Mitigating mobile risks

Onboarding, management and decommissioning should all be part of your strategy.

by Jim Benlein, CISA, CISM

Managing the risks of mobile devices at your credit union used to be a fairly small part of your risk mitigation strategy. There just weren’t that many mobile devices in use. But things are different today.

Your credit union likely issues staff members laptops, tablet computers, handheld mobile devices and portable storage such as USB drives. Plus, “bring your own device” is a common element of our culture, and employees are using their own personal technology for CU work.

In a bonus article, I discuss the value of having good governance practices for mobile device security—your starting point for mobile risk management. Your governance framework molds the specific controls and security measures your Credit Union will use to mitigate the risks of mobile. (Also see the National Credit Union Administration’s Nov. 7 Supervisory Letter on enterprise risk management.)

In this article, we’ll look at the kinds of specific controls your CU might need. Our review will divide mobile device controls into the three segments of the mobile device “lifecycle”: onboarding, management and decommissioning. The comments and examples used in the article primarily reference smartphones and laptops, but also apply to other devices, such as USB thumb drives, portable hard drives, camera/video recorders and Wi-Fi hotspot devices.

Device Onboarding

Device onboarding is the process of authorizing the purchase of, or approving, an additional mobile device for the credit union’s information technology environment. The process for device onboarding is set by credit union policy and procedure. In creating policies and procedures for device onboarding, consider and examine the following:

Approved/authorized hardware. Each CU must examine, for its own environment, a number of factors that determine what will count as an authorized or approved device. Two of the more critical ones are:

Classification of data. How critical or sensitive is the data stored on or processed through the device? If the data is “medium risk,” the credit union may require encryption of data on the device. If the device can be used to send/receive data, the CU may require that the device use secure connections (i.e., no “open” Wi-Fi). If the data is “high risk,” the CU may require centralized or remote administration of the device to verify use of full-disk encryption and anti-virus tools, and to allow remote wiping of the device. For connections, the CU may allow only secure options (e.g., VPN, secure Bluetooth). If a device cannot provide the needed security, it should not be approved for use.

Service/help desk resources. The CU should examine the resources available to support devices and determine what level or expansion of support it can provide. If current staff is capable of supporting Windows or Linux/Android devices but has little training in supporting Apple devices, the CU may want to allow only Windows/Android devices until staff is trained. If data on a device is considered confidential and the user needs to go to an outside company for help with issues or problems, vet that vendor carefully.

Vendor/account management. In implementing its technology strategy, the CU may choose to concentrate purchasing with a select number of vendors (for bulk discounts, fewer vendors to manage, or stronger relationships and support). In this case, only purchases from a selected vendor may be allowed. For example, to better manage corporate mobile phone billing and reconciliation, the CU may have a corporate account with one provider. Any phones used by employees would then need to be ones this vendor provides or supports.

Approved/allowed applications. Applications are software, and therefore subject to compromise. To limit the exposure of information to malware, the CU may wish to limit what software can be installed on mobile devices. With smartphones, the credit union may choose to restrict users to only applications purchased/installed from the official Google or Apple stores, or only those tested and verified by the credit union.
