Crafting a bring your own device security policy

Bring your own device initiatives are now commonplace in the enterprise, but any BYOD policy is incomplete without addressing acceptable use, enforcement and privacy.

Businesses are buying into the concept of mobility management as a way to ensure that all mobile devices are properly configured, secured, backed up and otherwise in compliance with the organization's mobility goals. But many enterprises today do not yet have a device security policy that focuses specifically on bring your own device.

Such a deficiency can result in critical failures in security, wasted resources -- in terms of productivity as well as dollars -- and many more potential pitfalls. Security failures and inefficiencies can affect the bottom line and the overall reputation of the organization itself.

Before focusing specifically on a bring your own device (BYOD) security policy, companies should first have an overall IT security policy with a focus on, but not limited to, mobility. That policy document can cover a wide variety of topics, but at a minimum it must define the following:

  • What information is sensitive and thus worthy of protection?
  • Who can have access to this information and under what circumstances?
  • How do you respond in the event of a breach?

In general, a corporate IT security policy need not define specific technologies, such as which VPN is used or what authentication mechanism is applied, but it must remind everyone that, once compromised, sensitive information remains so forever. As with the "Loose lips sink ships" posters from World War II, the security of strategic information is everyone's responsibility.

Even before an organization implements security mechanisms and conducts detailed analyses, a carefully considered incident-response plan is important to successfully contain breaches. Depending upon the nature of the organization's mission and its regulatory environment, background checks on specific individuals may also be required.

More than one staff member should regularly monitor compliance with enterprise security policies. This will minimize the possibility of errors and identify any inside activity that may compromise corporate systems or data, either unintentionally or otherwise.

Also, note that the enterprise security policy is often independent of local bring your own device strategies. But once such a security policy is in place, there are a few more items to address, including BYOD and acceptable use.

BYOD needs written agreements

A BYOD policy specifies who may use their own devices for business activities and the responsibilities of the company and employees. It's a good idea to restrict possible mobile device/operating system combinations, specify which authentication mechanisms may be applied and describe what management procedures are permissible (whether implemented or not). A BYOD policy could even state which enterprise mobility management products may be used.

As with other services, a written agreement ensures that both parties are aware of the terms and conditions of mobile device use. Restricting the set of permitted devices and mobile OSes is essential for keeping support costs down and making sure that important updates are actually applied. Older OS releases often carry publicly known vulnerabilities that the vendor will never patch, whereas newer releases usually include security improvements.
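The device/OS restriction described above is easiest to enforce when it is written down as machine-checkable policy rather than prose. The following is an added illustration, not code from this article or from any EMM product: it assumes a hypothetical policy consisting of an allowlist of models per platform and a minimum OS version per platform (the specific models and versions are placeholders, not recommendations), and evaluates a constructed device inventory against it. Real EMM products expose their own inventory APIs; the record format here is invented. One detail worth noting is that OS versions must be compared numerically, since a plain string comparison would rank "9.3" above "13".

```python
"""Compliance check for a hypothetical BYOD device allowlist.

Added illustration, not code from the article or any EMM product. The policy
tables, the Device record format and the sample inventory are all invented.
"""
from dataclasses import dataclass

# Hypothetical policy: permitted models per platform and minimum OS version.
# Values are placeholders chosen for the example, not recommendations.
ALLOWED_MODELS = {
    "ios": {"iPhone 13", "iPhone 14", "iPad Pro"},
    "android": {"Pixel 7", "Galaxy S23"},
}
MIN_OS_VERSION = {
    "ios": "16.4",
    "android": "13",
}


def parse_version(text: str) -> tuple:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically.

    Never compare raw strings: as strings, '9.3' > '13' because '9' > '1'.
    Anything non-numeric raises, so the caller treats it as unverifiable.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class Device:
    device_id: str
    platform: str
    model: str
    os_version: str
    rooted: bool = False  # jailbroken/rooted flag as reported by the management agent


def evaluate(device: Device) -> list:
    """Return the list of policy violations for one device (empty means compliant)."""
    problems = []
    platform = device.platform.lower()
    if platform not in ALLOWED_MODELS:
        return [f"platform {device.platform!r} not permitted"]
    if device.model not in ALLOWED_MODELS[platform]:
        problems.append(f"model {device.model!r} not on allowlist for {platform}")
    minimum = MIN_OS_VERSION[platform]
    try:
        if parse_version(device.os_version) < parse_version(minimum):
            problems.append(f"OS {device.os_version} below minimum {minimum}")
    except ValueError as exc:
        # An unparseable version is a failure to verify, not a pass.
        problems.append(f"cannot verify OS version: {exc}")
    if device.rooted:
        problems.append("device reports rooted/jailbroken")
    return problems


def noncompliant(devices) -> dict:
    """Map device_id -> violations for every device that fails the policy."""
    return {d.device_id: issues for d in devices if (issues := evaluate(d))}


# Constructed sample inventory (fictional devices).
SAMPLE_INVENTORY = [
    Device("d1", "iOS", "iPhone 14", "17.0.2"),               # compliant
    Device("d2", "iOS", "iPhone 13", "15.7"),                 # below minimum OS
    Device("d3", "Android", "Pixel 7", "9.3"),                # old; a string compare would pass it
    Device("d4", "Android", "OnePlus 11", "14"),              # model not on allowlist
    Device("d5", "Android", "Galaxy S23", "13.0", rooted=True),
    Device("d6", "Windows", "Surface", "11"),                 # platform not covered by policy
    Device("d7", "iOS", "iPad Pro", "beta"),                  # unverifiable version string
]

if __name__ == "__main__":
    for dev_id, issues in noncompliant(SAMPLE_INVENTORY).items():
        print(dev_id, "->", "; ".join(issues))
```

Running the module prints one line per non-compliant device; a compliant device such as d1 produces no output. The check deliberately fails closed on an unparseable version and on a platform the policy does not mention, which is the behaviour you want when the agreement says "only these devices" rather than "anything not explicitly banned".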

Some organizations, particularly in highly regulated sectors such as finance, healthcare and government, allow only devices that they own. Remember, while BYOD may dominate the device-provisioning landscape, the corresponding acronym for "bring any device" is in fact BAD -- in more ways than one!

That’s why it’s important to define acceptable use for your end users. Regardless of whether an endpoint device is supplied by the user or the organization, an acceptable-use policy defines what activities can be legitimately conducted on a laptop, smartphone or tablet, as well as the corporate network and related IT infrastructure to which it connects.

An acceptable-use policy -- possibly as part of a BYOD agreement -- helps to protect the organization from any acts on the part of individuals that might be counter to policy or even illegal. Regular reminders to staffers of the policy's terms are also important.

Using EMM for mobile policy management

While many people assume that mobile device management (MDM) is the backbone of mobility management, it is in fact only one component of the larger framework of enterprise mobility management (EMM).

EMM also includes mobile application management (MAM) and especially mobile content management (MCM), both of which are just as important as MDM. MAM determines what applications may be used -- and which ones cannot. MCM secures sensitive data in a "container" on the mobile device that is centrally managed by the organization.

MAM and MCM are essential to the effective management of operating costs and security overall. Both can also be used to monitor and ensure compliance with corporate mobility policies and industry regulations. Technologies and policies must be kept up to date to deal with the increasing use of services in the cloud.

It's a good idea to obtain legal advice regarding mobility, privacy and security policies because case law is not yet well-established. Regulations can vary widely among jurisdictions, industries and especially nations.

It is vital to carefully think through training requirements, which might include both classroom time and Web-based documents. Educating staffers can provide regular (if subtle) reinforcement of best practices. As monitoring technologies and organizational requirements change, any training should mirror these changes.

A bring your own device security policy can be reinforced by raising awareness. On the technology side, enterprises should use effective encryption, authentication and EMM products. In addition, they can increasingly use analytics to discover potential problems before they become major sources of risk, cost and embarrassment.

It's important to caution once again that there is no such thing as absolute security. There is a fundamental tension between making information available to those who need it and still keeping it secure. It is possible, however, to minimize BYOD risks by vetting individual users, setting organizational policies, and monitoring actual mobile usage and data access.
