Meeting ISO 27001 Regulatory Concerns in Mobile Compliance Training for IT Staff
As business mobility continues to explode onto the scene, the support needs and regulatory concerns of mobile devices climb, especially if you are in the regulatory rich financial industry and handle mobile financial transactions. With ISO 27001 comes a security management standard that requires an organization to prove its IT structure is effective for risk management. Once a financial institution has achieved ISO 27001 certification, the fun doesn’t stop, especially when we are talking about MDM. This brings attention to control 6.2.1 in regards to MDM which adds about a dozen or so control specifications that need to have policies around them, policies that your IT support teams need to learn and follow.
The Road To Maintaining Certification
The need to continuously meet the requirements to sustain ISO 27001 certification becomes priority one. This includes all of the DevOps procedures put into place in order to achieve certification. This makes it necessary to ensure that IT staffers understand the technical and regulatory policies needed to support and enforce PCI compliancy on devices used for mobile transactions, on both corporate and customer-facing devices. Communicating to IT staffers and customers how to best manage devices, particularly smartphones and transactional devices, in a PCI compliance world is vital to data and transactional security. Appropriate training and awareness needs to be in place for all levels of IT support staff. Therefore, it is important to present the regulatory and certification policies IT DevOps staff must know in developing and supporting mobile financial transactions and MDM, and ensure that appropriate educational and training initiatives are available.
ISO 27001 and Mobility
Before touching on training, you first need to understand how ISO 27001 applies to the mobile devices in the organization. In banking and finance, this goes beyond laptops, smartphones and tablets. ATM’s and customer-facing kiosks are key areas of concerns of ISO 27001. And, if your financial house is anything like the ones I have worked with, you have multiple hardware and operating systems out in the field, all having their own respective ISO 27001 compliance idiosyncrasies.
Ok, anecdote time. I was sitting in a conference room at the headquarters of a medium-sized Midwestern bank a couple of months after they achieved ISO 27001 certification. I was summoned into a meeting with the bank’s CIO and CSO. The new tablets they had purchased and put into production about a month after certification were flagged as being out of compliance, putting the fledgling certification at risk. I can’t divulge the technical specifics of the issue, but I can say the infrastructure engineers were using the pre-ISO 27001 certified runbook and not the ISO27001 runbook. Making things worse, those that needed access to the runbook could not view it; access was restricted to only senior level IT staff, not the junior level staff that were tasked with configuring and deploying the new tablets. As the QRadar alerts flowed into staff consoles in 4th of July-like rapid fire succession, the bank was scrambling to remediate the situation.
After some investigation, it was found that the security team manager handed off the wrong runbook to an intern in the department, not noticing the big “do not defer these tasks” bullet point. The intern, not being briefed on any of this, posted the older pre-ISO 27001 runbook, which was what the junior support staff began to follow. Since they did not know to perform certain security functions on the new tablets, they went out in a less than compliant state.
Although the bank had achieved ISO 27001 certification, it mishandled the handoff and training of its own staff, limiting the knowledge of the overall procedures in place and how to identify, report or escalate a potential certification shortcoming. This bank never added staff training to the project SOW, and the vendor never brought this up as a project milestone. This led to the bank securing an additional engagement from the vendor, and not at minimal cost, and severed all ties with the vendor once the engagement completed.
What IT Support Staff Must Know
The items outlined in control 6.2.1 in terms of mobile compliance are pretty straightforward when bullet pointed, but are of course much more complex when developing and applying policy around them. Adding to this, not all items outlined in control 6.2.1 apply to all banks; this will vary based on the banks systems, service offerings and overall revenue streams. This makes it more important that the policies set for your mobile devices are more than communicated out to support teams; this needs to be a mandatory training that is refreshed on a regular basis (I recommend doing this quarterly, and with a subsequent quiz that staff must pass). In doing so, you secure a roadmapped IT structure around mobile device security, while ensuring that IT staff is both fully briefed and held accountable for device security misses. This gives you a clear, concise and certified road to mobile device success.
Certification Starts Here
Anything in regards to achieving a regulatory compliance milestone or achieving a certification such as ISO 27001 requires a bank or financial institution to dive deeply into its DevOps policies and procedures. Doing so requires being briefed on all of the regulatory in’s and out’s, which is why engaging Champion in this regard is the key to success. Bringing Champion’s experience and resources into the fold ensures that you hit your ISO 27001 certification goals, as well as other regulatory goals required.