
IT353 Information Management

Contents
1. EXECUTIVE SUMMARY
2. SECURITY BREACHES IN HANDHELD DEVICE
   2.1 LOST OR STOLEN DEVICE
   2.2 VIRUS INFECTION AND MALWARE ATTACK
   2.3 PHISHING AND HACKING THE DEVICE
3. SECURITY MEASURES FOR HANDHELD DEVICE
   3.1 PREVENT UNAUTHORIZED ACCESS
   3.2 VIRUS PROTECTION
   3.3 AVOID PHISHING
4. HANDHELD DEVICE TO INCREASE THE BUSINESS PERFORMANCES
5. EFFECTS OF MANAGEMENT AND TECHNICAL FACTORS TO THE HANDHELD SECURITY POLICIES
   5.1 TECHNOLOGY FACTORS
   5.2 MANAGEMENT FACTORS
6. REFLECTIONS AND LEARNING'S
7. REFERENCES
8. APPENDIX
   8.1 APPENDIX A
   8.2 APPENDIX B
   8.3 APPENDIX C
&./a0t1i Ma2.0an3a $ota/a4a/a 1551%%155163 &age 1

1. Executive Summary

Value Insure is a global insurance company spread across 15 countries in the Asia Pacific region. One of the main factors that affect an organization's success is its customers. Gaining prospective customers in a competitive market is a difficult task for every organization, so it is important to consider effective approaches for converting these Prospects to Sales.

Excellent management of information will lead the company to provide better service for its customers in the competitive market. In the process of converting Prospects to Leads, the field officers, who interact most with the customers of Value Insure, can use wireless handheld devices to provide accurate and up-to-date information and so minimize the drop of customers during this conversion.

With the evolution of business communication, mobile handheld devices are becoming a typical tool for communicating corporate data among busy professionals. The field officers of Value Insure are always busy with their work, so introducing handheld devices at Value Insure will increase the productivity of the field officers.

The handheld device enables field officers to access corporate information from anywhere, which increases efficiency. Moreover, customer information can be recorded on the device for further reference.

Although the handheld device is regarded as a better means of communication, it also carries several security risks. Unauthorized access or use of the device to hack corporate data, virus infection, and malware attacks are some of the areas that increase the risk to the organization's corporate data. All of these circumstances put the organization's corporate data at risk. In order to safeguard corporate data, certain security measures have to be followed for each relevant situation.

2. Security Breaches in Handheld Device

2.1 Lost or Stolen Device

A lost or stolen device exposes the organization's critical information to unauthorized people who access it. A device that is not protected makes it easy for hackers to access the corporate data of the organization. Devices held by ex-employees can also become a risk for a company. Below are some areas that can be affected by the loss or theft of the device.

• Information about suppliers and all the sales information will go to the competitors.
• Business continuity is affected by the loss of day-to-day business information.
• Both employees' and administrators' time is consumed in recovering from the data loss, which will cost more than replacing the device with a new one.
• The administration team's time is consumed in replacing or reinstalling the device.
• Hackers can synchronize the device with the organization's database to introduce malware and viruses that damage the corporate data.

Viewing of the information by unauthorized people such as competitors, journalists, and business associates opens a back door into the company, because competitors can imitate the business strategies that the company is currently using. Moreover, journalists and other business associates will analyze the business of the company and report it to the whole world.

(Refer to Appendix A for some information that can be stolen from the handheld device)

If current employees who use the handhelds leave the company, they can keep confidential data with them. They can then sell this data to hackers, or use it to crack the corporate information for their private advantage.

A handheld device can be used as a mobile phone, so it can be shared among other people. When the device is shared with others or given to a third-party service provider for repair, the data is at risk of hacking.

2.2 Virus Infection and Malware Attack

A virus is a computer file that runs by means of the other software programs in the device. A virus can have an impact on the data by destroying the storage or memory of the device. While the device is connected to the network it passes data from one point to another, so viruses can be received through the network and infect the device.

Malware is a software program that runs independently on the handheld device and creates malicious code to make the device malfunction. This malicious software is able to reduce the productivity of the device and destroy the information in both the SIM card and the memory chip.

The pathway for both of the above to the device is through e-mail and the Internet. Moreover, viruses can attack corporate data through the network by means of the handheld devices. This type of attack is called a Man-In-the-Middle attack.*

*(Refer to Appendix B for Man-In-the-Middle attacks)

2.3 Phishing and Hacking the Device

Phishing is a method of obtaining information without the knowledge of the user in order to gain access to the organization's corporate data. Sensitive information such as passwords, user IDs, and credit card numbers is acquired by this method. The user does not know that the hacker is trying to obtain his or her information, because the hacker uses seemingly reliable sources such as e-mails, or directs the user to fake websites that look like normal websites.

All the field officers are able to receive e-mails through the handheld device, so phishing e-mails can be received on these devices. If the officers open these e-mails, the unauthorized person can obtain the sensitive information needed to gain access to the database where the organization's critical data is stored.

Hackers are skilled people who have the ability to gain access to the system through the company's internal and external networks. Their interest is to steal, damage, or read the company's critical information through the handheld device.

3. Security Measures for Handheld Device

3.1 Prevent Unauthorized Access

Unauthorized access can be avoided by implementing access controls on the device. The access controls that we can implement on the device are password protection, encryption of data, and user authentication.

Password Protection - A device with a PIN number prevents unauthorized people from logging into the device. If the device is lost or stolen the company does not need to worry, since the device is protected from unauthorized parties.

Encryption - If a person who is not authorized to view the corporate data gains access to the device by eavesdropping*, this can be countered by encrypting the data. Encryption scrambles the data at one point and unscrambles it (decryption) at the receiving point. The critical information in the device can therefore be encrypted to keep it unreadable for the unauthorized person.

*(Refer to Appendix C for Eavesdropping)

User Authentication - Authentication allows different users different levels of access to the system. For example, the field officers of Value Insure can only access read-only data, while managers and other top executives have permission to edit the files and information of the system. Compared to the managers' devices, the field officers' devices have a greater possibility of loss and theft, since the officers are working in the field. Following are some policies that can be enforced on the device.

• Change of password every month, or week.
• Lock the profile if there are a number of failed attempts to enter the password.
• Inform the administrator to unlock the profile.
• Passwords should have a designated length and format.

Beyond the above methods, it is worth using a mirror server and giving third parties access to the system through that one server. This will minimize the damage to data due to unauthorized access to the system.

3.2 Virus Protection

A virus can infect the device at any time while it is being used for daily operations, so the device has to be protected with tools such as anti-virus software or firewalls. Anti-virus software detects a virus within the handheld device and eliminates it by deleting it or quarantining it from the other files. A firewall is software that can be used to block suspicious incoming and outgoing code, messages, and unauthorized use of the network ports of the device. Following are some remedies that can be followed to minimize virus attacks on the handheld device.

• Keep regular backups to restore data after a virus attack.
• Disable options such as Bluetooth or Wi-Fi on the handheld, because these are pathways for dangerous virus and malware attacks.
• Train field officers to identify suspicious e-mails, which contain malware and viruses, among the other e-mails.
• If the officers are supposed to use Bluetooth and Wi-Fi accessories, ask them to turn these on only when needed.
• Use an e-mail monitoring system to identify doubtful e-mails that contain viruses.

3.3 Avoid Phishing

Phishing e-mails are spam-based e-mails. They can be monitored by implementing an e-mail monitoring system on the device. Although an e-mail monitoring system raises ethical issues, it helps to avoid unauthorized access to the system. Frequent change of password is also effective against phishing.

The best way to avoid phishing is to train and educate the handheld device users about the e-mail policies, or else to set up a unique group e-mail address for the company so that the device holder can disregard phishing e-mails. Phishing cannot be avoided effectively, since the device holders receive many e-mails.

The remedy for hacking is to install powerful firewall software on the handheld device. Firewall software will detect and disable unauthorized connections by checking both inbound and outbound connections.

4. Handheld Device to Increase the Business Performances

In insurance terms, a customer who has the opportunity to buy the product is known as a Prospect. First the company has to find Prospects from the pool of Suspects, who are in the insurance market or already have insurance. The next step is to convert these Prospects to Leads, who have a potential interest in buying the product. Finally the Leads are converted to Sales. A sale is the point where any insurance company gains income, so it is a huge task for every insurance company to convert these Prospects to Sales.

Most companies lose customers during this conversion due to a lack of information provided to the customers about the product. Value Insure in particular, which is in the personal insurance business, always has to interact with customers. The field officers in Value Insure are therefore the major party that brings sales to the company, and they should provide better service to the customers by providing complete, accurate, and up-to-date information. Their wireless handheld device can be used to deliver this better service.

The device enables access to information about the products anywhere the officers are prospecting customers. The field officer should be able to answer the varied questions that a customer can ask, such as a change of insurance premium or an adjustment of claims.

The handheld device should include value-added features to win customers. Some value-added features of the handheld device are as follows.

• Load images and catalogs about the products from the device. This makes customers more comfortable about the product, and the information is precise.
• If the customer is willing to buy the product, the officer can sign the customer up to the insurance policy by filling in application forms on the handheld device. This eliminates the step of the customer physically visiting the insurance company to obtain his or her insurance.
• Use a word processor to generate and edit documents to deliver contacts or proposals to the customer.

In the case of damage, the field officer has to visit the client physically to assess the damage and examine claims, so field officers perform most of their duties outside the office. Through the wireless handheld device the field officer can update the assessed claims for the relevant damage on the system immediately. This improves the efficiency of the company in producing the claim for the customer in no time.

The device is capable of taking photos. When damage has taken place, field officers can take a photo and send it to the office so that a higher authority can audit the claim. This increases productivity by assessing the correct compensation for the damage.

To get the maximum return on investment, the handheld device needs to be upgraded frequently, which increases the efficiency of the device. All of this will improve the quality of the Value Insure service while increasing the velocity of the business, and will help the company to gain competitive advantage.

5. Effects of Management and Technical Factors to the Handheld Security Policies

In the process of implementing security policies and procedures for wireless handheld devices we have to consider both management and technological factors.

5.1 Technology Factors

Acquisition of Handheld Device

The company can purchase handheld devices off the shelf, so every device contains the same features and accessories. It can enter into a contract with the handheld device company to improve the quality of the devices, and the software for the devices can also be obtained from this company.

Moreover, training in the use of the device and after-sales services can be obtained from the mobile company, so the defects of the device can also be minimized. The device is safe, because a third party is taking care of it.

Have timely Version Management on the device

This method is used to make changes to the vulnerable areas of the handheld device. For example, if the device's operating system is too old, this method helps to find new versions of the operating system by checking with vendors about their new operating system releases, or by searching the devices for the current operating system level. Moreover, it checks the feasibility of upgrading the device with the new operating system. This will deny virus attacks, because the device is equipped with the latest anti-virus software.

5.2 Management Factors

Access controls

The management of Value Insure can implement two types of access control on the device: Physical Access Controls and Logical Access Controls. Physical access control means having a strong password, which is not easy for an unauthorized person to crack. It also includes physically protecting the device when it is not in use, for example switching off the device when it is not being used, or switching off accessories such as Bluetooth or Wi-Fi when they are not needed. Logical access control, on the other hand, means authenticating the user and giving access levels to the system.

Furthermore, automatic password expiration after a certain time period can be implemented on the device to protect the system from unauthorized accessors, along with locking the profile if the user fails to log in to the system several times. A field officer has to give notice of resignation three months prior to the resignation day. Their handheld device then has to be taken back and the user profile has to be deleted. If the device contains contact details it can be returned when lost, so it is better to require the user to enter his or her contact details on the device. Erasing the data after this process also protects the device.
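
The password policies listed under section 3.1 and the expiry and lockout rules in the Access controls paragraph above can be enforced in code roughly as follows. This is an added example, not part of the original report; the class `DeviceProfile`, the threshold of three attempts, the 30-day expiry and the length/format rule are assumptions, since the report names the policies without giving values.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed values: the report names these policies but gives no numbers.
MAX_FAILED_ATTEMPTS = 3
PASSWORD_MAX_AGE = timedelta(days=30)        # "change of password every month"
PASSWORD_FORMAT = re.compile(r"(?=.*[A-Za-z])(?=.*\d).{8,}")  # 8+ chars, letter and digit


class PolicyError(Exception):
    """A new password does not meet the designated length and format."""


class DeviceProfile:
    """Hypothetical per-user profile stored on the handheld device."""

    def __init__(self, user, password, now):
        self.user, self.failed, self.locked = user, 0, False
        self._set_password(password, now)

    def _derive(self, password):
        # Keep a salted, slow hash on the device, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _set_password(self, password, now):
        if not PASSWORD_FORMAT.fullmatch(password):
            raise PolicyError("need 8+ characters with a letter and a digit")
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self.changed_at = now

    def login(self, password, now):
        """Return 'ok', 'denied', 'locked' or 'expired'."""
        if self.locked:
            return "locked"              # even the right password no longer works
        if not hmac.compare_digest(self._derive(password), self._hash):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed = 0
        if now - self.changed_at > PASSWORD_MAX_AGE:
            return "expired"             # correct, but must be changed before access
        return "ok"

    def admin_unlock(self, new_password, now):
        """Only the administrator clears a lock, issuing a fresh password."""
        self._set_password(new_password, now)
        self.failed, self.locked = 0, False


def demo():
    t0 = datetime(2010, 11, 1)                         # constructed sample date
    p = DeviceProfile("field.officer", "Claims2010", t0)
    out = [p.login("Claims2010", t0)]
    out += [p.login("guess", t0) for _ in range(3)]    # third failure locks
    out.append(p.login("Claims2010", t0))              # locked profile rejects the right password
    p.admin_unlock("Premium2011", t0)
    out.append(p.login("Premium2011", t0 + timedelta(days=31)))
    return out


if __name__ == "__main__":
    print(demo())
```

Once the profile is locked it stays locked regardless of what is typed, which is the property that matters for a lost or stolen device.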

Having IT audits

A policy can be implemented to have frequent audits to check whether the user has used the device according to the set of rules and regulations given by the IT department of Value Insure.

The following conditions and aspects can be checked during an audit session.

• Use of a password or PIN on the device.
• Use of the assigned authentication level to the system through the handheld device.
• Use of correct encryption standards on the device.
• Check the database access network of the devices to reduce interruption due to network traffic while they are accessing the database.
• Check whether the device contains all the updates to anti-virus and other software, and whether the updates are occurring according to the planned schedule.
• Check the synchronizing speed with the database to identify further updates required for the device.
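
Several of the audit items above (PIN in use, assigned access level, encryption standard, anti-virus updates on schedule) can be checked automatically against a device inventory. The following is an added example, not part of the original report; the record fields, role names, approved cipher and 7-day update window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed baseline: roles, access levels, the approved cipher and the 7-day
# update window are illustrative; the report lists the checks, not the values.
ALLOWED_ACCESS = {"field_officer": {"read"}, "manager": {"read", "edit"}}
APPROVED_CIPHERS = {"AES-256"}
MAX_UPDATE_AGE = timedelta(days=7)


@dataclass
class DeviceRecord:
    device_id: str
    role: str
    pin_set: bool
    access: frozenset
    cipher: Optional[str]      # None means storage is not encrypted
    av_updated: date           # date of the last anti-virus update


def audit(dev, today):
    """Return the findings for one device (an empty list means compliant)."""
    findings = []
    if not dev.pin_set:
        findings.append("no password or PIN")
    # Unknown roles are allowed nothing, so the check fails closed.
    extra = set(dev.access) - ALLOWED_ACCESS.get(dev.role, set())
    if extra:
        findings.append("access above assigned level: " + ", ".join(sorted(extra)))
    if dev.cipher not in APPROVED_CIPHERS:
        findings.append("encryption not to standard: " + (dev.cipher or "none"))
    age = today - dev.av_updated
    if age > MAX_UPDATE_AGE:
        findings.append(f"anti-virus update overdue by {(age - MAX_UPDATE_AGE).days} days")
    return findings


def audit_fleet(devices, today):
    """Map device_id -> findings, listing only devices that failed a check."""
    report = {d.device_id: audit(d, today) for d in devices}
    return {dev_id: f for dev_id, f in report.items() if f}


# Constructed sample inventory for one audit session.
TODAY = date(2010, 11, 15)
FLEET = [
    DeviceRecord("HH-001", "field_officer", True, frozenset({"read"}), "AES-256", date(2010, 11, 12)),
    DeviceRecord("HH-002", "field_officer", True, frozenset({"read", "edit"}), "AES-256", date(2010, 11, 14)),
    DeviceRecord("HH-003", "manager", False, frozenset({"read", "edit"}), None, date(2010, 10, 30)),
]

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(FLEET, TODAY).items():
        print(dev_id, findings)
```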

6. Reflections and Learning's

• Major business operations in the modern business world occur outside the office, so it is effective to use handheld devices in a company to improve the productivity of business operations.
• Finding a company that is in the telecommunication as well as the mobile telephone industry, from which to purchase both the handheld devices and the phone connection, is profitable and productive for a company, because it is possible to have common connectivity and bandwidth among devices. Moreover, it is economical to cooperate with one company, and Value Insure can obtain better after-sales and value-added services from it. If the handheld device provider and the telecommunication service provider are separate, compatibility problems between device and connectivity will arise.
• When purchasing anti-virus software it is effective to obtain software that includes both virus and firewall facilities. It is profitable to have software like that, since one piece of software covers the major areas in which the handheld device is at risk.
• Device holders should be trained to use the device before it is handed over to them. The user manual and other accessories also need to be provided at the end of this training session.
• Most virus and malware attacks occur while viewing and transferring vulnerable e-mails, so it is effective to have an e-mail monitoring system to separate those e-mails from the others. Moreover, users of the device can be trained to recognize that kind of e-mail.
• Since Value Insure is a global insurance company, field officers are located in different time zones. It is therefore difficult to update or upgrade all handheld devices at one time while some officers are working, and it is effective to implement a method for updating devices in different time zones separately.
• The personal information of the device holder is entered on the device, so there is a possibility that a lost device will be returned by the finder.
• The handheld device is a tool for gaining competitive advantage in the insurance industry, because it increases the ability of field personnel to describe the products precisely and interactively to the customers.

8. Appendix

8.1 Appendix A

Information that can be stolen

• Human resource records
• Compensation information
• Business reorganization plans
• Merger and acquisition details
• Sensitive e-mails
• Business proposals
• Financial records
• Sales reports
• Customer information
• Product release information
• Medical reports

8.2 Appendix B

Man-In-The-Middle attack is the type of attack where attackers intrude into an existing connection to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into a connection, intercepting messages, and selectively modifying data.

8.3 Appendix C

Eavesdropping is the intentional interception of data (such as e-mail, username, password, credit card, or calling card number) as it passes from a user's computer to a server, or vice versa.