5. Are we certain that confidential client information will not remain on a device after a session is finished?
Software developers should write code that does not allow private data to persist after a customer has finished browsing session given the vulnerable nature mobile devices. Also, an organization must keep up on whether certain browsers or operating systems circumvent these controls. Keeping an eye on mobile browser and OS weaknesses is a must.
6. What processes are in place to respond should there be a loss of customer data or breach associated with a mobile application?
Incident responses processes that exist for the enterprise should be mapped to the mobile world, including both internal and external players. Benchmark against others and consider conducting an exercise based on the loss of customer data. Those that have done so have been surprised at who interacts with mobile development in the enterprise. Are you prepared to pull the plug on mobile phones when a particularly nasty vulnerability comes to light?
7. What organization (enterprise, device provider, mobile OS provider) is responsible for security?
Given that there are several key architectural dependencies, if a breach occurs who is responsible for what aspect of the environment, be it device, OS, or application? Understanding this ecosystem will help you manage a security incident with a mobile application.
8. What development approaches are in place to build more secure mobile applications?
Has the development approach for mobile applications changed, given the inherent weakness of the mobile environment? What coding standards do you have for mobile code? How are these standards enforced? Are they checked frequently? Are they only checked for only certain high profile releases? Cutting-edge mobile development projects must be brought in-line with organizational standards for developing secure software and these standards must be augmented to reflect more complicated threat models associated with mobile applications.
Sign up for CIO Asia eNewsletters.