2. INTRODUCTION
• Bring Your Own Device (BYOD) has become one of the most influential trends that has touched, or will touch, every IT organization.
• The term has come to define a megatrend in IT that requires sweeping changes to the way devices are used in the workplace.
3. WHAT IS BYOD?
• Bring your own device (BYOD) (also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.
Source: Wikipedia
4. THE CONFLICT
Corporate space versus consumer space, compared on four dimensions:
Mobile phones
  Corporate space: Devices with functionality limited to phone calls and email
  Consumer space: Smart phones offering tens of thousands of useful apps, typically iPhone
What to Store
  Corporate space: Restricted storage for official files and email
  Consumer space: Providers such as Google and Yahoo offering virtually unlimited storage to store whatever you want
Update Cycles
  Corporate space: Long replacement cycles – up to four years for hardware and eight years for software
  Consumer space: Very rapidly updated hardware – immediate download of new apps and services
Style and Customization
  Corporate space: Highly standardized, inflexible and often restricted environment
  Consumer space: High variety of consumer devices, systems, applications and “skins”
8. CHALLENGES FOR IT ORGANIZATION
• Unclear cost benefits
• Providing device choice and support
• Maintaining secure access to the corporate network
• On-boarding of new devices
• Enforcing company acceptable usage policies
• Visibility of devices on the network
• Protecting data and loss prevention
• Revoking access
• Potential for new attack vectors
• Ensuring wireless LAN performance and reliability
• Managing the increase in connected devices
9. CHALLENGES FOR END USER
• Keeping it simple
• Mixing personal device with work
• Getting the productivity and experience needed
10. PRIVACY CHALLENGES
• Personal nature of device and expectation of privacy
  • Is prohibited web surfing on a company device allowed on the personal device?
  • Personal data: pictures, videos, personal emails, bank statements, tax returns, social security numbers, chat histories, user names/passwords, medical information
• Mobile nature of the devices
  • Remote working and travel (checking to see if employee is where they are supposed to be)
• Where monitoring may occur on a personal device:
  • While connected to the network
  • Data in transmission between personal device and network
  • Monitoring of “sandboxed” or company area of mobile device
  • Monitoring of entire device (e.g. key stroke logger; recording browser history, etc.)
  • Location
12. INCIDENT RESPONSE CHALLENGES
• Obtaining access to the device and data thereon
  • Physical possession
  • Unlocked/login credentials
  • Unencrypted
• Remote wiping
• Timing issues
  • Incident detection
  • Litigation holds/tampering of evidence
  • Installation of software may be required
• Damage to the device
  • Data loss
  • Software corruption
  • Loss of use
• Privacy issues
  • Cooperation issue
  • Ability to tie to business need and limit scope
15. BYOD GOVERNANCE
• Creation of organization-specific BYOD policies developed in conjunction with Legal, HR, IT, Procurement, Sales, and others
• Transparent guidelines on who is or is not eligible for the program
• New employee agreements for support, risk, and responsibility
• Adjustments to service levels and service desk training
• Funding and reimbursement strategies
• Employee education and IT publishing specifications on acceptable devices
• Customization by country and possible tax implications for both employee and employer
16. BYOD GOVERNANCE
• Individual responsibility needs are heightened under BYOD programs
• Corporate management needs to be transparent in requiring greater management control over an individual’s devices in order to allow BYOD programs to work
• Internal audit team’s knowledge of the organization’s mobile strategy needs to evolve just as quickly as the mobile landscape
• Governance must include an interdisciplinary Steering Committee to identify, discuss, and evaluate risks from an interdisciplinary perspective
17. RISK ANALYSIS
• Performing a risk analysis prior to implementing a BYOD program is crucial
• Interdisciplinary teams should be involved in the risk analysis
• Risk assessment should incorporate the likelihood as well as the impact of the risks
• Risk analysis should address identification of the associated BYOD information risks to the organization:
  • Handling of personally identifiable information (PII)
  • Handling of high value organizational information
  • Handling of other data impacted by regulatory compliance (healthcare data, credit card data)
• Risk assessment mitigation plans must be owned by the business and IT stakeholders and properly implemented
19. MOBILE DEVICE MANAGEMENT
• Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises
• MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, ruggedized mobile computers, mobile printers, mobile POS devices, etc.
• By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks
• The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime
20. MOBILE DEVICE MANAGEMENT
• Mobile Device Management software (MDM) can consist of four main components:
  • Software management - Manage and support mobile applications, content and operating systems (configuration, updates, patches/fixes)
  • Network service management - Gain information off of the device that captures location, usage, and cellular and WLAN network info (provisioning, usage, service, reporting)
  • Hardware management - Provisioning and support (asset/inventory, activation) beyond basic asset management
  • Security management - Enforcement of standard device security, authentication and encryption (remote wipe, policy enforcement)
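The "security management" component above (policy enforcement, encryption checks, remote wipe) and the governance slides' point that company data should live in a managed, "sandboxed" area are easiest to see as a concrete compliance check. The following is an added example written for this page; it is not code from the original deck or from any MDM product. The device inventory, field names, policy thresholds and the three actions (allow, quarantine, wipe_work_data) are all constructed for illustration; a real MDM exposes its inventory through its own API and data model.

```python
# Added example (not from the original deck or any MDM vendor): a minimal
# compliance check of the kind an MDM's security management component runs
# over its device inventory. All records, field names and thresholds below
# are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str            # "ios" or "android" in this constructed inventory
    os_version: Version
    encrypted: bool          # device storage encryption enabled
    passcode_set: bool       # screen lock / passcode configured
    jailbroken: bool         # rooted or jailbroken, as reported by the agent
    days_since_checkin: int  # days since the MDM agent last reported in
    work_container: bool     # company data confined to a managed "sandbox"


@dataclass
class Policy:
    min_os_version: Dict[str, Version]   # platform -> minimum supported version
    max_days_since_checkin: int = 7
    require_encryption: bool = True
    require_passcode: bool = True
    require_work_container: bool = True


def fmt_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def evaluate(device: Device, policy: Policy) -> Tuple[str, List[str]]:
    """Return (action, findings) for one device.

    Actions, least to most severe:
      allow          - compliant, keep corporate access
      quarantine     - block corporate network access until remediated
      wipe_work_data - selectively wipe the managed work container only;
                       personal data on the device is left untouched
    """
    findings: List[str] = []
    if device.jailbroken:
        findings.append("rooted/jailbroken device")
    if policy.require_encryption and not device.encrypted:
        findings.append("storage not encrypted")
    if policy.require_passcode and not device.passcode_set:
        findings.append("no passcode/screen lock")
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform: {device.platform}")
    elif device.os_version < minimum:   # tuple comparison orders (major, minor, patch)
        findings.append(f"{device.platform} {fmt_version(device.os_version)} "
                        f"below minimum {fmt_version(minimum)}")
    if device.days_since_checkin > policy.max_days_since_checkin:
        findings.append(f"no check-in for {device.days_since_checkin} days "
                        f"(limit {policy.max_days_since_checkin})")
    if policy.require_work_container and not device.work_container:
        findings.append("company data not confined to managed work container")

    if device.jailbroken:
        action = "wipe_work_data"   # device integrity can no longer be trusted
    elif findings:
        action = "quarantine"
    else:
        action = "allow"
    return action, findings


def evaluate_inventory(devices: List[Device], policy: Policy) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every device and key the results by device id."""
    return {d.device_id: evaluate(d, policy) for d in devices}


POLICY = Policy(min_os_version={"ios": (16, 0, 0), "android": (13, 0, 0)})

# Constructed sample inventory; none of these are real devices or people.
INVENTORY = [
    Device("dev-001", "alice", "ios", (17, 2, 1), True, True, False, 1, True),
    Device("dev-002", "bob", "android", (12, 0, 0), True, True, False, 3, True),
    Device("dev-003", "carol", "ios", (17, 0, 0), True, True, True, 0, True),
    Device("dev-004", "dave", "android", (14, 0, 0), False, False, False, 12, False),
]

if __name__ == "__main__":
    for device_id, (action, findings) in evaluate_inventory(INVENTORY, POLICY).items():
        print(f"{device_id}: {action}")
        for finding in findings:
            print(f"    - {finding}")
```

The design point is the split between quarantine and a selective wipe: most non-compliance (old OS, stale check-in, missing passcode) only costs the user corporate access until fixed, while a jailbroken device triggers a wipe of the work container rather than the whole device, which is what keeps the "monitoring of the sandboxed area only" privacy boundary intact.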