Educause Security Discussion mailing list archives

Re: iPad / mobile device security and policy

From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Wed, 2 Feb 2011 15:56:32 +0000

We're developing a tiered configuration policy for end user devices based
on risk. That is, based on the type of accounts and data accessible to the
person using the device and the damage the University or constituents may
suffer if compromised. The idea being that with the proliferation of end
user devices and access methods, security controls and policy should be
based on risk, not on platform. If a platform cannot meet a risk based
policy then someone has to sign off on the acceptance of risk associated
with the exception.

A simplified version looks like this:

RED
-Devices used to access or process large volume of highly confidential
information about other people, access highly privileged accounts, or
perform financial transactions over a set amount.
-No general internet access from computer enforced with external network
access controls.
-Whitelist of accessible sites.
-Location based application whitelisting.
-No administrator accounts
-No local control of computer configuration without explicit approval and
terms and conditions. With large volumes of highly confidential data and
high potential damages to the university or constituents, we don't want
end users to be performing risk assessments of configuration changes and
unplanned software installations by themselves.


ORANGE 
-Devices used to access or process large volume of sensitive information
about other people.
-Whitelist of trusted sites in browser.
-Location based application whitelisting.
-No administrator accounts
-No local control of computer configuration without explicit approval and
terms and conditions. With large volumes of sensitive data and high
potential damages to the university or constituents, we don't want end
users to be performing risk assessments of configuration changes and
unplanned software installations by themselves.


YELLOW 
-Devices used to access or process large volume of non-public information,
manage high level public facing communications, manage infrastructure, or
remotely access ORANGE or RED devices.
-Location based application whitelisting
-Operated with regular user account

GREEN
-Devices whose compromise would have little effect on other people's data
or services.
-Baseline security policies for platform

We recently had the opportunity to configure some university purchased
iPhones for use in a sensitive application. We used the iPhone
configuration tool to lock down the device so apps could not be downloaded
after the one needed to perform the business function and disabled
unnecessary functionality. The main issue with mobile devices is the
inability to control internet access as required for RED applications.

-----Original Message-----
From: "Semmens, Theresa" <theresa.semmens () NDSU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Wed, 2 Feb 2011 06:20:26 -0800
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] iPad / mobile device security and policy

Lewis,
I see a case study and best practices white paper with your
suggestion......

Theresa Semmens, CISA
Chief IT Security Officer
North Dakota State University
IACC 210D
PO Box 6050
Fargo, ND 58108
Phone: 701-231-5870
Cell Phone: 701-212-2064
Fax: 701-231-8541
Theresa.Semmens () ndsu edu

Security is a process, privacy is a consequence
Security is action, privacy is a result of successful action
Security is the strategy, privacy is the outcome
Security is the sealed envelope, privacy is the successful delivery of
the message inside the envelope
                           ~ Kevin Beaver & Rebecca Herold

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Watkins, Lewis
Sent: Tuesday, February 01, 2011 10:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iPad / mobile device security and policy

I'm looking for model policies and processes for managing iPad use in
campus environments?  Does your institution have iPad specific policies,
or are iPads included in a broader mobile device policy?  How do your
faculty and administrators currently use iPads?  Are any limits placed on
their use? Do you have specific configuration requirements or
recommendations?   How concerned are you about the security of iPads,
particularly for use with confidential information?   Thank you for any
guidance, advice, or references you can provide.

 Lewis
____________________________
Lewis Watkins, CISO
University of Texas System

-- 
Gary Flynn

Security Engineer
James Madison University
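The tiered scheme in Gary's message (classify a device by what it touches, then compare that tier's required controls against the device's actual configuration, and route any shortfall to a risk-acceptance sign-off) is easy to express as policy-as-code. The following is an added illustration written for this archive page; it is not JMU's tool and not code from any poster. The `Usage`, `DeviceConfig` and `Tier` names, the boolean control flags, and the sample "locked-down iPhone" configuration are all constructed here to mirror the four tiers as described in the post.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Risk tiers from the post, ordered from least to most restrictive."""
    GREEN = 0
    YELLOW = 1
    ORANGE = 2
    RED = 3


@dataclass
class Usage:
    """What the person using the device accesses (assumed attributes)."""
    data_class: str            # "public", "non_public", "sensitive", "highly_confidential"
    large_volume: bool = False # large volume of records about other people
    privileged_accounts: bool = False
    financial_over_limit: bool = False   # transactions over the set amount
    manages_infra_or_public_comms: bool = False
    remote_access_to_upper_tiers: bool = False  # remotely reaches ORANGE/RED devices


def classify(u: Usage) -> Tier:
    """Map a usage description onto a tier; higher-risk rules are checked first."""
    if (u.privileged_accounts or u.financial_over_limit
            or (u.large_volume and u.data_class == "highly_confidential")):
        return Tier.RED
    if u.large_volume and u.data_class == "sensitive":
        return Tier.ORANGE
    if ((u.large_volume and u.data_class == "non_public")
            or u.manages_infra_or_public_comms or u.remote_access_to_upper_tiers):
        return Tier.YELLOW
    return Tier.GREEN


@dataclass
class DeviceConfig:
    """Observed state of a device, platform-independent on purpose (assumed flags)."""
    admin_accounts: bool           # end user holds an administrator account
    user_can_change_config: bool   # local control of configuration/installs
    app_whitelisting: bool         # only approved applications can run/install
    browser_site_whitelist: bool   # browser restricted to trusted sites
    network_egress_filtered: bool  # internet access limited by external controls
    baseline_applied: bool         # platform baseline security policy applied


# Required control values per tier; each tier inherits the one below it.
_YELLOW = {"baseline_applied": True, "app_whitelisting": True, "admin_accounts": False}
_ORANGE = {**_YELLOW, "browser_site_whitelist": True, "user_can_change_config": False}
_RED = {**_ORANGE, "network_egress_filtered": True}
REQUIRED = {
    Tier.GREEN: {"baseline_applied": True},
    Tier.YELLOW: _YELLOW,
    Tier.ORANGE: _ORANGE,
    Tier.RED: _RED,
}


def gaps(tier: Tier, cfg: DeviceConfig) -> list:
    """Names of controls the device fails to meet for the given tier."""
    return [name for name, want in REQUIRED[tier].items() if getattr(cfg, name) != want]


def evaluate(u: Usage, cfg: DeviceConfig) -> dict:
    """Classify, check controls, and flag whether a risk-acceptance sign-off is needed."""
    tier = classify(u)
    missing = gaps(tier, cfg)
    return {"tier": tier.name, "gaps": missing, "exception_required": bool(missing)}


# Constructed sample: a university-issued iPhone locked down with a configuration
# profile (no further app installs, restricted browser, no admin/user config
# control) but, as the post notes, with no external control over internet access.
LOCKED_IPHONE = DeviceConfig(
    admin_accounts=False, user_can_change_config=False, app_whitelisting=True,
    browser_site_whitelist=True, network_egress_filtered=False, baseline_applied=True,
)


if __name__ == "__main__":
    red_use = Usage("highly_confidential", large_volume=True)
    print(evaluate(red_use, LOCKED_IPHONE))
    # -> tier RED, gap on network_egress_filtered, exception_required True
    print(evaluate(Usage("public"), LOCKED_IPHONE))
    # -> tier GREEN, no gaps
```

Running it on the sample reproduces the situation described in the post: the same locked-down phone is fully compliant for GREEN use but, for a RED application, fails only on the egress-filtering control, which is exactly the item that would need a documented risk acceptance. Because the controls are expressed as outcomes rather than platform features, the same evaluation applies to a laptop, a phone, or a tablet once an inventory or MDM export fills in the `DeviceConfig` flags.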
