
PROJECT REPORT OF DISA 2.0

ASSESSING RISKS AND FORMULATING POLICY FOR MOBILE COMPUTING

AYUSH GUPTA, Membership No. 430751, DISA No. 47483
BHANU SHARMA, Membership No. 419744, DISA No. 42776
BHAWNA CHOUDHARY, Membership No. 424377, DISA No. 47229
CERTIFICATE
Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted
at Hotel Om Tower, Jaipur, from 4th June, 2016 to 17th July, 2016 and we have the
required attendance. We are submitting the Project titled: ASSESSING RISKS &
FORMULATING POLICY FOR MOBILE COMPUTING. We hereby confirm that we have
adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project
report is the original work of our group and each one of us has actively participated and
contributed in preparing this project. We have not shared the project details or taken help in
preparing the project report from anyone except members of our group.

1. AYUSH GUPTA, Membership No. 430751, DISA No. 47483 Signed

2. BHANU SHARMA, Membership No. 419744, DISA No. 42776 Signed

3. BHAWNA CHOUDHARY, Membership No. 424377, DISA No. 47229 Signed

Place: JAIPUR

Date: 28th July, 2016

Page 1 of 15
TABLE OF CONTENTS

Details of Case Study/Project (Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Recommendations
12. Summary/Conclusion

PROJECT REPORT
Title: Assessing Risks And Formulating Policy For Mobile Computing

A. Details of Case Study/Project (Problem)

An imaginary company called Radisson Ltd. is said to have a certain problem which can
be solved by the use of Mobile Computing. Various aspects related to the implementation of
Mobile Computing have to be analyzed by an imaginary audit firm M/s XYZ to deliver a
basis for decision making.

B. Project Report (Solution)

1. Introduction

Radisson Ltd is a global Indian IT Solutions provider with development centres in India
and marketing offices across the USA, Asia and Europe. It has more than 15,000 employees.
It offers both standard and customized products and services to its customers. The
company has highly skilled professionals who are in great demand in the highly
competitive market. The HR department has recently enforced a strict attendance policy
which requires mandatory physical presence at the office premises for a specified number of
hours. This has resulted in increasing discontent among the employees.

The company has approached the Audit Firm M/s XYZ, which excels in the field of
Information System Consultancy and also provides Audit & Assurance Services related to
Information Systems. Mr. X, a Senior Partner of the firm who is a CISA and has vast
experience in this domain, will be the Team leader. Mr. A, B & C will be part of the
Team, as they all hold a Diploma in Information System Audit and have carried out such
assignments in the past.

2. Auditee Environment

The company is emerging as one of the leaders in providing tailor-made IT solutions
across the globe. It has state of the art infrastructure and highly qualified, capable and
experienced Human Resources. The company always strives to deliver the best and most
innovative IT based solutions to its customers effectively and efficiently. The Company has
bought the latest hardware and has developed all the software in-house so as to have a
competitive edge. The company has made its policies & procedures in accordance with
best practices and applicable regulatory requirements around the world. The company
has multiple servers and also maintains its databases at various locations. The BCP and
DRP plans have been made and are reviewed on a regular basis by the concerned department
of the company.

3. Background

There has been an increase in employee turnover and HR has identified that one of the
reasons for this is the strict office timings implemented by the company. A
meeting of the business unit heads was held where it was pointed out that the increased
turnover of employees is impacting deliverables to the customers and is leading to loss of
reputation and business. As the productivity of the highly skilled workers can be assessed
based on the project plan and deliverables, it has been suggested that management should
implement flexible working hours and allow employees to work off-site.

4. Situation

The management has decided to explore the option of using mobile computing to increase
employee productivity and offer employees the convenience of working from any location.
However, they are concerned about the risks of allowing access to the IT resources of the
company from off-site locations.

5. Terms and Scope of assignment

You have been appointed to assess the company’s working practices, technology
infrastructure, HR policies, access policy, security requirements and customer deliverables
as per project plan. You have to provide recommendations on how the company can
implement mobile computing with recommendations of policies and procedures required to
meet business needs, compliance and regulatory requirements.

6. Logistic arrangements required

Mobile Computing is a technology that allows transmission of data, voice and video via a
computer or any other wireless enabled device without having to be connected to a fixed
physical link. Mobile computing is not just about using mobile phones but it is about
computing on the move using wireless connectivity. Mobile computing is enabled by use of
mobile devices (portable and hand held computing devices) such as PDA, laptops, mobile
phones, MP3 players, digital cameras, tablet PC and Palmtops on a wireless network.

The key components of mobile computing are:

a) Mobile communication:
Mobile communication refers to the infrastructure put in place to ensure that seamless
and reliable communication goes on. This would include elements such as protocols,
services, bandwidth and portals necessary to facilitate and support the stated
services. The data format is also defined at this stage. This ensures that there is no
collision with other existing systems offering the same services.

b) Mobile hardware:
Mobile hardware includes mobile devices or device components that receive or
access the service of mobility. They range from portable laptops and smartphones to
tablet PCs and Personal Digital Assistants. These devices use an existing
and established network to operate on; in most cases it is a wireless network.
At the back end, there are various servers such as application servers, database servers
and servers with wireless support, a WAP gateway, a communications server and/or
MCSS (Mobile communications server switch), or a wireless gateway embedded in the
wireless carrier's network (this server provides the communications functionality that allows
the handheld device to communicate with the Internet or Intranet infrastructure).

c) Mobile software:
Mobile software is the actual program that runs on the mobile hardware. It deals with
the characteristics and requirements of mobile applications. It is the operating system
of that appliance and the essential component that makes the mobile device operate.
Mobile applications, popularly called Apps, are being developed by organisations for
use by customers, but these apps could represent risks in terms of the flow of data as
well as personal identification risks, the introduction of malware and access to the personal
information of the mobile owner.

7. Methodology and Strategy adapted for execution of assignment

For the execution of the assignment, the most relevant material in COBIT applicable to the
scope of the audit was selected and referred to. Based on the choice of specific COBIT IT
processes and consideration of the COBIT information criteria, our strategy was as follows.

COBIT processes relevant to the Mobile Computing Guideline:

Primary:
PO9 Assess Risks
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS5 Ensure Systems Security
DS9 Manage the Configuration
M2 Assess Internal Control Adequacy

Secondary:
AI2 Acquire and Maintain Application Software
DS8 Assist and Advise IT Customers

The COBIT information criteria considered are confidentiality, integrity, availability, efficiency and
reliability.

Based on the scope and objectives of the engagement, the IS auditor has to document the way
business, security and IS objectives (when applicable) are affected by the identified risks
and the controls that mitigate those risks.

In this process the IS auditor should evaluate areas of weakness or vulnerabilities that
need strengthening. New controls identified as mitigating the risks considered should be
included in a work plan for testing purposes.

8. Documents reviewed

According to the objectives and scope of the audit, the following documentation needs to be
reviewed by the auditors M/s XYZ:

i) Security Policy & SLA, gathered and reviewed for better completion & execution of the
audit
ii) Communications (covering risks such as sniffing and denial-of-service, and
protocols such as encryption technologies and fault tolerance)
iii) Network architecture
iv) Virtual private networks
v) Application delivery
vi) Security awareness
vii) User administration
viii) User and session administration (covering risks such as hijacking, spoofing and loss
of integrity of data)
ix) Physical security
x) Public key infrastructure
xi) Backup and recovery procedures
xii) Operations (such as incident response and back-office processing)
xiii) Technology architecture (such as whether it is feasible, expandable to accommodate
business needs and usable)
xiv) Security architecture
xv) Security software (such as IDS, firewall and antivirus)
xvi) Security administration
xvii) Patch deployment
xviii) Business contingency planning

9. References

For making the project, reference has been made to the learning material of the DISA course,
which includes background material, reference material and e-Learning. The following
websites have also been accessed for a better understanding of the topic and for formulating an
effective solution:

• www.isaca.org/cloud
• www.cloudconnectevent.in
• www.cloudsecurityalliance.org/
• www.csrc.nist.gov/groups/SNS/cloud-computing/
• www.opencloudconsortium.org/
• www.opencloudmanifesto.org/
• www.cloud-standards.org/wiki/
• www.searchcloudcomputing.techtarget.com/
• www.cloudcomputing.sys-con.com/
• www.cloudsecurity.org/
• www.cloudaudit.org/

10. Deliverables

10.1 Methodology

i) Information Gathering
• The IS auditor should obtain the security policy that governs the acceptable use of
mobile devices.
• The IS auditor should obtain information about the intended use of mobile
devices, identifying where they are used for business transactions and data
processing and/or for personal productivity purposes (e.g., Internet browsing, mail,
calendar, address book, to-do list) and about the hardware and software technologies
used. Key processes—automated and manual—should be documented.
• The IS auditor should obtain sufficient information about the risk analysis, along
with the likelihood of occurrence and probable impact of each event, performed by
the entity to evaluate the impacts of its mobile computing environment.
• The IS auditor should obtain sufficient information about the policies and
procedures used to manage mobile computing, covering the deployment, operation
and maintenance of aspects such as communications, hardware, application
software, data security, systems software and security software. Examples of
areas to cover are device configuration, physical control, approved software and
tools, application security, network security, contingency plans, backup and
recovery.
• Personal interviews, documentation analysis (such as business case and
protocol documentation) and wireless infrastructure testing should be used
appropriately in gathering, analysing and interpreting the data.
• Where third-party organisations are used to outsource IS or business functions,
the IS auditor should review the terms of the agreement, evaluating the
appropriateness of the security measures they enforce and the right of the
organisation to periodically review the environment of the third party involved in
the service it provides.
• The IS auditor should also review previous examination reports and consider their
results in the planning process.

ii) Provide management with an assessment of mobile computing security policies
and procedures and their operating effectiveness.

iii) Identify internal control and regulatory deficiencies that could affect the
organization.

iv) Identify information security control concerns that could affect the reliability,
accuracy and security of enterprise data due to weaknesses in mobile computing
controls.

v) Testing of the Mobile Computing Platform before full-fledged implementation.

vi) Implementation of the Mobile Computing Mechanism.

vii) Documentation of the whole process.

viii) Implementing changes/modifications required to maintain the Confidentiality,
Integrity & Availability of information.

ix) Periodic review of the Mobile Computing Policy and maintenance of the Mobile
Computing Platform.

10.2 Risk Control Matrix

The IS auditor should consider the risks associated with the use of mobile devices and
relate them to the criticality of the information they store and access and the transactions
they process, from the business, legal and regulatory perspectives. The portability,
capability, connectivity and affordability of mobile devices enable them to be used to
process applications that increase risks.

The IS auditor should assess the probability that the risks identified will materialize
together with their likely effect, and document the risks along with the controls that
mitigate these risks. Depending on the scope of the review, the IS auditor should include
the most likely sources of threats—internal as well as external sources—such as hackers,
competitors and foreign governments.

Major issues to be considered for risk analysis are:

• Privacy
• Authentication
• Data Integrity
• Non-Repudiation
• Confidentiality

Various controls can be implemented in order to mitigate the risk. The Risk Control Matrix
is as under:

S.No. 1
Risk: It is not easy to monitor the proper usage. Improper and unethical practices such as
hacking, industrial espionage, pirating, online fraud and malicious destruction are some
problems experienced due to mobile computing.
Control: Developing and implementing a Mobile computing security policy.

S.No. 2
Risk: The problem of identity theft is very difficult to contain or eradicate.
Control: Use of encryption technology such as virtual private networks.

S.No. 3
Risk: Unauthorized access to data and information by hackers.
Control: Use of power-on passwords.

S.No. 4
Risk: Physical damage to devices, data corruption, data leakage, interception of calls and
possible exposure of sensitive information.
Control: Use of encryption for stored information so that

S.No. 5
Risk: Lost devices or unauthorized access to unsecured devices allows exposure of
sensitive data, resulting in loss to the enterprise, customers or employees.
Control: Installing security software which allows remote wipe of data & GPS tracking of
the device.

S.No. 6
Risk: Unauthorised access to data/applications that reside in the device (due to the
simplicity of its operating systems, which ordinarily include only very basic security
functions).
Control: Installing mechanisms in devices that block third-party apps from accessing
information.

S.No. 7
Risk: Denial by a user that he made modifications to data.
Control: Enforcing proper access rights and permissions. Also using logs to identify the
changes.

S.No. 8
Risk: Damage to network assets by the transfer of viruses, worms, etc. from the mobile
device.
Control: Auditing the mobile security policy and its implementation.

S.No. 9
Risk: Unauthorised access to data by downloading data from corporate devices or
networks (due to its connectivity).
Control: Passwords and other logical access controls. Educating the users on proper
mobile computing ethics.

S.No. 10
Risk: Unauthorised changes or additions to data by uploading data to corporate devices
or networks.
Control: Two-factor authentication, used to verify both the device and the identity of the
end user during a secure transaction.

S.No. 11
Risk: Unauthorised use of equipment and communications, including the risk of using
unauthorised access to the Internet to break into a third party's networks (subjecting the
entity to potential legal liability).
Control: Firewall & password authentication.

10.3 Draft Policy Sample Procedures for Implementing Mobile Computing

The policy and procedures with regard to Mobile Computing need to be framed diligently
and with caution, in line with best practices and standards. This policy is intended to
manage the risks of mobile computing by:
• Ensuring computing assets are appropriately procured and managed.
• Implementing a uniform and consistent approach to security issues associated with
mobile computing devices.
• Providing guidelines that assist protection of the confidentiality, availability and
integrity of Radisson Ltd.'s information while stored, transmitted or processed using
mobile computing devices, and
• Ensuring that users of mobile computing are aware of their responsibilities.

The policy can be as under:

i) Two types of policies are to be made in this respect by Radisson Ltd., i.e. an
Acceptable Use Policy and a Security Policy.
ii) The Acceptable Use Policy defines ownership of the computer and any data
stored on it; what personal customization is allowed; what networks can be
connected to; and how training, support, repairs and help desk are implemented.
iii) The Security Policy relates to the security of devices under mobile computing and extends
far beyond mobile computing security alone.
iv) All mobile computing and storage devices that access the Radisson Ltd. Intranet
and/or store company data must be compliant with the Information Security
Policies and Standards.
v) Restricted data which is stored on mobile computing and storage devices must be
encrypted.
vi) All mobile computing devices used within Radisson Ltd.'s information and
computing environments must meet all applicable company encryption
standards. Mobile computing devices purchased out of company funds, including,
but not limited to, contracts, grants and gifts, must also be recorded in the unit's
information assets inventory.
vii) Radisson Ltd. information security policies applicable to desktop or workstation
computers also apply to mobile computing devices.

Other allied aspects to be included in the Policy:

• The process of implementation of Mobile Computing needs to be documented
properly.
• The needs, benefits, cost and capabilities, along with the security aspects, of Mobile
Computing need to be analyzed.
• An evaluation is to be made as to what the means of Mobile Communications will be.
• Selection of Mobile Hardware Devices that will be suitable for the organization.
• Selection of appropriate Mobile Software that will serve as the Operating System, and
Applications to be made compatible with the selected hardware devices.
• Remote access to be governed by the principle of "Least Privilege".
• Putting proper mechanisms in place to ensure authorization and authentication.
• Thorough testing to be carried out before bringing Mobile Computing into operation, to
identify all the security loopholes and correct them.
• Framing of a Bring Your Own Device (BYOD) Policy, if required.
• Updating of the Business Continuity Plan accordingly.
• Establishment of controls for network security, database security and penetration
testing as required.

11. Recommendations

It is highly recommended to adopt the following practices to maintain the Confidentiality,
Integrity and Availability of Data. These will further address the security concerns
associated with Mobile Computing:

• Limit the use of Smartphones to access information and applications to approved
employees
• Limit access to sensitive information and applications from mobile devices
• Geo-track devices, especially Smartphones
• Prohibit the use of custom ROMs and unapproved App-markets/sites
• Deliver security awareness training and measure its effectiveness with employees
• Scan mobile devices with anti-virus and anti-malware
• Protect and back up information on the devices
• Wipe and lock stolen and lost devices as soon as notified by employees
• Investigate the availability of patching as part of device evaluations
• Use frequent controls and configuration testing to reduce gaps and limit risks
• Increase spend on information security beyond your peers

12. Summary/Conclusion

Mobile Computing can address Radisson Ltd.'s problem of employee turnover to a
great extent by providing the following capabilities:

• Location flexibility: Mobile Computing enables users to work from anywhere as long as
a connection is established. A user can work without being in a fixed position.
• Saves time: Time is saved as there is no travel required between different locations such
as home and the office.
• Enhanced productivity: Employees can work efficiently and effectively from any
location they are comfortable with and at any time they want.
• Ease of research: Research is made easier, since users in the field searching for facts
can feed data back to the system.

Accelerated adoption of emerging technologies like Cloud Computing and Mobile
Computing has provided a lot of advantages to organisations. However, at the same time
the technology implementation has inherent risks which have to be properly understood
and mitigated. There is a need to understand the inherent risks in these technologies so
that they can be considered during implementation. An understanding of these
technologies will also open new opportunities for organisations.

Mobile computing can be used for enhancing the overall efficiency and effectiveness of
services rendered by an organisation. However, implementation has to be based on the
overall IT Strategic plan of the firm and should take into consideration the current
technology deployed, organisation structure, technical competency of the staff, services
offered currently and planned in the future, client profile, usage of technology by clients,
cost benefit analysis, etc. A detailed project plan with specific milestones and timelines
has to be prepared and implemented considering all the above factors, rather than just
buying mobile devices with connectivity.
