As smartphones and tablets reshape the corporate landscape, IT is being pulled in opposing directions: The department is challenged to embrace mobility's productivity gains while balancing its associated risks and costs. In regulated industries, these challenges are exacerbated by the need to ensure and
Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) defines specific privacy and security rules to protect Electronic Protected Health Information (e-PHI) with standardized technical and non-technical safeguards. Organizations subject to HIPAA (known as covered entities) must ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit; identify and protect against reasonably anticipated security threats to that information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.
The HealthIT.gov website recommends that covered entities assess whether and how mobile devices will be used to access, receive, transmit or store e-PHI. Affected mobile devices should be subjected to risk analysis to identify potential threats, vulnerabilities and risks. Mobile security controls should then be implemented to manage these risks. Controls can include authentication and encryption to prevent unauthorized disclosure of data sent, received or stored on mobile devices, and can be complemented by remote wipe capabilities for lost, stolen or retired devices. Covered entities must also formally develop, document and implement mobile security policies and procedures. A mobile device management, or MDM, platform can be used to configure the required controls, detect deviations and enforce regulatory compliance. Finally, workforce training must be provided in mobile security policies and procedures, with appropriate sanctions for those who violate these rules.
Retail: The Payment Card Industry Data Security Standard (PCI-DSS) imposes a dozen requirements on merchants and other entities that process, store or transmit credit card numbers, or primary account numbers. PCI-DSS requirements are focused on building and maintaining a secure network, protecting cardholder data, managing vulnerabilities, implementing strong access controls, monitoring and testing the network regularly, and maintaining an associated security policy.
Mobile devices impact several PCI-DSS requirements. First, any mobile device involved in processing, storing or transmitting cardholder data must be reflected in the merchant's security policy. Second, personal firewall measures must be used in any mobile or employee-owned device with Internet connectivity. Third, all affected mobile devices must use encryption to protect cardholder data sent over an open public network (e.g., the public Internet or a mobile broadband network). Fourth, antivirus measures must be included on systems commonly affected by malware, including mobile devices. Finally, mobile devices should also be considered under any broad PCI-DSS requirements that restrict access to cardholder data and test a cardholder data environment.
Finance: The Gramm-Leach-Bliley Act (GLBA) calls upon financial institutions such as banks, investment firms, CPAs and insurance companies to protect the privacy of consumers' nonpublic personal information (NPI). GLBA rules cover financial privacy and pretexting provisions and safeguards. The latter require companies to develop a written plan for protecting customer information that includes designating staff to coordinate a security program, identifying and assessing risk to customer information, designing and implementing a safeguards program, regularly monitoring and testing that program, selecting service providers that maintain the safeguards, and evaluating or adjusting the program as needed to adapt to changes and risks.
Even though GLBA predates the current popularity of smartphones and tablets, its Safeguards Rule requires policies for the appropriate use and protection of laptops, personal digital assistants, cell phones and other mobile devices used by financial institutions to handle customer NPI. All such mobile devices must be authorized and configured with required security controls, including authentication and encryption capabilities to protect data stored or accessed by each device. Any mobile device found to deviate from defined policies must be quarantined to prevent further access to financial information, and then reconfigured to return the device to a compliant state. Also, employees must be trained to take basic steps to maintain the security, confidentiality and integrity of customer NPI.
Publicly traded companies: The Sarbanes-Oxley Act (SOX) established reporting rules for publicly traded U.S. companies, and holds corporate leadership responsible for establishing, evaluating and monitoring internal controls over financial and other operational processes. SOX Section 404 requires corporate annual reports that provide a year-end assessment of the effectiveness of internal control structures and procedures for financial reporting.
Companies subject to SOX must identify whether mobile devices play a role in the SOX control environment. For those that do, companies must identify control policies and procedures for risk management. These can include steps to authorize mobile device use, to secure financial data stored on or accessed by those devices, and to block access by devices that fail to comply with security policies. SOX also requires that relevant information be communicated in a timely manner. For mobile devices, this may include employee training on mobile security policies and prompt management notification when security incidents occur. Finally, to comply with monitoring requirements, usage and policy compliance must be monitored for all mobile devices relevant to the SOX control environment.
SOX, HIPAA, GLBA and PCI-DSS are only four well-known, industry-specific regulations out of dozens that may require the mobile workforce to follow regulatory compliance procedures. Despite differences in regulatory compliance mandates across industries, we can easily see a common thread: Mobile devices are not excluded from regulation. What determines applicability is not device type, but the kind of information handled by the devices or the networks and systems accessed by them. Increasingly, mobile devices are being used in the business setting and thus require the same consideration, configuration and supervision that have long been applied to other business computing devices. Don't fall into the trap of thinking mobile devices don't carry or touch regulated data and as a result won't endanger regulatory compliance. Instead, treat mobile devices as an integral part of your computing and regulatory compliance environment.
About the author:
Lisa Phifer owns Core Competence Inc., a consulting firm specializing in the business use of emerging Internet technologies. She has been involved in the design, implementation and evaluation of networking, security and management products for nearly 30 years. She is a recognized industry expert on wireless security, mobile device security and VPNs.
This was first published in November 2013