethatorganisationaldatacanonlybeaccessedby applicationsthathavebeenvettedbytheorganisation. Managedcontainers,type2hypervisorsorothermechanismsboltedontotheoperatingsystemprovide reducedsecurityifthereisinadequateassuranceintheintegrityandsecuritypostureoftheoperatingsystem. Useofamanagedcontainerhasthefollowingcorporatebenefitswithassociatedpotentialimpactstothe employeesuserexperience: requiringemployeestoenteranadditionalpassphrasetoaccessorganisationaldata dataencryptionthatisindependentoftheencryptionprovidedbyadevicesoperatingsystem softwarebasedencryptionmightslowdownthedeviceduetocryptographicoverhead reducingtheriskofdataleakagebyrestrictingemployeestouseonlycorporatelyapprovedapplications tohandleorganisationaldata,whilelimitingtheabilityofsuchapplicationstocopyorganisationaldata tocorporatelyunapprovedcloudservicesorelsewherebeyondthemanagedcontainer.

Organisationsconsideringusingamanagedcontainerneedtodeterminewhetherthevendorhasaccessto organisationaldataorcryptographickeysusedtodecryptorganisationaldata.

RemoteVirtualDesktopSoftware
Appropriatelyconfiguredremotevirtualdesktopsoftwarehelpskeeporganisationaldataintheorganisations datacentreandnotstoredondevices,whilestillenablingemployeestoaccessorganisationaldataand applications. AdditionalInformation

22 23 24

http://www.dsd.gov.au/infosec/epl/view_document.php?document_id=OTUxIyMjMjAzLjYuNjkuMg== http://www.theregister.co.uk/2013/03/14/blackberry_secure/ http://computerworld.com/s/article/print/9233834/Dual_identity_smartphones_could_bridge_BYOD_private_corporate_divide

22

ASDsISMadvisesthatunclassifiedFOUO/Sensitivedataorclassifieddataexchangedduringtheentireremote virtualdesktopsessionmustbeencryptedusingASDapprovedencryption. ASDsexperienceisthatremotevirtualdesktopsoftwaredoesnotnecessarilykeeporganisationaldatainthe datacentreorpreventsuchdatabeingtransferredtoandfromdevices.Someremotevirtualdesktopsoftware containsfunctionalitytodeliberatelyenableorganisationaldatatobecopiedtoandfromdevices,includingthe abilityformalwareondevicestobeintroducedintotheremotevirtualdesktopasshowninFigure3below.

Figure3.Inthisexample,anemployeeisaccessingtheirAndroiddevicesfilesystemand removablemediafromwithintheremotevirtualdesktoprunningMicrosoftWindows.The employeeisabletocopyorganisationaldatatotheirdevice,andintroducemalwareinto theremotevirtualdesktop.Thisemployeebehaviourresultsinalessstringentaudittrail thanifemailwasusedtoextractorganisationaldataortointroducemalware.

23

Thereareavarietyofwaysinwhichorganisationaldatamightleakoutoftheremotevirtualdesktopandbe storedunprotectedondevices.Riskmanagementcontrolstohelpmitigatesuchdataleakageinclude: appropriatelyconfiguringremotevirtualdesktopsoftwarerunningontheserverandonthedeviceto helpmitigatetheemployeeprintingtolocalprinters,printingtolocalfiles,accessingtheirdevicesfile systemandremovablemediafromwithintheremotevirtualdesktop,andusingtheclipboardtocopy andpastedatainbothdirectionsbetweentheremotevirtualdesktopandthedevice usingfulldeviceencryptiontohelpprotectorganisationaldatathatmightinadvertentlybestoredon thedevice,especiallyifthedeviceisalaptopduetothepossibilityofdatainmemorybeingwrittento diskaspartofapage/swapfileorhibernation/sleepfile obtainingwrittenagreementfromemployeestoavoiddeliberatelycopyingorganisationaldatatotheir deviceandtoavoidintroducingpotentialmalwarefromtheirdeviceintotheremotevirtualdesktop partiallymitigatingkeystrokeloggingsoftwareandmalwarethatenablesanadversarytotake screenshotsoftheremotevirtualdesktopbyusinguptodateantimalwaresoftwareondevices, ensuringthatallvendorsecuritypatchesareappliedtodevicesassoonaspatchesareavailablefrom thevendor,andeducatingemployeestoavoidinstallingpotentiallymaliciousapplications configuringtheremotevirtualdesktoptolockitsscreenafterashortidletimeoutperiodtohelp mitigateanadversaryusingacompromiseddevicetocontroltheremotevirtualdesktopsmouseand keyboard disallowingtheuseofkeyboardapplicationsfeaturingacustomdictionaryorpredictivetextwhich capturesensitivewordsorwordcombinationstypedintotheremotevirtualdesktopandsavesuch sensitivedataonthedeviceslocalfilesystem 25 .

Thefollowingimpactsofremotevirtualdesktopsoftwareshouldbeconsideredpriortoimplementation: therequirementforemployeestohavereliableInternetconnectivity theimpactontheemployeesuserexperienceespeciallyfordeviceswithsmallscreenssuchas smartphonesforexample,usingremotevirtualdesktopsoftwaretoturnasmartphoneintoadumb terminalmightfrustrateemployeestryingtosendanemailusingMicrosoftOutlookrunningonanolder versionofMicrosoftWindowsthatwasnotdesignedforatouchinterface thepotentialrequirementfortheorganisationtoupgradetheirnetworkanddatacentresstorageand serverprocessingcapacity thepotentialrequirementfortheorganisationtopurchaseadditionalClientAccessLicencesfor MicrosoftWindowsserverandclientoperatingsystemsaswellasforMicrosoftOffice.

25

http://support.swiftkey.net/knowledgebase/articles/9101swiftkeyispredictingmypasswordhowdoistop

24

MobileDeviceManagement
MobileDeviceManagementconfiguresandauditsdevices,includingenforcingaspectsofthepolicysuchas: thedeviceenrolmentprocess,whichmightinvolveinstallingsoftwareonthedevicetoassistthe organisationtomanagethedeviceandadigitalcertificatetoauthenticatethedevicetothenetwork unlockpassphraseshavingaspecifiedminimumlengthandrequiredcomplexity thedeviceidletimeoutperioduntilthedevicesscreenisautomaticallylocked thenumberofconsecutivefailedpassphraseattemptsuntilthedeviceisautomaticallywiped thecapabilitytoperformremotetracking,lockingandwipingofdevices theabilityofemployeestoprinttononorganisationalprinters encryptionofdataatrestandintransit,includingVirtualPrivateNetworkconfigurationsettings theabilityforemployeestousetheirdevicescamera,microphone,Bluetooth,USBinterface, removablemediaorGPS,particularlywhileonorganisationalpremises detecting,reportingandblockingdevicesthatarejailbrokenorrooted,notingthatdetectionisnot perfectandreliesonanuntrusteddevicetotellthetruthaboutitssoftware 26 endpointcompliancecheckingincludingwhetherpatchesandantimalwaresoftwareareuptodate disablingthebackupofunprotectedsensitivedatatoconsumergradecloudstoragesuchasiCloud, whilestillenablinganemployeespersonaldatatobebackedup configuringappropriateemailandWiFiconnectivitysettings disablinginbuiltvoicerecordingapplicationsthatsendcapturedvoiceovertheInternet ongoingdevicemanagement,monitoringandassettracking.

AdditionalInformation ASDsISMadvisesthatmobiledevicesaccessingunclassifiedFOUO/Sensitivedataorclassifieddata: shoulduseMobileDeviceManagementtoensurethatorganisationalpolicyisapplied,enabling organisationstocentrallymanagetheconfigurationofdevicesandauditadherencetopolicy mustpreventemployeesfromdisablingsecurityfunctionsonadeviceonceprovisioned

26

http://www.networkworld.com/news/2010/121010appleiosjailbreak.html

25

shouldberegularlytestedtoensurethatdevicesarestillsecure,forexamplethattheirconfiguration alignswiththeorganisationspolicyandthatsecurityupdateshavebeenappliedonaregularbasis.

UsingMobileDeviceManagementtoenforceanorganisationsunreasonablystrictpolicy,especiallywhenthe employeeisnotusingtheirdeviceforworkrelatedpurposes,mightnegativelyaffecttheemployeesuser experience. OrganisationsconsideringusingMobileDeviceManagementneedtodeterminewhetherthevendorhasaccess tosensitivedatasuchasadevicesunlockpassphrase.

MultifactorAuthentication
Multifactorauthenticationhelpsmitigateanadversaryaccessingorganisationalsystemsbyusingcompromised employeecorporateaccountcredentials 27 . AdditionalInformation ASDsISMadvisesthatmultifactorauthenticationmustbeusedforremoteaccesstogovernmentsystems. Employeesshouldlogofforganisationalsystemswhenfinished,sothatmultifactorauthenticationisrequired toregainaccess.Organisationalsystemsshouldbeconfiguredtologusersoffafteranidletimeoutperiod. Aphysicallyseparatehardwaremultifactorauthenticationtokenwithatimebasedvalue,storedseparatelyto theemployeesdevice,canprovidegreatersecuritythanasofttokensuchasanSMSorsoftwareapplication thatdisplaysanauthenticationtokenvalueontheemployeesdevice.Ifthedeviceiscompromised 28 29 orifits SIMcardisreissuedtoanadversary 30 ,theemployeessofttokenvaluecanbeaccessedbytheadversary, therebydefeatingthemultifactorauthenticationmechanism. Usingmultifactorauthenticationdoesntcompletelymitigatetheriskoftypingacorporatepassphraseintoan untrustworthydevice.Anadversarymightobtaintheemployeescorporatepassphrasewhentheemployee typesitintoacompromiseddevice.Theadversarycouldthenusethispassphraseduringasubsequentintrusion, forexamplebyeithergainingphysicalaccesstoacorporateworkstationandsimplylogginginastheemployee. Alternatively,theadversarycoulduseaspearphishingemailtocompromiseanyemployeesworkstationonthe corporatenetworkandusethepreviouslyobtainedpassphrasetoaccesssensitivedataonnetworkdrives. Tohelpmitigatethisrisk,eitherrequiremultifactorauthenticationforallemployeeloginsincludingloginsto corporateworkstationsintheoffice,orrequirethatcorporatepassphrasesenteredbyemployeesinto untrustworthydevicesaredifferenttocorporatepassphrasesenteredintocorporateworkstationsintheoffice.
27 28 29 30

http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm http://www.securitybistro.com/blog/?p=4226 http://www.scmagazine.com/zeusforandroidstealsonetimebankingpasswords/article/207286/ http://nakedsecurity.sophos.com/2013/01/20/indiantwofactorauthenticationfraudstersbustedbydelhicops/

26

EncryptionofDatainTransit
Encryptingdataintransithelpsmitigateorganisationaldatabeingaccessedbyanadversarywhohasaccesstoa devicesnetworkcommunications.SuchaccessmightresultfromtheuseofaWiFiaccesspointthatis unencrypted,ortheuseofanynetworkinginfrastructurethatisnotcontrolledbytheorganisationandis thereforeconsidereduntrustworthy. AdditionalInformation ASDsISMadvisesthatASDapprovedencryptionmustbeusedtoencryptunclassifiedFOUO/Sensitivedataor classifieddataintransitoveruntrustworthynetworkinfrastructure.Forexample,datasentoveranuntrusted networksuchastheInternetcouldbeprotectedbyusingASDapprovedencryptionimplementedviaaVirtual PrivateNetworkorremotevirtualdesktopsoftware.ASDapprovedWiFiProtectedAccess2(WPA2)couldbe usedforprotectingdatathatonlyrequiresprotectionwhenexchangedbetweenadeviceandanorganisations WiFiaccesspoint. ASDsISMadvisesthatsplittunnellingmustbedisabledondevicessupportingthisfunctionalitywhenaccessing anorganisationalsystemviaaVirtualPrivateNetwork.

RemoteTracking,LockingandWiping
Remotetrackinghelpstorecoveradevicethathasbeenlostorstolen. Remotelockingandwipinghelpstoprotectorganisationaldataonadevicethathasbeenlost,stolen,orde provisionedincludingwhentheemployeeceasesemployment. AdditionalInformation Theconsequencesofwipinganemployeespersonaldatacanbereducedbyeducatingemployeestoregularly backuptheirpersonaldataorbyusingmanagedseparationtoavoidwipingpersonaldatainthefirstplace. Attemptingtoremotelytrack,lockorwipeadevicethatisnotnetworkaccessiblewillfail.Forexample,remote wipefunctionalityiscircumventedifthethiefconfiguresthedeviceforaeroplanemode,whichcaneasilybe donefromthelockedscreenofsomedevicessuchasaNexus7tabletrunningAndroidversion4.2.2JellyBean. Successfullyremotelywipingadeviceprovidestheorganisationwithafalsesenseofsecurityifthedatahas alreadybeenaccessedorcopiedbythepersonwhofoundorstolethedevice.

LowPrivilegedCorporateUserAccounts
Usingcorporateuseraccountswithreducedprivilegesandlimitedaccesstosensitivedatahelpsmitigatean adversaryaccessingsensitivedatabyusingcompromisedemployeecorporateaccountcredentialsora compromiseddevice. AdditionalInformation ASDsISMadvisesthatprivilegedaccountsshouldnotbeallowedtoremotelyaccessorganisationalsystems containingunclassifiedFOUO/SensitivedataorPROTECTEDdata.

27

Provideasecondarycorporateuseraccount,whichhasreducedprivilegesandlimitedaccesstosensitivedata, toemployeeswhoeither: haveadministrativeprivileges haveaccesstosignificantamountsofsensitiveorganisationaldata areathigherrisk,forexampleduetotemporarilytravellingoverseas 31 suchemployeesmight temporarilyuseaseparatecorporatelyprovideddevice.

NetworkArchitectureControllingAccesstoOrganisationalDataandSystems
NetworkAccessControlhelpstoimplementcontextualsecuritytodetermineifanemployeeattemptingto accessorganisationaldatashouldbepermittedbasedon: thedevicessecuritypostureasdeterminedbyendpointcompliancechecking,includingthedegreeto whichthedeviceiscorporatelymanaged theemployeesidentityandthestrengthofauthenticationusedtoprovetheiridentity thesensitivityofthedatabeingaccessed thedestinationofthedata,forexamplewhetherdataistobestoredonthedeviceorsharedvia corporatelymanagedenterprisecloudstorage theemployeesnetworkconnectivity,forexamplewhethertheemployeesdeviceisconnectingusing theorganisationsWiFinetworkoranexternallesstrustednetworkconnection thegeographiclocationoftheemployeeandthedevice thetimeanddayoftheweek.

DevicesthatdontcomplywithsecuritypolicycanbequarantinedtohavelimitedInternetaccessbutnoaccess toorganisationalsystems. Devicessimultaneouslyconnectingtotheorganisationsnetworkandanadditionalnetworkvia3G/4GorWiFi canbridgethetwonetworkstherebycreatinganadditionalInternetgatewayontheorganisationalnetwork. Riskmanagementcontrolstohelpmitigatethisinclude: usingMobileDeviceManagementtoconfiguredevicesonorganisationalpremisestoeitherforceall devicetraffictoanorganisationalVirtualPrivateNetworkendpoint,ortoturnoffadevices3G/4Gdata connectivitywhilestillallowingphonecalls organisationssettingupacustomAccessPointNametocontroldatasentfromdevicesvia3G/4G

31

http://www.dsd.gov.au/publications/csocprotect/electronic_devices_os_travel.htm

28

forcingdevicestousetheorganisationsgatewaytoconnecttotheorganisationalnetworkthisalso assiststheorganisationtouseexistinggatewaymechanismsforlogging,auditing,andfilteringmalicious orotherwiseundesirablenetworktraffic.

ThenetworkflowofsensitivedatatodevicescanbelimitedbyusingmechanismssuchasEnterpriseRights ManagementorDataLossPreventionsolutions,forexampletopreventadevicedownloadinganemailfromthe organisationsemailserveriftheemailorattachmentcontainsspecifickeywordsindicatingsensitivedata.

OperatingSystemExploitMitigationMechanisms
Limitdevicesontheshortlisttothosedeviceswithoperatingsystemexploitmitigationmechanismssuchas: AddressSpaceLayoutRandomisation 32 DataExecutionPrevention applicationsandpatchesthatarecryptographicallysignedbyatrustedauthority applicationsandboxingtocompartmentaliseapplications,restricttheirabilitytoaccessdatastoredon thedevice,andrestrictapplicationsinteractingwithotherapplicationsortheoperatingsystem.

UserreliantRiskManagementControls
Thefollowingtechnicalcontrolsandpolicycontrolstomanageriskrelyonemployeescomplyingwithpolicy.

RegularBackupsofWorkData
Obtainwrittenemployeeagreementtoregularlybackupworkrelateddatacreatedormodifiedbytheirdevice, onlytobackupserversspecifiedbytheorganisation.Thishelpsmitigateanemployeesworkbeinglostdueto suddencessationofemploymentortheirdevicebeingdamaged,lostorstolen.

AccesstoEmails,FilesandOtherDataofArchivalSignificance
Obtainwrittenemployeeagreementtoensurethatworkrelateddataofarchivalsignificanceisaccessibletothe organisation.Thisinvolvesemployeesusingtheirworkemailaccountinsteadoftheirconsumergradewebmail account,andusingcorporatelymanagedfilestorageinsteadofstoringfileslocallyorinconsumergradecloud storage.Thishelpsmitigate: noncompliancewithlegislationsuchastheArchivesAct1983 corporateknowledgebeinglostwhentheemployeedepartstheorganisation theorganisationbeingunabletoproperlyperformsecurityinvestigations,orperformelectronic discoveryforlitigationcasesorfreedomofinformationrequests.

32

http://www.theregister.co.uk/2012/07/20/android_jelly_bean_security_revamp/

29

AvoidUnauthorisedCloudServicesforDataBackup,StorageorSharing
Obtainwrittenemployeeagreementtoavoidexposingsensitivedatatoconsumergradecloudservicesusedfor webmail,databackup,datastorageordatasharing. AdditionalInformation Someconsumergradecloudstorageandsharingservicesautomaticallysyncbetweenanemployeesdevices, potentiallycopyingsensitivedatatoadevicethathasnotbeenapprovedtohandlesuchdata. Tofacilitatetheauthorisedexchangeofdatabetweendevices,theorganisationmightneedtoarrange employeeaccesstoacorporatelymanagedandremotelyaccessiblefilestorageandsharingcapability,hosted inhouseorbyatrustedthirdparty 33 34 .

StrongPassphraseConfigurationSettings
Obtainwrittenemployeeagreementtousestrongpassphrasesandassociatedconfigurationsettings. Obtainwrittenemployeeagreementtoavoidconfiguringtheirdevicesoperatingsystemorapplicationsto rememberorganisationalauthenticationcredentialssuchascorporatepassphrasesusedtoaccess organisationalsystems. AdditionalInformation Recommendeddeviceconfigurationsettings,basedonthesensitivityofdatabeingaccessedorstored,are providedbyASDsISM,deviceconsumerguidesanddevicehardeningguides.ASDsiOSHardening ConfigurationGuide 35 advisesthefollowingconfigurationsettingsforiOSdevicesthataccessorstore PROTECTEDdata: passphrasesrequireaminimumofeightcharactersincludingalphanumericcharacters devicesautomaticallylocktheirscreenafterfiveminutesofinactivity apassphraseisalwaysrequiredtounlockthedevicethereisnograceperiodenablingadevicetobe unlockedwithoutapassphraseifthescreenlockactivatedrecently devicesareautomaticallywipedafterfivefailedpassphraseattempts,notingtheriskofdevicesbeing accidentallywipedespeciallyifemployeesallowtheirdevicetobeplayedwithbychildren passphraseshaveamaximumageof90days

thepreviouseightpassphrasesareunabletobereused.
33 34 35

http://www.dsd.gov.au/infosec/cloudsecurity.htm http://agimo.gov.au/policyguidesprocurement/cloud/ http://www.dsd.gov.au/publications/iOS5_Hardening_Guide.pdf

30

SecurityIncidentReportingandInvestigation
Obtainwrittenemployeeagreementtoimmediatelyreportsecurityincidentsandcooperatewithsecurityand legalinvestigationsincludingprovidingtheorganisationwithaccesstotheirdeviceforforensicanalysis. AdditionalInformation ASDsISMadvisesthatemployeesmustbedirectedtoreportsecurityincidentstotheorganisationassoonas possible. Securityincidentsrequiringreportingincludeadevicesuspectedofbeinginfectedwithmalwareorotherwise compromised,aswellasdevicelossortheft.Additionalactivities,whilstnotnecessarilyconsideredtobe securityincidents,thatneedbereportedbytheemployeetotheorganisationincludedeprovisioningadevice forsaleorpassingtoafamilymember,oriftheemployeeceasesemployment. Anorganisationscybersecurityteamrequiresplansandprocedurestorespondtosecurityincidents,for exampledisablingandmonitoringtheemployeesorganisationalaccountsincludingVirtualPrivateNetworkand remoteaccessaccounts,aswellasremotelytrackingthedeviceandwipingorganisationaldataifappropriate. Organisationspermittingtheuseofpersonallyowneddevicesareacceptingtheresidualrisksoftheiruse,such asanypotentialsecurityincidentsorconsequencesoflegalproceedingsincludingelectronicdiscoveryfor litigationcasesandfreedomofinformationrequests.Therefore,organisationsneedtoensurethattheyhave riskmanagementcontrolstopreventandrespondtosecurityincidentsandlegalinvestigations.Organisations shouldnotassumethatASDorCERTAustraliahavethelegalauthorityandresourcestoassistwithperforming incidentresponseorforensicanalysisthatinvolvespersonallyowneddevices. Asecurityorlegalinvestigationmightrequireanemployeetotemporarilysurrendertheirdevice,whichthe employeemightrefuseunlessrequiredbylaw,forexampleduetolawenforcementhavingevidenceofacrime towarrantseizingthedevice.Organisationsperformingappropriateloggingandregularbackupsofwork relatedemailsandfilesassistswithelectronicdiscoveryorotherinvestigationsinvolvingemployeeswhorefuse tocooperateorwhohavedepartedtheorganisation.

AvoidJailbreakingandRooting
Obtainwrittenemployeeagreementtoavoidjailbreakingorrootingtheirdevicetocircumventtheprotective securitycontrolsimplementedbythedevicesvendor,whichmightresultinthedevicebeingunmanageableby theorganisationandeasilycompromised.

EmployeeEducationtoAvoidPhysicalConnectivitywithUntrustedOutletsorDevices
Educateemployeestoavoidallowingconnectivitybetweentheirdeviceandeitherapotentiallymalicious chargingoutlet 36 oranuntrusteddevice 37 .
36 37

http://krebsonsecurity.com/2011/08/bewareofjuicejacking/ http://www.dsd.gov.au/videos/cybersense1.htm

31

EmployeeEducationaboutBluetooth,NearFieldCommunicationandQuickResponseCodes
Educateemployeestoavoid: pairingwithanunintendedorinsecureBluetoothdevice exchangingdatawithanuntrustedNearFieldCommunication(NFC)device 38 scanningNFCtags 39 orQuickResponse(QR)codes 40 thatareuntrustworthyandpotentiallymalicious.

AdditionalInformation ASDsISMadvisesthatdevicesstoringoraccessingunclassifiedFOUO/Sensitivedataorclassifieddata: mustbeconfiguredtoremainundiscoverabletoallotherBluetoothdevicesexceptduringpairing mustonlyconnecttotheintendedBluetoothdeviceduringpairing mustbeconfiguredtoavoidsupportingmultiplesimultaneousBluetoothheadsetconnections mustuseBluetoothversion2.1orlaterduetotheintroductionofsecuresimplepairingandextended inquiryresponsewhichfacilitatessecurepairingwiththedesireddeviceadevicesBluetoothversion canbedeterminedbyreadingtheproductsspecificationsorbyusingtheLinuxbtscannerprogram.

EmployeeEducationtoAvoidInstallingPotentiallyMaliciousApplications
Educateemployeesusingdevicesthathaveanofficialapplicationmarketplaceto: onlyinstallapplicationsfromtheorganisationsenterpriseapplicationstoreorfromofficialapplication marketplacessuchasApplesAppStore,GooglePlay,MicrosoftsWindowsStore,MicrosoftsWindows PhoneStoreorBlackBerryWorld priortoinstallingorupdatinganapplication,determinetheriskofexposingsensitivedatabyreading userratings,userreviewsandtheapplicationsrequestedpermissionstoensurethattheyalignwiththe applicationsstatedfunctionality 41 42 notingthatsuchanalysisisnotguaranteedtoavoidmalware 43 .

Educateemployeesusingdevicesthatdonthaveanofficialmarketplacetoobtainsoftwarefromtheofficial websiteofmainstreamvendors.
38 39 40 41 42 43

http://www.zdnet.com/exploitbeamedvianfctohacksamsunggalaxys3android4047000004510/ http://www.theregister.co.uk/2012/09/25/samsung_flaw/ http://www.theregister.co.uk/2012/12/10/qr_code_sticker_scam/ http://www.theregister.co.uk/2013/03/04/android_app_google_play_fraud/ http://www.securelist.com/en/blog/845/Hello_from_Malaysia http://www.theregister.co.uk/2013/04/22/android_malware_badnews/

32

EmployeeEducationtoAvoidBeingVictimsofShoulderSurfing
Educateemployeestoavoidsensitivedataontheirdevicesscreenbeingvisibletoeither: peoplewithouttheappropriatesecurityclearanceandneedtoknow 44 surveillancevideocameras 45 46 membersofthepublic anyone,includingfamilymembers,whoarenotauthorisedtoseesensitivedata.

AdditionalInformation Usingaprivacyfilteronadevicesscreenmightnegativelyimpactthedevicestouchfunctionality.

EmployeeEducationtoAvoidCommonIntrusionVectors
Educateemployeestoavoid: sharingtheirdevicewithunauthorisedpeoplewhoareabletoaccessandexposesensitivedata sendingorreceivingunencryptedsensitivedatausinganuntrustworthyWiFiaccesspoint,suchasa publicWiFiaccesspointoranyWiFiaccesspointthatisntownedbytheorganisation leavingtheirdeviceininsecurelocationssuchasanunattendedcar,checkedinairplaneluggage,ora hotelsafeespeciallyinaforeigncountry interactingwithemailsandSMSmessagesfromsuspiciousorunfamiliarsources,forexampleclickingon hyperlinksoremailattachments selectingweakpassphrases reusingthesamepassphraseformultiplesystems unnecessarilyexposingtheirworkemailaddressandpersonaldetailsonpubliclyaccessiblewebsites.

AdditionalInformation ASDsISMadvisesthatallpersonnelwhohaveaccesstoanorganisationalsystemmusthavesufficient informationsecurityawarenessandtrainingincludinganawarenessofthesocialengineeringthreat.

44 45 46

http://www.theregister.co.uk/2012/08/16/shoulder_surfing_security_risk/ http://www.engadget.com/2011/07/15/automatedshouldersurfingmakesiteasiertostealpasswordsi/ http://arstechnica.com/security/2013/02/atfacebookzerodayexploitsbackdoorcodebringwargamesdrilltolife/2/

33

SecurityPatches
Obtainwrittenemployeeagreementtoapplyallvendorsecuritypatchesfortheoperatingsystemand applicationsassoonaspatchesareavailablefromthevendor. AdditionalInformation ASDsISMadvisesthatmobiledevicespermittedtoaccessunclassifiedFOUO/Sensitivedataorclassifieddata shouldhavesecurityupdatesappliedassoonasvendorpatchesbecomeavailable. Historically,ApplehasprovidediOSdeviceswithsecuritypatchesforatleasttwoyearsfromdeviceavailability, enablingemployeestousedevicessupportedwithpatchesforthedurationoftheircontractwiththeir telecommunicationscarrier. MicrosofthasstatedthatforWindowsPhone8,theywillsupporteverydevicewithovertheairupdatesforat least18monthsfromthelaunchofthatdevice 47 thoughtheavailabilityofupdateswillvary 48 .Microsofts lifecyclepolicyforWindowsRT,includingthesupporttimeperiodforsecurityupdates,istobecommunicated whenavailable 49 . ItiscomparativelystraightforwardtoapplysecuritypatchestosomeAndroiddevicesthatdonthavethirdparty additionsormodificationstobaselineAndroidcode 50 .However,applyingsecuritypatchestootherAndroid devicesmightbechallengingduetothecooperationrequiredfromthedeviceshardwaremanufacturerandthe employeestelecommunicationscarriertotweak,testanddistributeupdates.Somehardwaremanufacturers andtelecommunicationscarriersmightfocustheireffortsondevelopingandsellingnewerdevicesratherthan maintainingthesecurityoftheemployeescurrentdevice,eveniftheemployeeisforcedtocontinueusingtheir currentdeviceduetoacontractwiththetelecommunicationscarrier 51 .Somedevicesareimmediately orphanedandneverreceiveupdates 52 .InadditiontovulnerabilitiesinbaselineAndroidcode,some vulnerabilitiesareintroducedbydevicehardwaremanufacturers 53 54 55 .

47 48 49 50 51 52 53 54 55

http://channel9.msdn.com/Events/WindowsPhone/Summit/UpdatesAppsandclosingremarks

http://support.microsoft.com/lifecycle/search/default.aspx?alpha=windows+phone http://support.microsoft.com/gp/lifecyclewindowsrtfaq http://support.google.com/googleplay/bin/answer.py?hl=en&answer=2589788 http://www.wired.com/threatlevel/2013/02/carriersfailtosecurephones/ http://arstechnica.com/gadgets/2012/12/thecheckeredslowhistoryofandroidhandsetupdates/ http://threatpost.com/htcsettlementcouldaltermobilesecurityandprivacylandscape022513/ http://threatpost.com/vulnerabilitiescontinueweighdownsamsungandroidphones032013/ http://www.zdnet.com/kernelvulnerabilityplacessamsungdevicesatrisk7000008862/

34

SomecheaperAndroiddeviceshavethebareminimumhardwarespecificationsrequiredtoruntheversionof theoperatingsystemshippedwiththedevice,andmightnotbesuitedtorunningnewermajorversionsofthe operatingsystemthatrequireadditionalmemoryorprocessingpower.Patchingvulnerabilitiesintheoperating systemrunningonsuchdevicesmightbechallengingforpatchesthatareonlyavailableinnewermajorversions oftheoperatingsystemandarenotbackportedtocurrentandpreviousoperatingsystemversions. CaseStudy In2012,anASDemployeepurchasedabrandnewAndroidsmartphone.Theemployeesubsequently discoveredthatonthedaythesmartphonewassold,itcontainedavulnerabilitythatatthetimehadbeen publiclyknownforoversevenmonths.Thesmartphoneshardwaremanufacturerandtheemployees telecommunicationscarrierdidnotmakeapatchavailable. Todemonstrateatargetedintrusion,thesmartphonewasdeliberatelycompromisedbyexploitingthis vulnerability.Thecompromiseenabledthemicrophonetobesurreptitiouslyturnedontorecordnearby audioconversationsandtherecordingstobetransmittedtoanadversaryovertheInternet. Thisdemonstrationhighlightedsomeconsequencesoforganisationspermittingtheuseofdeviceswith publiclyknownvulnerabilitiesthattheemployeeisunabletopatch.AsofMay2013,over18monthsafter thevulnerabilitywaspubliclydisclosed,apatchhasntbeenmadeavailableviathehardwaremanufacturer andtelecommunicationscarrier.

OwnershipofIntellectualPropertyandCopyright
Obtainwrittenemployeeagreementthattheorganisationretainsownershipofintellectualpropertyand copyrightofworkperformedonaformallyassignedtaskthattheemployeeispaidtoperform,regardlessof whethertheemployeeperformstheworkontheirdeviceoroutsideoftraditionalbusinesshours.

EncryptionofDataatRest
Obtainwrittenemployeeagreementtousefulldeviceencryptiontohelpmitigateorganisationaldatabeing accessedbyanadversarywhohasphysicalaccesstoalostorstolendevice. AdditionalInformation ASDsISMadvisesthatdeviceswithoutASDapprovedencryptionshouldnotstoreunclassifiedFOUO/Sensitive dataandmustnotstoreclassifieddata. ASDsISMadvisesthatASDapprovedencryptionshouldbeusedtoencryptadevicesinternalstorageandany removablemedia. Fulldeviceencryptiondoesntlimitwhichapplicationscanaccessorspreadorganisationaldatastoredonthe device.Therefore,itseffectivenessreliesupontheuseofadditionalcomplementaryriskmanagementcontrols. Encryptionneedstobeactivewhenthedeviceisnotinuse.Dependingonthetypeofdevice,theeffectiveness ofencryptingadevicesinternalstoragemightbereducedifthedeviceislostorstolenwhileitisinsleepmode orpoweredonandscreenlocked.

35

Usingsoftwarebasedencryptionmightnegativelyimpacttheemployeesuserexperience. MicrosofthasstatedthatWindowsPhone8hasfullinternalstorageencryption,andthatalthoughremovable mediasuchasSDcardsarenotencrypted,theyareonlyabletostoremusic,videos,photosandebooks 56 . ApplesiPad,iPhone3GSandlatermodelsusehardwarebasedcryptographicaccelerationforprotectingdata. BlackBerrydevicessupportnativeencryptionofinternalstorage 57 andremovablemedia 58 . Androidversion3Honeycombintroducedfulldeviceencryption 59 ,thoughdependingonadevices manufacturer,thirdpartysoftwaremightberequiredtoencryptremovablemedia 60 . CryptographicimplementationsthathavenotbeenevaluatedbyASDareunsuitableforprotectingclassified Australiangovernmentdata.

AvoidPrintingviaUntrustedSystems
Obtainwrittenemployeeagreementtoavoidprintingsensitivedataviauntrustedprintersoutsideoftheoffice suchasfromhome,anairlinelounge,ahoteloranInternetcaf.Otherwise,sensitivedatamightbeexposedto thirdpartiesduetoprintersorprintserversstoringacachedcopyofprintouts,orprintoutsbeingaccidentally leftontheprinter.

PersonalFirewall
Obtainwrittenemployeeagreementtouseapersonalfirewalltohelpmitigatedevicesbecomingcompromised, bylimitingtheexposureofnetworkaccessibleservicesandcontrollingwhichapplicationscanaccessthe network. AdditionalInformation Thisriskmanagementcontrolisnotapplicabletosomedevices,suchasthoserunningiOS,thatdontexpose personalfirewallfunctionalityandavoidusingnetworkaccessibleservices.Somedevices,suchasthoserunning Android,useaninbuiltapplicationpermissionmechanismtocontrolwhichapplicationsareabletoaccessthe network.

56 57 58 59 60

http://www.zdnet.com/windowsphone8atourofthebusinessfeatures7000006600/ http://www.dsd.gov.au/infosec/epl/view_document.php?document_id=OTA4IyMjMjAzLjYuNjkuMg== http://docs.blackberry.com/en/smartphone_users/deliverables/39933/1812724.jsp http://source.android.com/tech/encryption/android_crypto_implementation.html http://code.google.com/p/android/issues/detail?id=11211

36

APPENDIXD:CORPORATELYAPPROVEDANDMANAGEDDEVICES FORHIGHLYSENSITIVEDATA
ThisappendixprovidesguidancetomanagerisksassociatedwithScenarioD.Thisscenarioinvolvesdeviceswith ahardwaremodelandoperatingsystemversionthat: ischosenbytheemployeefromacorporatelyapprovedshortlist hascomprehensiveriskmanagementcontrolsapplied iscompletelycorporatelymanaged,forexampleusingASDevaluatedBlackBerryEnterpriseServeror AppleConfigurationProfilescombinedwithSupervisedMode potentiallyincludescorporatelymanagedseparationoforganisationaldataandpersonaldata,for exampleusingremotevirtualdesktopsoftware,amanagedcontainerorpartitioningfunctionalitybuilt intotheoperatingsystem usesacorporatelymanagedmechanismtoaccessandpotentiallystorehighlysensitivedata,for exampleusingremotevirtualdesktopsoftwareorcorporatelyapprovednativeapplicationscombined withaVirtualPrivateNetwork.

ForAustraliangovernmentagencies,highlysensitivedataisdefinedforthepurposeofthisdocumentasdataup toPROTECTED. Thecomprehensiveriskmanagementcontrolsmightrestrictthedevicesfunctionalitytoanextentthatwould overlyfrustrateanemployeeusingapersonallyowneddevice.Therefore,devicesinthisscenariomightbe providedtoemployeesbytheorganisation,withareasonabledegreeofpersonalusepermitted.Devicesonthe shortlistmightbelimitedtosmartphonesandtabletsthatarepartofasinglevendorsecosystemduetothe requiredcompatibilitywithriskmanagementcontrols.Organisationsmightretainownershipofdevicesforlegal reasonsthatfacilitatetheorganisationmonitoringdevices,remotelywipingsensitivedata,performingsecurity andlegalinvestigations,andretainingownershipofintellectualproperty.Enablingemployeestochoosea devicefromacorporatelyapprovedshortlistisreferredtobysomevendorsasChooseYourOwnDevice, especiallyifthedeviceispurchased,ownedandmanagedbytheorganisation. Thisappendixbuildsuponandincorporatesthehighlevelobjectivesandriskmanagementcontrolsdiscussedin AppendixCwhichcoversdevicesfromacorporatelyapprovedshortlistusingacorporatelymanagedmechanism toaccessandpotentiallystoresensitivedata.RiskmanagementcontrolsinAppendixCthatanorganisation considersunnecessarytoprotectsensitivedataarelikelytobenecessarytoprotecthighlysensitivedata.High levelobjectivesassociatedwiththeexamplescenarioinAppendixDalsoincludemaintainingtheconfidentiality ofhighlysensitivedata.

CorporatelyEnforcedRiskManagementControls
Theorganisationisabletomanageriskbyenforcingthefollowingtechnicalcontrols.

37

DeviceSelection
LimitdevicesonthecorporatelyapprovedshortlisttothosedevicesthatareevaluatedbyASDandare configuredasperASDsconsumerguidesanddevicehardeningguides.Preferdevicesthathaveanapplication marketplacewithagoodhistoryofcurationtoexcludemalware,forexamplebyanalysingapplicationsfor suspiciousbehaviour,requiringapplicationstobecryptographicallysignedbyatrustedauthorityinsteadofa selfsignedcertificate,andperformingadequateverificationoftheidentityofapplicationdevelopers.

MobileApplicationManagementandEnterpriseApplicationStores
MobileApplicationManagementenablestheorganisationtoinventory,install,updateandremoveapplications andassociateddataondevices. Usinganenterpriseapplicationstoreenablestheorganisationtodistributeandmanageapplicationsdeveloped bytheorganisation,andvetthirdpartyapplicationstodeterminetheirpotentialtoexposehighlysensitivedata. AdditionalInformation ASDsISMadvisesthatemployeesshouldbepreventedfrominstallingunapprovedapplicationsthatcanaccess unclassifiedFOUO/Sensitivedataorclassifieddata. TheuseofMobileApplicationManagementandenterpriseapplicationstoresisamorereliableapproachto avoidingtheuseofapplicationsthatmightexposehighlysensitivedata,thansimplyrelyingonantimalware softwareandemployeestoreaduserreviewsandratingsbeforeinstallingorupdatingapplications.Whitelisting permittedapplicationsandupdatedversionsoftheseapplications,orlesspreferablyattemptingtoidentifyand blacklisteverymaliciousorundesirableapplication,helpsmitigatedevicesrunningapplicationsthateither: arepotentiallymalicious,undesirable,ornotapprovedbytheorganisation havethepotentialtoexposehighlysensitivedatathisincludesadwareandpotentiallyunwanted applicationsthatcollectdatafromdevicesaspartoftheapplicationsrevenuemodel haveundesirableinteractionswithotherapplications,forexampleusingtheOpenIn...featureto openahighlysensitiveemailattachmentinaconsumergradecloudstorageapplication.

SomevendorimplementationsofMobileApplicationManagementalsoincludefunctionalitytoeffectivelyplace anapplicationintoitsownmanagedcontainerbywrappingitwithsecuritypolicy.Suchsecuritypoliciesinclude: requiringapassphrasetobeenteredbeforeanapplicationwillrun enforcingencryptionofanapplicationsstoreddata requiringaVirtualPrivateNetworkconnectiontoencryptanapplicationsdataintransit limitinganapplicationsabilitytocopyandpastedata.

MobileApplicationManagementmightnotbeabletoblockpowerfulwebapplicationsthatarewrittenin HTML5andrunwithinthewebbrowser.

38