Bring Your Own Device Security Strategies – Part 3
Developing BYOD policy
Having established BYOD objectives, user needs, and the level of risk an enterprise is willing to accept, the next step is developing the policy. A policy is essential to set out the responsibilities of the enterprise and of its employees with regard to BYOD.
The policy should cover the following areas:
- Define the scope of tasks employees will be allowed to perform from their devices.
- Define the tasks employees will not be permitted to perform from their devices.
- Establish what services and what type of data within these services will be exposed to personal device users.
- Establish how much control employees will be willing to grant over their devices, and how much control the enterprise requires.
Any policy is only as good as the degree to which it is adhered to. Hence part of any policy should define the actions triggered when users do not follow the steps outlined in it.
Policy Technical Controls
Technical controls will most likely have to be developed as part of an effective policy implementation, such as:
- Type of permitted client access.
- Minimum standards for hardware and software versions.
- Types of policies enforced and methods of enforcing them.
  – For example, minimum passcode length and preventing copy and paste between work and personal apps, and whether these policies will apply at the device level, the application level, or both.
- A method for removing access and corporate data when an employee changes their device or role, or leaves the organisation.
- Type of service access policies in place.
  – Such as compliance policies and strong authentication (such as MFA) to verify devices before they are allowed access to BYOD-approved enterprise services.
- Strict data access rules on individual services (access only to data in line with the enterprise’s risk policy).
- Point and type of policy enforcement (at an authentication service, a network firewall, or the perimeter of specific services).
- Method of enforcing separation between business and personal applications, for example to prevent corporate data from being opened in or moved to personal applications.
- Appropriate security incident handling.
- Defining the types (desktop, laptop, smartphone, tablet) and the number of devices allowed.
- Place of use of BYOD devices.
  – Will BYOD devices be used from remote locations only, or will they be brought into office spaces and connected to ‘trusted’ networks? Will use abroad be permitted?
- Controls in place to prevent unauthorised devices from accessing sensitive information.
- Ways to encourage users to adopt the policies.
  – How will the BYOD policies be communicated to users, and how will users be encouraged to follow them?
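Several of the controls listed above (minimum OS version, minimum passcode length, MFA before service access, work/personal separation, a device-count limit, office-network restrictions, and removal of access when someone leaves) are the kind of checks a compliance or conditional-access service evaluates at sign-in. The following is an added illustration, not code from the original post: a small policy evaluator that scores a reported device posture against a BYOD policy and returns every failed control, plus a registry that handles offboarding. The attribute names, thresholds and sample devices are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DevicePosture:
    """Attributes a device-management agent or sign-in service would report
    about a personal device. Field names are assumptions for this example."""
    device_id: str
    owner: str
    device_type: str               # "smartphone", "tablet", "laptop", "desktop"
    os_version: Tuple[int, ...]    # e.g. (17, 2)
    passcode_length: int
    mfa_verified: bool             # strong authentication completed this session
    work_profile_enforced: bool    # work/personal app separation in place
    on_corporate_network: bool     # connected to an office 'trusted' network


@dataclass
class BYODPolicy:
    allowed_device_types: Set[str]
    min_os_version: Dict[str, Tuple[int, ...]]   # per device type
    min_passcode_length: int
    max_devices_per_user: int
    require_mfa: bool = True
    require_work_profile: bool = True
    allow_on_corporate_network: bool = False     # remote use only by default


def evaluate_device(policy: BYODPolicy, device: DevicePosture,
                    already_registered: int) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). `already_registered` is the number of other
    devices the owner has enrolled. All failed controls are collected rather
    than stopping at the first, so the user can be told exactly what to fix;
    access is granted only when no control failed."""
    reasons: List[str] = []

    if device.device_type not in policy.allowed_device_types:
        reasons.append(f"device type '{device.device_type}' is not permitted")
    else:
        minimum = policy.min_os_version.get(device.device_type)
        if minimum is not None and device.os_version < minimum:
            reasons.append(f"OS version {device.os_version} below minimum {minimum}")

    if device.passcode_length < policy.min_passcode_length:
        reasons.append(f"passcode length {device.passcode_length} below "
                       f"minimum {policy.min_passcode_length}")
    if policy.require_mfa and not device.mfa_verified:
        reasons.append("strong authentication (MFA) not completed")
    if policy.require_work_profile and not device.work_profile_enforced:
        reasons.append("work/personal separation not enforced on device")
    if device.on_corporate_network and not policy.allow_on_corporate_network:
        reasons.append("personal devices may not connect from the corporate network")
    if already_registered >= policy.max_devices_per_user:
        reasons.append(f"user already has {already_registered} registered devices "
                       f"(limit {policy.max_devices_per_user})")

    return (not reasons, reasons)


class DeviceRegistry:
    """Tracks which personal devices each user has enrolled."""

    def __init__(self) -> None:
        self._devices: Dict[str, Set[str]] = {}

    def register(self, device: DevicePosture) -> None:
        self._devices.setdefault(device.owner, set()).add(device.device_id)

    def count(self, owner: str) -> int:
        return len(self._devices.get(owner, set()))

    def offboard(self, owner: str) -> List[str]:
        """Leaver or role change: drop the user's enrolments and return the
        device ids whose corporate data and access must now be removed."""
        return sorted(self._devices.pop(owner, set()))


def example_policy() -> BYODPolicy:
    """Constructed policy values, not figures from the original post."""
    return BYODPolicy(
        allowed_device_types={"smartphone", "tablet", "laptop"},
        min_os_version={"smartphone": (17, 0), "tablet": (17, 0), "laptop": (14, 0)},
        min_passcode_length=6,
        max_devices_per_user=2,
    )


if __name__ == "__main__":
    policy = example_policy()
    registry = DeviceRegistry()
    phone = DevicePosture("dev-1", "alice", "smartphone", (17, 2), 6, True, True, False)
    allowed, why = evaluate_device(policy, phone, registry.count("alice"))
    print(phone.device_id, "allowed" if allowed else "denied", why)
    if allowed:
        registry.register(phone)
    print("offboarding alice, wipe corporate data from:", registry.offboard("alice"))
```

Reporting every failed control at once is a deliberate choice: it supports the "ways to encourage users to adopt the policies" point, since a user who is told "OS too old and MFA missing" in one message is more likely to remediate than one who is bounced repeatedly. The `offboard` return value is the hand-off to whatever selective-wipe mechanism the enterprise uses.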
In next week’s blog, we will look at good practices for BYOD.