Mobile devices and information security


Mobile devices and information security

The key to addressing the risk of mobile devices is to think of them as functionally equivalent to a PC (with all the information security risks therein), PLUS the added risk of mobility.   In fact, the FFIEC combines workstations, laptops and hand-held devices together in their Information Security Examination Procedures for the purposes of determining compliance with user equipment security guidelines.

SO if we consider that all these devices should have equivalent security considerations, the information security risk assessment should determine the institutions’ risk exposure regardless of the location of the data:

  • Processing (in-house or at a third party)
  • Transit and Transmission
  • Handling and Storage
  • Destruction / Disposal

Mobile devices have issues in each of these categories and the institution must identify them, and apply layered controls designed to reduce or eliminate them.  For example, processing includes email applications as well as third party apps.  Do any of these third-party apps process or have access to customer information?  Is the application approval process the same as for in-house applications?  What about social networking issues?  These are easy to control through the internal network, but almost impossible in a mobile device.  How will the device handle authentication, and is a reduced password/PIN acceptable?

Transmission presents a particular challenge for mobile devices, as data can traverse multiple platforms such as cellular and Internet in  addition to the local area network.  The FFIEC requires that “…policies and procedures address the protections for data that is sent outside the institution.”  Encryption is the most common control here.

Handling and storage presents the biggest challenge to mobile devices, and again encryption plus remote wipe capability is key to addressing these risks.

Finally, how are mobile device taken out of service at end-of-life?

These are only a few considerations, but at the end of the process the institution must assess the residual risk and decide if it is acceptable.  That shouldn’t mean accepting a higher level of residual risk just because of the difficulty of controlling it, but perhaps a slightly higher level is acceptable if the added productivity of mobile devices justifies it.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

Write a Comment