Every organisation should be considering policies for the use of BYOD within their environment and need to bear in mind that restrictive polices often fail if employees; from the senior level downwards; feel the policies interfere with doing their job and can’t see the implication of their actions on the security and governance of their employers business will continue with unsanctioned behaviour as they try and meet deadlines.
Organisations need to have well thought out policies and have in places procedures for implementing them, employees need to be informed of and frequently refreshed about the policies and implications to the organisation of breeches to information security as part of a continual information security education programme.
Policies on the use of BYOD should outline the privacy issues affecting both the owner of the equipment and the employer; it should cover the privacy the employee should expect from connecting their device to the corporate systems. Another important section of the policy is that it should cover what happens when a device is lost or upgraded. Requirements for notifying the IT department about such circumstances need to be included, the possibility needs to be considered if it is not possible to wipe the corporate data only then the whole device could be wiped losing all data for the employee.
The employee would need to agree to the policy before being able to use their own devices. There is often an advantage of allowing employees to use their own devices in terms of improved productivity, reduced expenditure; however there are costs and negative implications to both the employee and the employer.
Topics to be covered by a policy include
- Device Selection
- Encryption
- Authentication
- Remote Wipe Capabilities
- Incident Management
- Control Third-Party Apps
- Network Access Controls
- Intrusion Prevention / Detection Software (IPS/IDS)
- Anti Virus - AV
- Connectivity (Bluetooth/Wifi mobile hotspot)
It is not possible for an organisation to be able to support all devices on the market; therefore it may be necessary to limit allowed devices to a subset of those available. Selection of those devices will be a contested decision with various camps complaining their favourite manufacture or OS is not included. Ensuring the list is circulated to employees and reviewing the supported devices on a regularly basis will help alleviate device selection problems.
There are a large number of technical solutions that are available; however the selected solution should support the organisations aims and mission, within the selection process as with the policy generation it may be necessary to seek expert opinion.
There is no reason why the use of BYOD within the organisation cannot be allowed, giving greater flexibility to employees with improved productivity in a controlled environment that will protect the organisation. This is far better than having employees using their own devices in an uncontrolled manner and possible in an unknown manner leaving an organisation vulnerable to a problem they are not aware of. Having a policy that supports employees makes it easier to have sanctions for those who do not comply, no policy allows a situation where there is no control and a restrictive policy will often force employees to use their devices on the quiet.
No comments:
Post a Comment