OF DISA 2.0
ASSESSING RISKS AND FORMULATING POLICY FOR MOBILE COMPUTING
This is to certify that we have successfully completed the DISA 2.0 course training conducted
at: Hotel Om Tower, Jaipur, from 4th June, 2016 to 17th July, 2016 and we have the
required attendance. We are submitting the Project titled: ASSESSING RISKS &
FORMULATING POLICY FOR MOBILE COMPUTING. We hereby confirm that we have
adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project
report is the original work of our group and that each one of us has actively participated and
contributed in preparing this project. We have not shared the project details or taken help in
preparing the project report from anyone except members of our group.
Place: JAIPUR
Page 1 of 15
TABLE OF CONTENTS
PROJECT REPORT
Title: Assessing Risks And Formulating Policy For Mobile Computing
An imaginary company called Radisson Ltd. is said to have a certain problem which can
be solved by the use of Mobile Computing. Various aspects related to the implementation of
Mobile Computing have to be analyzed by an imaginary audit firm M/s XYZ to deliver a
basis for decision making.
1. Introduction
Radisson Ltd is a global Indian IT Solutions provider with development centres in India
and marketing offices across the USA, Asia and Europe. It has more than 15,000 employees.
It offers both standard and customized products and services to its customers. The
company has highly skilled professionals who are in great demand in the highly
competitive market. The HR department has recently enforced a strict attendance policy
which requires mandatory physical presence at the office premises for a specified number of
hours. This has resulted in increasing discontent among the employees.
The company has approached the Audit Firm M/s XYZ, which excels in the field of
Information System Consultancy and also provides Audit & Assurance Services related to
Information Systems. Mr. X, a Senior Partner of the firm who is a CISA and has
vast experience in this domain, will be the Team leader. Mr. A, B & C will be part of the
Team as they all hold a Diploma in Information System Audit and have carried out such
assignments in the past.
2. Auditee Environment
3. Background
There has been an increase in employee turnover and HR has identified that one of the
reasons for this is the strict office timings implemented by the company. A
meeting of the business unit heads was held where it was pointed out that the increased
turnover of employees is impacting deliverables to the customers and is leading to loss of
reputation and business. As the productivity of the highly skilled workers can be assessed
based on the project plan and deliverables, it has been suggested that management has to
implement flexible working hours and allow employees to work off-site.
4. Situation
The management has decided to explore the option of using mobile computing to increase
employee productivity and offer employees the convenience of working from any location.
However, they are concerned about the risks of allowing access to the IT resources of the
company from off-site locations.
5. Terms and Scope of assignment
You have been appointed to assess the company’s working practices, technology
infrastructure, HR policies, access policy, security requirements and customer deliverables
as per project plan. You have to provide recommendations on how the company can
implement mobile computing with recommendations of policies and procedures required to
meet business needs, compliance and regulatory requirements.
Mobile Computing is a technology that allows transmission of data, voice and video via a
computer or any other wireless enabled device without having to be connected to a fixed
physical link. Mobile computing is not just about using mobile phones but it is about
computing on the move using wireless connectivity. Mobile computing is enabled by use of
mobile devices (portable and hand held computing devices) such as PDA, laptops, mobile
phones, MP3 players, digital cameras, tablet PC and Palmtops on a wireless network.
a) Mobile communication:
Mobile communication refers to the infrastructure put in place to ensure that seamless
and reliable communication goes on. This would include elements such as protocols,
services, bandwidth and portals necessary to facilitate and support the stated
services. The data format is also defined at this stage. This ensures that there is no
collision with other existing systems offering the same services.
b) Mobile hardware:
Mobile hardware includes mobile devices or device components that receive or
access the service of mobility. They range from portable laptops and
smartphones to tablet PCs and personal digital assistants. These devices use an existing
and established network to operate on. In most cases, it would be a wireless network.
At the back end, there are various servers such as application servers, database servers
and servers with wireless support, a WAP gateway, a communications server and/or
MCSS (Mobile Communications Server Switch) or a wireless gateway embedded in the
wireless carrier's network (this server provides communications functionality to allow
the handheld device to communicate with the Internet or Intranet infrastructure).
c) Mobile software:
Mobile software is the actual program that runs on the mobile hardware. It deals with
the characteristics and requirements of mobile applications. It is the operating system
of that appliance. It is the essential component that makes the mobile device operate.
Mobile applications, popularly called apps, are being developed by organisations for
use by customers, but these apps could represent risks in terms of flow of data as
well as personal identification risks, introduction of malware and access to the personal
information of the mobile owner.
For the execution of the assignment, the most relevant material in COBIT
applicable to the scope of the audit is selected and referred to. Based on the choice of specific COBIT IT
processes and consideration of the COBIT information criteria, the following was our strategy.
The COBIT information criteria are confidentiality, integrity and availability, efficiency and
reliability.
Based on the scope and objectives of the engagement, the IS auditor has to document the way
business, security and IS objectives (where applicable) are affected by the identified risks
and the controls that mitigate those risks.
In this process the IS auditor should evaluate areas of weakness or vulnerabilities that
need strengthening. New controls identified as mitigating the risks considered should be
included in a work plan for testing purposes.
8. Documents reviewed
According to the objectives and scope of the audit, the following documentation needs to be
reviewed by the auditors M/s XYZ:
i) Gather & review the Security Policy & SLA for better completion & execution of the
audit.
ii) Communications (covering risks such as sniffing and denial-of-service, and
safeguards such as encryption technologies and fault tolerance)
iii) Network architecture
iv) Virtual private networks
v) Application delivery
vi) Security awareness
vii) User administration
viii) User and session administration (covering risks such as hijacking, spoofing and loss
of integrity of data); physical security
ix) Public key infrastructure
x) Backup and recovery procedures
xi) Operations (such as incident response and back-office processing)
xii) Technology architecture (feasible, expandable to accommodate
business needs, and usable)
xiii) Security architecture
xiv) Security software (such as IDS, firewall and antivirus)
xv) Security administration
xvi) Patch deployment
xvii) Business contingency planning
9. References
For making the project, reference has been made to the learning material of the DISA course,
which includes background material, reference material and e-Learning. The following
websites have also been accessed for a better understanding of the topic and for formulating an
effective solution:
• www.isaca.org/cloud
• www.cloudconnectevent.in
• www.cloudsecurityalliance.org/
• www.csrc.nist.gov/groups/SNS/cloud-computing/
• www.opencloudconsortium.org/
• www.opencloudmanifesto.org/
• www.cloud-standards.org/wiki/
• www.searchcloudcomputing.techtarget.com/
• www.cloudcomputing.sys-con.com/
• www.cloudsecurity.org/
• www.cloudaudit.org/
10. Deliverables
10.1 Methodology
i) Information Gathering
• The IS auditor should obtain the security policy that rules the acceptable use of
mobile devices.
• The IS auditor should obtain information about the intended use of mobile
devices, identifying where they are used for business transactions and data
processing and/or for personal productivity purposes (i.e., Internet browsing, mail,
calendar, address book, to-do list) and about the hardware and software technologies
used. Key processes, automated and manual, should be documented.
• The IS auditor should obtain sufficient information about the risk analysis, along
with the likelihood of occurrence and probable impact of the event, performed by
the entity to evaluate the impacts of its mobile computing environment.
• The IS auditor should obtain sufficient information about the policies and
procedures used to manage mobile computing, involving deployment, operation
and maintenance of aspects such as communications, hardware, application
software, data security, systems software and security software. Examples of
areas to cover are device configuration, physical control, approved software and
tools, application security, network security, contingency plans, backup and
recovery.
• Personal interviews, documentation analysis (such as business case and
protocols documentation) and wireless infrastructure testing should be used
appropriately in gathering, analysing and interpreting the data.
• Where third-party organisations are used to outsource IS or business functions,
the IS auditor should review the terms of the agreement, evaluating the
appropriateness of the security measures they enforce and the right of the
organisation to periodically review the environment of the third party involved in
the service it provides.
The IS auditor should also review previous examination reports and consider their
results in the planning process.
iii) Identify internal control and regulatory deficiencies that could affect the
organization.
iv) Identify information security control concerns that could affect the reliability,
accuracy and security of enterprise data due to weaknesses in mobile computing
controls.
vii) Documentation of the whole process.
ix) Periodic review of the Mobile Computing Policy and maintenance of the Mobile
Computing Platform.
The IS auditor should assess the probability that the risks identified will materialize
together with their likely effect, and document the risks along with the controls that
mitigate these risks. Depending on the scope of the review, the IS auditor should include
the most likely sources of threats—internal as well as external sources—such as hackers,
competitors and alien governments.
Various controls can be implemented in order to mitigate the risk. The Risk Control Matrix
is as under:
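The risk assessment described above (likelihood times impact, controls documented against each risk, residual exposure feeding the work plan) worked through as a small risk control matrix. This is an added example, not the report's own matrix: the 1-5 scale, the rating bands, the register entries and the control-effectiveness figures are constructed assumptions; the threats and controls are those the report names (sniffing, denial of service, hijacking and spoofing, device loss, malware, BYOD; VPN encryption, fault tolerance, authentication and session administration, least privilege, antivirus, patch deployment).

```python
# Added illustration (not from the report): the scale, register entries and control-effectiveness values are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Risk:
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain) that the risk materialises
    impact: int      # 1 (negligible) .. 5 (severe) effect on the business
    controls: dict = field(default_factory=dict)  # control -> share of remaining exposure it removes (assumed)

    def inherent(self) -> int:
        """Exposure before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Exposure left after each control removes its share in turn."""
        score = float(self.inherent())
        for effectiveness in self.controls.values():
            score *= 1.0 - effectiveness
        return round(score, 1)

def rating(score: float) -> str:  # bands assumed here: 15+ High, 8+ Medium, else Low
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

RISK_REGISTER = [
    Risk("Sniffing of data in transit over wireless networks", 4, 4,
         {"Encrypted tunnel (VPN)": 0.8, "Security awareness training": 0.2}),
    Risk("Denial of service against the remote access gateway", 3, 4,
         {"Fault-tolerant gateway": 0.6, "IDS and firewall": 0.3}),
    Risk("Session hijacking or spoofing of a remote user", 3, 5,
         {"Strong authentication": 0.6, "Session timeouts and re-authentication": 0.3}),
    Risk("Lost or stolen mobile device exposing stored data", 4, 5,
         {"Least-privilege remote access": 0.3, "Device encryption and remote wipe": 0.4}),
    Risk("Malware introduced through mobile apps", 4, 3,
         {"Antivirus": 0.4, "Approved software list": 0.3, "Patch deployment": 0.3}),
    Risk("Unauthorised access where no BYOD policy is in place", 3, 4),  # no control yet
]

def risk_control_matrix(register):
    """Matrix rows, highest residual exposure first: the work plan tests those controls first."""
    rows = [{"threat": r.threat, "inherent": r.inherent(), "residual": r.residual(),
             "rating": rating(r.residual()),
             "controls": ", ".join(r.controls) or "none identified"} for r in register]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

def open_risks(register):
    """Threats still rated above Low; new controls for these go into the work plan."""
    return [r.threat for r in register if rating(r.residual()) != "Low"]
```

Running `risk_control_matrix(RISK_REGISTER)` places the uncontrolled BYOD risk and the device-loss risk at the top, which is exactly the list `open_risks` returns for the testing work plan.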
The policy and procedures with regard to Mobile Computing need to be framed diligently
and with caution, on the lines of best practices and standards. This policy is intended to
manage the risks of mobile computing by:
• Ensuring computing assets are appropriately procured and managed.
• Implementing a uniform and consistent approach to security issues associated with
mobile computing devices.
• Providing guidelines that assist protection of the confidentiality, availability and
integrity of Radisson Ltd.’s information while stored, transmitted or processed using
mobile computing devices, and
• Ensuring that users of mobile computing are aware of their responsibilities.
• Selection of mobile hardware devices that will be suitable for the organization.
• Selection of appropriate mobile software that will serve as the operating system, and
applications to be made compatible with the selected hardware devices.
• Remote access to be governed by the principle of “Least Privilege”.
• Putting in place proper mechanisms to ensure authorization and authentication.
• Thorough testing to be carried out before bringing Mobile Computing into operation, to
identify all the security loopholes and correct them.
• Framing of a Bring Your Own Device (BYOD) Policy, if required.
• Updating the Business Continuity Plan accordingly.
• Establishment of controls for network security, database security and penetration
testing as required.
11. Recommendations
12. Summary/Conclusion
Mobile Computing can address Radisson Ltd.’s problem of employee turnover to a
great extent by providing the following capabilities:
• Location flexibility: Mobile Computing enables the user to work from anywhere as long as
a connection is established. A user can work without being in a fixed position.
• Saves time: Time is saved as no travel is required between different locations such
as office and home.
• Enhanced productivity: Employees can work efficiently and effectively from any
location they are comfortable with and at any time they want.
• Ease of research: Research is made easier, since users in the field searching for facts
can feed data back to the system.
Mobile computing can be used for enhancing the overall efficiency and effectiveness of
services rendered by an organisation. However, implementation has to be based on the
overall IT Strategic plan of the firm and should take into consideration the current
technology deployed, organisation structure, technical competency of the staff, services
offered currently and planned in the future, client profile, usage of technology by clients,
cost benefit analysis, etc. A detailed project plan with specific milestones and timelines
has to be prepared and implemented considering all the above factors rather than just
buying mobile devices with connectivity.