The key to addressing the risk of mobile devices is to think of them as functionally equivalent to a PC (with all the information security risks therein), PLUS the added risk of mobility. In fact, the FFIEC combines workstations, laptops and hand-held devices together in their Information Security Examination Procedures for the purposes of determining compliance with user equipment security guidelines.
SO if we consider that all these devices should have equivalent security considerations, the information security risk assessment should determine the institutions’ risk exposure regardless of the location of the data:
- Processing (in-house or at a third party)
- Transit and Transmission
- Handling and Storage
- Destruction / Disposal
Mobile devices have issues in each of these categories and the institution must identify them, and apply layered controls designed to reduce or eliminate them. For example, processing includes email applications as well as third party apps. Do any of these third-party apps process or have access to customer information? Is the application approval process the same as for in-house applications? What about social networking issues? These are easy to control through the internal network, but almost impossible in a mobile device. How will the device handle authentication, and is a reduced password/PIN acceptable?
Transmission presents a particular challenge for mobile devices, as data can traverse multiple platforms such as cellular and Internet in addition to the local area network. The FFIEC requires that “…policies and procedures address the protections for data that is sent outside the institution.” Encryption is the most common control here.
Handling and storage presents the biggest challenge to mobile devices, and again encryption plus remote wipe capability is key to addressing these risks.
Finally, how are mobile device taken out of service at end-of-life?
These are only a few considerations, but at the end of the process the institution must assess the residual risk and decide if it is acceptable. That shouldn’t mean accepting a higher level of residual risk just because of the difficulty of controlling it, but perhaps a slightly higher level is acceptable if the added productivity of mobile devices justifies it.