ISACA Offers Guidance for Geolocation Usage and Collection

Organization Warns that Poor Governance over Geolocation can be Disastrous

In a recently released white paper, the ISACA has offered a general overview of the issues surrounding corporate and consumer privacy when it comes to mobile geolocation services. In addition, the organization has offered a simple mnemonic to consumers and employees to address privacy and safety concerns - aptly named ROUTE.

According to ISACA, geolocation services offer a wealth of benefits to the business world, which has made them popular within the enterprise. For example, location-based data can be used for direct marketing and context-sensitive content delivery, monitoring of criminals, enforcing location-based access restrictions on services, cloud balancing, and fraud detection and prevention.

On the other hand, such data collection raises questions about privacy, specifically about business practices around the collection and use of PII (personally identifying information).

“This raises several questions of concern for the user, such as how their location data are being used, with whom the data will be shared, whether there will be onward transfer of the data, and the timeline for data retention and destruction,” the white paper comments.

“The amount and the nature of individual and corporate information available to potential hackers would allow targeted attacks that are difficult to prevent, detect and manage. In addition, each user’s personal information, including race, gender, occupation, and financial history, has significant financial value. Therefore, location information is particularly of high value. Information from a GPS and geolocation tags, in combination with other personal information, can be utilized by criminals to identify an individual’s present or future location…”

Again, while all of the geolocation data collected has tremendous value, the risk that comes with its storage and collection should be a topic of concern to business leaders. This is why the ISACA is encouraging organizations to think carefully about their geo-marketing practices, to the point of reviewing their current privacy policies and whether they accurately reflect the collection and use of geolocation data.

“There is a growing consensus that geolocation data should be classified as sensitive due to a number of concerns such as transparency about data collection practices, solicitations made based on geolocation data obtained without the user’s consent and physical safety stemming from the misuse of information that can identify a user’s current (or future) physical location,” the ISACA notes.

For example, consider the use of geolocation data in a phishing attack. As the white paper points out, “attacks to an individual’s e-mail or mobile device are targeted and are, therefore, highly effective at soliciting a response acknowledgment from the victim.”

In phishing, all it takes is one person opening an attachment or accessing a link for the attack to work. The ISACA’s point is that geolocation data can help an attacker craft messages that get a target’s attention with accurate and granular information.

Those with concerns, including consumers and employees within an organization, need only remember a single word to protect themselves: ROUTE.

Translated, ROUTE covers the following practices:

Read mobile app agreements to see what information you are sharing.

Only enable geolocation when the benefits outweigh the risk.

Understand that others can track your current and past locations.

Think before posting tagged photos to social media sites.

Embrace the technology, and educate yourself and others.

“We live in a mobile world and geolocation is here to stay. It brings obvious benefits both to individuals and enterprises, but if not managed properly the associated risk will be substantial,” said Ramsés Gallego, a member of ISACA’s Guidance and Practices Committee.

“It directly impacts individuals’ and enterprises’ privacy and confidentiality, and the consequences of poor governance over geolocation can be disastrous.”

The white paper is available here.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.