If you have not yet instituted a Bring Your Own Device (BYOD) policy at your company, or even if you already have one, you should review the new government BYOD Toolkit. On August 23, 2012, A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs was released by the Digital Services Advisory Group and the White House.
In order to keep track of all of the BYOD devices in your organization, consider implementing a Configuration Management Database (CMDB).
Not having a policy in place can create difficulties, while having one helps the various parties involved - users, IT staff, accounting. Another valuable government resource is NIST's July 2012 draft, Guidelines for Managing and Securing Mobile Devices in the Enterprise (Draft): Recommendations of the National Institute of Standards and Technology. In the Mobile Device Overview section, NIST defines high-level threats and vulnerabilities, including Lack of Physical Security Controls, Use of Untrusted Mobile Devices, and Use of Untrusted Networks.
"The devices' mobile nature makes them much more likely to be lost or stolen than other devices, so their data is at increased risk of compromise. When planning mobile device security policies and controls, organizations should assume that mobile devices will be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization's remote resources."
Although your organization may not employ secret agents, one area you may not have considered restricting is the Use of Location Services on the devices. "In terms of organization security, mobile devices with location services enabled are at increased risk of targeted attacks because it is easier for potential attackers to determine where the user and the mobile device are, and to correlate that information with other sources about who the user associates with and the kinds of activities they perform in particular locations."
The rise in smartphone use has created not only security concerns for organizations, but also many potential areas of legal conflict, including violations of the Fair Labor Standards Act (FLSA). For example, the May 2012 Littler Initiative entitled The "Bring Your Own Device" to Work Movement notes that the adoption of BYOD will increase certain employment and labor law risks in the areas of Time Recording and Overtime; Harassment, Discrimination, and Equal Employment Opportunities; Workplace Safety; Acceptable Use of Technology; Confidentiality and Trade Secret Protection; and more.
BYOD guidelines should also address confidentiality and data ownership - including the need to wipe data after a device is lost or stolen or an employee leaves. Of course, those in highly regulated industries also need to consider compliance with PCI, HIPAA, GLBA, SOX and similar regulations, which require that your devices take the added precaution of safeguarding sensitive data such as patient/client information.
Allowing BYOD into your secure environment is one issue, but what about mandatory BYOD? Taking the discussion one step further, there is the possibility of mandatory BYOD being implemented. In the Federal Times, Nicole Blake Johnson's article "Agencies can mandate personal phones" examines this possibility. She interviewed CIO Chris Cruz of California's Department of Health Care Services. He foresees that most department employees will be participating in a mandatory BYOD program in the next 3-5 years. In cash-strapped California, his department has saved more than $300,000 over the past year.
BYOD raises many questions. Does IT fully support the myriad user devices? Who actually owns the device? Who is responsible for repairs? What about content inappropriate for a business environment on a user's personal device? What are the expectations for work email after hours? Ensuring that your organization's BYOD policies address these questions will help to keep your IT organization safe and secure.
Flickr Image: Cory M. Grenier