
Enterprise Mobile Security & Compliance - GDPR, PCI DSS, HIPAA, NERC & NDB

Compliance for Mobile Devices

GDPR and mobile devices
"One of the challenges of achieving GDPR compliance will be securing Personally Identifiable Information (PII) held on laptops and other mobile devices. It is harder to track and at a greater risk of being compromised because it is not behind the company firewall." GDPR Report, October 13, 2017

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based. Any mobile devices and applications, including those provided to consumers, containing or processing personally identifiable information (PII) must be secured against exposure and theft. These devices and apps need mobile security solutions to prevent device, network and app (DNA) attacks.

To learn how Zimperium enables companies to receive all of our award-winning mobile security in a completely GDPR-compliant manner, contact us now.
PCI and mobile devices

"The PCI Data Security Standard (PCI DSS) requires merchants to protect cardholder data. ... Mobile devices are not necessarily designed to be secure input or storage devices for cardholder data." PCI Security Standards Council, 2014

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Mobile devices, from smartphones to tablets, are increasingly being used to process transactions. For PCI DSS compliance, these mobile devices should be considered “endpoints” in the same way that point of sale (POS) terminals, personal computers and servers are. They need mobile security solutions to prevent device, network and app (DNA) attacks.

The Zimperium Platform helps you meet the mobile mandates of these PCI DSS requirements:

Req 5: Protect all systems against malware and regularly update anti-virus software or programs
  5.1    Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
  5.1.1  Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
  5.2    Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.
  5.3    Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Req 6: Develop and maintain secure systems and applications
  6.1    Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
  6.2    Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
  6.3.2  Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes).

To learn how Zimperium can help your business meet mobile PCI DSS compliance requirements, contact us now.

HIPAA and mobile devices
"Under HIPAA, you’re required to take security measures to ensure your patient data — including those handled by mobile devices — are private and secure. If your practice suffers a data breach or fails to comply with HIPAA regulation, you will be subject to heavy fines ranging from $50,000 to $1.5 million." Health Security Solutions, November 6, 2017

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. Mobile devices and applications are increasingly being used to store and present patient data to doctors and patients. For HIPAA compliance, mobile devices should be considered “endpoints” in the same way that point of sale (POS) terminals, personal computers and servers are. Mobile apps containing and processing patient data must be secured against attacks as well, even on patient-owned devices. These devices and apps need mobile security solutions to prevent device, network and app (DNA) attacks.

The Zimperium Platform helps you meet the mobile mandates of these HIPAA requirements:

164.308: Administrative safeguards
  (a)(1)(ii)(D)  Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  (a)(5)(ii)(A)  Install periodic security updates.
  (a)(5)(ii)(B)  Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.
  (a)(5)(ii)(C)  Enable logging and log alerting on critical systems.
  (a)(6)(i)      Standard: Security incident procedures. Implement policies and procedures to address security incidents.
  (a)(6)(ii)     Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

To learn how Zimperium can help your business meet mobile HIPAA compliance requirements, contact us now.
NDB and mobile devices

"The reality for a lot of businesses is that there are many Privacy Amendment (Notifiable Data Breaches) security time bombs in the workplace, including ... unsecured and lost personal devices such as smart phones and tablets." MyBusiness.Com.Au, 2017

The Notifiable Data Breaches (NDB) requirement, contained under Part IIIC of Australia's Privacy Act 1988 (Privacy Act), introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The legislation applies to all businesses carried on in Australia that collect or hold personal information in Australia.

To learn how Zimperium can help your business meet mobile NDB requirements, contact us now.

NERC and mobile devices
"CIP compliance is challenged when mobile devices, capable of unauthorized wireless connectivity with wired and wireless interfaces, are able to access a CIP-protected cyber asset within the electronic security perimeter." Department of Energy, February 25, 2009

The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. Mobile devices, from smartphones to tablets, are increasingly being used by technicians to service critical infrastructure. For NERC CIP compliance, these mobile devices should be considered “endpoints”; they need mobile security solutions to prevent device, network and app (DNA) attacks.

The Zimperium Platform helps you meet the mobile mandates of these NERC CIP requirements:

CIP-007-6 R2: Security Patch Management
  2.1    A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets.
  2.2    At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

CIP-007-6 R3: Malicious Code Prevention
  3.1    Deploy method(s) to deter, detect, or prevent malicious code.
  3.2    Mitigate the threat of detected malicious code.
  3.3    For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatures or patterns. The process must address testing and installing the signatures or patterns.

CIP-007-6 R4: Security Event Monitoring
  4.1    Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
  4.1.3  Detected malicious code.
  4.2    Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability):
  4.2.1  Detected malicious code from Part 4.1.
  4.3    Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90 consecutive calendar days except under CIP Exceptional Circumstances.

To learn how Zimperium can help your business meet mobile NERC CIP compliance requirements, contact us now.