The University of Texas SystemNine Universities. Six Health Institutions. Unlimited Possibilities.System Audit Office210 W . 6th Street, Suite B .140E, Austin, Texas 78701Phone: 512-499-4390 Fax: 512-499-4426July 6, 2015The University of Texas at ArlingtonThe University of Texas at AustinThe University of Texas at BrownsvilleThe University of Texas at DallasThe University of Texas at El PasoPhillip B. DendyExecutive Director of Risk Management and Systemwide Compliance Officer ad interimThe University of Texas System Administration210 W. 6th Street, Suite B.140EAustin; Texas 78701The University of Texas - Pan AmericanThe University of Texasof the Pennian BasinThe University of Texas at San AntonioThe University of Texas at TylerDear Mr. Dendy:We have completed our audit of mobile device management across The University ofTexas System. The d tailed report is attached for your review.We conducted our engagement in accordance with The Institute of Internal Auditors'International Standards for the Professional Practice ofInternal Auditing.The University of TexasSouthwestern Medical CenterThe University of TexasMedical Branch at GalvestonThe University of TexasHealth Science Center at HoustonThe University of TexasHealth Science Center at San AntonioThe University of TexasM. D. Anderson Cancer CenterThe University of TexasHealth Science Center at Tylerwww.utsystem.eduWe will follow up on recommendations made in this report to determine theirimplementation status. This process will help enhance accountability and ensure thataudit recommendations are implemented in a timely manner.We appreciate the assistance provided by all information security staff and otherpersonnel throughout this audit.Sincerely,1Jk J. Michael Peppers, CPA, CIA, QIAL, CRMAChief Audit Executivecc:Mr. Miguel Soldi, Assistant CISO - Policy and AdministrationMr. Kevin Kjosa, Assistant CISO - Technical SupportMr. Marc Milstein, Associate Vice Chancellor and Chief Information OfficerInstitutional Chief Audit ExecutivesInstitutional Chief Information Security Officers

The University of Texas SystemMobile Device Management Audit ReportFY 2015July 2015THE UNIVERSITY OF TEXAS SYSTEM AUDIT OFFICE210 WEST SIXTH STREET, SUITE B.140EAUSTIN, TX 78701(512) 499-4390

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015Audit ReportJuly 2015EXECUTIVE SUMMARYIn a November 2011 report to The University of Texas (UT) System Board of Regents (Board), Deloitte& Touche LLP (Deloitte) cited mobile device security as the top security risk Systemwide. Mobiledevices, particularly those owned by individuals instead of the institution, present a high risk toinformation security due to the widespread and increased use of mobile devices to access Universityinformation resources by UT System faculty, staff, and students, who may not be aware of best practicesor have the tools to securely use such devices. In addition to the risk that University confidential datamay reside on a personally-owned and unsecure mobile device, connecting an unmonitored or unmanageddevice to institutional resources also increases the risk of spreading malware and other network intrusionthreats. These risks may be somewhat mitigated by having some combination of user training andsecurity and monitoring operations at each institution. The impact of a failure to manage institutionallyowned and personally-owned mobile devices (collectively referred to as mobile devices unlessspecifically stated otherwise) could vary, depending on the specific situation and whether any confidentialor sensitive data was compromised.The Deloitte security report resulted in the development of the UT System Information SecurityAssurance Initiative (ISAI), and as of November 2014, slightly over 1 million allocated for this initiativehad been spent specifically towards mobile device security. The majority of the mobile device securityfunds were used to purchase Systemwide licenses for a mobile device management (MDM) softwaresolution, AirWatch LLC.To determine whether UT System institutions are implementing appropriate strategies to address theserisks, we read policies and procedures related to mobile devices and interviewed institutional ChiefInformation Security Officers (CISOs). We also reviewed UT System’s agreement with AirWatch, LLCto gain an understanding of the contract terms for the purchase of MDM services, and assessedimplementation status of this solution.Information security staff are aware of the rise in mobile device usage across the UT System. Institutionsare currently in various stages of maturity in terms of mobile device management strategy, ranging fromlimited controls up through more robust MDM solutions. This report includes recommendations relatedto enhancing coverage of mobile device topics in policies and procedures, inventorying mobile devices,managing the AirWatch contract, and additional observations regarding cloud storage and computingservices that are common with mobile device use.A Priority Finding is defined as “an issue identified by an internal audit that, if not addressed timely,could directly impact achievement of a strategic or important operational objective of a UT institution orthe UT System as a whole.” Non-Priority Findings are ranked as High, Medium, or Low, with the levelof significance based on an assessment of applicable Qualitative, Operational Control, and Quantitativerisk factors and probability of a negative outcome occurring if the risk is not adequately mitigated. Thisaudit resulted in one High and three Medium-level findings, but no Priority Findings.BACKGROUNDIn November 2011, following a report to the Board by Deloitte on their comprehensive informationsecurity compliance effectiveness review of UT System, the Board allocated 29,255,000 to invest invarious information security enhancements. This launched the UT System Information SecurityThe University of Texas SystemPage 1

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015Assurance Initiative, and as of November 2014, slightly over 1 million had been used towards mobiledevice security, specifically by purchasing the AirWatch MDM software. The rest of the ISAI allocationwas budgeted for other information security risks identified by Deloitte. As shown in the followinggraphic, mobile device security was identified by Deloitte as the highest security risk across UT System.Accordingly, the UT Systemwide Information Security Office recognized this risk and attempted tomitigate it with an MDM solution that could be used across the institutions.Graphic courtesy of the UT Systemwide Information Security OfficeSince mobile device security was identified as the highest security risk, institutional policies shouldclarify what constitutes a mobile device or refer institutional users to UT System Policy UTS165,Information Resources Use and Security Policy. The National Institute of Standards and Technology(NIST) acknowledges the difficulty in defining a “mobile device” because their features are constantlychanging. However, in its Special Publication 800-124, Revision 1, Guidelines for Managing theSecurity of Mobile Devices in the Enterprise, NIST does provide a working definition of a mobile deviceas one that has: A small form factor;At least one wireless network interface for network access (data communications);Local built-in (non-removable) data storage;An operating system that is not a full-fledged desktop or laptop operating system; andApplications available through multiple methods (provided with the mobile device, accessedthrough web browser, acquired and installed from third parties).Additionally, the provisions of the Texas Administrative Code, Title 1, Part 10, Chapter 202 (TAC 202)that became effective on March 17, 2015 require the Texas Department of Information Resources (DIR)to define mandatory security controls. Recognizing that “mobile computing and teleworking exposesystems and information to exploitable vulnerabilities,” the DIR published the Security Control StandardsCatalog and established control standard AC-19 – Access Control for Mobile Devices, which requiresthat state organizations begin implementing “usage restrictions, configuration requirements, connectionThe University of Texas SystemPage 2

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015requirements, and implementation guidance for organization-controlled mobile devices, whether ownedby the state organization or the employee” by February 2016. These requirements should be taken intoconsideration when updating or developing new institutional policies regarding mobile devices.Contributing to the risk is the fact that use of mobile devices has increased rapidly over the past severalyears, beyond personal use for gaming or entertainment, to a broad spectrum of both personal andcorporate computing and connectivity. Gartner, an information technology (IT) research and advisorycompany, issued a press release on January 5, 20151, predicting an increase in the number of overallcomputing device shipments through 2016; however, traditional personal computers (PCs) are expected todecrease, while “ultramobile” PCs, tablets, mobile phones, and other hybrid computing devices areexpected to increase. Summary data on the current mobile landscape is presented in the following table:Worldwide Device Shipments by Segment, 2014-2016 (Millions of Units)Device Type2014 Estimated2015 Projected2016 ProjectedTraditional Personal Computers279259248(PCs), Desk-Based and NotebookUltramobile Premium396285PC Market Total318321333Tablets216233259Mobile Phones1,8381,9061,969Other Hybrids/Clamshells6911Total2,3782,4692,572As indicated from these data, the use of mobile devices is expected to rise. While protecting data iscritical, the increase of mobile devices being connected to institutional networks also introduces a newsource for attacks. Therefore, the proliferation of mobile devices and their increased use to accessUniversity information resources was identified as a high risk and, combined with the Deloitte securityfindings, resulted in the inclusion of this audit on the Fiscal Year 2015 audit plan.AUDIT OBJECTIVESThe objectives of this audit were to assess whether UT institutions, including UT System Administration,have a) policies and procedures in place to define and address mobile devices and b) methods to enforcethese policies and manage such devices. We also gathered information on institutional successes andchallenges in implementing mobile device management strategies.SCOPE & METHODOLOGYFor purposes of this audit, we substantially adopted NIST’s definition and focused on small devices thatdo not run on a full-fledged desktop or laptop operating system (i.e., primarily Android and Apple iOSsmartphones and tablets). Also, institutionally-owned mobile devices are defined as devices purchasedand managed by the institution, and personally-owned mobile devices are defined as those that are ownedby individuals instead of the institution but used for business purposes. Policies and procedures related toinstitutionally-owned laptop computers were not included in the scope of this audit. Our review of UTSystem and institutional policies and procedures for coverage of mobile device security topics was basedon guidance from various sources (for example, NIST and ISACA).1“Gartner Says Tablet Sales Continue to Be Slow in 2015,” Gartner, Inc., accessed March 2, e University of Texas SystemPage 3

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015We performed background research to gain an understanding of the current mobile device landscape andMDM technologies, and reviewed institutional policies and procedures for mobile devices. We gatheredand reviewed information about mobile device security practices from the institutional CISOs throughquestionnaires and follow-up meetings. We also reviewed UT System’s agreement with AirWatch togain an understanding of the terms for the purchase of MDM services.This audit was primarily intended to assess whether institutions across the UT System have a mobiledevice strategy in place, and if so, to what extent. Having a strategy, or plan, in place is an important firststep to achieving effective mobile device security. Accordingly, we collected and analyzed informationthat was self-reported by the information security staff across UT System and did not perform specificdetailed testing for compliance with institutional policies. That is, we inquired whether MDM was beingused but did not test whether the MDM solution was in place and effectively functioning. Our audit wasconducted in accordance with guidelines set forth in the Institute of Internal Auditors’ InternationalStandards for the Professional Practice of Internal Auditing.AUDIT RESULTSThe CISOs and their staff reported that a variety of mobile devices, such as phones and tablets, are usedto check email and run various mobile device programs (“apps”) for business purposes at their respectiveinstitutions. In general, the UT System institutions are currently in various stages of maturity in terms ofmobile device management. As expected, some institutions had more mature mobile device managementstrategies than others. The AirWatch MDM solution that was purchased by UT System has not yet beenfully leveraged by UT System Administration or the institutions, as described in further detail below.Generally, the health institutions had more robust strategies in place, while the smaller academicinstitutions tended to lag behind in implementation of MDM strategies, reportedly due to limitedresources and different institutional needs.Mobile Device Management SolutionsAs previously mentioned, users increasingly rely on the use of mobile devices to stay connected to theirbusiness-related emails, calendar, and contacts. Most institutions allow personally-owned devices, withfew restrictions, to connect to the institutional network, provided that the user has the appropriatecredentials. For example, UT MD Anderson does not allow Android devices and will request that they bedisconnected when detected and UTHSC-Houston does not permit jailbroken or rooted devices.2 MDMsoftware solutions can help enforce these restrictions.MDM Products and Common FeaturesImplementation and use of MDM software varies among the institutions. The CISOs reported that theyare evaluating or are currently using different tools for MDM, including: Absolute ManageAirWatch by VMwareBoxTone (now Good Technology)Microsoft IntuneCisco MerakiMobileIron2“Jailbreaking” or “rooting” a device is the process of removing or circumventing restrictions such that the user canmodify the core operating system.The University of Texas SystemPage 4

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015 AT&T ToggleMicrosoft Exchange ActiveSync protocolNote that Microsoft Exchange ActiveSync is a communications protocol for the synchronization of emailand other information (for example, a user’s emails, calendar, and contacts) from a server to users’ mobiledevices. While it is not generally considered a full MDM product, it does have some MDM capabilitiesand can be used to enforce certain security policies, such as requiring passwords and performing remotewipes.An MDM product typically has more robust features and can perform more device managementfunctions. For example, while ActiveSync can wipe a device remotely, MDM software may offer theoption to only delete business-related data or only provide view access to emails such that they are neveractually stored on the mobile device. MDM solutions in the market today offer security controls that canbe applied to the entire device or only to a secure container on the device. According to Gartner, MDM“includes software that provides the following functions: software distribution, policy management,inventory management, security management and service management for smartphones and mediatablets.”3We reviewed product information from various MDM vendors and found their software have certainfeatures in common: Manage various types of devices running different operating systems;Provide visibility into enrolled devices from a single console or dashboard;Enforce network security policies and manage apps;Segregate work content from personal content; andAllow easy enrollment of personally-owned devices.Unused AirWatch Licenses Purchased by UT SystemIn July 2013, UT System entered into a Preferred Supplier Agreement with AirWatch, LLC for MDMservices. As part of this agreement, UT System purchased 50,000 perpetual licenses for the MDMsoftware at 14 each and also received 10,000 perpetual licenses4 for AirWatch’s mobile contentmanagement (MCM) software without charge. The MCM software allows corporate content to besecurely stored and accessed from mobile devices. UT System also paid for the first two years of annualmaintenance and support for the MDM and one year of maintenance and support for the MCM(maintenance fees for the first year were waived), with the current maintenance term scheduled to expireat the end of July 2015. The annual maintenance fee for the MDM and MCM is 2.80 per license. Theaggregate initial cost of the software licenses and maintenance was 1,008,000.ItemMDM LicenseMDM Annual MaintenanceMCM LicenseMCM Annual MaintenanceTotalUnits50,00050,00010,00010,000Price per Unit 14.00 2.80/year 0 (waived) 2.80/year3Total 700,000 280,000 0 28,000 1,008,000Gartner, Inc., accessed March 2, 2015, anagement-mdm.A perpetual license allows the licensed software to be used indefinitely. However, separate annual maintenancefees are typically required to receive updates to the software.4The University of Texas SystemPage 5

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015Beginning with the third year, any institutions that hold licenses will be responsible for maintenance feeson those licenses allocated to them. For any licenses not allocated, UT System is contractually obligatedto pay for maintenance fees or the software will not be updated and become outdated as mobile devicesand operating systems evolve.The AirWatch contract was executed with the intentInstitutionRequestedUsedthat the MDM tool would be made available forUT Arlington2,0510those institutions that did not already have an MDM5UTAustin0100tool in place. The implementation of AirWatchUT San Antonio1000MDM was not mandated. Of the 50,000 AirWatchUTTyler500fewMDM licenses purchased by UT System nearly twoUT MD Anderson1000years ago, approximately 22,500 (or 45 percent)UTSouthwestern1,8151,442have been requested by the institutions forUTHSC-Houston7,0002,009deployment as of March 2015, leaving over half ofUTHSC-SanAntonio5,00062the licenses remaining with UT System. Of the6UTMedicalBranch5,50036822,566 licenses reported as requested ,5006approximately 17 percent (or 8 percent of the 50,000 UT System AdministrationTotal22,5663,887total) was reported as actually being in use. Thetable to the right provides a summary of the AirWatch MDM licenses requested, and being used, by eachinstitution. This effectively translates to about 645,000 of MDM software and 258,000 in annualmaintenance fees, or approximately 903,000 of the initial cost left unused Systemwide.Recommendation (1): If a significant number of the licenses will remain unused, theSystemwide Information Security Office should work with the vendor to suspend the annualmaintenance fees for unused licenses (currently approximately 75,000 per year) or identify afeasible alternative to mitigate the future expense (such as eliminating those licenses not expectedto be used).Level (1): This finding is considered High due to the actual costs incurred and potential futurecosts for a product that is not being significantly utilized.Management’s Response (1): As part of the ISAI initiative, the Systemwide InformationSecurity Office created a multi-institutional work group, comprised of members from UT Dallas,UT Austin, UT Pan American, UT Southwestern, UT HSC Houston, Medical Branch, MDACC,and the Supply Chain Alliance, to determine the functional requirements of the product,determine deployment levels, draft a Request for Proposal (RFP), evaluate proposals, and make arecommendation on the selected product. The intent of the purchase of AirWatch was to providethose institutions that had not already selected and purchased a product with a viable alternative.Institutions have the flexibility to choose a mobile device management product that best meets theinstitutions’ requirements and capabilities of implementation. Institutions are not required bydirective or policy to use or consider AirWatch as their preferred solution for mobile devicemanagement.5Note that UT Austin’s 100 AirWatch MDM licenses are excluded from the total, as those appear to have beenpurchased separately from the UT System agreement (on annual subscription basis), based on accounting records.6The total number of licenses reported as requested by the institutions was substantially reconciled to an internaltracking spreadsheet provided by the Systemwide Information Security Office in March 2015 (within 282 licenses).The University of Texas SystemPage 6

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015Management agrees with the need to avoid the continued payment of maintenance on licensesthat will never be deployed. The Systemwide Information Security Office will work withVMware to identify a means by which UT System and institutions will pay for the maintenanceof licenses deployed or that have a realistic expectation of being deployed in the short to mediumterm. Specifically: Determine the number of AirWatch licenses currently not allocated or deployed. Follow up with institutions to assess the status of their corresponding evaluations anddeployment. Re-evaluate the number of licenses that will be required by institutions deploying orconsidering deploying AirWatch. Determine the number of excess licenses that, realistically, will never be deployed. Engage VMware in conversations to identify, if possible, a path moving forward bywhich the maintenance fee for the excess licenses is suspended or avoided.Implementation Date (1): August 31st, 2015Recommendation (2a, 2b): The Systemwide Information Security Office should continue towork with the CISOs of the institutions where AirWatch MDM is not being considered toreassess the viability of implementing that product. Also, it may be beneficial to developawareness training to assist the institutional CISOs in better informing the users at theirinstitutions of the capabilities and limitations of MDM, and how the features of an MDM solutionwill assist and protect the users. Recognizing that institutions may implement AirWatch indifferent ways, training content could include a general reminder of the importance of protectingUniversity data and the purpose of MDM as another tool to do so. Communicating this messagemay increase success in deployment.Level (2a, 2b): This finding is considered Medium due to potential level of information securityrisk from insufficient controls over mobile devices as their use is expected to increase over time.Management’s Response (2a): The recommendation includes a task related to theimplementation of AirWatch and a task related to mobile device management awareness training.Each will be addressed separately.The Systemwide Information Security Office has actively engaged institutions on mobile devicemanagement, including AirWatch. As mentioned above, institutions are not required by directiveor policy to use AirWatch as their preferred solution for mobile device management. Thisrecommendation requires the Systemwide Information Security Office to compel institutions notcurrently considering AirWatch to reassess their decision. However, the SystemwideInformation Security Office will re-engage institutions that do not have an MDM strategy in placeas identified in Appendix B.Implementation Date (2a): Email communication to appropriate CISOs and follow-up conference call: July 31st. Include mobile device management implementation as topic of discussion during CISOCouncil – August 12th. In-person meeting and discussion during CISO Council and UTINFOSEC – August 14th. Report detailing outcome of communication and meeting – August 31st, 2015.The University of Texas SystemPage 7

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015Management’s Response (2b): Management agrees that training and guidelines are an importantrequirement for a successful implementation of a mobile device management strategy and tocreate the user buy-in needed to accept it, enroll devices, and participate in its deployment. TheSystemwide Information Security Office leverages mobile device management related resourcesfrom UT System institutions, EDUCAUSE, and institutions of higher education, and makes themavailable to institutional CISOs via a SharePoint site dedicated to mobile device management.The items below are already works-in-process: Create a UT System web site for mobile device management that introduces the initiativeand includes links to resources available to CISOs. Create a SharePoint site, as part of the UT System CISO SharePoint, dedicated to mobiledevice management that includes: benefits, FAQ, Getting Started guidelines, privacyconcerns, configuration baselines, and resources from other UT System institutions,EDUCAUSE, and other institutions of higher education. Create a SharePoint site to support the UT System Administration AirWatch pilotimplementation. In addition, this site will include device requirements, device enrollmentinstructions, and device management rules.Implementation Date (2b): August 31st, 2015AirWatch and MDM Usage SystemwideBased on AirWatch’s website materials and a review of the agreement, it appears that their MDMsolution can control the majority of mobile device platforms (operating systems) currently in use andmanage personally-owned mobile devices as well. The AirWatch MDM solution is in various stages ofimplementation across the UT System institutions, with UT Southwestern appearing to be the most fullyimplemented based on the information we reviewed. Several other institutions are evaluating ordeploying the software, and a few have not been able to begin work on AirWatch or any other MDMimplementation for various reasons. See Appendix B for details by institution, including explanationsprovided for why AirWatch was not implemented. A summary follows: 1 of 16 institutions7 has fully implemented AirWatch;7 institutions are evaluating or have partially implemented AirWatch and are planning to expandimplementation;3 institutions have fully implemented and were already using a different MDM solution (AbsoluteManage, Meraki, and BoxTone);4 institutions are evaluating or have partially implemented a different MDM solution; and3 institutions do not yet have plans to implement any MDM solution.At institutions where the purchased AirWatch licenses are not currently being considered for use, theinstitutional CISOs cited ongoing maintenance fees, inadequate staffing and training, and a desire forproducts that are more suited for their unique institutional needs as some of the reasons for notimplementing AirWatch at this time. Interestingly, at two institutions where AirWatch is not beingconsidered for implementation across the entire institution, each one has a single department that does useAirWatch for MDM.7For purposes of this audit, UT System Administration was considered an institution, along with the nine currentacademic institutions and the six current health institutions. However, total number of institutions does not equal 16because some institutions are evaluating AirWatch along with a different MDM solution.The University of Texas SystemPage 8

The University of Texas SystemMobile and Personal Device Management AuditFiscal Year 2015UTS165 includes specific requirements for mobile devices used for business. Also, institutions mayallow users to access or store confidential data with a personally-owned mobile device. The UT SystemInformation Security Compliance staff conducted a series of “Mobility Monday” presentations to educatetechnical staff across the UT System about various risks related to mobile devices and using MDMsoftware solutions. An MDM solution would help meet the policy requirements and mitigate risks relatedto unauthorized exposure of confidential data.Recommendation (3): The Systemwide Information Security Office should assist the institutionsin reconsidering a decision to not implement any MDM solution by highlighting how MDM canbe used to enhance policy compliance and overall information security. While additional costand effort may be required upfront, an MDM solution can help ensure compliance with policyrequirements and mitigate risks related to unauthorized exposure of confidential data.Level (3): This finding is considered Medium due to the potential level of information securityrisk from insufficient controls over mobile devices as their use is expected to increase over time.Management’s Response (3): Management agrees that the implementation of a mobile devicemanagement strategy and supporting application mitigates risks related to unauthorized exposureof confidential data, enhances policy compliance, and overall information security. Theimplementation of such a strategy and application is not a trivial endeavor limited to installingand deploying a tool, but one that requires policy work, identification of requirements andcreation of management rules, strategy communicat

We have completed our audit of mobile device management across The University of Texas System. . (MDM) software solution, AirWatch LLC. . acknowledges the difficulty in defining a “mobile device” because their features are constantly c