Implementing And Maintaining Effective Information Risk Management


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Submitted as part of the requirements for the award of the MSc. in Information Security at Royal Holloway, University of London.

Supervisor: Geraint Price

Olabode Adelowo Olaoke, SRN: 101104702

Royal Holloway University of London.

1/27/2013

Contents

Introduction:

A Brief history of computers

The use of computers in enterprises has come a long way as the technology evolved in the corporate environment.

Looking at the history of personal computers and how they evolved over time into a mass-market consumer electronic device, that history is usually traced to around 1977 and the development of the microcomputer, even though some mainframe computers had been used as single-user systems earlier (Wikipedia, 2011).

In the early days computers were very expensive and exclusive devices, acquired only by large enterprises that could pay a premium for them. Back then, computers were designed and developed mainly as mainframe systems, and they required a great deal of skill and specialization to operate.

Because of the high costs and the relatively steep skill requirements, computers remained a "corporate technology" for several years, with most installations in educational, government or corporate environments. Even then, only organizations with deep pockets could afford the "luxury" of computer ownership.

During this period (the 1950s), computers were generally used for commercial and scientific purposes, and as a result the major computer manufacturers did not commit sufficient resources to the development of small, competitively priced computer systems.

Even so, as far back as 1945, when most computer development and use revolved around large mainframes, Vannevar Bush predicted in his article "As We May Think" a "future device for individual use" called the "Memex", "in which a person stores all his books, records and communications ... that may be consulted with exceeding speed and flexibility" (Allan, 2001).

At the time, computers were standalone infrastructures with limited or no connectivity to other computers. Security requirements were basic at most: one practically needed physical access to the mainframe, or at least to one of its terminals, in order to access it.

Until the early 1970s most efforts to provide computer security had been centered on environments where everyone coming into contact with the systems shared a common clearance, and where the principal effort had gone into procedural controls, especially those associated with external (physical) access to the computer systems and their files and the proper marking of the information found on the systems (Anderson, 1972).

Security was primarily about protecting the "physical" mainframe systems from unauthorized access.

Entry of Security and Risk Management to Computer systems

As computer systems continued to grow in functionality, processing power and storage capability, dependence on them grew in like manner. The importance of and need for secure computer programs became a pressing issue. There was also a growing need for shared use of computer systems; these systems (implemented mostly in government, military and educational environments) held information resources with different sensitivity or classification levels.

Computer security became a serious issue for organizations using computers as the need grew to protect the information on the systems and to ensure that users were not accessing information resources they should not be accessing.

Research into operating system access controls was gaining ground by the early 1970s, as access control was seen as the primary basis for computer security. Several models were developed, and the period 1972 to 1974 was characterized by a significant increase in computer security issues (The MITRE Corporation, 1976).

Over time personal computers gained popularity and started showing up in homes at a rapid rate. Although these personal computers were still at an early stage of development compared to what exists today, the world knew no better and they were adequate for the needs of the time.

By this time, security and risk management in computer systems had gone beyond access controls to application security and OS security. Networks were being developed and the Internet was gaining ground. Portable computers were gaining ground too, with the increasing popularity of laptops. Computer security was no longer "just" about physical access and secure applications and operating systems. The idea of the enterprise perimeter was born. Organizations quickly realized that in order to keep their information systems secure and protected from unauthorized access, especially from outside threats, the perimeter of the enterprise had to be secured.

Since the organization typically provided the workstations used inside its perimeter, it was easy and convenient for security administrators to configure them to a standard build that gave the administrators effective control over what could be done on them. Moreover, the majority of workstations were desktop computers that never left the enterprise perimeter. It was therefore reasonable to treat the perimeter as the "safe" zone and to assume that any system within it was (or could be) protected by the enterprise defenses, which typically included firewall appliances, proxy servers, antivirus and anti-malware applications, Active Directory and group policies, and so on.

For IT and security administrators at the time, risk management of the enterprise infrastructure was tractable as long as the systems deployed to users were properly set up (including all applicable hardening features) for the risk being addressed. Users typically did not have administrative privileges on their systems and so could not change security settings unless explicitly permitted to do so. Confidential data could be kept within the enterprise by applying the enterprise's information classification and handling policies to the enterprise-owned systems.

The Consumerization of IT – the arrival of BYOD

Over the years, personal computers became more affordable, and end users could afford to own computer systems, in some cases faster and newer than those their employer provided. The success of Apple's MacBooks (rarely the enterprise choice for workstations at the time, and probably still the case today), combined with their look and feel and a tendency toward fanatical followership, also contributed to this trend. Together with the email and document-processing smartphones that were already straining enterprise messaging and collaboration services, this made it difficult for IT and security administrators to stem the tide of what is often referred to as the consumerization of IT. Personal computing devices began to encroach on the corporate environment, in part because some users wanted to be more productive by doing some work at home on their own computers.

In the same vein, executives were acquiring new mobile devices ranging from BlackBerrys to smartphones, tablet devices etc., and requesting to have them configured for use on the enterprise infrastructure.

As expected (or rather, as would ideally be expected), the initial tendency was for IT and security administrators to refuse, saying "that's not consistent with our policy"! This kind of resistance usually led to one of two outcomes:

IT & Security administrators resist & the users research workarounds

IT & Security administrators yield to the pressure

IT & Security Administrators resist & the users research workarounds:

Whenever the choice was to resist, users, rather than accept the refusal, would typically look for workarounds to get their devices connected to the enterprise information systems. This ranged from getting corporate email on personal computers, smartphones and tablets to connecting personal computers to the enterprise LAN.

This scenario produced a new type of threat to the enterprise network: the "inquisitive insider" was beginning to put the enterprise at risk. IT and security administrators could no longer rely on perimeter defenses alone to protect enterprise systems; they had to shift to endpoint protection and also focus on dealing with the insider threat.

IT & Security administrators yield to the pressure

Alternatively, IT administrators either yielded readily or were forced to submit to the pressure from users to get their devices connected to the enterprise. Some of this came from an understanding that employees were genuinely trying to be more productive by doing some work at home on their own computing resources. In other cases it was mainly upwardly mobile executives, with the resources to acquire the newest gadgets and the influence to have them connected to the enterprise information systems for productivity on the move, who drove such initiatives into the culture of the enterprise.

Gradually, IT and security administrators started supporting end-user devices ranging from smartphones to personal computers; resistance was no longer working, as the volume of devices arriving was clearly overwhelming.

When employees bring their own devices to the enterprise and use them to share files outside the office, it becomes difficult for IT and security administrators to maintain visibility and control. With this trend, users ask to use the technologies of their choice within the enterprise, which kills enterprise standardization. It is a symptom of a shift in the expectations of workplace users. This rapid shift in expectation, that users be permitted to bring their own devices and technologies to the workplace, is what has now become popularly known as "Bring Your Own Device" (BYOD).

Benefits and challenges of BYOD

While it is easy to blame the vendors of consumer products (Apple, Google, BlackBerry, Samsung etc.) for setting the stage for the consumerization of IT by building enough enterprise support into their devices, the blame game misses the point that BYOD reflects changes, here to stay, in how enterprise information systems are deployed. The development of very easy-to-use personal devices has encouraged users to "own" and "desire to use" their personal devices within the enterprise workspace.

Today's IT users are more technically savvy and sophisticated than ever before. They go for the technologies they prefer if they perceive that the technologies provided by the enterprise do not meet their needs (some of these needs are controversial, e.g. getting around rigid IT security policies).

Age is another significant factor in the consumerization of IT. A certain percentage of today's workforce has had technology all their lives; they grew up not knowing a world without the Internet. This "Internet generation" often brings innovation and fresh ideas to the workplace, yet often wants immediate gratification. They are usually unwilling to wait months for the latest technologies and generally display a strong (sometimes excessive) tendency toward early technology adoption.

Although there may be benefits such as greater productivity (e.g. email on the go, saving work to personal cloud storage and being able to access and update it from several different devices), there can be direct conflict between personal devices and the organization's IT security policies. Such conflicts tend to put information systems at risk.

Project Objectives - Risk Management in BYOD environment

For many enterprises, the tendency is to take a device-centered approach to information systems. This approach remained largely effective as long as all employees were constrained to employer-supplied computers and information systems: there was usually some standardization in the type and configuration of end-user systems, and this standardization, combined with centralized administration and control, made it easy for IT security administrators to manage the risk to information systems.

Some of the end-user system management initiatives under centralized administration focused on securing the image on the systems; this was relatively easy to achieve as the computers were connected to the corporate network anyway. The image provided a standard configuration containing the OS, applications, data and personal settings required for effective day-to-day operation in the enterprise.

Today, the enterprise landscape has changed into a complex computing environment in which a substantial number of users work with several disparate devices, all accessing the enterprise information systems while simultaneously accessing the Internet and other uncontrolled networks. These devices typically run all sorts of unmanaged and unstandardized applications from all sorts of sources.

To manage information security effectively in such an environment, a BYOD environment, IT security administrators need to develop a user-centered strategy for information risk management.

Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (BS ISO/IEC 27001, 2005).

Risk management on the other hand is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions (NIST SP 800-30, 2002).

Information risk management therefore deals with the coordinated activities to direct and control an organization's information systems with regard to risk.

This project aims at developing an effective information risk management framework for managing risks in an environment where BYOD is implemented.

Main Content

BYOD: The Usual Suspects

When employees bring their own devices to the enterprise, the devices arrive relatively uncontrolled compared to enterprise-managed systems. They come in many forms, shapes and sizes and vary in functionality and capability, and can very broadly be categorized as follows:

Smart Phones

Tablets and handheld devices

Laptops and PC’s

Storage devices

Smartphones:

These are the commonest devices penetrating the enterprise perimeter. A 2011 survey in the United States by the CTIA found that there are more active mobile connections than people (CTIA - The Wireless Association, 2011). People generally take their smartphones with them wherever they go and gradually come to rely on their functionality for extra productivity. Such entrants usually start with employees trying to get corporate email on their mobile devices; when refused, they begin forwarding corporate email to personal mailboxes (Yahoo, Gmail etc.). Eventually executives and senior management ask for similar access and the rest is history: IT eventually begins to support smartphones.

Tablets and Handheld Devices:

Tablets are very similar to smartphones but usually have larger screens and, possibly, more processing power and storage capacity. They deliver most of the functionality of smartphones while being easier on the eyes for most users and offering longer battery life. They also tend to offer more in the way of applications for basic document processing. Tablets tend to be a favorite of executives and gamers. Thanks to the iPad and Android tablets alike, a lot of mobile browsing, emailing and light document processing now happens on tablets, with several hundred thousand applications to choose from.

Laptops and PC’s:

Computers are by far the most popular devices for delivering day-to-day work in the enterprise. They have become so ubiquitous that a very significant number of enterprise workers own a computer at home. Because of the way we work with computers, we tend to develop a certain relationship with the devices at the core of our daily lives. Processing power, unavailability of applications or simple sentimental attachment are some of the reasons users bring their personal computers (laptops especially) onto the enterprise network. Personal computers penetrating the enterprise perimeter can be on a par with, or more capable than, their enterprise-provided counterparts. They can therefore do as much as the enterprise workstations while enjoying less enterprise protection.

Storage Devices:

With rapid developments in storage technology, the last decade has seen a rapid evolution from 3.5-inch 1.44 MB floppy disks to almost invisible 64 GB flash drives. Portable storage devices have been at the heart of several high It is therefore no surprise that WikiLeaks and similar organizations receive a lot of confidential corporate and state information shipped out of enterprise and state networks without authorization.

In 2010, TheGuardian.co.uk reported how an innocuous-looking memory stick, no longer than a couple of fingernails, came into the hands of a Guardian reporter early in 2010. The device was so small it would hang easily on a key ring, but its contents sent shockwaves through the world's chancelleries and delivered what one official described as "an epic blow" to US diplomacy (Leigh, 2010).

All of these broad categories of personal devices appearing within the enterprise are used for both personal and business purposes. The sensitivity and criticality of the business and personal information on them can vary by a very wide margin, yet the information is handled in the same way. These devices are continuously being adopted in business environments and in some cases have become an integral part, or a convenient extension, of the enterprise information systems.

In a recent SANS Mobility/BYOD Security Survey of over 500 IT professionals, only 9% of respondents felt completely aware of all the mobile devices accessing their enterprise infrastructure (Johnson, 2012). This raises the following questions:

How does one manage what one is not aware of?

What really is the risk associated with employees bringing their own devices to the enterprise?

What risks are organizations faced with that embrace BYOD?

The Information Security Objectives

Taking a closer look at the ISO 27001 definition of information security and its key properties: information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (BS ISO/IEC 27001, 2005).

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: the property of safeguarding the accuracy and completeness of (information) assets.

Availability: the property of being accessible and usable upon demand by an authorized entity.

Authenticity:

Accountability: the property that ensures that the actions of an entity may be traced uniquely to the entity.

Non-repudiation: protection against repudiation, i.e. denial by one of the entities involved in a communication of having participated in all or part of the communication.

Reliability:

For the purpose of this report, the focus will be mainly on confidentiality, integrity and availability of information. These three objectives are the core of information security and are referred to as the information security triad, or CIA.

Information Security Risks associated with BYOD

Confidentiality:

The risk to confidentiality, following the definition above, is the unauthorized disclosure of information. Breach of confidentiality is a major risk area in BYOD adoption, and there are many ways in which BYOD puts confidentiality at risk; theft, loss or sharing of personal computing devices are a few of them.

Because of their size and mobility, it is all too easy for BYOD devices to be lost or stolen, and the moment a device is lost or stolen all the information on it is physically available to a third party. With tiny thumb drives carrying several gigabytes of data around, the information disclosed may be substantial.

Besides loss and theft, there is an increasing trend toward information and device sharing, strongly promoted by social media. In an effort to gain followers, employees increasingly publish content on social media channels. Using their personal devices means that the information security team's controls restricting access to some social media sites are bypassed. Smartphones are used to take high-resolution pictures of confidential documents, which are then sent out of the enterprise without any of the enterprise defenses being able to stop them. Information is released on social media even before it is finalized, with a corresponding insider threat to confidentiality.

Whenever confidentiality of information is breached, it is almost always impossible to "undo" the impact. How does one un-learn what one has already learnt? How does one recover electronic information that is already in unknown locations? A case in point is the US cable leak by WikiLeaks: the moment the information was released on the Internet, it was accessed, downloaded and stored by everyone who had any interest in its content, and it was immediately impossible to undo the damage.

Integrity:

Integrity deals with the completeness and accuracy of information. Any unauthorized modification of information, or modification by an authorized party in an unauthorized way, is a compromise of integrity. With portable media devices moving between the controlled enterprise perimeter, with all its defenses (antivirus, proxy servers, content filtering gateways, firewall appliances, network security zones etc.), and less-controlled (sometimes uncontrolled) user or public environments, the likelihood that information-modifying malware infects and alters information increases. Employees copy corporate information to physical or cloud storage, or even email it to their devices, to work on later. This compromised information then finds its way back into the enterprise attached to personal systems, emails and so on.

Sometimes unauthorized modification results from processing on disparate applications across multiple platforms. Consider a scenario in which an MS Excel spreadsheet containing validated sensitive data is edited in a document-processing app on a tablet that does not support some of the functions or formulas used to validate the contents as prepared in the authorized enterprise application. The tablet app silently truncates all unsupported content, leaving the resulting document inaccurate.

Availability

Since 11 September 2001 (9/11) many organizations have come to realize the importance of business continuity and disaster recovery initiatives, and policies, processes and technology are deployed to ensure that critical business services can resume after significant incidents. However, personal information systems used in the enterprise typically do not get included in the business continuity and disaster recovery plans. An employee using a personal laptop for office work may not be getting critical work files backed up along with those on the centrally managed enterprise systems. The day the laptop fails or goes missing and its contents are no longer accessible, all critical information that was never backed up may be lost for good, a compromise of availability.

Opportunities (Potential benefits) associated with BYOD

It is worth acknowledging that BYOD is not exclusively associated with threats to information systems; there are also quite a number of benefits, some of which are listed below:

Cost savings for the organization from lower expenditure on information systems (laptops, smartphones, storage devices, scanners, additional employee Internet subscriptions for working from home etc.)

A more productive workforce: teleworking, ability to work from home and remote places

Cost savings on deployment of remote access connectivity for the workforce to reach work files from remote locations, thanks to employee-owned cloud storage services

Increased operational efficiency due to increased employee productivity at no additional costs to the organization.

Lower user support requirements, as employees are often able to provide first-line support for their own devices and technologies.

BYOD Risk Assessment

Risk Assessment Parameters

To manage the risks associated with BYOD adoption effectively, it is important to understand them clearly. According to NIST, risk assessment is the first step in risk management (NIST SP 800-30, 2002).

We therefore perform a scoped risk assessment, based on NIST SP 800-30, of the categories of BYOD devices identified earlier. The assessment gives an informed insight into the risks associated with BYOD and helps direct risk management efforts toward the desired objectives. The adopted risk assessment process, borrowed from NIST SP 800-30, is summarized in the flow diagram below.

Figure : NIST Risk Assessment Process Flow Chart

To conduct the risk assessment successfully, some risk assessment parameters need to be defined. The following parameters are therefore defined for the purpose of this assessment:

Information/Data Classification

Likelihood

Impact Severity

Information Classification

Public: Information that is safe to be disclosed to the public.

Internal Use Only: Information that may be circulated or disclosed internally within the organization but must not be disclosed to external parties.

Confidential: Information that is disclosed strictly on a need-to-know basis.

Likelihood Ratings

High: Likely to occur at least once every six months. The threat source is highly capable and motivated, AND controls to prevent the threat source exploiting the vulnerability are deficient.

Medium: Likely to occur once a year. The threat source is capable and motivated, BUT controls in place may impede the threat source exploiting the vulnerability.

Low: Likely to occur two to three times every five years. The threat source lacks capability and motivation, OR controls to prevent (or significantly impede) the threat source exploiting the vulnerability are in place.

Impact Ratings

Low: A breach or compromise of the asset will have a minor effect on the system or the business operations it supports, and will require minimal effort to repair or reconfigure the system.

Medium: A breach or compromise of the asset may damage the reputation of the business or system management and/or cause a notable loss of confidence in the business and its services, as the asset is considered "mission critical" to business operations. Service would be significantly degraded, and significant resources would be required to repair it.

High: A breach or compromise of the asset may cause an extended outage of the business or system, or its permanent shutdown, requiring consideration of processing recovery plan options. It may also result in complete compromise of the business, its information or customer services.

Risk Ranking Matrix

Rows give the Likelihood (L); columns give the Impact Severity Level (I), i.e. the potential impact on business operations. Each cell is the resulting risk ranking.

Likelihood (L)      Impact Low    Impact Medium    Impact High
High                Medium        High             High
Medium              Low           Medium           High
Low                 Low           Low              Medium
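As an added worked example (not code from the original report), the following Python encodes the likelihood definitions, the impact scale and the risk ranking matrix above, scores rows of a risk register, and flags any row whose stated ranking disagrees with what the matrix gives for its likelihood and impact. The transcribed rows are taken from the smartphone and laptop entries of the assessment table that follows; the register field names, the "deficient/partial/effective" control-state vocabulary and the final (deliberately inconsistent) row are assumptions constructed for this example.

```python
"""Risk-ranking helper for a BYOD risk register.

Added example, not code from the original report. It encodes the
likelihood and impact scales and the Risk Ranking Matrix defined above,
scores register rows, and flags rows whose stated ranking disagrees with
the matrix. Field names, the control-state vocabulary and the final
sample row are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("Low", "Medium", "High")

# Risk Ranking Matrix from the report: RISK_MATRIX[likelihood][impact].
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


def rate_likelihood(capable_and_motivated: bool, controls: str) -> str:
    """Derive the likelihood rating from the report's rating definitions.

    controls is one of "deficient", "partial" (controls may impede the
    threat source) or "effective" (controls in place); this vocabulary is
    an assumption of the example. High = capable AND controls deficient;
    Medium = capable BUT controls may impede; Low = lacks capability and
    motivation OR controls in place.
    """
    if controls not in ("deficient", "partial", "effective"):
        raise ValueError(f"unknown control state: {controls!r}")
    if not capable_and_motivated or controls == "effective":
        return "Low"
    if controls == "deficient":
        return "High"
    return "Medium"


def rank_risk(likelihood: Optional[str], impact: Optional[str]) -> Optional[str]:
    """Map (likelihood, impact) onto the three-level risk ranking.

    Returns None when either rating is N/A (the risk does not apply) and
    raises on values outside the scale, so a typo in a register is caught
    rather than silently ranked.
    """
    if likelihood is None or impact is None:
        return None
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class RegisterRow:
    asset_class: str            # Public / Internal Use Only / Confidential
    threat: str                 # e.g. "Unauthorized Modification"
    security_property: str      # "C", "I" or "A"
    threat_source: str          # device category column of the table
    vulnerability: Optional[str]
    likelihood: Optional[str]   # "Low", "Medium", "High" or None (N/A)
    impact: Optional[str]
    stated_risk: Optional[str]  # ranking as written in the register


def check_register(rows):
    """Return (row, computed, stated) for every row whose stated ranking
    does not match what the matrix gives for its likelihood and impact."""
    findings = []
    for row in rows:
        computed = rank_risk(row.likelihood, row.impact)
        if computed != row.stated_risk:
            findings.append((row, computed, row.stated_risk))
    return findings


def summarise(rows):
    """Count rows per (threat source, computed risk) so the device class
    carrying the most Medium/High entries stands out."""
    counts = {}
    for row in rows:
        key = (row.threat_source, rank_risk(row.likelihood, row.impact) or "N/A")
        counts[key] = counts.get(key, 0) + 1
    return counts


STORED_CREDS = "Access control information stored on employee owned device"

# First four rows transcribed from the smartphone and laptop entries of the
# assessment table below. The last row is constructed for this example (a
# transcription error: "High" stated where the matrix gives "Medium").
SAMPLE_ROWS = [
    RegisterRow("Public", "Unauthorized Disclosure", "C", "Smartphone", None, None, None, None),
    RegisterRow("Public", "Unauthorized Modification", "I", "Smartphone", STORED_CREDS, "Low", "High", "Medium"),
    RegisterRow("Public", "Denial of Service", "A", "Smartphone", STORED_CREDS, "Low", "High", "Medium"),
    RegisterRow("Public", "Unauthorized Modification", "I", "Laptop", STORED_CREDS, "Low", "High", "Medium"),
    RegisterRow("Public", "Denial of Service", "A", "Laptop", STORED_CREDS, "Low", "High", "High"),
]


if __name__ == "__main__":
    for row, computed, stated in check_register(SAMPLE_ROWS):
        print(f"{row.threat_source}/{row.threat}: matrix says {computed}, register says {stated}")
    print(summarise(SAMPLE_ROWS))
    # Risk treatment on the report's scale: improving controls moves a
    # High-impact entry from High down to Medium, never to Low.
    print(rank_risk(rate_likelihood(True, "deficient"), "High"),
          "->", rank_risk(rate_likelihood(True, "effective"), "High"))
```

Run stand-alone, the script prints the one inconsistent row and the per-device counts. The last line shows a property of the matrix worth noticing before treatment decisions are made: Low likelihood combined with High impact still ranks Medium, so a control that only reduces likelihood can never bring a High-impact entry below Medium on this scale; only reducing the impact (what the device actually holds) can.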

Risk Assessment

Information Asset Classification

Threat (C, I, A)

Vulnerability

Threat Source

Description

Likelihood Rating

Impact Rating

Risk Ranking

Public Information

Unauthorized Disclosure (C)

N/A

Smartphone

There is no confidentiality attached to public information, therefore its confidentiality cannot be breached.

N/A

N/A

N/A

Public Information

Unauthorized Modification (I)

Access control information stored on employee owned device

Smartphone

Theft of smartphone containing access details to public information e.g. website log on credentials, ftp access details to website holding public information. This could also be saved username and password to webhosting control panel etc. Due to limited functionality (FTP limitation, file editing and document processing capability etc) of smartphones it is less likely that a lot of such information will be kept on such devices. Also in most organizations, the number of users that have access to such access control information would be a small percentage of the entire population further reducing the number of such occurrences per organization

Low

High

Medium

Classification: Public Information | Threat: Denial of Service (A) | Device: Smartphone
Vulnerability: Access control information stored on employee-owned device
Risk scenario: Theft of a smartphone containing access details for public information, e.g. website log-on credentials or FTP access details for the website holding the public information; this could also be a saved username and password for the web-hosting control panel, which could then be used to launch a DoS against the website, denying access to information that should be publicly available. Because of the limited functionality of smartphones (FTP clients, file editing, document processing, etc.) it is less likely that much of this information will be kept on such devices. Also, in most organizations the number of users who hold such access control information is a small percentage of the entire population, further reducing the number of such occurrences per organization.
Likelihood: Low | Impact: High | Risk: Medium

Classification: Public Information | Threat: Unauthorized Disclosure (C) | Device: Tablet or Handheld Device
Vulnerability: N/A
Risk scenario: There is no confidentiality attached to public information, therefore its confidentiality cannot be breached.
Likelihood: N/A | Impact: N/A | Risk: N/A

Classification: Public Information | Threat: Unauthorized Modification (I) | Device: Tablet or Handheld Device
Vulnerability: Access control information stored on employee-owned device
Risk scenario: Theft of a tablet or handheld device containing access details for public information, e.g. website log-on credentials or FTP access details for the website holding the public information; this could also be a saved username and password for the web-hosting control panel, which could then be used to alter the published content. Because of the limited functionality of tablets (FTP clients, file editing, document processing, etc., although slightly better than smartphones) it is less likely that much of this information will be kept on such devices. Also, in most organizations the number of users who hold such access control information is a small percentage of the entire population, further reducing the number of such occurrences per organization.
Likelihood: Low | Impact: High | Risk: Medium

Classification: Public Information | Threat: Denial of Service (A) | Device: Tablet or Handheld Device
Vulnerability: Access control information stored on employee-owned device
Risk scenario: Theft of a tablet or handheld device containing access details for public information, e.g. website log-on credentials or FTP access details for the website holding the public information; this could also be a saved username and password for the web-hosting control panel, which could then be used to launch a DoS against the website, denying access to information that should be publicly available. Because of the limited functionality of tablets (FTP clients, file editing, document processing, etc., although slightly better than smartphones) it is less likely that much of this information will be kept on such devices. Also, in most organizations the number of users who hold such access control information is a small percentage of the entire population, further reducing the number of such occurrences per organization.
Likelihood: Low | Impact: High | Risk: Medium

Classification: Public Information | Threat: Unauthorized Disclosure (C) | Device: Laptop
Vulnerability: N/A
Risk scenario: There is no confidentiality attached to public information, therefore its confidentiality cannot be said to be breached.
Likelihood: N/A | Impact: N/A | Risk: N/A

Classification: Public Information | Threat: Unauthorized Modification (I) | Device: Laptop
Vulnerability: Access control information stored on employee-owned device
Risk scenario: Theft of a personal laptop containing access details for public information, e.g. website log-on credentials or FTP access details for the website holding the public information; this could also be a saved username and password for the web-hosting control panel, which could then be used to alter the published content. While it is more probable that personal laptops used in the corporate environment hold more sensitive access control information than smartphones and tablets, loss or theft of a laptop is less probable than of a smartphone or tablet. As with smartphones and tablets, in most organizations the number of users who hold such access control information is a small percentage of the entire population, further reducing the number of such occurrences per organization.
Likelihood: Low | Impact: High | Risk: Medium

Classification: Public Information | Threat: Denial of Service (A) | Device: Laptop
Vulnerability: Access control information stored on employee-owned device
Risk scenario: Theft of a personal laptop containing access details for public information, e.g. website log-on credentials or FTP access details for the website holding the public information; this could also be a saved username and password for the web-hosting control panel, which could then be used to launch a DoS against the website, denying access to information that should be publicly available. While it is more probable that personal laptops used in the corporate environment hold more sensitive access control information than smartphones and tablets, loss or theft of a laptop is less probable than of a smartphone or tablet. As with smartphones and tablets, in most organizations the number of users who hold such access control information is a small percentage of the entire population, further reducing the number of such occurrences per organization.
Likelihood: Low | Impact: High | Risk: Medium
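Every Public Information row above rests on one vulnerability: log-on and FTP credentials for the public website, or for the hosting control panel, saved on an employee-owned device. The script below is an added example and is not part of the essay or of any product discussed in it. It builds a throwaway home directory containing two constructed files, a FileZilla site manager file (FileZilla stores the saved password base64-encoded, which is an encoding rather than encryption, unless a master password has been set) and a ~/.netrc as used by curl and command-line FTP clients, then scans that directory and recovers every stored credential. The hostnames, usernames and passwords are invented for the illustration; the scanner itself can be pointed at a real home directory to confirm whether the vulnerability in these rows is actually present on a device.

```python
"""Scan a home directory for saved FTP / hosting-panel credentials.

Added example, not code from the essay. The files it creates are constructed
samples; hosts, users and passwords are assumptions for illustration only.
"""
import base64
import netrc
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed FileZilla sitemanager.xml. The <Pass> element is base64-encoded,
# not encrypted, so anyone holding the device can recover it.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">UGFzc3cwcmQh</Pass>
      <Name>Public website</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Constructed ~/.netrc: plaintext credentials read by curl, ftp and others.
SAMPLE_NETRC = "machine cpanel.example.org login hostingadmin password s3cretpanel\n"


def build_sample_home():
    """Create a temporary home directory populated with the constructed files."""
    home = tempfile.mkdtemp(prefix="byod-scan-")
    fz_dir = os.path.join(home, ".config", "filezilla")
    os.makedirs(fz_dir)
    with open(os.path.join(fz_dir, "sitemanager.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_SITEMANAGER)
    netrc_path = os.path.join(home, ".netrc")
    with open(netrc_path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_NETRC)
    os.chmod(netrc_path, 0o600)  # the permission bits do not protect against device theft
    return home


def parse_filezilla(path):
    """Return (host, user, password) triples from a FileZilla sitemanager.xml."""
    found = []
    for server in ET.parse(path).getroot().iter("Server"):
        host = server.findtext("Host", "")
        user = server.findtext("User", "")
        pass_el = server.find("Pass")
        if pass_el is None or pass_el.text is None:
            continue  # no stored password (ask-on-connect or key-based logon)
        secret = pass_el.text
        if pass_el.get("encoding") == "base64":
            secret = base64.b64decode(secret).decode("utf-8", "replace")
        found.append((host, user, secret))
    return found


def parse_netrc_file(path):
    """Return (host, user, password) triples from a .netrc file."""
    rc = netrc.netrc(path)
    return [(host, login, pw) for host, (login, _acct, pw) in rc.hosts.items() if pw]


def scan_home(home):
    """Walk a home directory and report every recoverable stored credential."""
    findings = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            if name == "sitemanager.xml":
                source, triples = "filezilla", parse_filezilla(path)
            elif name == ".netrc":
                source, triples = "netrc", parse_netrc_file(path)
            else:
                continue
            findings.extend({"source": source, "host": h, "user": u, "password": p}
                            for h, u, p in triples)
    return sorted(findings, key=lambda f: (f["source"], f["host"]))


if __name__ == "__main__":
    for f in scan_home(build_sample_home()):
        print(f"{f['source']:10} {f['host']:22} {f['user']:14} password recovered: {f['password']}")
```

Running the script against the constructed home recovers both credentials in clear. The two checks a practitioner would add before trusting the Low likelihood in these rows are whether the device is fully encrypted at rest and whether the hosting accounts use per-user credentials that can be revoked when a device is reported lost.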

Classification: Public Information | Threat: Unauthorized Disclosure (C) | Device: Storage Device
Vulnerability: N/A
Risk scenario: There is no confidentiality attached to public information, therefore its confidentiality cannot be said to be breached.
Likelihood: N/A | Impact: N/A | Risk: N/A

Classification: Public Information | Threat: Unauthorized Modification (I) | Device: Storage Device
Vulnerability: N/A
Risk scenario: Storage devices generally do not threaten the integrity of publicly available information. If publicly available information is held on storage media or on a cloud drive, its unauthorized modification via that media will most likely have minimal impact, as the public source can always be accessed.
Likelihood: N/A | Impact: N/A | Risk: N/A

Classification: Public Information | Threat: Denial of Service (A) | Device: Storage Device
Vulnerability: N/A
Risk scenario: The availability of publicly available information is generally not threatened by storage media, as the public source can always be accessed.
Likelihood: N/A | Impact: N/A | Risk: N/A

Classification: Internal Use Information | Threat: Unauthorized Disclosure (C) | Device: Smartphone
Vulnerabilities:
1. Mobility of the smartphone
2. Less access control/information handling implemented on the smartphone compared to enterprise information processing resources
3. Resource sharing/access (family and friends)
4. Mobile malware responsible for theft of data on smartphones
Risk scenario:
1. Smartphones are very mobile and so will typically cross many security boundaries, from the 'controlled' enterprise network to publicly accessible free Wi-Fi networks etc. All sorts of sniffing activity could be running on public, non-enterprise Wi-Fi networks, increasing the potential for internal use information to be disclosed.
2. Internal use information from the enterprise may be handled alongside unclassified information on the smartphone. This increases the potential for classified information to be disclosed to an unauthorized party.
3. As part of the employee's day-to-day use of the smartphone, the device may temporarily come into the hands of family members and friends, who then gain unauthorized access to classified information.
Likelihood: High | Impact: High | Risk: High
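Scenario 1 above says that sniffing on a public Wi-Fi network can disclose internal use information; the earlier Public Information rows name the credentials at stake (FTP log-ons and web-hosting control panel passwords). The following is an added example, not code from the essay: a Python script that parses two constructed captures, an FTP control-channel exchange and an HTTP request carrying Basic authentication, and recovers the credentials exactly as a passive listener on the same network would. The hosts, usernames and passwords are invented. The point it makes concrete is that FTP and HTTP Basic send the password in clear (Basic is base64-encoded, not encrypted), so any device that logs in over these protocols from an untrusted network discloses its credentials regardless of how well the device itself is protected.

```python
"""Recover log-on credentials from captured plaintext sessions.

Added example, not code from the essay. Both captures are constructed, not
real traffic; hostnames and credentials are assumptions for illustration.
"""
import base64
import re

# Constructed FTP control-channel capture (client commands and server replies).
CAPTURED_FTP = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER webadmin\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Passw0rd!\r\n"
    b"230 Login successful.\r\n"
    b"USER anonymous\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS guest@example.org\r\n"
)

# Constructed HTTP request to a hosting control panel using Basic authentication.
CAPTURED_HTTP = (
    b"GET /cpanel/ HTTP/1.1\r\n"
    b"Host: cpanel.example.org\r\n"
    b"Authorization: Basic aG9zdGluZ2FkbWluOnMzY3JldHBhbmVs\r\n"
    b"\r\n"
)

_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)
_HOST = re.compile(rb"^Host:\s*(\S+)", re.IGNORECASE)


def extract_ftp(stream):
    """Pair each USER command with the PASS that follows it; replies are ignored."""
    creds, user = [], None
    for line in stream.split(b"\r\n"):
        if line.upper().startswith(b"USER "):
            user = line[5:].decode("latin-1")
        elif line.upper().startswith(b"PASS ") and user is not None:
            creds.append({"protocol": "ftp", "user": user,
                          "password": line[5:].decode("latin-1")})
            user = None  # a PASS with no preceding USER is not a login attempt
    return creds


def extract_http_basic(stream):
    """Decode HTTP Basic Authorization headers: base64 of 'user:password'."""
    creds, host = [], ""
    for line in stream.split(b"\r\n"):
        m = _HOST.match(line)
        if m:
            host = m.group(1).decode("latin-1")
        m = _BASIC.match(line)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header, not a usable credential
        user, _, password = decoded.partition(":")
        creds.append({"protocol": "http-basic", "host": host,
                      "user": user, "password": password})
    return creds


def extract_credentials(streams):
    """Run every extractor over every captured stream and return all findings."""
    found = []
    for stream in streams:
        found.extend(extract_ftp(stream))
        found.extend(extract_http_basic(stream))
    return found


if __name__ == "__main__":
    for cred in extract_credentials([CAPTURED_FTP, CAPTURED_HTTP]):
        print(cred)
```

The corresponding control is protocol-level, not device-level: SFTP or FTPS in place of FTP, HTTPS (with HSTS on the control panel) in place of HTTP, and a VPN for any internal service that cannot be moved off a plaintext protocol.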

Classification: Internal Use Information | Threat: Unauthorized Modification (I) | Device: Smartphone
Vulnerabilities:
1. Disparate applications running on smartphones with various capabilities
2. Mobile malware targeted at specific mobile operating systems
3. Fewer security controls on smartphones compared to enterprise systems
Risk scenario: Use of smartphones running several disparate applications to process enterprise information may lead to inconsistencies in output and unauthorized modification of enterprise information. Mobile malware is increasingly penetrating smartphones, and some strains are developing the capability to modify content saved on the host device without authorization.
Likelihood: Medium | Impact: Medium | Risk: Medium

Classification: Internal Use Information | Threat: Denial of Service (A) | Device: Smartphone
Vulnerability: Personal device not included in enterprise business continuity/disaster recovery initiatives
Risk scenario: It is quite unlikely that employee-owned smartphones will be included in enterprise-wide business continuity planning/disaster recovery initiatives. Consequently, any internal use information saved on the smartphone may become inaccessible if the smartphone becomes unavailable (theft, fault, loss, etc.).
Likelihood: High | Impact: Low | Risk: Medium

Classification: Internal Use Information | Threat: Unauthorized Disclosure (C) | Device: Tablet or Handheld Device
Vulnerabilities:
1. Mobility of the tablet/handheld device
2. Less access control/information handling implemented on the tablet compared to enterprise information processing resources, despite more functionality than smartphones
3. Resource sharing/access (family and friends)
4. Mobile malware responsible for theft of data on tablets
Risk scenario:
1. Tablet devices are fast outpacing sales of personal computers, making them an increasingly integral part of the work environment. Tablets are also very mobile and so will typically cross many security boundaries, from the 'controlled' enterprise network to publicly accessible free Wi-Fi networks etc. All sorts of sniffing activity could be running on public, non-enterprise Wi-Fi networks, increasing the potential for internal use information to be disclosed.
2. Internal use information from the enterprise may be handled alongside unclassified information on the tablet. This increases the potential for classified information to be disclosed to an unauthorized party.
3. As part of the employee's day-to-day use of the tablet, the device may temporarily come into the hands of family members and friends, who then gain unauthorized access to classified information.
Likelihood: High | Impact: High | Risk: High

Classification: Internal Use Information | Threat: Unauthorized Modification (I) | Device: Tablet or Handheld Device
Vulnerabilities:
1. Disparate applications running on tablets with various capabilities
2. Mobile malware targeted at specific mobile operating systems
3. Fewer security controls on tablets compared to enterprise systems
Risk scenario: Use of tablets running several disparate applications to process enterprise information may lead to inconsistencies in output and unauthorized modification of enterprise information. Mobile malware is increasingly penetrating tablets, and some strains are developing the capability to modify content saved on the host device without authorization.
Likelihood: Medium | Impact: Medium | Risk: Medium

Classification: Internal Use Information | Threat: Denial of Service (A) | Device: Tablet or Handheld Device
Vulnerability: Personal device not included in enterprise business continuity/disaster recovery initiatives
Risk scenario: Employee-owned tablets are unlikely to be included in enterprise-wide business continuity planning/disaster recovery initiatives. Consequently, any internal use information saved on the tablet may become inaccessible if the tablet becomes unavailable (theft, fault, loss, etc.). It is also more probable that more such information resides on tablets than on smartphones.
Likelihood: High | Impact: Medium | Risk: High

Classification: Internal Use Information | Threat: Unauthorized Disclosure (C) | Device: Laptop
Vulnerabilities:
1. Device sharing
2. Malware: protection not consistent with the enterprise defence system
3. Loss
4. Theft
Risk scenario: There is less control over access to information when the device is used at home. Personal laptops and PCs used both at home and at work have a huge potential for unauthorized information disclosure. Simple enterprise-standard security configuration such as screen lockout and password access may not be configured on employee-owned personal computers, so information on the laptop classified as "Internal Use" may more easily be disclosed to third parties. Personal PCs used in the enterprise are also more susceptible to loss or theft, as they are rarely stationed permanently at either the office or the home.
Likelihood: High | Impact: High | Risk: High

Classification: Internal Use Information | Threat: Unauthorized Modification (I) | Device: Laptop
Vulnerabilities:
1. Malware
2. Device sharing
Risk scenario: Use of employee-owned laptops running several uncontrolled applications from uncontrolled sources to process enterprise information may lead to inconsistencies in output and unauthorized modification of enterprise information. Malware is increasingly penetrating personal computers, and some strains are developing the capability to modify content saved on the host device without authorization.
Likelihood: High | Impact: High | Risk: High

Classification: Internal Use Information | Threat: Denial of Service (A) | Device: Laptop
Vulnerability: Personal device not included in enterprise business continuity/disaster recovery initiatives
Risk scenario: Personal laptops are prone to loss, theft or damage because of their high commute frequency. This creates the opportunity to lose information that has not yet been saved or copied to enterprise systems.
Likelihood: High | Impact: Medium | Risk: High

Classification: Internal Use Information | Threat: Unauthorized Disclosure (C) | Device: Storage Device
Vulnerabilities:
1. Unprotected storage media
2. Lack of sufficient controls on the enterprise information systems over the handling of classified information
Risk scenario: Personal storage devices containing classified information without adequate protection mechanisms can go missing and fall into the wrong hands, resulting in unauthorized disclosure of classified information to external parties. In recent times there have been many cases of lost flash drives containing millions of health records. There is also the insider threat, whereby a legitimate user illegitimately copies classified information onto storage media or to a cloud storage service and then leaks it to a third party.
Likelihood: High | Impact: High | Risk: High

Classification: Internal Use Information | Threat: Unauthorized Modification (I) | Device: Storage Device
Vulnerability: Lack of read/write protection for data stored on personal devices
Risk scenario: Whenever storage devices cross multiple security zones, the potential for them to become infected by malware increases. Some malware attaches itself to files stored on the media, increasing its potential to propagate; in the process it eventually gains access to enterprise information systems, modifying more classified information and causing more damage.
Likelihood: Medium | Impact: Medium | Risk: Medium

Classification: Internal Use Information | Threat: Denial of Service (A) | Device: Storage Device
Vulnerabilities:
1. Ease of loss of the storage device
2. Unreliable connectivity to the cloud server
Risk scenario: It is all too easy to lose portable devices, along with all the information stored on them, because of their small size and portability coupled with their ever-increasing storage capacity. Classified information stored only on employee-owned personal storage devices could be lost, causing a denial of service. Recent times have also seen outages on some cloud-hosted storage services (Amazon Web Services etc.); everything that depends on such a service is denied service whenever it is down.
Likelihood: Medium | Impact: Medium | Risk: Medium

Classification: Confidential Information | Threat: Unauthorized Disclosure (C) | Device: Smartphone

Classification: Confidential Information | Threat: Unauthorized Modification (I) | Device: Smartphone

Classification: Confidential Information | Threat: Denial of Service (A) | Device: Smartphone

Classification: Confidential Information | Threat: Unauthorized Disclosure (C) | Device: Tablet or Handheld Device

Classification: Confidential Information | Threat: Unauthorized Modification (I) | Device: Tablet or Handheld Device

Classification: Confidential Information | Threat: Denial of Service (A) | Device: Tablet or Handheld Device

Classification: Confidential Information | Threat: Unauthorized Disclosure (C) | Device: Laptop

Classification: Confidential Information | Threat: Unauthorized Modification (I) | Device: Laptop

Classification: Confidential Information | Threat: Denial of Service (A) | Device: Laptop

Classification: Confidential Information | Threat: Unauthorized Disclosure (C) | Device: Storage Device

Classification: Confidential Information | Threat: Unauthorized Modification (I) | Device: Storage Device

Classification: Confidential Information | Threat: Denial of Service (A) | Device: Storage Device
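Each rated row of the register above combines a likelihood and an impact into a risk level, and a reader has no quick way to confirm that every row was combined the same way, or to see that the Confidential Information rows carry no assessment at all. The script below is an added example, not part of the essay. It encodes the rows of this part of the table and recomputes each rating; the Low/Medium/High matrix it uses (scores 1 to 3, product 1-2 = Low, 3-4 = Medium, 6-9 = High) is an assumption about the methodology, chosen because it reproduces every rating on the page. Rows the table marks N/A are carried through as such, and the Confidential Information rows are recorded as not assessed rather than given ratings the page does not state.

```python
"""Consistency check for the BYOD risk register above.

Added example, not code from the essay. The product matrix in rate() is an
assumption about the methodology; the rows are transcribed from this part of
the table. "N/A" marks threats the table rules out; None marks the
Confidential Information rows, which carry no ratings on the page.
"""
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
THREATS = ("Unauthorized Disclosure (C)", "Unauthorized Modification (I)",
           "Denial of Service (A)")
DEVICES = ("Smartphone", "Tablet or Handheld Device", "Laptop", "Storage Device")


def rate(likelihood, impact):
    """Combine two Low/Medium/High ratings using the assumed product matrix."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


# (classification, threat, device, likelihood, impact, rating stated in the table)
REGISTER = [
    ("Public Information", THREATS[1], DEVICES[0], "Low", "High", "Medium"),
    ("Public Information", THREATS[2], DEVICES[0], "Low", "High", "Medium"),
    ("Public Information", THREATS[0], DEVICES[1], "N/A", "N/A", "N/A"),
    ("Public Information", THREATS[1], DEVICES[1], "Low", "High", "Medium"),
    ("Public Information", THREATS[2], DEVICES[1], "Low", "High", "Medium"),
    ("Public Information", THREATS[0], DEVICES[2], "N/A", "N/A", "N/A"),
    ("Public Information", THREATS[1], DEVICES[2], "Low", "High", "Medium"),
    ("Public Information", THREATS[2], DEVICES[2], "Low", "High", "Medium"),
    ("Public Information", THREATS[0], DEVICES[3], "N/A", "N/A", "N/A"),
    ("Public Information", THREATS[1], DEVICES[3], "N/A", "N/A", "N/A"),
    ("Public Information", THREATS[2], DEVICES[3], "N/A", "N/A", "N/A"),
    ("Internal Use Information", THREATS[0], DEVICES[0], "High", "High", "High"),
    ("Internal Use Information", THREATS[1], DEVICES[0], "Medium", "Medium", "Medium"),
    ("Internal Use Information", THREATS[2], DEVICES[0], "High", "Low", "Medium"),
    ("Internal Use Information", THREATS[0], DEVICES[1], "High", "High", "High"),
    ("Internal Use Information", THREATS[1], DEVICES[1], "Medium", "Medium", "Medium"),
    ("Internal Use Information", THREATS[2], DEVICES[1], "High", "Medium", "High"),
    ("Internal Use Information", THREATS[0], DEVICES[2], "High", "High", "High"),
    ("Internal Use Information", THREATS[1], DEVICES[2], "High", "High", "High"),
    ("Internal Use Information", THREATS[2], DEVICES[2], "High", "Medium", "High"),
    ("Internal Use Information", THREATS[0], DEVICES[3], "High", "High", "High"),
    ("Internal Use Information", THREATS[1], DEVICES[3], "Medium", "Medium", "Medium"),
    ("Internal Use Information", THREATS[2], DEVICES[3], "Medium", "Medium", "Medium"),
]
# The Confidential Information rows list only classification, threat and device.
REGISTER += [("Confidential Information", t, d, None, None, None)
             for d in DEVICES for t in THREATS]


def check_register(rows):
    """Return (row, computed, stated) for every rated row whose stated rating
    does not follow from its likelihood and impact under the matrix."""
    mismatches = []
    for row in rows:
        likelihood, impact, stated = row[3:]
        if likelihood not in LEVEL or impact not in LEVEL:
            continue  # N/A or not assessed: nothing to recompute
        computed = rate(likelihood, impact)
        if computed != stated:
            mismatches.append((row, computed, stated))
    return mismatches


def summarize(rows):
    """Count rows per outcome so that gaps in the register are visible at a glance."""
    counts = {"Low": 0, "Medium": 0, "High": 0, "N/A": 0, "not assessed": 0}
    for row in rows:
        stated = row[5]
        counts["not assessed" if stated is None else stated] += 1
    return counts


if __name__ == "__main__":
    print("mismatches:", check_register(REGISTER))
    print("summary:", summarize(REGISTER))
```

Run as written, the check reports no mismatches and a summary that makes the shape of the register plain: eleven Medium rows, seven High rows, five N/A rows and twelve Confidential Information rows with no assessment, which is the gap a reviewer of this register would raise first.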


