
Mumbai Chapter E-Journal 2014-15 Issue - 3


Volume 2, Issue 3
isaca @ mumbai E-Journal (For Internal Circulation Only)

Inside This Edition
Message From The President
From The Editor's Desk
Get Connected To ISACA Mumbai Chapter
News Update
Interlude
Corporate Espionage: the insider threat
Social Media Usage In The Enterprise
Vendor risk assessment
Security Considerations while Procuring BYOD Solutions for Mobile Phone/Tablets
ISACA Conference
Photo Gallery
Solution To Last Edition's Crossword Puzzle
Crossword Puzzle

Message From The President
-Vaibhav Patkar

"It used to be expensive to make things public and cheap to make them private. Now it's expensive to make things private and cheap to make them public." Clay Shirky, noted internet scholar and Professor from New York University, has said this. This is what is happening in today's world. More and more personal and private information is being shared over the internet and users are not taking enough measures to protect it. The information is available so easily that anyone can find out another person's details on where he was born, his birthday, school and college attended, jobs and companies joined and left, likes and dislikes etc., without that person being aware that this data can be used whenever and wherever, and without their knowledge.

This is the power of connectivity in today's world, thanks to a phenomenon called the Internet which started more than three decades ago. No one really thought of the power of the Internet then, and even now. ISACA Mumbai Chapter is taking precisely this theme, The Internet of Things, for its 19th Annual conference which is scheduled on August 1 and 2, 2015 in Hotel Westin Garden City, Goregaon. The conference will bring Security professionals, Auditors and Consultants together to listen to some great speakers from industry talking about various aspects of The Internet of Things, or should it be called The Internet of Everything? Look forward to seeing you there.

The chapter's new office is now fully functional. We have conducted and completed the first CISA Review Course in the new premises along with mock tests. The CISM Review Course has also been completed. COBIT 5 Foundation and PCI DSS Ver 3.0 workshops have also been conducted during the last quarter. All the courses and workshops were appreciated by the participants who attended. Various speakers have graced the Saturday Chapter meetings in the premises for the chapter members. We are now looking at conducting more and more meetings and workshops for the benefit of the members in the coming days.

A lot of things are happening in the outside world: the historic Iran nuclear signoff, the Greek bailout, the earthquake in Nepal etc. These things are in some way connected to and affect all of us. They are also making us think that nothing is perpetual and change is constant. Always look for and embrace the change, tune to and with it, and the world would be a better place to live.

Talking about change, one should not expect others to change and not themselves. David Brin has commented beautifully in relation to security: "When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." I guess the time has come to change the mindset in the ever changing world of The Internet of Things.

All Rights Reserved 2007-2015 ISACA Mumbai Chapter.


From the Editor's Desk
-Latha Sunderkrishnan
eJournal Editor, ISACA Mumbai Chapter

This may probably be my last editorial this financial year. We are in the midst of times wherein every other day we read of a hack / data breach. Thus data protection has become one of the key concern areas for most companies. The corporate world is gearing up to face this challenge of protecting their data.

People post pictures of themselves and their friends wherever they are, with the different locations. Selfies have become so popular and profile pictures are being changed by individuals on a daily basis. Is your picture posted on Facebook or WhatsApp safe? Once you post it, is it in the server of Facebook or WhatsApp? Whom does it belong to now? You? Where is the server hosted? Which country does it belong to? So many questions? No real answers. These questions perhaps may be answered in the ensuing ISACA Mumbai Chapter Conference.

Interestingly the key theme of ISACA Mumbai Chapter's Annual Conference scheduled on August 1st and August 2nd is IOT, the Internet of Things. The conference is preceded by a workshop on 31st July. As per the ISACA IT Risk/Reward Barometer 2014 survey, 43% believe IOT is likely to be one of the major thrust areas and impactful from a future business plan perspective. 60% believe that Bring Your Own Wearable or Bring Your Own Device (BYOD) is risky. The conference has received a good response and seats are getting filled up fast. Wish all the members a happy three days of networking.

For any feedback/articles/criticism/suggestions, please leave a message to lsunder@hotmail.com

Get Connected to ISACA Mumbai Chapter


Given that the entire focus has now shifted to social media, ISACA Mumbai Chapter has attempted to create its presence on Twitter, Facebook and LinkedIn. However, no such initiative would succeed without your cooperation and participation. Please get connected!
Get socially connected with ISACA Mumbai Chapter in the following manner:
https://www.facebook.com/IsacaMumbaiChapter
https://twitter.com/ISACA_Mumbai
https://www.linkedin.com/ISACAMumbai

News Update from the Editor's Desk

Logjam: This New Encryption Glitch Puts Internet Users at Risk
After the HeartBleed, POODLE and FREAK encryption flaws, a new encryption attack has emerged over the Internet that allows attackers to read and modify the sensitive data passing through encrypted connections, potentially affecting hundreds of thousands of HTTPS-protected sites, mail servers, and other widely used Internet services.
A team of security researchers has discovered a new attack, dubbed Logjam, that allows a man-in-the-middle (MitM) to downgrade encrypted connections between a user and a Web or email server to use extremely weak 512-bit keys which can be easily decrypted.
Source http://thehackernews.com/2015/05/logjan-ssl-vulnerability.html
Source https://weakdh.org

Cyberattack Exposes I.R.S. Tax Returns
Criminals used stolen data to gain access to past tax returns of more than 100,000 people through an application on the Internal Revenue Service's website, the agency said on Tuesday.
Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme.
Source http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html?_r=1

Gaana.com reportedly hacked, details of 10 million users allegedly scraped
One of India's most popular music streaming services, Gaana.com, has reportedly been hacked. The site is currently down for maintenance, with no official statement given out yet. A Pakistan-based hacker has claimed responsibility for the hack and claims details of 10 million users including their email address, date of birth and other information have been scraped and made available in a searchable database.
The hacker, Mak Man, claims he can get all details of users by entering an email address. He claims his exploit has given him access to information about 10 million users of the service. Of course, the claims remain unverified at the moment.
Source: http://www.bgr.in/news/gaana-com-reportedly-hacked-details-of-10-million-users-allegedly-scraped/
http://thenextweb.com/insider/2015/05/28/indian-music-streaming-service-gaana-hacked-millions-of-users-detailsexposed/

Ola Cabs Hacked And Users' Credit Card Details Compromised
Ola Cab is a taxi service which has been hacked by a group of hackers called Team Unkown. The group posted a thread on Sunday in Reddit claiming that they have hacked the Ola Cab database including all the information of the users such as credit card transaction history, vouchers etc.
Source: http://www.latesthackingnews.com/ola-cabs-hacked-and-users-credit-cards-details-comprised/

Kaspersky Lab cybersecurity firm is hacked
One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers.
Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.
It said the intrusion involved up to three previously unknown techniques.
The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage.
Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was "in no way critical to the operation" of its products.
Source: http://www.bbc.com/news/technology-33083050


Interlude
-Anuprita Dagga

Brief Bio About The Interviewee
Anuprita Dagga, CISM, is the Chief Information Security Officer of Reliance Capital Ltd.

Q: What is your vision for security for your organization for 2015?
A: In the world of technology, every day there is innovation. Every innovation is giving new opportunity as well as generating new threat. Due to the increase in the adoption of internet, users are expecting every information at their fingertips. As we are in the financial services industry, it is very important to provide services to the customers and make them self-sufficient by providing self-service avenues. Our vision is to provide a user-centric, trusted and secure environment to employees to conduct business, while ensuring protection of RCL information assets including customer data.

Q: How strong is your ISMF team and how much is the support from the management in your company? How often do you meet to discuss security issues?
A: We have a very strong governance framework and ISMF defined and practiced, that is having the top down approach. There is visibility from end user up to the Board and all issues and incidents are discussed at different levels. There is an Information Security Risk Management Committee defined which discusses all information security related issues and tries to address them in the most optimal manner. All the risks are reported to the Risk Management Committee, which reports to the Board.

Q: What do you think is the bare minimum compliances that need to be followed to avoid any security breaches?
A: Security of customer information and company confidentiality is at the centre of the Information Security Management System. Protection and monitoring of confidential information is the minimum compliance that should be kept in mind while defining an information security program. Being in the financial services industry, we give priority to safeguarding and monitoring customer personal information and company confidential information. There are 3 parallel paths which help in avoiding security breaches:
1. Proactive (Learning from the external world): Every security professional needs to be aware of the security trends, threats, vulnerabilities published, breaches that occur in the external world etc. This will help the Company to initiate proactive action plans before responding to any incident.
2. Reactive (Happening within the company): Be aware of what is happening inside the company. Have a continuous monitoring mechanism, which can be used for improving system effectiveness and taking disciplinary action in case of violation.
3. Awareness (Deterrent): People are the most critical part of the system. It is very important to make users aware of the information security concept about WHY, WHAT, WHERE and HOW.
One needs to ensure that organization Security Policies align with the requirements of the business. Needless to say, regulatory and statutory compliance requirements are mandatory in nature.

Q: How has being certified helped you enhance your career?
A: Yes. I am a certified CISM professional. It has definitely helped me to increase my professional knowledge, which I can use in my job. It has also helped me to collaborate with the same professional interest group and share information.

Q: Do you arrange for security awareness trainings? How often are they conducted in your organizations?
A: We do arrange security awareness trainings. We conduct formal and informal trainings in groups as well as establish connect with individuals and also conduct refresher security awareness sessions for all users.

Q: What are the challenges that you face at your workplace?
A: Keeping pace with the developments of technology and maintaining dynamic security along with technology developments is one of the major challenges.

Q: How has social media impacted you professionally?
A: Social media helps one to know all the developments happening in the external world. In such a busy working schedule, it is the fastest channel to reach anyone. Social media has also made access to information easy.

Q: How do you keep updated with the latest security news?
A: Security news subscription, conferences, events, social media groups etc.

Corporate Espionage: the insider threat
-Murli Nambiar

"It's all about Information."

Introduction
"All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him." ----Sun Tzu (~ 400 B.C)

Corporate espionage can be defined as the collection of illegal and unethical activities undertaken by companies / organisations to gather, analyse and manage information on competitors with the purpose of gaining a corporate edge in the market. Trade secrets, commercial secrets, intellectual property and strategic information like a potential bid price are typically targeted during industrial espionage.

In the early days, as now, spies deal mainly with information. They don't care where the information comes from; it's irrelevant as long as the information is compromised. In today's workplace much focus is given to technical controls like implementing firewalls and IPS. While these are good to prevent the traditional hackers, this does not mitigate the risk of employees working as spies for the competition: the INSIDER THREAT.

The Associated Chambers of Commerce and Industry of India (Assocham) did a survey in 2012. Over 35 percent of companies operating in various sectors across India are engaged in corporate espionage to gain advantage over their competitors and are even spying on their employees via social networking Web sites, Assocham said in its report. Assocham made a stronger claim that about 900 respondents said they plant a mole in other companies, usually as receptionists, photocopiers and other low-end jobs. About 1,200 respondents said they use detectives and surveillance agencies to constantly monitor their employees' activities and whereabouts, using moles and social media, according to the survey. About a quarter of respondents said they have hired computer experts for installing monitoring software to hack and crack the networks, track e-mails of their rivals and perform other covert activities, Assocham notes. According to the survey, respondents also said they install spying gadgets like closed-circuit television cameras, audio and video surveillance devices, voice recorders, and global positioning systems in their offices to keep track of employees.

Another PwC report of 2013 calls industrial espionage India's new booming sector. As per them, almost 80% of all CEOs use detective and surveillance agencies to spy on ex and current employees in addition to attempting to get competitive advantage.

Brief Bio About The Writer
Murli has 22 years of rich IT experience as a strategist, innovator and visionary. He has been instrumental in setting up information security divisions for Mashreqbank (Dubai), ICICI Bank and Reliance Capital group. He has conceptualized & implemented various innovative data security solutions like data flow analysis for data security, and worked on key security solutions like Privileged Identity Management, SIEM / SOC environments, incident response and recovery (including forensics) and many more. Murli also worked as Chief Technology Officer for Apollo Munich Health Insurance, Reliance Life Insurance & Reliance International business

And the Federation of Indian Chambers of Commerce and Industry (FICCI) called business espionage the 9th biggest threat to Indian companies in its annual India Risk Survey in 2014.

Evolution of corporate espionage
The history of corporate/industrial espionage probably dates back to the sixth century when Justinian, the Byzantine emperor, hired two monks to visit China.


More About The Writer
Murli is widely acknowledged as a domain expert and has been featured in a number of publications. He has spoken at many seminars and conferences as well, in addition to winning many awards in the information security space. He was also featured in the book "The Innovative Heroes, published by DynamicCIO.com 2013" as one of the Top 30 CIOs. In his spare time, Murli is an avid photographer, loves to travel, read and listen to old Hindi music.

He wanted them to gain an understanding of silk production in China and to smuggle silkworm eggs and mulberry seeds out of that country to break its worldwide monopoly on silk production. The monks smuggled these eggs and seeds out of China in hollow bamboo walking sticks. Subsequently, in a few years the Byzantine empire replaced China as the largest silk producer in the world. Over the centuries, industrial espionage practices continued to play a major part in the development of many countries. In the 18th century, alarmed by the industrial and military supremacy of Great Britain, France sent its spies to steal the latter's industrial secrets.

Various types of espionage activities
Technology has transformed the capabilities of spying with the addition of miniature cameras, photocopiers disguised as pens able to copy docs simply by rolling over them, sensitive microphones to pick up and record conversations, and satellites that survey the entire globe.

Technical intelligence
Radio signals, coded communications, recorded conversations, intercepted calls and emails, satellite surveillance and electronic monitoring of ship and aircraft movements all contribute to increasingly complex intelligence pictures. The proliferation of smartphones is another factor.

Commercial and trade intelligence
Corporate espionage has become more prominent. National interests are now more focussed on economic strength and commercial competition. Information regarding the strategy of a competitor is invaluable and is often used as a tool when negotiating contracts with customers. Corporate espionage can be online or offline; however, with advanced technology, online espionage in the form of hacking has been steadily gaining popularity.


Human intelligence
In some areas of espionage, however, human agents are still the best information sources because they can supply the missing factors: the intentions of those in command. Human espionage can reveal the way the competition's management think, what they know, what they want and what they plan to do to achieve their objectives. Traditionally companies spend their time and effort investing in technology controls to prevent online leakage; however, information is often leaked when employees interact with head-hunters and their counterparts in other companies. Juneau Kastuva, President and CEO of a Canadian security firm, Northgate, estimated that 85 to 90 per cent of incidents involve the assistance of an insider who has legitimate access to the information. Thus, the most common agent of industrial espionage often emerges as an insider: an employee.

Double agents
In this shadowy world of cat and mouse, perhaps the most dangerous figure is the double agent: the spy with divided loyalties or personal greed who trades information between contenders and who betrays both sides with equal ease. To win an espionage battle, counterintelligence forces have to watch for the tell-tale signs of someone who does not quite belong, who shows too much interest in sensitive places or pieces of information, who associates with people who may be suspect, or whose background details seem less than convincing.
Implications of corporate espionage
Corporate espionage always damages the interests of the company, in some cases irreparably. Leaking of critical and confidential data would give an advantage to the competition. Innumerable cases are known where companies had disastrous results by virtue of stocks dropping, legal and financial implications and loss of customer confidence. The leaking of confidential product plans, marketing strategies, and financial documents could cripple an organization and bring it to extinction.

Tools and modus operandi
Tools: various tools could be used by spies: invisible ink, secret messages using codes and ciphers, microdots, telephone taps, hidden microphones, miniature cameras, infrared cameras, night vision systems etc. Many spying devices are available on the Internet at dirt cheap prices: motion activated video recorders, voice recorders, GPS tracking keys, watch cameras, PC / cell monitoring etc.

Modus operandi:
- Dumpster diving: the process of looking at trash to identify confidential data not disposed of correctly.
- Carrying off confidential documents and joining competitors.
- Emailing / copying confidential information through unprotected USB / Internet access.
- Social engineering attempts: attempting to misguide personnel into sharing their sensitive data, to either do malicious acts unknowingly or part with their credentials.
- Joint ventures with competitors: during the process of expanding the state-of-the-art, a company must divulge its knowledge of the state-of-the-art.
- Open source information: newspaper articles, corporate annual reports, court filings, marketing info etc.
- Hiring of employees: the easiest aspect for getting quick turnaround from an employee is to recruit from a company who has them. And when they come on board it would be difficult not to use the knowledge they have gained from the previous company when, for example, bidding for the same project.
- Information collection specialists at trade shows, conferences: they usually act like potential customers or fellow researchers to elicit information from people that are all too willing to give it up.
Most importantly of all: Insider Threat
Most incidents involve the use of insiders to steal information. Getting an insider to collude can occur in various ways. They include people who have become disillusioned with the company, greedy people who can be bought, and people who can be compelled to cooperate by threats to family, blackmail and other ugly means; hatred of those in power, a desire to hasten their downfall, or the need for money or goods in short supply. For some, excitement and adventure could be enough reason.

In many corporate organizations, especially the big corporates, it's easy for people with malicious intent (read spies) to get a job. Once they get in they are usually not monitored or given a cooling period before having access to confidential data. Thus, they go undetected in their thefts of information. This highlights the issue of information security teams spending time and money on protecting their perimeter but not having sufficient internal controls.

Getting jobs in housekeeping and other supporting functions is easy enough. Then, at night, the floor is theirs to play. Any document kept in the open, files not locked away, are easy material to copy and steal. They would also go through the trash to see documents that are not properly shredded and gather information. This is a very effective way of getting information without raising any suspicion. In some cases, if the person posing as housekeeping personnel is actually someone who knows computers, trying to break into open systems or trying to log in to systems is another easy way. Unless the organization has trained its personnel to identify these kinds of break-ins (for example, showing the last login time and noticing the unearthly login time, or the account being locked out when they come in the morning to work), it's an easy process for the spies to keep trying until they strike it lucky.

In some cases, they could also plant bugs to record conversations that take place, especially in sensitive areas like the board or conference rooms. These are areas which are rarely scanned for these devices and could provide unimaginable benefits to the spies. A board discussion on sensitive and critical corporate topics would probably be of immense benefit to a competitor.
Some methods to detect espionage activities
- Identification of or increase in spear phishing activities: the spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient.
- Establishing a presence: usually firewalls detect inbound traffic, but all malicious activities require the exploit to report back to a C2 (command and control) server. Backdoors mimic legitimate traffic and use SSL encryption so communications are hidden in an encrypted SSL tunnel. This backdoor will communicate to the server, and Infosec / IT teams need to monitor outbound traffic in this regard.
- Privilege escalation: once a presence is made, the next step is to gain access to more resources within the network. The malicious user will try to dump the password hashes to obtain legitimate user credentials. Identifying any activity attempted using these password cracking tools would help detect malicious activity.
- Monitor logs and physical access control devices: regularly monitor the logs of various servers, firewalls and IPS and develop correlation rules which can highlight the possibility of any potential breach. The CCTV and any biometric / access control device logs should be regularly monitored to identify cases. If the housekeeping team seem to be spending more time in specific areas than required, review the reasons for it.
- Physical scans / verification: conduct regular checks of sensitive areas like the CEO office, board and conference rooms to detect any unauthorised devices (Wi-Fi access points or recording devices or bugs), especially before any important meetings take place there.
- New employees expressing interest in areas / domains not relevant to their scope of work could be potential indicators of spying, especially if the employee has joined from the competition. Monitor the internet browsing, emails and phone calls made by these employees in such cases.
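To make the "correlation rules", "unearthly login time", morning lockout and housekeeping dwell-time indicators above concrete, here is an added example (not from the article or its author) in Python: three detection rules run over constructed authentication and badge-access records. The log formats, office hours, zone names, badge ids and thresholds are all assumptions made for this illustration.

```python
"""Correlation rules for the insider-espionage indicators in the article.

Added example, not part of the original article. Every record below is
constructed sample data; field layouts and thresholds are assumptions.
"""
from datetime import datetime, time, timedelta

# Constructed authentication log: "timestamp|user|host|result"
AUTH_LOG = """\
2015-06-15T02:13:40|rsharma|FIN-DB01|FAIL
2015-06-15T02:14:05|rsharma|FIN-DB01|FAIL
2015-06-15T02:14:31|rsharma|FIN-DB01|FAIL
2015-06-15T02:14:59|rsharma|FIN-DB01|FAIL
2015-06-15T02:15:20|rsharma|FIN-DB01|FAIL
2015-06-15T02:15:48|rsharma|FIN-DB01|LOCKOUT
2015-06-15T02:41:10|amehta|FIN-DB01|SUCCESS
2015-06-15T09:02:11|rsharma|FIN-DB01|FAIL
2015-06-15T09:05:30|rsharma|FIN-DB01|SUCCESS
2015-06-15T10:12:00|amehta|WEB-01|SUCCESS
"""

# Constructed badge-access log: "timestamp|badge_id|role|zone|event"
BADGE_LOG = """\
2015-06-15T01:50:00|HK-017|housekeeping|BOARD-ROOM|ENTER
2015-06-15T02:55:00|HK-017|housekeeping|BOARD-ROOM|EXIT
2015-06-15T03:00:00|HK-017|housekeeping|OPEN-FLOOR-3|ENTER
2015-06-15T03:20:00|HK-017|housekeeping|OPEN-FLOOR-3|EXIT
2015-06-15T08:30:00|EMP-204|employee|BOARD-ROOM|ENTER
2015-06-15T08:45:00|EMP-204|employee|BOARD-ROOM|EXIT
"""

BUSINESS_START, BUSINESS_END = time(7, 0), time(21, 0)  # assumed office hours
SENSITIVE_ZONES = {"BOARD-ROOM", "CEO-OFFICE", "CONF-ROOM"}  # assumed zone names
MAX_DWELL = timedelta(minutes=20)  # assumed time a cleaning visit should take


def parse(log):
    """Split a pipe-delimited log into lists of fields."""
    return [line.split("|") for line in log.strip().splitlines()]


def off_hours_logins(records):
    """Rule 1: successful logins at 'unearthly' hours (outside office hours)."""
    alerts = []
    for ts, user, host, result in records:
        t = datetime.fromisoformat(ts)
        if result == "SUCCESS" and not (BUSINESS_START <= t.time() < BUSINESS_END):
            alerts.append((user, host, ts))
    return alerts


def lockout_then_success(records):
    """Rule 2: an account locked out by a guessing burst that later logs in
    successfully, i.e. the owner arriving in the morning finds it locked."""
    locked = {}
    alerts = []
    for ts, user, host, result in records:
        if result == "LOCKOUT":
            locked[(user, host)] = ts
        elif result == "SUCCESS" and (user, host) in locked:
            alerts.append((user, host, locked.pop((user, host)), ts))
    return alerts


def excessive_dwell(records):
    """Rule 3: support staff (anyone not an employee) staying in a sensitive
    zone longer than a cleaning visit should take; returns minutes spent."""
    entered = {}
    alerts = []
    for ts, badge, role, zone, event in records:
        t = datetime.fromisoformat(ts)
        if event == "ENTER":
            entered[(badge, zone)] = t
        elif event == "EXIT" and (badge, zone) in entered:
            dwell = t - entered.pop((badge, zone))
            if role != "employee" and zone in SENSITIVE_ZONES and dwell > MAX_DWELL:
                alerts.append((badge, zone, int(dwell.total_seconds() // 60)))
    return alerts


def run_all():
    """Run every rule over the constructed logs and collect the hits by rule."""
    auth, badge = parse(AUTH_LOG), parse(BADGE_LOG)
    return {
        "off_hours_logins": off_hours_logins(auth),
        "lockout_then_success": lockout_then_success(auth),
        "excessive_dwell": excessive_dwell(badge),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

Each hit is a lead for review, not proof of espionage: the lockout rule in particular fires on an ordinary forgotten password, so the value lies in correlating it with the off-hours and badge rules for the same night.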


How to prevent corporate espionage
Information security efforts must therefore address countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security.

Technical security: reduce the vulnerabilities present in electronic systems. In addition to implementing perimeter level defences like firewalls and intrusion prevention systems, InfoSec teams should start paying attention to other factors like protecting the data within the enterprise. Identifying and classifying critical and confidential data and then implementing security solutions to assign rights and identify leaks should be the top-most priority for them. The database team is privy to a lot of information and adequate controls to monitor and audit their activities should be in place. Encrypting critical data identified in the earlier step is key in ensuring data is protected even if compromised.


Operational security: giving data access to new employees on a need-to-know basis prevents the unnecessary proliferation of information. Likewise, policies restricting the use of open communication lines, such as the Internet and telephone systems, reduce the potential for the compromise of information. Other operational security issues include enforcing your own security policies on your vendors and suppliers. Critical departments within the organization should be reviewed for potential ways the information could be maliciously used. There must be a clear understanding of who to disclose information to, and under what conditions and controls. A strong security awareness program is the foundation for a strong operational security program. People must know what information they should protect, and specifically how to protect it. Everyone should be encouraged to identify & report any questionable circumstances, and know who to report it to.

Physical security: physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as your own employees. All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor. This feature helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Top management should lead by example and wear / display their badges at all times. Another physical security issue to be addressed is the control of garbage. Locks on office doors and file cabinets frequently go unused in many organizations. Clean desk policies, which require all sensitive information to be locked up, must also be enforced. A clear screen policy should be enforced.


Personnel security: all new personnel joining the organization should undergo a background verification check. In cases where they would be handling sensitive data there should be a cooling-off period during which these employees should not be provided access to confidential data. Criminal background verification is a must for all employees handling or managing sensitive data like information security professionals, database and IT teams, processing teams etc. Ensuring stringent background and criminal checks are done even for casual employees or contractors offering housekeeping and physical security services is mandatory. Implementing and monitoring CCTV records, especially of critical areas like the CEO office, board or conference rooms, to identify any malicious acts by these personnel during the night is a must.

Hiring and exit formalities should be in sync with IT processes; any absconding or resigned staff should be deleted from systems within a defined time frame. In cases where potential job hunting is detected the employees should be monitored closely to ensure data is not being taken out. Contract termination of external vendors, and more importantly of their personnel who have access to critical data of the organization either for processing or through access to FTP / web systems, in an absconding state or resigning from services, should be notified to the organization immediately.

Another major factor that needs to be addressed is the proliferation of social media. Some of the most popular ones like LinkedIn, Facebook and Twitter are easy channels for people to vent their griefs and frustration, likes and dislikes: key information for the competition to source these people to work for them and use them as spies. Inadvertent disclosure of corporate information could also lead to serious repercussions for the organization. It's important for organizations to have a policy and awareness session for their corporate staff.

Instances of corporate espionage and the damage caused, global / India

An article in ComputerWeekly in 2013 highlights a large and sophisticated cyber-attack infrastructure that appears to have originated in India. A group of attackers based in India seems to have employed multiple developers to deliver specific malware for private threat actors, according to a report by malware analysis firm Norman Shark. Analysis of IP addresses collected from criminal data stores showed that attacks targeted victims in more than a dozen countries.

Shastrigate - named after Shastri Bhavan, which houses a number of ministries - refers to the recent leaks of documents from the Petroleum and Gas Ministry and later the Coal, Foreign Investment Promotion Board (FIPB), Power, Coal and New and Renewable Energy ministries. Delhi Police's Crime Branch arrested five persons, reportedly including two government officials and a journalist, for allegedly leaking classified documents from the petroleum ministry. Two forged identity cards of the Ministries of Coal and Power and copies of various official/secret documents were seized from one of the accused. A total of 16 people were arrested in the espionage case.

APT1, China's cyber espionage unit, has been active since 2006 and has targeted more than 141 organizations, stealing hundreds of terabytes of data from them. They focus on compromising organizations across a broad range of industries in English-speaking countries.

In 2001, Procter & Gamble admitted to a spying operation, alleged to have been carried out over 6 months, on its hair-care competitor Unilever. Their plan included going through Unilever's trash in search of documents.

In the early 90s, allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems.

When the chief of production from Opel moved to rival Volkswagen and was followed by not one, not two, but seven other executives, Opel cried industrial espionage over an alleged missing bundle of confidential documents, in response to which Volkswagen parried with accusations of defamation.

Michael Mitchell worked on the marketing and sales of Kevlar for DuPont until he was fired in 2006. He offered his services to Kolon Industries Inc, a Korean firm which happens to be one of two companies that manufacture fibers that can compete with Kevlar in the toughness stakes. After emailing his new bosses confidential information on Kevlar, he went back to old colleagues at DuPont to find out more.

Covert monitoring of Microsoft by Larry Ellison, head of Oracle: wanting to expose Microsoft's funding of various public interest groups, Oracle used detectives to bribe the cleaning staff at Microsoft's Washington office to lay their hands on documents.

Conclusions
There needs to be a paradigm shift for information security professionals, from traditional information security mechanisms to focussed corporate espionage protection techniques. In the end, it is always the data and information that is at stake; identifying and knowing where it lies in the organization and protecting it through focussed data security mechanisms removes the fizz if spies get their hands on it.
Many incidents have shown the impact of insider threats; in some cases 70% of them are related to it. If the information security team focuses on various other factors in addition to technical aspects, it would provide a holistic approach and reduce the potential loopholes which can be exploited. Close coordination with the physical security and human resources teams, working as one close-knit unit, would help alleviate the threats of corporate espionage.
A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances of an attack being successful are minimized.

References:
1. Akanksha Vasishth and Akash Kumar. 2013. Corporate Espionage: The Insider Threat. Business Information Review, Vol. 30, June.
2. Ahvi Spindell. 2013. Industrial Espionage Threats to SMEs Originate from Within. Thomasnet News, 17 October. http://news.thomasnet.com/IMT/2013/10/17/industrialespionage-threats-to-smesoriginate-from-within/
3. http://social-engineer.org/wiki/archives/PenetrationTesters/Pentest-Winkler.html
4. http://www.computerweekly.com/news/2240184448/Researchersuncover-Indian-cyber-espionagenetwork
5. http://intelreport.mandiant.com/
6. http://www.businesspundit.com/10-most-notorious-acts-of-corporateespionage/

Social Media Usage in the Enterprise
-K K Mookhey

Brief Bio - About The Writer
K. K. Mookhey is the Principal Consultant at Network Intelligence (I) Pvt Ltd. and the Institute of Information Security. One of the pioneers in the information security space, he founded NII in 2001. What started as a one-man show has grown into a team of 200+ security professionals working across India and the Middle East with the who's-who of industry as long-term clients. He is the author of two books on security, Linux Security & Controls and Metasploit Framework, as well as numerous articles. He is one of the first Indian security researchers to have presented at Blackhat USA in 2004. His experience and skillsets encompass IT Governance, Information Security Strategy, Forensics, Fraud Risk Management, and Business Continuity. He holds the CISA, CISSP, CISM, CRISC and PCI QSA qualifications.

Introduction
With the onslaught of SMAC (Social Media, Analytics, Mobility and Cloud Computing) in our personal as well as professional lives, we are spending a huge amount of time and energy in a digital world. Many organizations are faced with the challenge of how to handle and even leverage these technological innovations to gain a business advantage. This article looks at the aspect of social media and how best an organization may decide its stance with respect to allowing or disallowing users access to social media sites from work.

What is social media?
Social media refers to those websites where users interact with each other based on common interests and where much of the content is user-generated. The most common examples of social media are of course Facebook, Twitter, LinkedIn, etc.

Why are we opening up access to social media?
The main objective behind this step should be clearly articulated and spelt out for all employees to read and understand.

What aspects are to be kept in mind when allowing employees access to social media from within the network?
There are certain risks that we must be aware of when allowing access to social media.

1. Loss of productivity
One of the concerns that senior management might have is that people will end up spending too much time on these sites and thereby reduce their focus on work. Studies have shown that a large percentage of access to social media happens during working hours even in cases where employers have not allowed such access on their networks. This means that employees access these sites in any case, using their smartphones. One answer to this problem would be to allow access to these sites during specific times of the day, such as during the lunch break and after working hours. This gives employees a targeted time during the day when they can use these sites and reduces their propensity to access them using their smartphones. Why increase one's data consumption when the company network allows access to these sites during lunch and after working hours? We might actually see an increase in productivity from this approach.
It is important to closely monitor social media usage and bandwidth consumption on a regular basis to avoid misuse.

2. Security risks
Often the content and links posted on social media sites can be used to compromise the user's system via a phishing scam or malware download. While this can happen in any case, social media interactions happen with a certain level of inherent trust: the posts and links are from friends of mine and therefore must be valid to some extent. This can be mitigated by strong malware controls within the network as well as constant employee education. While we open up social media for our employees, we should combine it with an awareness campaign that helps them use social media in a secure fashion.

3. Employee privacy
Managers must be sensitized not to cross the boundaries of social etiquette and the laws around workplace harassment just because they are connected with their peers or employees over social media. This connectivity can create a false sense of intimacy where none might exist and cause relationships to sour. Certain boundaries must be maintained in social media interactions between employees, especially between those in management positions and their subordinates.

4. Disclosure of sensitive information on social media
Any instance of disclosure of company confidential information on social media should be handled with strict action, and a strong message sent that these channels cannot be used to cause any sort of harm to the company or its reputation. Again, the employee awareness campaigns should help sensitize people to the proper usage of these channels and ensure they don't inadvertently disclose insider information, even over chat.

5. Protecting company reputation
What employees post about the company should be outlined more along the lines of encouraging them to give positive insights rather than listing too many restrictions, which might appear to be a curb on freedom of speech. The signal that should go out is that social media is a positive technology, and that promoting the company, its brand and its practices on social media would help create a beneficial image for the company and its employees. Encourage employees to use their common sense rather than treating them with kid gloves.

6. Other safeguards
The other guidelines we have in our acceptable usage guidelines for email and Internet should also flow through to social media, such as not posting content of a sexual nature or content which might break the country's laws or be considered racist or offensive.

Overall, the following steps should be taken:
1. Identify the purpose behind taking this step and make it public to all employees.
2. Restrict use of social media to the lunch break and after working hours.
3. Monitor usage of these sites closely and alert employees and their managers if usage crosses acceptable thresholds.
4. Educate employees about the risks of social media even at home; this will encourage them to follow proper safety precautions both at work and at home.
5. Create an acceptable set of guidelines and circulate them to all employees.
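As an added example (not part of the article), the Python below implements steps 2 and 3 above over proxy log lines: social media requests are classified as inside or outside the allowed windows, per-user minutes and bytes are totalled, and users crossing a threshold are listed with the reason to send to them and their manager. The log format, the allowed windows, the thresholds and the sample lines are all constructed.

```python
"""Monitor social media use from proxy logs (added example).

Implements steps 2 and 3 of the article: social media access is allowed
only in defined windows (lunch break and after working hours), usage is
monitored, and the employee and manager are alerted when usage crosses an
agreed threshold. The log format, the windows, the thresholds and the
sample lines are all constructed for illustration.
"""
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "linkedin.com")
# Assumed policy: lunch break 13:00-14:00 and anything after 18:00.
ALLOWED_WINDOWS = [(time(13, 0), time(14, 0)), (time(18, 0), time(23, 59, 59))]
OUT_OF_WINDOW_LIMIT_MIN = 10        # minutes per day outside the windows
DAILY_BYTES_LIMIT = 200_000_000     # bytes per day on social sites

# Constructed log format: ISO timestamp, user, destination host, bytes, seconds.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)$"
)


def is_social(host: str) -> bool:
    """Match the domain itself and any subdomain, never a look-alike suffix."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


def in_allowed_window(t: time) -> bool:
    return any(start <= t <= end for start, end in ALLOWED_WINDOWS)


def summarise(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-user totals: seconds inside/outside the windows, and bytes."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or not is_social(m["dst"]):
            continue  # malformed line or non-social destination
        ts = datetime.fromisoformat(m["ts"])
        s = stats.setdefault(m["user"], {"in_window_sec": 0, "out_window_sec": 0, "bytes": 0})
        key = "in_window_sec" if in_allowed_window(ts.time()) else "out_window_sec"
        s[key] += int(m["dur"])
        s["bytes"] += int(m["bytes"])
    return stats


def alerts(stats: Dict[str, Dict[str, int]]) -> List[Tuple[str, List[str]]]:
    """Users whose usage crosses a threshold, with the reasons to report."""
    out = []
    for user in sorted(stats):
        s = stats[user]
        reasons = []
        minutes_out = s["out_window_sec"] // 60
        if minutes_out > OUT_OF_WINDOW_LIMIT_MIN:
            reasons.append(f"{minutes_out} min of social media use outside allowed hours")
        if s["bytes"] > DAILY_BYTES_LIMIT:
            reasons.append(f"{s['bytes'] // 1_000_000} MB on social media sites in one day")
        if reasons:
            out.append((user, reasons))
    return out


# Constructed sample log for one working day.
SAMPLE_LOG = [
    "2015-06-15T10:05:12 user=alice dst=www.facebook.com bytes=1500000 dur=900",
    "2015-06-15T13:20:00 user=alice dst=twitter.com bytes=3000000 dur=600",
    "2015-06-15T13:30:00 user=bob dst=www.linkedin.com bytes=500000 dur=300",
    "2015-06-15T11:00:00 user=bob dst=www.example.com bytes=900000 dur=120",
    "2015-06-15T09:00:00 user=carol dst=video.facebook.com bytes=250000000 dur=300",
    "2015-06-15T18:30:00 user=dave dst=twitter.com bytes=2000000 dur=1200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for user, reasons in alerts(summarise(SAMPLE_LOG)):
        print(user, "->", "; ".join(reasons))
```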

Further reading:
Social Media Strategy, Policy and
Governance
Enterprise Social Governance
Social Media Policy Template
Social Media Policy Template
Another template (4 pages)


Vendor risk assessment
-Latha Sunderkrishnan

Brief Bio - About The Writer
Latha Sunderkrishnan (CISA, ISO27001 LA, COBIT 5 Foundation) is a Senior Consultant with Network Intelligence India. She is an Electronics Engineer with more than 17 years of experience in IT with various multi-national organizations, working with a wide variety of technologies. She has worked in Information Security Audits and Consulting, Information Security trainings, Project Management, Quality Assurance and Customer Support. She can be reached at lsunder@hotmail.com

1. Introduction
Companies today have third party contracts with various vendors. Most processes are outsourced to various companies. This is the most convenient and flexible way to work, so that overall management activities are limited to vendor management alone. The quantum of work that is outsourced to third parties includes not just IT, data management and security providers, but also facilities management (cleaning, HVAC - Heating, Ventilation and Air Conditioning) along with any vendor that may have access to the network, data or facilities. However, outsourcing to third parties comes with significant risks such as adverse vendor incidents, and sometimes even penalties from regulators.
In today's paperless and highly competitive environment, it is in the interest of the company to safeguard its information. Therefore it becomes imperative that the company does everything to manage and maintain its IT infrastructure. This means a need to evolve vendor risk management, which will look at the various aspects of information security associated with the vendor. This would include management of risks right from identifying the vendor, contract management, risk management, business continuity plans etc. Managing external vendors should be a key competency for every enterprise and can lead to optimally mitigated risk and significant benefits.
In order to establish an effective vendor management process with goals and objectives, the enterprise needs to ensure the following:
- Vendor management strategy is consistent with enterprise goals.
- Effective cooperation and governance models are in place.
- Service, quality, cost and business goals are clearly defined.
- All parties perform as agreed.
- Vendor risk is assessed and properly addressed.
- Vendor relationships are working effectively, as measured according to service objectives.

2. Approach
1. A risk assessment needs to be done when choosing vendors. The controls implemented need to be evaluated and, if need be, the policies and procedures need to be audited. The selection procedure should be performed with due diligence and properly documented based on needs and appropriate criteria.
2. Site visits to the vendor's office need to be carried out. The financial capabilities of the vendor need to be assessed, along with previous experience, staff capabilities, any pending litigation or customer complaints etc.
3. The skill levels and training of the vendor's staff need to be assessed. This will help in understanding their capabilities for the contractual work undertaken.
4. Check that adequate documentation is present to convey the program management of the vendors to the relevant staff of the company.
5. The contracts need to be well defined and vetted by internal/external legal counsel.
6. Adequate staff should be deployed in order to fulfill the requirements of the contract. The third party staff should be well aware of their roles and responsibilities, and should have signed confidentiality agreements.
7. All records pertaining to activities need to be managed in an organized manner; methodologies for updating and archiving documents need to be defined.
8. The results of the activities performed by the vendor need to be reported to management on a timely basis and reviewed by management periodically. There should be a feedback mechanism in place, so that the performance of the vendor is evaluated continuously.
9. All precautions need to be taken to ensure that the data of the organization is protected and secure at all times.
10. The organization should ensure that compliance is met and all policies and procedures are complied with. It should also plan regular audits of the third party process and ensure that those are complied with at all times.
11. If the outsourced vendor is a foreign company, the organization should take care that the legal requirements are met. There should be penalty clauses or fines that can be applied.
12. The vendor organization should also have business continuity plans and disaster recovery plans in place in case of any disruptions, to ensure that the activities are performed even in case of a disaster.
3. COBIT 5 framework for Vendor Management
COBIT 5 has defined a framework for vendor management. It defines the roles and responsibilities of the different stakeholders in the contractual agreements. The RACI (responsible, accountable, consulted and informed) chart is shown in the figure below:

Vendor Management RACI chart (figure not reproduced): the rows list the stakeholders (C-level executives, business process owners, procurement, legal, risk function, compliance and audit, IT, security, human resources (HR)) and the columns are the phases of the contractual relationship life cycle: Setup, Contract, Operations, Transition-Out.

C-level Executives - They are accountable for the vendor management process, depending on the scale of outsourcing.
Business Process Owners - Business process owners should be actively involved in the vendor management life cycle.
Procurement - Many responsibilities within the vendor management life cycle belong to the procurement function.
Legal - To effectively mitigate vendor-related risk, the legal function should be involved throughout the entire vendor management life cycle.
Risk Function - The risk function should be consulted throughout the vendor management life cycle to obtain a complete view of the risk related to the relationship, services or products.
Compliance and Audit - The compliance and audit functions should be consulted throughout the vendor management life cycle to ensure compliance with internal and external laws, regulations and policies.
IT - The IT role is significant because its members may be more familiar with the products and services and their market availability.
Human Resources - The HR stakeholder should be consulted throughout the vendor management life cycle to ensure compliance with the enterprise's worker statutes, local regulations, code of conduct and labour law.
4. Managing a Cloud Service Provider
Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect the information, data, applications and infrastructure associated with cloud computing use.
The cloud is a shared resource, hence identity management, privacy and access control are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas has become a priority for organizations contracting with a cloud computing provider.
Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy and compliance with necessary regulations. The processes may also include a business continuity and data plan in case of a cloud security breach.
Using the public cloud effectively is an IT governance issue. The impact the cloud is having on the organization is initially assessed in order to devise a strategic and workable approach.
It is important to identify and categorize the data already within the organization and the business processes around it. For example, if credit card data is currently stored in house, outsourcing its storage would mean an increased scope for PCI DSS (although outsourcing the payment transactions themselves to an approved provider usually makes sense). Storing personal data could have legal ramifications if it is stored or replicated outside the country of the data subject.
Firstly, there is a need to address the new threats that virtualisation poses within cloud computing. The second is the ability of SMEs to perform due diligence effectively for an outsourced provider, given they rarely have in-house technical or legal expertise.
The Google Plus cloud service helps me keep my contacts, calendars, photos, etc., synchronized across my various computing devices, so I like this feature and service. When I suddenly had to switch mobiles as my previous one was not working, I got all my data back intact from this service. But I am also careful about the data I put there.
5. Metrics for SLA
An SLA defines the service level agreement between the vendor or service provider and the company. It also includes how the services will be measured. This defines whether expectations are met in terms of the services provided.
How to go about choosing the various factors for the metrics?
Firstly, there is a need to define the KPIs that could be used to measure the metrics. Secondly, the type of KPI, for example:
- Objective: number of major incidents in a month
- Subjective: improvements in client satisfaction
When selecting a KPI, one needs to understand what the indication of value to the customer is:
- Enhanced performance in the business
- Constraints removed from the business
- Availability and reliability of the service
- Performance of the service
- Security of the service
- Service continuity (ability to recover from disaster)
Metric types could be:
- Service metrics, which reflect the end-to-end quality of service or user experience
- Process metrics, to inform the service provider and customer of the effectiveness (achieving goals) and efficiency (use of resources) of key activities within the service delivery function
- Technology metrics, to inform the IT provider at the component level, enabling the identification of issues and improvement opportunities
Penalty clauses should be used only if:
- there is a reasonable lack of performance
- it is only the service provider's fault, which means that the company is not at fault at all
It should be done in a fair manner with an overall understanding of the incident.
Above all else, never forget the #1 rule: nothing should be included in an SLA unless it can be effectively monitored and measured at commonly agreed points.
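As an added example (not part of the article), the Python below measures the objective KPI named above (major incidents per month) together with monthly availability from recorded incidents, and applies the penalty rule: a penalty is eligible only when a KPI is missed and every incident that month is attributed solely to the provider; otherwise the month is marked for joint review. The incident layout, the targets and the sample incidents are constructed.

```python
"""Evaluate SLA KPIs and penalty eligibility (added example).

Follows the article's rules: measure an objective KPI (major incidents per
month) and availability from recorded incidents, and allow a penalty only
when a KPI is missed and the shortfall is solely the provider's fault. The
incident layout, the targets and the sample incidents are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

MAX_MAJOR_PER_MONTH = 1         # assumed target
AVAILABILITY_TARGET_PCT = 99.5  # assumed target


@dataclass(frozen=True)
class Incident:
    day: date
    severity: str          # "major" or "minor"
    attribution: str       # "provider", "customer" or "shared"
    downtime_min: int


def month_key(d: date) -> str:
    return f"{d.year}-{d.month:02d}"


def evaluate(incidents: List[Incident]) -> Dict[str, dict]:
    """Per-month KPI figures, breached KPIs, and the penalty decision."""
    per_month: Dict[str, List[Incident]] = {}
    for inc in incidents:
        per_month.setdefault(month_key(inc.day), []).append(inc)
    report: Dict[str, dict] = {}
    for month, incs in sorted(per_month.items()):
        year, mon = (int(x) for x in month.split("-"))
        minutes_in_month = calendar.monthrange(year, mon)[1] * 24 * 60
        downtime = sum(i.downtime_min for i in incs)
        availability = round((minutes_in_month - downtime) / minutes_in_month * 100, 3)
        majors = sum(1 for i in incs if i.severity == "major")
        breaches = []
        if majors > MAX_MAJOR_PER_MONTH:
            breaches.append("major_incidents")
        if availability < AVAILABILITY_TARGET_PCT:
            breaches.append("availability")
        # Penalty only when the company is not at fault at all: every incident
        # in the month feeds the figures above, so all must be provider-caused.
        provider_only = all(i.attribution == "provider" for i in incs)
        report[month] = {
            "major_incidents": majors,
            "availability_pct": availability,
            "breaches": breaches,
            "penalty_eligible": bool(breaches) and provider_only,
            "review_jointly": bool(breaches) and not provider_only,
        }
    return report


# Constructed sample incidents for three months.
SAMPLE_INCIDENTS = [
    Incident(date(2015, 5, 4), "major", "provider", 120),
    Incident(date(2015, 5, 20), "major", "provider", 60),
    Incident(date(2015, 6, 3), "major", "provider", 30),
    Incident(date(2015, 6, 18), "major", "customer", 400),   # customer-side misconfiguration
    Incident(date(2015, 7, 9), "minor", "provider", 10),
]

if __name__ == "__main__":
    for month, r in evaluate(SAMPLE_INCIDENTS).items():
        print(month, r)
```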
6. Third Party Audits
These can be conducted periodically depending on the criticality of the services. For these audits, the general controls used are:
Risk Assessment - Based on the risks pertaining to confidentiality, integrity and availability, access should be provided to the third party. Access control rights can be given based on the sensitivity of the data. This should also be covered by a clause in the contract. The risk assessment can decide the further action that needs to be taken.
Screening - Background checks for vendors/partners need to be performed vigilantly. This is a very important aspect of vendor management. The company also needs to be checked for its financial viability. Depending on the criticality of the business and contract, audits could also be performed on their existing information security controls and processes.
Information transfer - Agreements with the external party need to ensure that the transfer of information between both parties happens in a secure manner.
Selecting clauses in the agreement - Based on the risks assessed, the appropriate clauses should be present in the agreement. Penalty clauses based on the risks identified should exist. Turnaround time should also be mentioned in the clauses.
Access control - Access to data by third party contractors needs to be monitored at regular intervals. It should be given only on a need basis, and the minimum access necessary should be provided.
Confidentiality and Non-Disclosure Agreements - Confidentiality and non-disclosure agreements need to be signed by all employees of the third party who are contracted by the organization. These need to be reviewed on a periodic basis.
Compliance monitoring - Ensure that the third party complies with all clauses pertaining to security. This needs to be monitored, and they can also be audited for the same. This needs to be controlled based on access and other rights on data.
Termination of the agreement - When the agreement is terminated, or the contract has expired and the company has decided not to extend it, the proper controls need to be monitored: all assets should be returned by the vendor, and all access rights of the vendor removed. This again needs to be part of the contract.
7. Need for an effective vendor risk assessment
An effective and efficient vendor risk assessment provides benefits to the enterprise in terms of:
- Delivery of cost savings
- Meeting stakeholder needs
- Risk management
- Assurance of quality
- Standardization
- Flexibility and efficiency
IT security has become an important aspect of any business. Most companies are not willing to budget enough for IT security in general and vendor risk assessment in particular, despite the fact that the security of data processed by the enterprise, including through vendor resources, is pivotal. Data security may not be the primary business of any company, so companies do not spend higher amounts on IT security in general and on vendor risk assessment in particular.
Financial services companies are inclined to have higher budgets for IT security in general and for vendor risk assessment as compared to other types of companies. This is because regulators have mandated the security and confidentiality of customer data processed by these companies, albeit using many vendors. Consequently, these companies are forced to implement IT security standards. A vendor risk assessment will assure us that a vendor has become conscious of protecting the confidentiality, integrity and availability of the data and the associated information assets. This brings a culture change at the vendor company. IT security controls can be implemented only if the management of the vendor company supports the initiative.

References:
http://citebm.business.illinois.edu/TWC%20Class/Project_reports_Spring2006/Business%20Risk%20Management/Manzoor/project%20report.pdf
http://www.employeeservices.gov.sk.ca/projectsecurity
www.isaca.org - Vendor Management Using COBIT 5

Security Considerations while Procuring BYOD Solutions for Mobile Phone/Tablets
-Janak Majithiya

Brief Bio - About The Writer
Janak Majithiya (CISA, ISO27001 LA) has 10 years of extensive experience in information security, designing and reviewing infosec policies and procedures, information security risk management, ISO/IEC 27001 implementation and auditing, information security audit and third party information security risk assessment.

Bring your own device (BYOD) is the latest trend in many companies. Business requirements for working from home, accessing e-mail 24*7, instant customer support etc. are increasing, and the future trend looks like this will continue to increase.
In early 2010, most companies were using BlackBerry as the company-provided mobile phone device. A few months later, smartphones took over almost the entire BlackBerry market. Smartphones have made life easy, user friendly and cost effective. Companies realized the ongoing cost of the BlackBerry server, user licenses, device cost and service cost. From a security perspective, BlackBerry is reasonably secure due to the many security policy options available on the BlackBerry server, but too costly as compared to a smartphone.
Further, it is also a headache for the IT team to manage the inventory of such mobile devices. There are other issues as well, e.g. finance has to maintain book value and account for depreciation if a device is lost or stolen, and the IT team has to maintain Asset Allocation Forms, arrange repair in case a device is faulty, coordinate with the vendor, follow the purchase procedure etc. After all of these headaches and spending lots of money, business users are not satisfied due to the quality of the company phone and the restrictions and controls over it.
To avoid these many hurdles and to save cost, many companies have started allowing users to use their own smartphone devices. However, I have seen many companies implement a BYOD policy without even thinking of information security risk.

Risk Assessment (without implementing any BYOD security solution)

Threat: Information leakage through BYOD
Vulnerability:
- No segregation between corporate information and personal information.
- The user can download any attachment onto the BYOD phone's memory card.
- In case of user separation, the IT team cannot delete files stored on the personal memory card.
- A single user can configure the company's e-mail account on multiple mobile phone devices without the IT/Security team's knowledge.
Business Risk: There is a risk of information sharing (intentional or unintentional) with an unauthorized person or competitor due to the absence of security controls over the BYOD mobile; this may lead to loss of business / reputation.

I hope the above table is enough to alert business stakeholders on information security assurance. No firewall can help prevent information leakage if this is not taken care of.
Many security companies have developed BYOD security solutions. It is important for the company's security officer to choose the right solution to protect information. When we think of allowing user-owned devices for official purposes, the following MUST be taken care of:
1. Ensure the company's information is protected on the user-owned device.
2. Ensure the user's privacy. At the end of the day it is the user's device, and the company has no right to monitor what is stored on the user's mobile phone.
Most recognized BYOD security solutions provide THE MOST IMPORTANT SECURITY FEATURE, CALLED THE SECURE CONTAINER.
Such a tool creates a Corporate Space within the phone memory to segregate the company's information from personal information. The user accesses the Corporate Space through the BYOD client installed on their device. The magic of this control is that the user cannot copy and paste any information from the Corporate Space to the Personal Space.
Following are the TOP 10 security controls that MUST be considered in your BYOD security solution:

1. Secure Container - As mentioned above. Please don't even do a POC if the solution does not provide the secure container feature. All business e-mail attachments should be stored in the corporate space only and not in the personal space. Copy and paste should not be allowed from the corporate space to the personal space.
2. Restrict screenshot - No screenshots in the corporate space.
3. Integrate with the company's central authentication control - The BYOD security solution should be able to integrate with the company AD to access e-mails. This feature reduces the IT team's headache of maintaining a separate user management system.
4. Remote wipe-out - In case of theft or loss, the company's IT team should be able to wipe out the device remotely without anybody's intervention.
5. Selective wipe-out - There should be an option of selective wipe-out to wipe only the Corporate Space. No personal data should be wiped out.
6. Password Policy - A few BYOD security solutions ask for a password while accessing corporate e-mails. This is separate from the phone lock password.
7. Device Restriction - A user should be restricted to configuring the company's e-mail account on only ONE device. If a user attempts to configure another device, the BYOD security solution should prevent it and raise an alert to the security administrator.
8. Audit Logs - Various logs: last sync date and time; device details, e.g. mobile no., IMEI etc.; activity logs; security logs; user ID and e-mail ID. Also check log retention, access to logs, security of logs etc.
9. Compatibility - Does your solution support iOS, Android, Windows Phone etc.?
10. Users' Private data - The BYOD solution should not access the user's private space. The solution should respect the user's privacy.

The security checklist can be further enhanced along with the BYOD security solution vendor and the security officer based on need. Once the solution is implemented, the organization's HR team should roll out the BYOD policy with eligibility criteria, do's and don'ts etc.
There are lots of BYOD security solutions in the market; generally the CISO function should lead the BYOD security solution assessment.
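As an added example (not part of the article or of any BYOD product), the Python below checks a BYOD solution's sync logs against two of the controls above: control 7 (one enrolled device per user, alert on a second) and control 8 (last sync date and time per device, with devices that have gone silent flagged for review). The log format, the 30-day staleness window and the sample entries are constructed.

```python
"""Check BYOD sync logs for the device-restriction and audit-log controls
(added example).

Control 7 allows one enrolled device per user and wants an alert on a second
one; control 8 asks for last-sync and device details in the audit logs. The
log format, the staleness window and the sample entries are constructed; a
real BYOD solution exports its own format.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Tuple

MAX_DEVICES_PER_USER = 1
STALE_AFTER_DAYS = 30   # assumed: a device silent this long is reviewed

# Constructed format: timestamp, user, opaque device id, sync result.
SYNC_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<dev>\S+) result=(?P<res>\w+)$"
)

Event = Tuple[datetime, str, str, str]   # (timestamp, user, device, result)


def parse_sync_log(lines: List[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = SYNC_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines rather than abort the audit
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["dev"], m["res"]))
    return events


def devices_per_user(events: List[Event]) -> Dict[str, List[str]]:
    """Distinct device ids seen for each user, in order of first appearance."""
    seen: Dict[str, List[str]] = {}
    for _, user, dev, _ in events:
        devs = seen.setdefault(user, [])
        if dev not in devs:
            devs.append(dev)
    return seen


def device_violations(events: List[Event]) -> Dict[str, List[str]]:
    """Users with more enrolled devices than the policy allows (control 7)."""
    return {u: d for u, d in devices_per_user(events).items() if len(d) > MAX_DEVICES_PER_USER}


def last_sync(events: List[Event]) -> Dict[Tuple[str, str], datetime]:
    """Latest successful sync per (user, device): the record control 8 asks for."""
    latest: Dict[Tuple[str, str], datetime] = {}
    for ts, user, dev, res in events:
        if res != "ok":
            continue  # denied or failed syncs do not count as activity
        key = (user, dev)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def stale_devices(events: List[Event], today: date) -> List[Tuple[str, str, int]]:
    """Devices with no successful sync for STALE_AFTER_DAYS: candidates for
    deregistration or a selective wipe review."""
    out = []
    for (user, dev), ts in sorted(last_sync(events).items()):
        age = (today - ts.date()).days
        if age > STALE_AFTER_DAYS:
            out.append((user, dev, age))
    return out


# Constructed sample log.
SAMPLE_LOG = [
    "2015-06-10T08:00:00 user=alice device=DEV-A1 result=ok",
    "2015-06-14T09:30:00 user=alice device=DEV-A1 result=ok",
    "2015-06-14T09:45:00 user=bob device=DEV-B1 result=ok",
    "2015-06-14T21:10:00 user=bob device=DEV-B2 result=ok",     # second device
    "2015-05-01T07:15:00 user=carol device=DEV-C1 result=ok",
    "2015-06-13T07:15:00 user=carol device=DEV-C1 result=denied",
    "not a sync record",
]
SAMPLE_TODAY = date(2015, 6, 15)

if __name__ == "__main__":
    ev = parse_sync_log(SAMPLE_LOG)
    print("violations:", device_violations(ev))
    print("stale:", stale_devices(ev, SAMPLE_TODAY))
```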
Visit http://highersecurity.blogspot.in for more information security related blogs.
All Rights Reserved 2007-2015 ISACA Mumbai Chapter.
ISACA Conference
Photo Gallery
Felicitation of 2014 exam passers
The chapter celebrated the success of the ISACA 2014 exam takers in a glittering felicitation ceremony. Exam passers turned out in large numbers to receive their mementos and shared their experience of planning and preparing for the exam. A special mention of the function is a son receiving his CISA memento in the presence of his mother, who is also a CISA and an old member of the chapter. It was really heartening to see a mother and son holding the CISA certification together. The function finished with a dinner which was appreciated by all.

Photo captions:
Exam passer from Vadodara receiving the memento
CISA Coordinator and President talking to exam passers
Exam passer getting memento
Exam passer getting memento
Exam passer getting memento
Group photo
Happy exam passer
Mementos
Mother and son CISA

PCI DSS Workshop


Career Fair

Solution To Last Edition's Crossword Puzzle
[Solution grid image not reproduced; only fragments of the grid letters survived extraction. Answer words legible in the grid include CRISC, DLL, THREAT, FQDN, ROOTKIT, PROXY, CIPHER, HTTPS, RPO and PIRACY.]


Crossword Puzzle
[Grid image not reproduced; rows are lettered A onwards and columns are numbered 1 to 15. Clues are keyed as row-column of the first square.]

ACROSS
A-2  Something that blocks the signal
A-5  Computer dept. in old days
A-7  A code that can be used only once
A-12 Access which is not permitted
C-10 L in MPLS
C-14 A risk which remains after applying countermeasures
E-6  A US Govt computer security standard for cryptography (xxxx 140)
F-4  Objectionable sites are part of this
I-2  A business private social network
M-9  A type of ethical testing (xxxx box)
M-14 The overall performance of a telephony or computer network
N-7  Replicates and spreads over the network

DOWN
A-4  To remove or eliminate the key from a cryptographic equipment or fill device
B-1  A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema
D-2  Layer 2 of OSI Model
F-1  A unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of X.500 directory service
F-6  A device that protects the network
E-12 To be used in place of SSL
H-7  An _____ inventory is a must for any organization
J-7  A widely used authentication protocol developed at MIT
L-1  Software that allows a single host to run one or more guest operating systems
N-7  A type of malicious code
O-6  A supercomputer
O-12 Message Digest
P-2  A digital certificate containing a public key for an entity
P-10 Rendering sanitized data unrecoverable by laboratory attack