ISACA: take action to avoid mobile device geolocation risk: Association suggests five-step route
isaca.org
50% of smartphone users globally* access location-based applications such as Facebook, Groupon and Google Maps on their mobile devices, and that number is expected to grow significantly. But a new ISACA (Information Systems Audit and Control Association) white paper cautions that regulating the use of geolocation data is still in its infancy, so individuals must be aware of the information they are sharing and enterprises must act now to protect themselves and the information they provide, collect and use.
Geolocation uses data acquired from a computer or mobile device to identify a physical location. Applications using this technology offer consumers greater convenience, discounted prices and easy information sharing, and enable enterprises to deliver more personalized customer service and offers. But as geolocation services become more common, the need for data management and enterprise controls increases significantly.
As ISACA's new white paper, "Geolocation: Risk, Issues and Strategies," points out, malicious use of geolocation data can put both an individual and an enterprise at risk. When a person's personal information, such as gender, race, occupation and financial history, is combined with information from GPS and geolocation tags, criminals can use the data to identify an individual's present or future location. This raises the potential for threats ranging from burglary and theft to stalking and kidnapping.
"Geolocation is becoming more and more a real source of commercial and financial benefits for organisations, but unfortunately, as with any technology that becomes popular, geolocation also becomes more and more interesting for hackers, scammers and spammers," said Marc Vael, CISA, CISM, CGEIT, CISSP, Chair of the Knowledge Board and Cloud Computing Task Force at ISACA. "That is why this ISACA white paper is right on time to bring an independent but constructive view on the risks and issues, as well as strategies to follow in order to use geolocation in a sensible manner."
Marios Damianides, CISM, CISA, CA, CPA, past international president of ISACA and partner, Advisory Services, at Ernst & Young, added: "As the number of geolocation users grows and the proliferation of mobile devices continues, the prospect of individual or enterprise information becoming available to hackers or other unauthorized users is a significant concern. We need policies that will establish 'privacy by design' to instill trust across the enterprise and guard against malicious use of location information."
In the US, regulators are now moving to enact rules regarding how companies can use geolocation data. Current U.S. legislation proposed by Sens. Al Franken (D-Minn) and Richard Blumenthal (D-CT) would restrict whether companies can store individual location data obtained from mobile devices, and a proposed amendment to the Children's Online Privacy Protection Act (COPPA) from the U.S. Federal Trade Commission addresses the collection of geolocation data from children under age 13.
"In Europe, regulators are aware of such concerns and are referring to the existing data privacy legislation for rules regarding how companies can use geolocation data from individuals (independent of age), customers and employees, since this is also considered personal data," said Ramses Gallego, member of ISACA's Guidance and Practices Committee and security strategist and evangelist at Quest Software. "All principles and rules from the European data privacy law remain valid, such as proportionality, purpose limitation, transparency and security. In the transportation sector, for example, this topic is already taken care of for properly managing geolocation data captured and monitored from truck drivers and taxi drivers."
Marc Vael continued, "EU regulators are focused on how you collect the data and for what use. The goal of the legislation is the process and answering the following questions: what data is collected, when, how, what for, for which period of time, etc. Geolocation data is no different than other personal data, and any PII (Personally Identifiable Information) needs to have a purpose and limitation."
Collecting and using geolocation data poses risks to the enterprise, including:
* Privacy: Geo-tagging is implemented by users, but there may be multiple entities that have access to the data, including the service provider and wireless access points/developers. Users can't always identify (or aren't always aware of) the source or owner of their location data.
* Enterprise reputation: When breaches occur or policies have not been communicated clearly to customers, organizations risk negative perceptions of their brand.
* Compromise of sensitive information: The physical location of an enterprise and its remote facilities/equipment can be identified, increasing potential for loss of sensitive information through a variety of attacks.
"We live in a mobile world and geolocation is here to stay. It brings obvious benefits both to individuals and enterprises, but if not managed properly the associated risk will be substantial," said Ramses Gallego. "It directly impacts individuals' and enterprises' privacy and confidentiality, and the consequences of poor governance over geolocation can be disastrous."
What Can the Enterprise Do?
* Implement technology safeguards, leveraging frameworks such as COBIT (Control Objectives for Information and related Technology) as guidelines for policy development.
* Regularly update the operating systems and software of work devices to ensure security improvements are quickly proliferated throughout the enterprise.
* Classify data, making the most sensitive data (personal, financial, client-sensitive or confidential) unreadable or inaccessible.
* Design a device management program that covers, among other things, where users connect from.
* Take into account the applicable legislation and regulations on privacy around the world, which differ by country.
* Implement an effective risk management policy that identifies where geolocation services add value and are to be utilized, and where they should be disabled. Geolocation should be part of an organization's risk profile.
What Can Consumers and Employees Do?
ISACA advises people to follow a five-step "ROUTE" for informed use of geolocation services:
* Read mobile app agreements to see what information you are sharing.
* Only enable geolocation when the benefits outweigh the risk.
* Understand that others can track your current and past locations.
* Think before posting tagged photos to social media sites.
* Embrace the technology, and educate yourself and others.
"There are great consumer advantages of geolocation services, such as photos being tagged with the correct location or assisting you with directions to the location you are travelling to. However, as with all technologies, individuals and enterprises must consider their risk tolerance level," said Robert Stroud, past international vice president of ISACA and vice president, Strategy and Innovation, at CA Technologies. "The fundamental issue at play is that many consumers are unaware of the risks. They need to educate themselves in order to make informed decisions."
For more information on geolocation risk, benefits and governance issues, download the free ISACA white paper from www.isaca.org/geolocation.
Note: * Link to the IDG survey: http://www.businesswire.com/news/home/20l10711006694/en/IDG-Global-Survey-Shows-Smartphone-Growing-Rapidly
For more information on COBIT 5, which will be released in early 2012, visit www.isaca.org/cobit5.