Three steps to achieve defense in depth for mobile GRC applications

Judith M. Myerson, Contributor

Applications targeting governance, risk and compliance (GRC) can be used to track the data retention and risk management procedures mandated by the Sarbanes-Oxley Act (SOX), HIPAA, Basel II and other regulations. In fact, the tools provided by GRC applications have become increasingly important in helping organizations meet these standards.

To accommodate executives and administrators on the go, there are a variety of mobile GRC applications available for iOS, Android, BlackBerry and Windows Phone devices. These applications are useful for conducting audits, inspections, GRC assessments and reviews; reporting incidents and taking remedial action; and managing documents and information-related obligations such as data retention mandates.

Whatever mobile GRC applications you choose, they all come with security vulnerabilities and require protection against hackers and other attackers. The best security for these mobile GRC applications is multiple layers of protection, collectively known as defense in depth.

Defense in depth helps mitigate the risks stemming from mobile GRC application use, or at least brings risk down to a more acceptable level. No single security layer has all the safeguards needed to defend your mobile applications against hackers. Each defense mechanism within a layer, however, may have strengths that the other defense mechanisms in the same layer lack, so the layers compensate for one another's gaps.

Here are steps you should take to implement defense in depth:

Step 1: Identify mobile GRC applications. Identifying exactly what mobile GRC applications you have is the first step in defending them against adversaries. These applications can be categorized either by stakeholder needs or by the type of application.

Stakeholders include the following personnel who use information from GRC applications:

  • Executives to make business decisions
  • Finance managers to help meet regulatory compliance requirements
  • Information managers to control multiple data retention policies
  • Legal counsel to discover and retain records
  • IT directors to manage GRC software installations
  • Compliance regulators to manage data retention/deletion policies
  • Risk managers to assess and manage risks

Specific types of GRC application uses include:

  • Noncompliance management
  • Risk management
  • Compliance training management
  • Incident management
  • Data retention policy management
  • Audits and inspections
  • Facility assessment
  • Asset inventory evaluation
  • Information system accreditation management
  • ROI calculation

Step 2: Identify your adversaries. Potential adversaries can be individuals, business competitors, terrorist groups and/or nation states. These adversaries and hackers target any mobile user who possesses sensitive business information.

Adversaries typically spend time studying the company to discover entry points into its network, including employees' Internet use and the business's intranet. Companies need to determine who the likely adversaries are and whether they are capable of the following malicious activities:

  • Passively monitor wireless connections to in-use mobile GRC applications.
  • Use social engineering to get mobile GRC application users to give away confidential information.
  • Exploit disgruntled or recently terminated mobile application users.
  • Directly attack wireless networks using cell-phone jamming.

Step 3: Create layers of defense. The next step is to create layers of defense for mobile GRC applications. Each layer contains one or more defense mechanisms, or lines of defense, that present obstacles for adversaries.

There are four common types of attacks: passive, insider, active and close-in. Each requires a different set of defense mechanisms, but every one should include a first line of defense with further lines of defense layered on top of it. There are no rules on the number of lines of defense for each of these four attack types. It's important to remember, however, that each defense mechanism should consist of cost-effective safeguards that produce a positive ROI.

Here are some tips for setting up layers of defense, beginning with two security layers for each attack type.

Passive attacks:

  • First line of defense: Network-layer encryption, firewall encryption, traffic flow security and Internet disconnection when not in use.
  • Second line of defense: Both in-house and cloud-based security-enabled applications.

Insider attacks:

  • First line of defense: Personnel and physical security.
  • Second line of defense: Role-based access controls and multi-modal biometrics security.

Close-in attacks:

  • First line of defense: Physical, personnel and multi-modal biometrics security.
  • Second line of defense: Technical surveillance countermeasures (facial recognition, gestures, gait).

Active attacks:

  • First line of defense: Defend outer and inner network boundaries with nested firewalls, each with its own intrusion detection system.
  • Second line of defense: Active defense of computing environment.

Whatever mobile GRC applications you choose, they should be secured using defense in depth. Check with your system administrator to find out whether defense in depth has been set up on the enterprise servers that mobile devices connect to. More importantly, conduct periodic security awareness training programs to further protect the sensitive business information held in mobile GRC applications.

About the author:
Judith M. Myerson is the former ADP Security Officer/Manager at a naval facility, where she led enterprise projects for its Materiel Management System. Currently a consultant and subject matter expert, she is the author of several books and numerous articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her Master of Science degree in Engineering from the University of Pennsylvania and is certified in Risk and Information System Control (CRISC).

This was first published in February 2014
