It’s no surprise that Mobile is one of the four competencies which will need to be addressed in 2013. I addressed the mobile competencies in some detail in one of my blogs last year, so for the sake of completeness I will revisit them here to ensure my recommendations are still valid.
Many information-security and IT teams are under pressure to rapidly support mobility. Although time is of the essence, successfully managing the risks requires coordinating stakeholders, creating policy and processes, integrating security into mobile plans and educating users. A basic checklist for a BYOD program must include terms and conditions, including enterprise and end-user rights and responsibilities for using a personal mobile device for work. Here are a few recommendations to get you started:
- Make signing a legal agreement a prerequisite to using a personal mobile device; in fact, a lot of organizations include mandatory training at this stage so the user understands the risks.
- Stolen or lost devices must be reported within a specific period of time
- Ensure employees understand the company’s rights with respect to monitoring and wiping devices. Also, users must understand that their personal data may also be wiped.
- Include specific provisions on how the company will monitor the device, retain the device or wipe the device (complete wipe or just the corporate container)
- Require the use of the organization’s corporate account for storing data in the cloud.
- Ensure end-users are responsible for backing up personal data
- Clarify lines of responsibility for device maintenance, support and costs
- Require employees to remove apps at the request of the organization
- Establish that the company will disable a device’s access to the network if a blacklisted app is installed or if the device has been jailbroken or tampered with in any way
- Specify the consequences for any violations to the policy
It seems to me that a lot of these recommendations should already be common practice in a good security program, as most of them apply equally to a corporate-issued laptop. And let’s face it: most of us have personal information on our corporate laptops anyway…
All of these recommendations will require an enterprise to truly understand the nature of its BYOD estate. I fear a lot of organizations are under so much time pressure that BYOD has been implemented by stealth rather than as part of the overall security program. But the quicker you take hold of the reins, the stronger your position will be to implement a comprehensive BYOD program.