BYOD significantly impacts the traditional security model by blurring the security perimeter. With personal devices now being used to access corporate email, calendars, applications and data, many organizations are struggling with how to fully define the impact to their security posture and establish acceptable procedures and support models that balance both their employees’ needs and their security concerns.
Against this background, creating an acceptable but safe BYOD program forces companies to think things through before they turn their employees loose with their own devices on the organization's network. Questions that leadership must settle during the planning stage include: which web browsers employees should use, which security tools offer the best protection for the range of devices that will be allowed to connect to the network, and what level of support IT is expected to provide.
Follow these six steps to boost employee flexibility while reassuring stakeholders that information security will be safeguarded.
1. Create a strategy for BYOD with a business case and a goal statement
As technology continues to advance and change the way we live and work, building a smart, flexible mobile strategy will allow you to explore innovative ways to empower your workforce and drive greater productivity.
Involve stakeholders early through the formation of a mobility group. A cross-business mobility group will help to vet the needs of the business and make sure nothing gets overlooked. The group could consist of executives, HR, legal, support, IT, and potentially representatives for key user groups.
An effective way of generating powerful use cases is to model day-in-the-life scenarios that envision how mobility will ease the everyday work situation of key employee groups. Establishing key success factors will help the group measure the success of the implementation and shape it going forward.
2. Create a support and operations model
Using the scenarios formed by the mobility group, identify and quantify costs and benefits; this will help build the overall business case for BYOD. Ensure that hidden costs such as increased data bills and support expansion are considered, together with potential advantages such as increased recruiting success rates with younger demographics.
3. Analyze the risk
Working from the use cases, you can assess the data stored and processed on the devices, as well as the access the devices are granted to corporate resources and apps. Paying special attention to scenarios that are more likely for mobile devices, such as a lost or stolen device, lets you focus the effort where the risk is highest.
Don't forget to incorporate geographically relevant data and privacy laws, and consider the impact of the mobile workforce traveling to countries with data import/export restrictions.
4. Create a BYOD policy
Creating a flexible but enforceable policy is key to ensuring that it effectively limits risk to the organization. The BYOD policy should complement other information security and governance policies, and should provide the following guidance to the user:
- General security requirements for mobile devices
- Authentication (passcode/PIN) requirements
- Storage/transmission encryption requirements
- Requirements to automatically wipe devices after a number of failed login attempts
- Usage restrictions for mobile devices
- Company liability
- Rights to monitor, manage and wipe
- Support model
- Leading practices for mobile data usage on international travel
- Acceptable use (if different from the normal acceptable use policy)
Secure devices and apps
Implementing a Mobile Device Management (MDM) solution, or other container-focused management utilities, will greatly help you manage and secure the devices. The policies enforced on the devices or within managed containers should be derived from the risk assessment.
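The policy bullets above (passcode/PIN, storage and transmission encryption, auto-wipe after failed unlocks) only limit risk if the MDM or container agent actually checks them before a device gets corporate access. The following is an added illustration, not code from the article or any MDM product: the `ByodPolicy` thresholds, the `DevicePosture` fields and the sample devices are all assumed values, and `access_decision` stands in for a conditional-access gate.

```python
from dataclasses import dataclass
from typing import Optional

# Policy thresholds are assumed values for illustration, not figures from the article.
@dataclass(frozen=True)
class ByodPolicy:
    min_passcode_length: int = 6              # "Authentication (passcode/PIN) requirements"
    require_storage_encryption: bool = True   # "Storage/transmission encryption requirements"
    require_vpn_profile: bool = True          # transmission encryption for corporate traffic
    max_failed_unlocks: int = 10              # "wipe devices after a number of failed login attempts"

@dataclass(frozen=True)
class DevicePosture:
    """Compliance attributes as an MDM or container agent would report them (assumed shape)."""
    device_id: str
    passcode_length: int                      # 0 means no passcode set
    storage_encrypted: bool
    vpn_profile_installed: bool
    wipe_after_failed_unlocks: Optional[int]  # None means auto-wipe is disabled

def evaluate(policy: ByodPolicy, posture: DevicePosture) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if posture.passcode_length < policy.min_passcode_length:
        findings.append(f"passcode too short ({posture.passcode_length} < {policy.min_passcode_length})")
    if policy.require_storage_encryption and not posture.storage_encrypted:
        findings.append("storage encryption disabled")
    if policy.require_vpn_profile and not posture.vpn_profile_installed:
        findings.append("corporate VPN profile missing")
    if posture.wipe_after_failed_unlocks is None:
        findings.append("auto-wipe on failed unlocks disabled")
    elif posture.wipe_after_failed_unlocks > policy.max_failed_unlocks:
        findings.append(f"auto-wipe threshold too high ({posture.wipe_after_failed_unlocks} > {policy.max_failed_unlocks})")
    return findings

def access_decision(policy: ByodPolicy, posture: DevicePosture) -> str:
    """Conditional-access style gate: a non-compliant device is denied, not merely logged."""
    return "grant" if not evaluate(policy, posture) else "deny"

# Constructed sample postures (not real devices).
SAMPLE_POSTURES = [
    DevicePosture("phone-A", 6, True, True, 10),
    DevicePosture("phone-B", 4, True, False, None),
    DevicePosture("tablet-C", 8, False, True, 15),
]

if __name__ == "__main__":
    policy = ByodPolicy()
    for posture in SAMPLE_POSTURES:
        print(posture.device_id, access_decision(policy, posture), evaluate(policy, posture))
```

The findings list doubles as the remediation message shown to the user, so a denied device tells its owner exactly which policy item to fix.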
In ISO 27001 terms, this policy is a 'Management Instruction', which will incorporate multiple controls from your Annex A implementation and other high-level arrangements. A BYOD policy is very organization-specific, but the generic policy included in our toolbox is a great place to start!
5. Test and verify the security of the implementation
Perform security testing and review of the implemented solution. Assessments should be performed using an integrated testing approach combining automated tools and manual penetration testing, and preferably utilizing a trusted third party that has a proven track record assessing mobile deployments.
We recommend that you assess the implementation as a whole, and test devices, apps, and the management solution together. In addition, it is important to test the infrastructural changes that are performed to allow mobile devices to connect to the enterprise network, such as Wi-Fi deployments or VPN endpoints.
6. Seek continual improvement by measuring success and ROI and capturing lessons learned
Define and measure key performance indicators of the BYOD program, and seek extensive direct user feedback. Use these measurements to identify areas for improvement.