Enterprise Mobile Security & Compliance - GDPR, PCI DSS, HIPAA, NERC & NDB
Compliance for Mobile Devices
PSD2 and mobile devices
"The revised Payment Services Directive, also known as PSD2, pays a lot of attention to the security of mobile banking apps, mobile payment apps, mobile wallets, and other apps that offer payment functionality." Security Boulevard, July 2018
PSD2, the European Commission's Revised Payment Services Directive, regulates payment services and payment service providers (PSPs) such as banks. The directive establishes rules covering all types of electronic and non-cash payments, including mobile and online payments. The rules include strict security requirements for data protection, secure communication, and device and software integrity, and require that PSPs have mechanisms in place to mitigate failure of the required security measures. Technologies being explored to meet these requirements on mobile devices include containerization (together with rootkit/jailbreak detection mechanisms), hardware security elements, anti-malware tools, and mobile device analytics and behavior solutions.
GDPR and mobile devices
"One of the challenges of achieving GDPR compliance will be securing Personally Identifiable Information (PII) held on laptops and other mobile devices. It is harder to track and at a greater risk of being compromised because it is not behind the company firewall." GDPR Report, October 13, 2017
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. Any mobile devices and applications, including those provided to consumers, that contain or process personally identifiable information (PII) must be secured against exposure and theft. These devices and apps need mobile security solutions to prevent device, network and app (DNA) attacks.
PCI and mobile devices
"The PCI Data Security Standard (PCI DSS) requires merchants to protect cardholder data. ... Mobile devices are not necessarily designed to be secure input or storage devices for cardholder data." PCI Security Standards Council, 2014
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Mobile devices, from smartphones to tablets, are increasingly being used to process transactions. For PCI DSS compliance, these mobile devices should be considered “endpoints” in the same way that point of sale (POS) terminals, personal computers and servers are. They need mobile security solutions to prevent device, network and app (DNA) attacks.
The Zimperium Platform helps you meet the mobile mandates of these PCI DSS requirements:
HIPAA and mobile devices
"Under HIPAA, you’re required to take security measures to ensure your patient data — including those handled by mobile devices — are private and secure. If your practice suffers a data breach or fails to comply with HIPAA regulation, you will be subject to heavy fines ranging from $50,000 to $1.5 million." Health Security Solutions, November 6, 2017
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. Mobile devices and applications are increasingly being used to store and present patient data to doctors and patients. For HIPAA compliance, mobile devices should be considered “endpoints” in the same way that point of sale (POS) terminals, personal computers and servers are. Mobile apps containing and processing patient data must be secured against attacks as well, even on patient-owned devices. These devices and apps need mobile security solutions to prevent device, network and app (DNA) attacks.
The Zimperium Platform helps you meet the mobile mandates of these HIPAA requirements:
NDB and mobile devices
"The reality for a lot of businesses is that there are many Privacy Amendment (Notifiable Data Breaches) security time bombs in the workplace, including ... unsecured and lost personal devices such as smart phones and tablets." MyBusiness.Com.Au, 2017
The Notifiable Data Breaches (NDB) requirement, contained under Part IIIC of Australia's Privacy Act 1988 (Privacy Act), introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The legislation applies to all businesses carried on in Australia that collect or hold personal information in Australia.
NERC and mobile devices
"CIP compliance is challenged when mobile devices, capable of unauthorized wireless connectivity with wired and wireless interfaces, are able to access a CIP-protected cyber asset within the electronic security perimeter." Department of Energy, February 25, 2009
The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. Mobile devices, from smartphones to tablets, are increasingly being used by technicians to service critical infrastructure. For NERC CIP compliance, these mobile devices should be considered “endpoints”; they need mobile security solutions to prevent device, network and app (DNA) attacks.
The Zimperium Platform helps you meet the mobile mandates of these NERC CIP requirements:
"Mobile malware has not been an issue in the eyes of enterprises so far. However, mobile attacks (Pegasus, XcodeGhost) and vulnerabilities (Stagefright, Heartbleed) are increasing in terms of both number and pragmatism. Enterprises are now looking for solutions that can enhance their mobile security posture. Mobile threat defense (MTD) solutions combine signature-based checks with behavioral anomaly detection on the device, network and app layer."
Gartner Predicts 2017: Endpoint and Mobile Security, Analyst(s): John Girard | Dionisio Zumerle | Brian Reed | Peter Firstbrook | Bart Willemsen, 16 November 2016