IT in the gutter with Mobile Compliance
Article Courtesy of: TechTarget
The emergence of enterprise mobility has made it a lot more complicated for organizations to maintain compliance with government and industry-specific regulations.
Regulatory compliance encompasses a slew of federal, state and local laws and policies that businesses must adhere to. When it comes to technology, that means obeying laws that help ensure secure data storage and processing. If a company fails to comply, it could face repercussions such as fines and even criminal charges.
But the consumerization trend put another wrinkle in the way enterprises deal with compliance. Now, companies have to worry about mobile compliance and securing their data on employees’ personal smartphones and tablets — not just on corporate-provided devices. That’s tougher to secure, because IT typically has less insight into users’ own devices and apps. With company-issued laptops and desktops, IT admins could keep closer tabs on PCs in and even outside the physical office environment. But with their personal mobile devices, employees can access corporate data from any unsecured network, further complicating monitoring and security measures.
“The data is literally leaving their network,” said Nat Kausik, CEO of Bitglass, a cloud access security broker startup. “When [organizations] had conventional desktops, they controlled it — installed the software, locked it down, and you couldn’t alter it in any way. With mobile, all of that is essentially obsolete.”
Plus, mobile data is often accessed from or stored in the cloud. That complicates mobile device compliance because the organization is still liable for any data that a cloud provider delivers, manages or stores for IT.
“Cloud definitely poses a wrinkle for teams like security and legal,” said Jeff Jenkins, director of cybersecurity at Travelport, an Atlanta-based travel commerce platform provider. “It’s about contractual agreements. It requires you to do a lot more due diligence in negotiation when working with the cloud provider.”
What makes things even trickier is the fact that national regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which governs the processing of patient health information, don’t offer specific language that addresses mobility and remote access. These kinds of laws were designed to be general and all-encompassing so that they’re less likely to become outdated as technology advances, said Ramy Fayed, a partner and U.S. practice leader of legacy health care at global law firm Dentons.
Still, HIPAA requires that any transmission of electronic health information is protected, which would include data stored or processed from mobile devices — and it’s up to IT departments to figure out how.
“You’re not going to find a magic list that the government said, ‘OK, do these ten things and you can rest at night,'” Fayed said. “If you’re applying security rules to your hospital computers, [those] are going to need to be carried out with your mobile procedures… At the end of the day it’s all about, how do I implement a process that best safeguards privacy, confidentiality and all the protected health information?”
HIPAA does have some hard and fast rules, such as mandated security risk assessments. But other rules are simply what are called “addressable standards,” meaning they’re not required by law but IT departments must assess whether they’re appropriate to implement for their organization. The use of encryption is one example of the latter, Fayed said.
“Despite it being ‘addressable,’ it would be hard to come up with a justification as to why you didn’t implement encryption,” he said.
Plus, HIPAA in 2014 implemented increased fines if companies violate certain parts of its regulations. That has made more healthcare organizations formalize their policies around mobile compliance, Kausik said.
What Counts as PII (personally identifiable information)?*
- Name and aliases
- Social Security, passport, driver’s license and taxpayer or patient identification numbers
- Financial account and credit card numbers
- Street, email and IP addresses
- Telephone numbers
- Characteristics gleaned from photographs, X-rays, fingerprints and other biometric sources
- Vehicle registration numbers and home title information
- Information about date and place of birth, race, religion, weight, activities, geographical indicators, plus employment, medical, education and financial history
[*Source: National Institute of Standards and Technology special publication 800-122 “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” U.S. Department of Commerce.]
“You can’t secure what you don’t acknowledge”
One of the compliance requirements most affected by mobility is the protection of personally identifiable information (PII) — data such as an individual’s name, address, Social Security and driver’s license numbers and even physical characteristics — because smartphone and tablet apps now access and process so much of this data. Any company that handles PII is mandated to follow federal and state privacy laws that serve to safeguard a person’s identity.
Travelport employees handle travelers’ PII, for instance, and the company must also comply with international information transfer laws and payment card industry (PCI) requirements, which compel organizations to process and store credit card information securely. Travelport offers corporate-provided mobile devices, so IT uses mobile device management (MDM) software to gather reports on user behavior and ensure that employees are properly processing sensitive customer data, Jenkins said.
“It gives us an idea of the trends and behaviors, whether someone is doing something bad on their endpoint that would create a security hole,” he said. “That’s huge from a compliance standpoint.”
But what if an organization doesn’t even know credit card information is being stored on or processed from mobile devices? That’s the biggest issue when it comes to mobile compliance: Many companies are dealing with unknowns, said Kevin Beaver, an independent security consultant at Principle Logic.
Some IT shops don’t know what devices they have on the network and whether they’re personal or corporate-owned, and therefore they don’t know what apps people are using and what corporate data they may be accessing. This problem occurs when companies don’t have a standard for what devices they provide, or they don’t have a strong BYOD policy, Beaver said.
“You can’t secure what you don’t acknowledge,” he said.
This lack of visibility can lead to compliance violations because IT may not put the proper security measures in place on devices or data it doesn’t monitor. The biggest breaches experts see around mobile device compliance are when companies don’t encrypt mobile data, enforce user passwords or have secure storage and networking. For instance, PCI Security Standards Council strongly recommends that organizations segment their networks to keep credit cardholder information separate from the rest of their stored data. But many companies don’t realize that or implement segmentation for mobile data, Beaver said.
In some ways, mobile compliance is similar to compliance for PCs. Admins need to require passwords and make sure they keep patches up to date, for example. IT also can’t assume that mobile devices — even iPhones and iPads, which tend to fall victim to less malware than others — don’t need antimalware, Beaver said. Bad links, such as those from banned sites or paid services, can carry viruses. But they’re harder to identify on mobile devices because touchscreens prevent users from viewing the full URLs of the links they may click, Beaver said.
“That’s a good reason alone to have antimalware on these systems,” he added.
The pushback problem…
Read the FULL STORY
OnPage is The World’s Most Advanced Enterprise Priority Messaging Solution.
CONTACT Sales: [email protected]
Call: 781-916-0040 – Ext. 110
[Follow OnPage on Twitter]