Managing the risks of mobile devices at your credit union used to be a fairly small part of your risk mitigation strategy. There just weren’t that many mobile devices in use. But things are different today.
Your Credit Union likely distributes to staff members laptops, tablet computers, and handheld mobile devices and storage units, such as USB drives. Plus, “bring your own device” is a common element of our culture, and employees are leveraging their own personal technology in their CU work.
In a bonus article, I discuss the value of having good governance practices for mobile device security—your starting point for mobile risk management. Your governance framework molds the specific controls and security measures your CU will use to mitigate the risks of mobile. (Also see the National Credit Union Administration’s Nov. 7 Supervisory Letter on enterprise risk management.)
In this article, we’ll look at the kinds of specific controls your CU might need. Our review will divide mobile device controls into the three segments of the mobile device “lifecycle”: onboarding, management and decommissioning. The comments and examples used in the article primarily reference smartphones and laptops, but also apply to other devices, such as USB thumb drives, portable hard drives, camera/video recorders and Wi-Fi hotspot devices.
Device onboarding is the process of authorizing purchase of or approving an additional mobile device for the credit union’s information technology environment. The process for device onboarding is set by credit union policy and procedure. In creating policies and procedures for device onboarding, consider and examine the following:
Approved/authorized hardware. Based on its specific environment, each CU must examine a number of factors related to how it will determine what will be an authorized or approved device. The following are two of the more critical ones:
Classification of data. How critical or sensitive is data stored on or processed through the device? If the data is “medium risk,” the credit union may require encryption of data on the device. If the device can be used to send/receive data, the CU may require that the device use secure connections (i.e., no “open” Wi-Fi). If the data is “high risk,” the CU may require centralized or remote administration of the device to verify use of full-disk encryption and anti-virus tools, and allow for remote wiping of the device. For connections, the CU may allow only secure options (i.e., VPN, secure Bluetooth). If a device cannot provide needed security, it should not be approved for use.