Three steps to achieve defense in depth for mobile GRC applications

Mobile apps are vital to GRC processes but are vulnerable to hackers. In this tip, learn how to achieve defense in depth for mobile GRC applications.

Applications targeting governance, risk and compliance (GRC) can be used to track data retention and risk management procedures mandated by the Sarbanes-Oxley Act (SOX), HIPAA, Basel II and other regulations. In fact, tools provided by GRC applications have become increasingly important to helping meet these standards.

To accommodate executives and administrators on the go, there are a variety of mobile GRC applications available for iOS, Android, BlackBerry and Windows Phone devices. These applications are useful for conducting audits, inspections, GRC assessments and reviews; reporting incidents and taking remedial action; and managing documents and information-related obligations such as data retention mandates.

Whatever mobile GRC applications you choose, they all come with security vulnerabilities and require protection against hackers and other attackers. The best security for these mobile GRC applications is multiple layers of protection collectively known as defense in depth.

Defense in depth helps mitigate risks stemming from mobile GRC application use, or it at least brings risk to a more acceptable level. No one security layer has all the safeguards needed to defend your mobile applications against hackers. Each defense mechanism in a layer, however, may have strengths that other defense mechanisms in the same layer do not have.

Here are steps you should take to implement defense in depth:

Step 1: Identify mobile GRC applications. Identifying exactly what mobile GRC applications you have is the first step in defending them against adversaries. These applications can be categorized either by stakeholder needs or by the type of application.

Stakeholders include the following personnel who use information from GRC applications:

  • Executives to make business decisions
  • Finance managers to help meet regulatory compliance requirements
  • Information managers to control multiple data retention policies
  • Legal counsel to discover and retain records
  • IT directors to manage GRC software installations
  • Compliance regulators to manage data retention/deletion policies
  • Risk managers to assess and manage risks

Specific types of GRC application uses include:

  • Noncompliance management
  • Risk management
  • Compliance training management
  • Incident management
  • Data retention policy management
  • Audits and inspections
  • Facility assessment
  • Asset inventory evaluation
  • Information system accreditation management
  • ROI calculation

Step 2: Identify your adversaries. Potential adversaries can be individuals, business competitors, terrorist groups and/or nation states. These adversaries and hackers target any mobile users possessing sensitive business information.

Adversaries typically spend time studying the company to discover entry points in its network, including employee Internet use and the business's intranet. Companies need to determine who the likely adversaries are, and whether they can perform the following malicious activities:

  • Passively monitor wireless connections to in-use mobile GRC applications.
  • Use social engineering to get mobile GRC application users to give away confidential information.
  • Exploit disgruntled, recently-terminated mobile application users.
  • Directly attack wireless networks using cell-phone jamming.

Step 3: Create layers of defense. The next step is to create layers of defense for mobile GRC applications. Each layer contains one or more defense mechanisms, or lines of defense, that present obstacles for adversaries.

There are four common types of attacks: passive, insider, active and close-in. Each requires a different set of defense mechanisms, but all should include a first line of defense with other lines of defense layered on top of it. There are no rules on the number of lines of defense for each of these four attack types. It's important to remember, however, that each defense mechanism should include cost-effective safeguards that will result in positive ROI.

Here are some tips for setting up layers of defense, beginning with two security layers for each attack type.

Passive attacks:

  • First line of defense: Network-layer encryption, firewall encryption, traffic flow security and Internet disconnection when not in use.
  • Second line of defense: Both in-house and cloud-based security-enabled applications.

Insider attacks:

  • First line of defense: Personnel and physical security.
  • Second line of defense: Role-based access controls and multi-modal biometrics security.

Close-in attacks:

  • First line of defense: Physical, personnel and multi-modal biometrics security.
  • Second line of defense: Technical surveillance countermeasures (facial recognition, gestures, gait).

Active attacks:

  • First line of defense: Defend outer and inner network boundaries with nested firewalls, each with its own intrusion detection system.
  • Second line of defense: Active defense of computing environment.

Whatever mobile GRC applications you choose, they should be secured using defense in depth. Check with your system administrator to find out if defense in depth has been set up on mobile-connected enterprise servers. More importantly, conduct periodic security awareness training programs to further ensure protection of sensitive business information included in mobile GRC applications.

About the author:
Judith M. Myerson is the former ADP Security Officer/Manager at a naval facility, where she led enterprise projects for its Materiel Management System. Currently a consultant and subject matter expert, she is the author of several books and numerous articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her Master of Science degree in Engineering from the University of Pennsylvania and is certified in Risk and Information System Control (CRISC).

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
