
The University of Texas System
Nine Universities. Six Health Institutions. Unlimited Possibilities.

System Audit Office
210 W. 6th Street, Suite B.140E, Austin, Texas 78701
Phone: 512-499-4390  Fax: 512-499-4426
www.utsystem.edu

Letterhead institutions: The University of Texas at Arlington; The University of Texas at Austin; The University of Texas at Brownsville; The University of Texas at Dallas; The University of Texas at El Paso; The University of Texas - Pan American; The University of Texas of the Permian Basin; The University of Texas at San Antonio; The University of Texas at Tyler; The University of Texas Southwestern Medical Center; The University of Texas Medical Branch at Galveston; The University of Texas Health Science Center at Houston; The University of Texas Health Science Center at San Antonio; The University of Texas M. D. Anderson Cancer Center; The University of Texas Health Science Center at Tyler.

July 6, 2015

Phillip B. Dendy
Executive Director of Risk Management and Systemwide Compliance Officer ad interim
The University of Texas System Administration
210 W. 6th Street, Suite B.140E
Austin, Texas 78701

Dear Mr. Dendy:

We have completed our audit of mobile device management across The University of Texas System. The detailed report is attached for your review.

We conducted our engagement in accordance with The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

We will follow up on recommendations made in this report to determine their implementation status. This process will help enhance accountability and ensure that audit recommendations are implemented in a timely manner.

We appreciate the assistance provided by all information security staff and other personnel throughout this audit.

Sincerely,

J. Michael Peppers, CPA, CIA, QIAL, CRMA
Chief Audit Executive

cc: Mr. Miguel Soldi, Assistant CISO - Policy and Administration
    Mr. Kevin Kjosa, Assistant CISO - Technical Support
    Mr. Marc Milstein, Associate Vice Chancellor and Chief Information Officer
    Institutional Chief Audit Executives
    Institutional Chief Information Security Officers
The University of Texas System
Mobile Device Management Audit Report
FY 2015
July 2015

THE UNIVERSITY OF TEXAS SYSTEM AUDIT OFFICE
210 WEST SIXTH STREET, SUITE B.140E
AUSTIN, TX 78701
(512) 499-4390
The University of Texas System
Mobile and Personal Device Management Audit
Fiscal Year 2015
Audit Report
July 2015

EXECUTIVE SUMMARY

In a November 2011 report to The University of Texas (UT) System Board of Regents (Board), Deloitte & Touche LLP (Deloitte) cited mobile device security as the top security risk Systemwide. Mobile devices, particularly those owned by individuals instead of the institution, present a high risk to information security due to the widespread and increased use of mobile devices to access University information resources by UT System faculty, staff, and students, who may not be aware of best practices or have the tools to securely use such devices. In addition to the risk that University confidential data may reside on a personally-owned and unsecure mobile device, connecting an unmonitored or unmanaged device to institutional resources also increases the risk of spreading malware and other network intrusion threats. These risks may be somewhat mitigated by having some combination of user training and security and monitoring operations at each institution. The impact of a failure to manage institutionally-owned and personally-owned mobile devices (collectively referred to as mobile devices unless specifically stated otherwise) could vary, depending on the specific situation and whether any confidential or sensitive data was compromised.

The Deloitte security report resulted in the development of the UT System Information Security Assurance Initiative (ISAI), and as of November 2014, slightly over $1 million allocated for this initiative had been spent specifically towards mobile device security. The majority of the mobile device security funds were used to purchase Systemwide licenses for a mobile device management (MDM) software solution, AirWatch LLC.

To determine whether UT System institutions are implementing appropriate strategies to address these risks, we read policies and procedures related to mobile devices and interviewed institutional Chief Information Security Officers (CISOs). We also reviewed UT System’s agreement with AirWatch, LLC to gain an understanding of the contract terms for the purchase of MDM services, and assessed implementation status of this solution.

Information security staff are aware of the rise in mobile device usage across the UT System. Institutions are currently in various stages of maturity in terms of mobile device management strategy, ranging from limited controls up through more robust MDM solutions. This report includes recommendations related to enhancing coverage of mobile device topics in policies and procedures, inventorying mobile devices, managing the AirWatch contract, and additional observations regarding cloud storage and computing services that are common with mobile device use.

A Priority Finding is defined as “an issue identified by an internal audit that, if not addressed timely, could directly impact achievement of a strategic or important operational objective of a UT institution or the UT System as a whole.” Non-Priority Findings are ranked as High, Medium, or Low, with the level of significance based on an assessment of applicable Qualitative, Operational Control, and Quantitative risk factors and probability of a negative outcome occurring if the risk is not adequately mitigated. This audit resulted in one High and three Medium-level findings, but no Priority Findings.

BACKGROUND

In November 2011, following a report to the Board by Deloitte on their comprehensive information security compliance effectiveness review of UT System, the Board allocated $29,255,000 to invest in various information security enhancements. This launched the UT System Information Security Assurance Initiative, and as of November 2014, slightly over $1 million had been used towards mobile device security, specifically by purchasing the AirWatch MDM software. The rest of the ISAI allocation was budgeted for other information security risks identified by Deloitte. As shown in the following graphic, mobile device security was identified by Deloitte as the highest security risk across UT System. Accordingly, the UT Systemwide Information Security Office recognized this risk and attempted to mitigate it with an MDM solution that could be used across the institutions.

[Graphic courtesy of the UT Systemwide Information Security Office]

Since mobile device security was identified as the highest security risk, institutional policies should clarify what constitutes a mobile device or refer institutional users to UT System Policy UTS165, Information Resources Use and Security Policy. The National Institute of Standards and Technology (NIST) acknowledges the difficulty in defining a “mobile device” because their features are constantly changing. However, in its Special Publication 800-124, Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST does provide a working definition of a mobile device as one that has:

- A small form factor;
- At least one wireless network interface for network access (data communications);
- Local built-in (non-removable) data storage;
- An operating system that is not a full-fledged desktop or laptop operating system; and
- Applications available through multiple methods (provided with the mobile device, accessed through web browser, acquired and installed from third parties).

Additionally, the provisions of the Texas Administrative Code, Title 1, Part 10, Chapter 202 (TAC 202) that became effective on March 17, 2015 require the Texas Department of Information Resources (DIR) to define mandatory security controls.
Recognizing that “mobile computing and teleworking expose systems and information to exploitable vulnerabilities,” the DIR published the Security Control Standards Catalog and established control standard AC-19 – Access Control for Mobile Devices, which requires that state organizations begin implementing “usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, whether owned by the state organization or the employee” by February 2016. These requirements should be taken into consideration when updating or developing new institutional policies regarding mobile devices.

Contributing to the risk is the fact that use of mobile devices has increased rapidly over the past several years, beyond personal use for gaming or entertainment, to a broad spectrum of both personal and corporate computing and connectivity. Gartner, an information technology (IT) research and advisory company, issued a press release on January 5, 2015 [1], predicting an increase in the number of overall computing device shipments through 2016; however, traditional personal computers (PCs) are expected to decrease, while “ultramobile” PCs, tablets, mobile phones, and other hybrid computing devices are expected to increase. Summary data on the current mobile landscape is presented in the following table:

Worldwide Device Shipments by Segment, 2014-2016 (Millions of Units)

Device Type                                   2014 Estimated   2015 Projected   2016 Projected
Traditional PCs, Desk-Based and Notebook                 279              259              248
Ultramobile Premium                                       39               62               85
PC Market Total                                          318              321              333
Tablets                                                  216              233              259
Mobile Phones                                          1,838            1,906            1,969
Other Hybrids/Clamshells                                   6                9               11
Total                                                  2,378            2,469            2,572

As indicated from these data, the use of mobile devices is expected to rise. While protecting data is critical, the increase of mobile devices being connected to institutional networks also introduces a new source for attacks. Therefore, the proliferation of mobile devices and their increased use to access University information resources was identified as a high risk and, combined with the Deloitte security findings, resulted in the inclusion of this audit on the Fiscal Year 2015 audit plan.

AUDIT OBJECTIVES

The objectives of this audit were to assess whether UT institutions, including UT System Administration, have a) policies and procedures in place to define and address mobile devices and b) methods to enforce these policies and manage such devices. We also gathered information on institutional successes and challenges in implementing mobile device management strategies.

SCOPE & METHODOLOGY

For purposes of this audit, we substantially adopted NIST’s definition and focused on small devices that do not run on a full-fledged desktop or laptop operating system (i.e., primarily Android and Apple iOS smartphones and tablets). Also, institutionally-owned mobile devices are defined as devices purchased and managed by the institution, and personally-owned mobile devices are defined as those that are owned by individuals instead of the institution but used for business purposes. Policies and procedures related to institutionally-owned laptop computers were not included in the scope of this audit. Our review of UT System and institutional policies and procedures for coverage of mobile device security topics was based on guidance from various sources (for example, NIST and ISACA).

[1] “Gartner Says Tablet Sales Continue to Be Slow in 2015,” Gartner, Inc., accessed March 2, 2015.
We performed background research to gain an understanding of the current mobile device landscape and MDM technologies, and reviewed institutional policies and procedures for mobile devices. We gathered and reviewed information about mobile device security practices from the institutional CISOs through questionnaires and follow-up meetings. We also reviewed UT System’s agreement with AirWatch to gain an understanding of the terms for the purchase of MDM services.

This audit was primarily intended to assess whether institutions across the UT System have a mobile device strategy in place, and if so, to what extent. Having a strategy, or plan, in place is an important first step to achieving effective mobile device security. Accordingly, we collected and analyzed information that was self-reported by the information security staff across UT System and did not perform specific detailed testing for compliance with institutional policies. That is, we inquired whether MDM was being used but did not test whether the MDM solution was in place and effectively functioning. Our audit was conducted in accordance with guidelines set forth in the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.

AUDIT RESULTS

The CISOs and their staff reported that a variety of mobile devices, such as phones and tablets, are used to check email and run various mobile device programs (“apps”) for business purposes at their respective institutions. In general, the UT System institutions are currently in various stages of maturity in terms of mobile device management. As expected, some institutions had more mature mobile device management strategies than others. The AirWatch MDM solution that was purchased by UT System has not yet been fully leveraged by UT System Administration or the institutions, as described in further detail below. Generally, the health institutions had more robust strategies in place, while the smaller academic institutions tended to lag behind in implementation of MDM strategies, reportedly due to limited resources and different institutional needs.

Mobile Device Management Solutions

As previously mentioned, users increasingly rely on the use of mobile devices to stay connected to their business-related emails, calendar, and contacts. Most institutions allow personally-owned devices, with few restrictions, to connect to the institutional network, provided that the user has the appropriate credentials. For example, UT MD Anderson does not allow Android devices and will request that they be disconnected when detected, and UTHSC-Houston does not permit jailbroken or rooted devices. [2] MDM software solutions can help enforce these restrictions.

MDM Products and Common Features

Implementation and use of MDM software varies among the institutions. The CISOs reported that they are evaluating or are currently using different tools for MDM, including:

- Absolute Manage
- AirWatch by VMware
- BoxTone (now Good Technology)
- Microsoft Intune
- Cisco Meraki
- MobileIron
- AT&T Toggle
- Microsoft Exchange ActiveSync protocol

Note that Microsoft Exchange ActiveSync is a communications protocol for the synchronization of email and other information (for example, a user’s emails, calendar, and contacts) from a server to users’ mobile devices. While it is not generally considered a full MDM product, it does have some MDM capabilities and can be used to enforce certain security policies, such as requiring passwords and performing remote wipes.

An MDM product typically has more robust features and can perform more device management functions. For example, while ActiveSync can wipe a device remotely, MDM software may offer the option to only delete business-related data or only provide view access to emails such that they are never actually stored on the mobile device. MDM solutions in the market today offer security controls that can be applied to the entire device or only to a secure container on the device. According to Gartner, MDM “includes software that provides the following functions: software distribution, policy management, inventory management, security management and service management for smartphones and media tablets.” [3]

We reviewed product information from various MDM vendors and found their software have certain features in common:

- Manage various types of devices running different operating systems;
- Provide visibility into enrolled devices from a single console or dashboard;
- Enforce network security policies and manage apps;
- Segregate work content from personal content; and
- Allow easy enrollment of personally-owned devices.

[2] “Jailbreaking” or “rooting” a device is the process of removing or circumventing restrictions such that the user can modify the core operating system.

Unused AirWatch Licenses Purchased by UT System

In July 2013, UT System entered into a Preferred Supplier Agreement with AirWatch, LLC for MDM services.
As part of this agreement, UT System purchased 50,000 perpetual licenses for the MDM software at $14 each and also received 10,000 perpetual licenses [4] for AirWatch’s mobile content management (MCM) software without charge. The MCM software allows corporate content to be securely stored and accessed from mobile devices. UT System also paid for the first two years of annual maintenance and support for the MDM and one year of maintenance and support for the MCM (maintenance fees for the first year were waived), with the current maintenance term scheduled to expire at the end of July 2015. The annual maintenance fee for the MDM and MCM is $2.80 per license. The aggregate initial cost of the software licenses and maintenance was $1,008,000.

Item                      Units     Price per Unit   Total
MDM License               50,000    $14.00           $700,000
MDM Annual Maintenance    50,000    $2.80/year       $280,000
MCM License               10,000    $0 (waived)      $0
MCM Annual Maintenance    10,000    $2.80/year       $28,000
Total                                                $1,008,000

[3] Gartner, Inc., accessed March 2, 2015, ...anagement-mdm.
[4] A perpetual license allows the licensed software to be used indefinitely. However, separate annual maintenance fees are typically required to receive updates to the software.

Beginning with the third year, any institutions that hold licenses will be responsible for maintenance fees on those licenses allocated to them. For any licenses not allocated, UT System is contractually obligated to pay for maintenance fees or the software will not be updated and become outdated as mobile devices and operating systems evolve.

The AirWatch contract was executed with the intent that the MDM tool would be made available for those institutions that did not already have an MDM tool in place. The implementation of AirWatch MDM was not mandated. Of the 50,000 AirWatch MDM licenses purchased by UT System nearly two years ago, approximately 22,500 (or 45 percent) have been requested by the institutions for deployment as of March 2015, leaving over half of the licenses remaining with UT System. Of the 22,566 licenses reported as requested [6], approximately 17 percent (or 8 percent of the 50,000 total) was reported as actually being in use. The following table provides a summary of the AirWatch MDM licenses requested, and being used, by each institution.

Institution                  Requested    Used
UT Arlington                     2,051       0
UT Austin [5]                        0     100
UT San Antonio                     100       0
UT Tyler                           500     few
UT MD Anderson                     100       0
UT Southwestern                  1,815   1,442
UTHSC-Houston                    7,000   2,009
UTHSC-San Antonio                5,000      62
UT Medical Branch                5,500     368
UT System Administration           500       6
Total                           22,566   3,887
This effectively translates to about $645,000 of MDM software and $258,000 in annual maintenance fees, or approximately $903,000 of the initial cost left unused Systemwide.

Recommendation (1): If a significant number of the licenses will remain unused, the Systemwide Information Security Office should work with the vendor to suspend the annual maintenance fees for unused licenses (currently approximately $75,000 per year) or identify a feasible alternative to mitigate the future expense (such as eliminating those licenses not expected to be used).

Level (1): This finding is considered High due to the actual costs incurred and potential future costs for a product that is not being significantly utilized.

Management’s Response (1): As part of the ISAI initiative, the Systemwide Information Security Office created a multi-institutional work group, comprised of members from UT Dallas, UT Austin, UT Pan American, UT Southwestern, UT HSC Houston, Medical Branch, MDACC, and the Supply Chain Alliance, to determine the functional requirements of the product, determine deployment levels, draft a Request for Proposal (RFP), evaluate proposals, and make a recommendation on the selected product. The intent of the purchase of AirWatch was to provide those institutions that had not already selected and purchased a product with a viable alternative. Institutions have the flexibility to choose a mobile device management product that best meets the institutions’ requirements and capabilities of implementation. Institutions are not required by directive or policy to use or consider AirWatch as their preferred solution for mobile device management.

[5] Note that UT Austin’s 100 AirWatch MDM licenses are excluded from the total, as those appear to have been purchased separately from the UT System agreement (on an annual subscription basis), based on accounting records.
[6] The total number of licenses reported as requested by the institutions was substantially reconciled to an internal tracking spreadsheet provided by the Systemwide Information Security Office in March 2015 (within 282 licenses).
Management agrees with the need to avoid the continued payment of maintenance on licenses that will never be deployed. The Systemwide Information Security Office will work with VMware to identify a means by which UT System and institutions will pay for the maintenance of licenses deployed or that have a realistic expectation of being deployed in the short to medium term. Specifically:

- Determine the number of AirWatch licenses currently not allocated or deployed.
- Follow up with institutions to assess the status of their corresponding evaluations and deployment.
- Re-evaluate the number of licenses that will be required by institutions deploying or considering deploying AirWatch.
- Determine the number of excess licenses that, realistically, will never be deployed.
- Engage VMware in conversations to identify, if possible, a path moving forward by which the maintenance fee for the excess licenses is suspended or avoided.

Implementation Date (1): August 31st, 2015

Recommendation (2a, 2b): The Systemwide Information Security Office should continue to work with the CISOs of the institutions where AirWatch MDM is not being considered to reassess the viability of implementing that product. Also, it may be beneficial to develop awareness training to assist the institutional CISOs in better informing the users at their institutions of the capabilities and limitations of MDM, and how the features of an MDM solution will assist and protect the users. Recognizing that institutions may implement AirWatch in different ways, training content could include a general reminder of the importance of protecting University data and the purpose of MDM as another tool to do so. Communicating this message may increase success in deployment.

Level (2a, 2b): This finding is considered Medium due to the potential level of information security risk from insufficient controls over mobile devices as their use is expected to increase over time.

Management’s Response (2a): The recommendation includes a task related to the implementation of AirWatch and a task related to mobile device management awareness training. Each will be addressed separately.

The Systemwide Information Security Office has actively engaged institutions on mobile device management, including AirWatch. As mentioned above, institutions are not required by directive or policy to use AirWatch as their preferred solution for mobile device management. This recommendation requires the Systemwide Information Security Office to compel institutions not currently considering AirWatch to reassess their decision. However, the Systemwide Information Security Office will re-engage institutions that do not have an MDM strategy in place as identified in Appendix B.

Implementation Date (2a):

- Email communication to appropriate CISOs and follow-up conference call: July 31st.
- Include mobile device management implementation as topic of discussion during CISO Council: August 12th.
- In-person meeting and discussion during CISO Council and UT INFOSEC: August 14th.
- Report detailing outcome of communication and meeting: August 31st, 2015.
Management’s Response (2b): Management agrees that training and guidelines are an important requirement for a successful implementation of a mobile device management strategy and to create the user buy-in needed to accept it, enroll devices, and participate in its deployment. The Systemwide Information Security Office leverages mobile device management related resources from UT System institutions, EDUCAUSE, and institutions of higher education, and makes them available to institutional CISOs via a SharePoint site dedicated to mobile device management. The items below are already works-in-process:

- Create a UT System web site for mobile device management that introduces the initiative and includes links to resources available to CISOs.
- Create a SharePoint site, as part of the UT System CISO SharePoint, dedicated to mobile device management that includes: benefits, FAQ, Getting Started guidelines, privacy concerns, configuration baselines, and resources from other UT System institutions, EDUCAUSE, and other institutions of higher education.
- Create a SharePoint site to support the UT System Administration AirWatch pilot implementation. In addition, this site will include device requirements, device enrollment instructions, and device management rules.

Implementation Date (2b): August 31st, 2015

AirWatch and MDM Usage Systemwide

Based on AirWatch’s website materials and a review of the agreement, it appears that their MDM solution can control the majority of mobile device platforms (operating systems) currently in use and manage personally-owned mobile devices as well. The AirWatch MDM solution is in various stages of implementation across the UT System institutions, with UT Southwestern appearing to be the most fully implemented based on the information we reviewed. Several other institutions are evaluating or deploying the software, and a few have not been able to begin work on AirWatch or any other MDM implementation for various reasons. See Appendix B for details by institution, including explanations provided for why AirWatch was not implemented. A summary follows:

- 1 of 16 institutions [7] has fully implemented AirWatch;
- 7 institutions are evaluating or have partially implemented AirWatch and are planning to expand implementation;
- 3 institutions have fully implemented and were already using a different MDM solution (Absolute Manage, Meraki, and BoxTone);
- 4 institutions are evaluating or have partially implemented a different MDM solution; and
- 3 institutions do not yet have plans to implement any MDM solution.

At institutions where the purchased AirWatch licenses are not currently being considered for use, the institutional CISOs cited ongoing maintenance fees, inadequate staffing and training, and a desire for products that are more suited for their unique institutional needs as some of the reasons for not implementing AirWatch at this time. Interestingly, at two institutions where AirWatch is not being considered for implementation across the entire institution, each one has a single department that does use AirWatch for MDM.

[7] For purposes of this audit, UT System Administration was considered an institution, along with the nine current academic institutions and the six current health institutions. However, the total number of institutions in the summary does not equal 16 because some institutions are evaluating AirWatch along with a different MDM solution.
UTS165 includes specific requirements for mobile devices used for business. Also, institutions may allow users to access or store confidential data with a personally-owned mobile device. The UT System Information Security Compliance staff conducted a series of “Mobility Monday” presentations to educate technical staff across the UT System about various risks related to mobile devices and using MDM software solutions. An MDM solution would help meet the policy requirements and mitigate risks related to unauthorized exposure of confidential data.

Recommendation (3): The Systemwide Information Security Office should assist the institutions in reconsidering a decision to not implement any MDM solution by highlighting how MDM can be used to enhance policy compliance and overall information security. While additional cost and effort may be required upfront, an MDM solution can help ensure compliance with policy requirements and mitigate risks related to unauthorized exposure of confidential data.

Level (3): This finding is considered Medium due to the potential level of information security risk from insufficient controls over mobile devices as their use is expected to increase over time.

Management’s Response (3): Management agrees that the implementation of a mobile device management strategy and supporting application mitigates risks related to unauthorized exposure of confidential data, enhances policy compliance, and overall information security. The implementation of such a strategy and application is not a trivial endeavor limited to installing and deploying a tool, but one that requires policy work, identification of requirements and creation of management rules, strategy communicat