
Mobile Device Management

Ryder Audit Services 2013


Agenda

Ryder Profile

Mobile Device Background

Mobile Device Overview

Baseline – Inventory

Baseline – Policies and Standardization

Baseline – Responsibilities

Central Management

Security Settings

Audit Strategy

Questions

Proprietary and Confidential


Ryder Profile

Full Year 2011

• Revenue (1): $6.1 Billion
• Operating Revenue (1): $4.8 Billion
• Earnings Before Tax (1): $279 Million
• Net Earnings (1): $170 Million
• Free Cash Flow (1): $257 Million
• Assets: $7.6 Billion
• Vehicles Maintained: 205,200
• Employees: 27,500

Dedicated Contract Carriage

Fleet Management Solutions

Supply Chain Solutions

(1) These amounts result from continuing operations.


Background

Over 5,000 mobile devices (laptops, smart phones and tablets) access corporate emails, applications, intranet

Employees primarily located throughout US, Canada, UK, Mexico (key countries)

Controls around access of Corporate networks and emails via laptops have been in place for a long time

Ryder has “some” controls in place around Laptops:

• Policies, procedures and process (procure, install software, track inventory, audit, etc.)
• Mature technology (hardware/software) allows access to corporate networks
• Resources and management

However, with BlackBerry, the definition of mobility started to change … access emails from anywhere

Laptop became the new desktop

Focus on managing “truly” mobile devices

iPhones, Androids and tablets

04/10/23 Proprietary and Confidential 5


Overview

There is an increasing “Demand” to “access” more via mobile devices

Beyond email now

• Intranet
• Access business application data
• Approvals (deals, contracts, transactions, etc.)

“Applications are more critical than the devices themselves”

Find a balance

• Organizational needs
• User preferences
• Information security requirements with greater mobility


Baseline – Inventory

How many “mobile” devices are connected to your network?

• Personally owned devices
• Corporate owned/issued devices

Have you audited the Corporate issued devices?

What types of mobile devices and OS’s are connecting to your network?

• RIM/BlackBerry
• iOS iPhone/iPads
• Android phones and tablets
• Windows based phones

What software/technology does the corporation use to access the emails and data via mobile technology?

• Lotus Notes
• MS Outlook
• Each software (tool) can be configured differently


Baseline – Policies and Standardization

What policies are available to be used?

• Email usage
• Remote access
• Computer usage
• Laptops
• Mobile devices

Can the user bypass the corporate security settings on the mobile devices?

• Can the user turn off encryption on the mobile device?
• Can the user change password requirement on the mobile device?
• Have the data wipe settings (passwords to be 5 characters, data can be wiped remotely) been changed on the mobile device?

Are the security settings standard across all mobile platforms?


BYOD has solidified its standing in the workplace. Here is a breakdown of the use of personal mobile devices or tablets for work:

• 92 percent working in professional services
• 86 percent in financial services
• 84 percent in healthcare
• 77 percent of information technology workers
• 38 percent in government

All companies, ranging from 200 to 2,000+ employees, report BYOD use at over 50 percent. (Source: businesswire.com)


Baseline – Responsibility

Who is responsible for managing or setting up the policies and enforcing the policies?

• IT Management
• Legal/General Counsel
• Global Compliance
• Enterprise Mobile Team
• Risk management

Who approves use of mobile devices?

• Director level approval needed to use the mobile devices
• There is usually a licensing cost with the number of devices allowed to access the network.
• Standardization of the type/kind of mobile devices to be used

Blackberry, Android phones, iPhones, iPads


Central Management

o How does your organization track/manage these devices?

o Require all devices to enroll in a “central” program
    o Corporate policy

o Require new devices to register
    o OS on the mobile gets upgraded (re-register)

o Stage the device to ensure proper enrollment
    o Allow administrator time for review/installation

o Register the device
    o Limit number of devices user can log in from

o Authenticate the user/device
    o Passwords/tokens

o Terms and Conditions & Restrictions
    o Comply with rules of the organization
    o Outdated mobile devices or jailbroken devices not to be used


Security Settings

• Roll out common standard security settings regardless of the mobile device

• Encryption of full device

• Minimum password length/complexity requirement

• Wiping remotely (in case mobile device is lost)

• Restrictions of specific features on the device

• Ability to push configurations to all devices

• Ability to restrict access

• Ability to monitor usage (time, location, etc.) of the device

• Roll-out updates and provide remote support


Other Security Concerns

Ensure the transport layer is secure end to end

Reliance placed on Virtual Private Network (secure end to end tunnel) for laptop/notebook usage

VPN does not work well in securing end to end transport layer with mobile devices. Mobile sites may not have the necessary Secure Socket Layer (SSL) security.

Mobile traffic is routed to the user’s network provider depending on where the user is located

Therefore, data that has been stored/processed needs to be secured by the organization during the transport


Audit Strategy

Does your organization have standard policies and procedures in place?

How old and relevant are the policies?

How many policies (email, mobile devices, laptops, computer usage, etc.) do you need to review?

Who at your organization is responsible for mobile device security? How involved are they?

Has an inventory of the corporate devices been done?

What tool/software is used to manage the security on the mobile devices?


Audit Strategy

If multiple tools are being used, how sure are you that the security settings are configured uniformly?

Request and review the security settings (IT would be glad to help)

Ensure the security settings are in line with the corporate policies (encryption at all times, file sharing, etc.)

Do terminated employees still have access to the corporate data through these mobile devices?

Where would you rank your organization in the maturity model?

• Non-existent controls
• Ad hoc / Initial
• Defined
• Managed/Measurable
• Optimized
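
One way to run the settings review and the terminated-employee check from the audit strategy above over a device inventory export. This is an added example, not part of the original presentation; the column names, the tool names ToolA/ToolB and the sample rows are constructed assumptions, while the baseline (encryption, remote wipe, no jailbroken devices, 5-character passcode) comes from the slides.

```python
import csv
import io

# Constructed sample: one inventory merged from two hypothetical MDM tools.
INVENTORY_CSV = """device_id,owner,platform,mdm_tool,encrypted,min_passcode_len,remote_wipe,jailbroken
D001,asmith,iOS,ToolA,yes,6,yes,no
D002,bjones,Android,ToolB,no,4,yes,no
D003,cwu,Android,ToolB,yes,5,no,yes
D004,dlee,BlackBerry,ToolA,yes,5,yes,no
"""
TERMINATED = {"dlee"}  # constructed HR termination list

# Baseline from the slides: encryption, remote wipe, no jailbreak, 5-char passcode.
REQUIRED = {"encrypted": "yes", "remote_wipe": "yes", "jailbroken": "no"}
MIN_PASSCODE_LEN = 5

def audit_device(row, terminated):
    """Return the list of baseline deviations for one inventory row."""
    findings = []
    for field, want in REQUIRED.items():
        got = (row.get(field) or "").strip().lower()
        if got != want:
            findings.append(f"{field}={got or 'missing'} (baseline: {want})")
    try:
        if int(row.get("min_passcode_len") or "") < MIN_PASSCODE_LEN:
            findings.append(f"passcode minimum below {MIN_PASSCODE_LEN}")
    except ValueError:  # setting absent or not numeric in the export
        findings.append("passcode minimum not reported")
    if row.get("owner") in terminated:
        findings.append("owner terminated, device still enrolled")
    return findings

def audit_inventory(csv_text, terminated):
    """Map device_id -> findings for every non-compliant device."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, terminated)
        if findings:
            report[row["device_id"]] = findings
    return report

def failures_by_tool(csv_text):
    """Count devices with setting deviations per MDM tool (uniformity check)."""
    failing = audit_inventory(csv_text, set())  # settings only, ignore HR status
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tool = row["mdm_tool"]
        counts[tool] = counts.get(tool, 0) + (row["device_id"] in failing)
    return counts
```

A tool whose failure count differs sharply from the others is the place to request the configured security settings first.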


Questions/Answers/Links/Thank you!!!

Useful Links

www.isaca.org/auditprograms

www.isaca.org/security-mobile-devices

www.isaca.org/cloud

www.isaca.org/knowledgecenter

Ashish Dham

Sr. Director Audit & Investigations

Ryder System Inc.


Mobile: 954-661-6480
