Mobile Device Management Ryder Audit Services 2013
Mar 29, 2015
Agenda
Ryder Profile
Mobile Device Background
Mobile Device Overview
Baseline – Inventory
Baseline – Policies and Standardization
Baseline – Responsibilities
Central Management
Security Settings
Audit Strategy
Questions
Proprietary and Confidential
Ryder Profile
Revenue (1) $6.1 Billion
Operating Revenue (1) $4.8 Billion
Earnings Before Tax (1) $279 Million
Net Earnings (1) $170 Million
Free Cash Flow (1) $257 Million
Assets $7.6 Billion
Vehicles Maintained 205,200
Employees 27,500
Full Year 2011
Dedicated Contract Carriage
Fleet Management Solutions
Supply Chain Solutions
(1) These amounts result from continuing operations.
Background
Over 5,000 mobile devices (laptops, smart phones and tablets) access corporate emails, applications, intranet
Employees primarily located throughout US, Canada, UK, Mexico (key countries)
Controls around access of Corporate networks and emails via laptops have been in place for a long time
Ryder has “some” controls in place around Laptops:
  o Policies, procedures and process (procure, install software, track inventory, audit, etc.)
  o Mature technology (hardware/software) allows access to corporate networks
  o Resources and management
However, with the Blackberry the definition of mobility started to change … access emails from anywhere
Laptop became the new desktop
Focus on managing “truly” mobile devices
iPhones, Androids and the tablets
Overview
There is an increasing “Demand” to “access” more via mobile devices
  o Beyond email now
  o Intranet
  o Access business application data
  o Approvals (deals, contracts, transactions, etc.)
“Applications are more critical than the devices themselves”
Find a balance
  o Organizational needs
  o User preferences
  o Information security requirements with greater mobility
Baseline – Inventory
How many “mobile” devices are connected to your network?
  o Personally owned devices
  o Corporate owned/issued devices
Have you audited the Corporate issued devices?
What types of mobile devices and OS’s are connecting to your network?
  o RIM/Blackberry
  o iOS iPhone/iPads
  o Android phones and tablets
  o Windows based phones
What software/technology does the corporation use to access the emails and data via mobile technology?
  o Lotus Notes
  o MS Outlook
  o Each software (tool) can be configured differently
Baseline – Policies and Standardization
What policies are available to be used?
  o Email usage
  o Remote access
  o Computer usage
  o Laptops
  o Mobile devices
Can the user bypass the corporate security settings on the mobile devices?
  o Can the user turn off encryption on the mobile device?
  o Can the user change password requirement on the mobile device?
  o Have the data wipe settings (passwords to be 5 characters, data can be wiped remotely) been changed on the mobile device?
Are the security settings standard across all mobile platforms?
BYOD has solidified its standing in the workplace. Here is a breakout of usage of personal mobile devices or tablets for work:
  o 92 percent working in professional services
  o 86 percent in financial services
  o 84 percent in healthcare
  o 77 percent of information technology workers
  o 38 percent in government
All companies, ranging from 200 to 2,000+ employees, report BYOD use at over 50 percent. (Source: businesswire.com)
Baseline – Responsibility
Who is responsible for managing or setting up the policies and enforcing the policies?
  o IT Management
  o Legal/General Counsel
  o Global Compliance
  o Enterprise Mobile Team
  o Risk management
Who approves use of mobile devices?
  o Director level approval needed to use the mobile devices
  o There is usually a licensing cost with the number of devices allowed to access the network.
  o Standardization of the type/kind of mobile devices to be used
    o Blackberry, Android phones, iPhones, iPads
Central Management
o How does your organization track/manage these devices?
o Require all devices to enroll in a “central” program
  o Corporate policy
o Require new devices to register
  o OS on the mobile gets upgraded (re-register)
o Stage the device to ensure proper enrollment
  o Allow administrator time for review/installation
o Register the device
  o Limit number of devices user can login from
o Authenticate the user/device
  o Passwords/tokens
o Terms and conditions & Restrictions
  o Comply with rules of the organization
  o Outdated mobile devices or jailbroken devices not to be used
Security Settings
• Roll out common standard security settings regardless of the mobile device
• Encryption of full device
• Minimum password length/complexity requirement
• Wiping remotely (in case mobile device is lost)
• Restrictions of specific features on the device
• Ability to push configurations to all devices
• Ability to restrict access
• Ability to monitor usage (time, location, etc.) of the device
• Roll-out updates and provide remote support
Other Security Concerns
Ensure the transport layer is secure end to end
Reliance placed on Virtual Private Network (secure end to end tunnel) for laptop/notebook usage
VPN does not work well in securing end to end transport layer with mobile devices. Mobile sites may not have the necessary Secure Sockets Layer (SSL) security.
Mobile traffic is routed to the user’s network provider depending on where the user is located
Therefore, data that has been stored/processed needs to be secured by the organization during the transport
Audit Strategy
Does your organization have standard policies and procedures in place?
How old and relevant are the policies?
How many policies (email, mobile devices, laptops, computer usage, etc.) do you need to review?
Who at your organization is responsible for mobile device security? How involved are they?
Has an inventory of the corporate devices been done?
What tool/software is used to manage the security on the mobile devices?
Audit Strategy
If multiple tools are being used, how sure are you that the security settings are configured uniformly?
Request and review the security settings (IT would be glad to help)
Ensure the security settings are in line with the corporate policies (encryption at all times, file sharing, etc.)
Do terminated employees still have access to the corporate data through these mobile devices?
Where would you rank your organization in the maturity model?
  o Non-existent controls
  o Adhoc / Initial
  o Defined
  o Managed/Measurable
  o Optimized
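Added example (not part of the original presentation): one way to script three of the audit checks above, namely settings in line with policy, uniform settings across multiple tools, and terminated employees with enrolled devices. The field names, tool names, termination list and device records are constructed for illustration; only the policy items (encryption, password length of 5, remote wipe, no jailbroken devices) come from the slides.

```python
# Added example: field names, tool names and device records are constructed.
POLICY = {"encryption": True, "min_password_length": 5, "remote_wipe": True}
TERMINATED = {"bjones"}  # constructed HR termination list
FIELDS = ("id", "user", "tool", "encryption", "min_password_length",
          "remote_wipe", "jailbroken")
ROWS = [  # constructed exports from two hypothetical management tools
    ("D-001", "asmith", "tool_a", True, 6, True, False),
    ("D-002", "bjones", "tool_a", True, 6, True, False),
    ("D-003", "cwong", "tool_b", False, 4, True, False),
    ("D-004", "dlee", "tool_b", True, 6, True, True),
]
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]


def setting_findings(device, policy):
    """Return the ways one device deviates from the corporate policy."""
    findings = []
    for key, required in policy.items():
        actual = device.get(key)
        if isinstance(required, bool):
            ok = actual is required
        else:  # numeric minimum, e.g. password length
            ok = isinstance(actual, int) and actual >= required
        if not ok:
            findings.append(f"{key}={actual!r} (policy: {required!r})")
    if device.get("jailbroken"):
        findings.append("jailbroken device enrolled")
    return findings


def audit(devices, policy, terminated):
    """Check every device, terminated-user access and cross-tool uniformity."""
    report = {"noncompliant": {}, "terminated_access": [], "tool_drift": {}}
    seen = {}  # setting -> tool -> set of values observed
    for dev in devices:
        findings = setting_findings(dev, policy)
        if findings:
            report["noncompliant"][dev["id"]] = findings
        if dev["user"] in terminated:
            report["terminated_access"].append(dev["id"])
        for key in policy:
            seen.setdefault(key, {}).setdefault(dev["tool"], set()).add(dev.get(key))
    for key, tools in seen.items():
        # Drift: the set of values seen for this setting differs between tools.
        if len({frozenset(vals) for vals in tools.values()}) > 1:
            report["tool_drift"][key] = {t: sorted(v, key=repr) for t, v in tools.items()}
    return report


if __name__ == "__main__":
    for section, result in audit(DEVICES, POLICY, TERMINATED).items():
        print(section, result)
```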
Questions/Answers/Links/Thank you!!!
Useful Links
www.isaca.org/auditprograms
www.isaca.org/security-mobile-devices
www.isaca.org/cloud
www.isaca.org/knowledgecenter
Ashish Dham
Sr. Director Audit & Investigations
Ryder System Inc.
Mobile: 954-661-6480