Risk
3/23/2012
12:26 PM
50%
50%

Compliance In An Age Of Mobility

Regulated companies put compliance efforts in jeopardy unless they address mobility.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Mobility might be rewriting some of the rules of business today, but some sets of rules it hasn't budged are the ones written by IT regulators. As organizations get their grips on the operational and endpoint security ramifications of persistent and pervasive mobility, they also need to think about how it is changing the way users interact with and store data, and what that means for ongoing compliance efforts.

"Compliance and regulatory rules still apply," said Wayne Wong, managing consultant for Kroll Ontrack's electronically stored information consulting group. "One of the truisms of compliance is that the principles remain the same regardless of the technology. All it is is a tweaking of the technical details of how you do it, but the obligations are the same. I think people think that it's a whole brand-new way of looking at compliance with mobility, but it really isn't. It's exactly the same."

According to some, this is going to require IT departments solidly fixed in an operations-focused mentality to shift paradigms.

"Due to cloud services and the consumerization of IT, corporate data is being housed both inside and outside the enterprise as well as in mobile user devices," said Eric Chiu, president and founder of HyTrust, a cloud compliance company. "With this trend, IT will need to move from being operational in function to being more control and governance-focused."

Getting a handle on governance of mobility practices requires businesses stop the wait-and-see game that has kept many from developing mobile policies until things seemingly settle down. As Mike Weber, managing director of Coalfire Labs, puts it, if your organization is "wishy-washy" about its mobile device policies, now is the time to take a stand.

"The most frequent problem we have seen is a lack of solid company standing on any issue. Without guidance and a documented 'company line' on mobile device usage, a company has no assurance that their staff understands the risks these devices bring, and further has no recourse in the event staff fail to report loss, theft, or suspicious activity," he said. "In the event of a data breach that goes unreported, a company may be faced with substantial fines and penalties depending on the state, industry, and regulation violated. If your organization is 'wishy-washy' on mobile device usage, it's time to pick a position and stick with it."

Read the rest of this article on Dark Reading.

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 26-29 in Orlando, Fla. Find out more.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

CVE-2013-6041
Published: 2014-12-27
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.

CVE-2013-6043
Published: 2014-12-27
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.

CVE-2013-6227
Published: 2014-12-27
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format param...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.