Recently, a terminated employee used his mobile device to log in to the company network and steal sensitive data. As the manager of the information technology (IT) security department, you were asked by your boss to present a summary of what the organization should do to prevent this from happening again.

Explain the goal of information security in relation to mobile devices.

Identify the three sources of threats, provide a summary of each, and provide at least one example of each.

Explain technical safeguards, and discuss which technical safeguard (s) should be used for mobile devices.

Explain data safeguards, and discuss which data safeguard (s) should be used in this type of scenario.

Explain human safeguards, and discuss which human safeguard (s) should be implemented.

Discuss why the organization needs an incident response plan to secure information and knowledge.

Answer: Recently, a terminated employee used his mobile device to log in to the company network and steal sensitive data. This is the presentation of the summary of what the organization should do to prevent this from happening again.

Explanation:

The objective of information security is to maintain a reasonably secure environment as well as the proper use of resources and risk management, in order to preserve the availability, integrity and confidentiality of information and the assurance of business continuity. Also:

To manage information security risks to keep them at acceptable levels. Protect information assets. Train public servants, suppliers and stakeholders about the importance of data protection. Monitor compliance with information security requirements. Implement corrective and improvement actions.

Since the current trend is that employees take their personal devices to the office, in addition to giving them personal use, the most common is that they use it for the review of corporate email and as support for the tasks of their daily work. Therefore, proper management of the devices that are connected must be defined, in order to use the applications and information according to the provisions of the policies established by the company.

The most common threats are:

Unofficial applications. (Can ask you for permitions and steal your private information) Public WIFI. (Can enter in to your network and steal your private information) Phising. (The most common is an email that force you to open a message which links to a malicious website to steal your personal information)

Always is important to protect the device with one or several of this advices:

Secure access networks. Access to information must be restricted in a way that guarantees that only those people who are really qualified to do so can access the information. Write a security policy. Define which devices can access corporate information. Protect WiFi connections. Protect against malware.

In this scenario the company should make an update of all information and networks, the installation and configuration of firewalls and encryption of corporate confidential information.

The best way is to train and make the employees of the company aware of the risk of sharing information and the legal punishment that they can have if they do it.

Every company must have a standardized risk plan to solve these types of situations before more information is leaked (can apply some of those mentioned above).