September 29, 2011 - Twenty-eight percent of U.S. adults use location-based applications like Facebook and Google Maps, and that number will grow. A new ISACA white paper cautions that regulation of geolocation data is in progress, so individuals and enterprises must be aware of the information they provide, collect and use. Geolocation uses data to identify a physical location. It offers consumers convenience, discounts and easy sharing, and enables enterprises to deliver personalized services. But this increases the need for data management and controls.
As ISACA’s white paper, "Geolocation: Risk, Issues and Strategies," notes, malicious use of geolocation data can increase risk. When personal information (gender, race, occupation, financial history) is combined with GPS data and geolocation tags, criminals can identify a location, increasing the potential for espionage, burglary, theft, stalking and kidnapping.
"As mobile device and geolocation use grows, more information becomes available to hackers and unauthorized users," said Marios Damianides, past international president, ISACA, and partner, Advisory Services, Ernst & Young. Proposed U.S. legislation restricts whether companies can store location data from mobile devices, and a proposed amendment to the Children’s Online Privacy Protection Act (COPPA) addresses the collection of geolocation data from children under 13.
Collecting and using geolocation data pose risk to enterprises, including:
- Privacy: Multiple entities have access to geo-tagging data, including service providers and wireless access developers. Users can’t always identify the source or owner of their location data.
- Reputation: Enterprises risk their brand/reputation when breaches occur.
- Compromise: Secret locations and remote facilities/prototypes can be identified.
"We live in a mobile world and geolocation is here to stay. It has benefits for individuals and enterprises, but if not managed properly, the risk is substantial," said Ramsés Gallego, member of ISACA’s Guidance and Practices Committee and security strategist and evangelist, Quest Software.
- Implement safeguards and leverage COBIT for policy development.
- Update the security of device operating systems and software.
- Make sensitive data (personal, financial, confidential) unreadable or inaccessible.
- Respect differing global privacy regulations.
- Implement a risk management policy that identifies where geolocation services add value and where they should be disabled.
Consumer and Employee Tips
ISACA advises people to follow a five-step "route" for informed use of geolocation:
- Read mobile app agreements and know what information you share.
- Only enable geolocation when benefits outweigh risk.
- Understand that others can track your current and past locations.
- Think before posting tagged photos to social media sites.
- Embrace the technology, and educate yourself and others.
"There are great consumer advantages of geolocation, such as photo tagging and directions," said Robert Stroud, past international vice president, ISACA, and vice president, Strategy and Innovation, CA Technologies. "However, many consumers are unaware of the risk and need to educate themselves."
© Copyright 2011 Auerbach Publications