Professional Documents
Culture Documents
Infrastructure Mode
Ad-hoc mode
Mitigation
Encryption
Authentication
Common Sense Solutions
Understand what is really at risk
Take controls seriously
Don’t be too trusting of people
Use technology for help
TEST!
IS Auditing Guideline – Mobile
Computing
Planning
Obtain information regarding: intended use (business
transactions or personal productivity), technology
used, risk analysis, and policies used to manage
computing
Conduct interviews and document analysis
If a 3rd party is used to outsource IS or business
function, review the agreement
Relate risks to the criticality of the information stored
on the mobile devices
Risk Analysis
Auditor should consider the following when performing the risk
analysis:
- Privacy – examine protocols and procedures that protect sensitive
information on mobile devices (such as physical access controls)
- Authentication – certificate indicated verification by a certification
authority
- 2 Factor Authentication – verifies that the device and the end user
are authorized
- Data Integrity – detect changes in content or message during
storage or transmission
- Non Repudiation – user cannot deny processing a transaction
- Confidentiality and Encryption – using algorithms to transform data
- Unauthorized Use
Work Plan & Performance
Work Plan
Auditor documents how risks threaten
business, security, and IS objectives, and the
controls put in place to address the risks
Identify weaknesses
Performance of Audit
If control weaknesses exist, additional
procedures may be necessary
Consider discussing the audit with
stakeholders prior to issuing report
Auditing Wireless Networks
Access control, transmission control, viruses, and monitoring
access points are important risks to consider
Firewall generally secures information but WLAN creates new
challenges because it easier to access. Therefore control is
more important.
(Ex) If an employee were to bring in an unauthorized router in to
work, unauthorized users could potentially access the network
from outside the building
Access Point (AP) – security of APs is crucial for wireless
network auditing, consider unauthorized access, unauthorized
APs, improperly configured APs, and Ad Hoc networks
An Auditor might walk around the building looking for markings
left on the ground by hackers indicating a spot in range of a
wireless network
Wireless auditor – an automated system that detects anomalies