
Policy and risk issues for BYOD


Effective Security Policies for a BYOD

Environment

A Presentation to Industry Colleagues

Delivered on Wednesday, October 31, 2012 in Scottsdale, AZ

Harry Contreras - CISSP Information Security Policy Manager

H. Contreras - CISSP Presentation - Slide 2© COMPANY NAME

Mobility issues facing businesses today

Addressing risk and liability issues through policy

Writing effective mobile security policies

Policy re-use: What can remote access teach us about mobile issues?

Policy program challenges and solutions

Sign-off and delivery of policies

Policy enforcement and updating

Q & A

References and Resources following

Presentation Key Points


Address Company risks through policy for the newer mobility technologies introduced by consumer-owned and consumer-managed platforms.

Your goal –

A mobility BYOD policy that negotiates the risk landscape obstacles.

Addressing risk and liability issues through policy


What’s that? You said you addressed this before…

Enter the “BYOD” mobility model

Reflection point –

A newer mobility approach that introduces consumer-owned and consumer-managed platforms.

Risk and liability remains for the company regardless of the mobility approach.

Only now, these are not Company assets to control…

Addressing risk and liability issues through policy


What is policy?

Company/business position statements

Declaration of expected behaviors for business operations and employees to follow

Effectiveness of policy is based on its integration into the Company culture and the clearly identified enforcement outcomes that are visible to employees.

Key point here is - “visible” enforcement.

Without consequence there is no behavior modification.

Addressing risk and liability issues through policy


There is a hierarchy of policy for Companies to address

Internal – Company derived

External – Regulatory/legislated, Industry based

Company internal and external issues are complementary, not “vs.”

Both are influencing factors to address

Addressing risk and liability issues through policy


Regulatory “entanglements”

Personal, Health and Card Holder privacy regulations

SEC regulation

Rule 26 / e-Discovery

IRS regulation and use reporting requirements

Forensics and investigations

Company and operations specific issues

Company contractual obligations

Business “verticals” – e.g. health, government, industry

Global operation and regional regulatory issues

Addressing risk & liability issues through policy


… we are only porting Company email to our users’ personal devices…

Why all this concern?

- Liability and Risk -

Will the company information remain captive on these devices?

Do employees “conduct business” on their personal devices?

Now that you have commingled Company information, the liability and risk issues are compounded.

Addressing risk and liability issues through policy


Remember…You don’t own it!

- Audit Question? -

“You put the Company data where?”

Secured by how and who?

Now that you have commingled Company information, the liability and risk issues are compounded…

You know that auditors will inspect, document and report.

(That is their mission.)

Addressing risk and liability issues through policy


Communicating policy and expected behaviors -

Employees are introduced to Company policy at time of hire and continually reminded of the expectations stated in legacy and newly introduced policies.

Key point here is the continual reminder of compliance with the operational and behavioral expectations in stated policies.

Are your Company policies out in front of the risk and liability issues?

This is a critical factor in introducing BYOD policies to a Company today.

Addressing risk and liability issues through policy


Addressing policy effectiveness

Integrate with existing Company policies for compliance

Implementation of an employee-signed “Opt-In” Agreement to participate in a BYOD Mobility program.

Consult with Legal and Human Resources

Corporate governance must endorse

These are critical factors in introducing BYOD policies to a Company.

Addressing risk and liability issues through policy


Policy in this specific technology space –

Must be clear, concise and definitive

Not effective if subject to differing interpretations.

Must not conflict with existing Company policies.

What is required in policy statements for BYOD

Statements of behavioral expectations

Declaration of implemented enforcement controls

Writing effective mobile security policies


Policy abstract – types of policy

Behavioral – voluntary or consensual participation

Some examples – Agreements, “Opt-In”

Control enforcement declaration

Automated management and enforcement systems

Logical event-based or condition-based actions

- MDM systems

- New or existing control systems
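The following is an added example, not code from the presentation or from any MDM product: it shows how written policy statements of the kind listed above become condition-based enforcement actions that an automated control system evaluates against reported device posture. The device attribute names, rule texts, thresholds and event names are assumptions constructed for illustration. The strictest action wins, and the violated policy statements are returned alongside it so the enforcement outcome stays auditable and visible.

```python
"""Added example (not from the presentation): a small evaluator that maps
written BYOD policy statements to the conditional enforcement actions an
MDM system automates. Device attributes, rule texts, thresholds and event
names are assumptions constructed for illustration, not any product's schema."""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Callable, List, Tuple


class Action(IntEnum):
    """Enforcement outcomes, ordered by severity so the strictest wins."""
    ALLOW = 0
    NOTIFY = 1           # remind the user of the stated expectation
    BLOCK_ACCESS = 2     # suspend Company mail/VPN for this device
    SELECTIVE_WIPE = 3   # erase the Company container only; the device is not a Company asset


@dataclass(frozen=True)
class DevicePosture:
    """Posture as reported by the device agent (constructed field names)."""
    device_id: str
    opt_in_signed: bool        # signed Opt-In acknowledgement on file
    passcode_set: bool
    storage_encrypted: bool
    jailbroken: bool
    os_version: Tuple[int, int]
    reported_lost: bool = False
    days_since_checkin: int = 0


@dataclass(frozen=True)
class Rule:
    policy_text: str                               # the policy statement as written
    violated: Callable[[DevicePosture], bool]      # condition that triggers enforcement
    action: Action


MIN_OS = (6, 0)          # assumed minimum supported OS version
MAX_CHECKIN_DAYS = 30    # assumed check-in window

RULES: List[Rule] = [
    Rule("Participation requires a signed Opt-In acknowledgement",
         lambda d: not d.opt_in_signed, Action.BLOCK_ACCESS),
    Rule("Devices must not be jailbroken or rooted",
         lambda d: d.jailbroken, Action.SELECTIVE_WIPE),
    Rule("A device reported lost will have Company data erased",
         lambda d: d.reported_lost, Action.SELECTIVE_WIPE),
    Rule("Device storage must be encrypted",
         lambda d: not d.storage_encrypted, Action.BLOCK_ACCESS),
    Rule("A device passcode must always be set",
         lambda d: not d.passcode_set, Action.BLOCK_ACCESS),
    Rule("The OS must be at or above the minimum supported version",
         lambda d: d.os_version < MIN_OS, Action.NOTIFY),
    Rule("Devices must check in with the MDM at least every 30 days",
         lambda d: d.days_since_checkin > MAX_CHECKIN_DAYS, Action.NOTIFY),
]


def evaluate(device: DevicePosture, rules: List[Rule] = RULES) -> Tuple[Action, List[str]]:
    """Return the strictest action any violated rule calls for, plus the
    policy statements that were violated (the audit trail for the action)."""
    violated = [r for r in rules if r.violated(device)]
    if not violated:
        return Action.ALLOW, []
    return max(r.action for r in violated), [r.policy_text for r in violated]


def on_event(device: DevicePosture, event: str) -> DevicePosture:
    """Apply a reported event to the posture record and return the new record.
    Event names are constructed for the example."""
    if event == "lost":
        return replace(device, reported_lost=True)
    if event == "jailbreak_detected":
        return replace(device, jailbroken=True)
    if event == "checked_in":
        return replace(device, days_since_checkin=0)
    raise ValueError(f"unknown event: {event}")


if __name__ == "__main__":
    # Constructed sample fleet: one compliant, one jailbroken, one with two lesser gaps.
    fleet = [
        DevicePosture("phone-1", True, True, True, False, (6, 1)),
        DevicePosture("phone-2", True, True, True, True, (6, 1)),
        DevicePosture("phone-3", True, False, True, False, (5, 1)),
    ]
    for dev in fleet:
        action, reasons = evaluate(dev)
        print(dev.device_id, action.name, reasons)
    lost = on_event(fleet[0], "lost")
    print(lost.device_id, evaluate(lost)[0].name)
```

Each rule carries the policy sentence it enforces, so the list returned with an action is the same wording the employee signed in the Opt-In agreement; a selective wipe of the Company container rather than a full-device erase reflects the point made earlier in the presentation that the device is not a Company asset to control.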

Writing effective mobile security policies


Policy examples of other Company compensating controls: legally binding agreements

Non-Compete Agreements

Non-Disclosure Agreements (NDA)

Some other example instruments

Intellectual property agreements

Writing effective mobile security policies


Policy in this specific technology space –

Must be clear, concise and definitive

Some example written statements contain -

Do, do not, will, must, always …

Is enforced…

In the event of…

Will be subject to…

Writing effective mobile security policies


Writing effective mobile security policies

What’s that? You said you addressed this before…

The “BYOD” mobility model is an entirely different technology problem and risk acceptance model

Critical success point –

Signed “Opt-In Acknowledgement” for program participation

Addresses the introduction of consumer-owned and consumer-managed platforms, as these are not Company assets to control


Writing effective mobile security policies

What’s in that “Opt-In” agreement?

Policy objective – acknowledgement of the implemented Company controls, and of the behavioral expectations that apply when an “event” condition occurs involving personal information or physical access to the personal device brought into the program. Clearly delineates the consequences of agreement violations.

Critical success point – Ask counsel…

Is it defensible?

Even with an “Opt-In” you have a two-legged stool.


Writing effective mobile security policies

Some example provisions in an “Opt-In” agreement

Signed acknowledgement and consent to adhere to the usage provisions stated therein

Consent to the implementation of the Company security controls applied to the device, and a restriction against modifying these controls

Consent to surrender the device for Company forensic investigation and/or e-Discovery when requested

Consent to surrender the associated mobile device phone number if requested by the Company

Clearly delineated agreement violation consequences.


Addressing the introduction of consumer-owned and essentially unmanaged platforms into Company networks and services

What are some issues –

Comingled personal and Company information

Are Company resources and services being “misappropriated”?

Are activities “auditable”, with clear accountability?

Note: user devices will be audited.

Consumer use mentality is an “insider threat” reality.

Writing effective mobile security policies


Addressed remote access services before…

What’s different?

Less control and more risk in connecting platforms of questionable integrity to Company platforms and services

Essentially extending remote access services to platforms that are not Company-owned

Exact parallel to connecting “third-party” systems

Same trust and control issues as third-party risk model

Policy re-use: What can remote access teach us about mobile issues?


Policy program challenges and solutions

Traditional policy-driven controls for Company platforms


Policy program challenges and solutions

What’s different from the traditional approach?

It is not a Company-owned asset (it is a third-party asset)

What is viable, supportable and allowable to implement on employee owned assets?

Will it be rejected as “intrusive” or “invading” technology?

User presence, Geo-locating, web content filtering

Services utilization reporting

Remote control and data erasure actions

Company requested surrender of personal device


Policy program challenges and solutions

Security will be a paramount issue

Mobile platforms represent the next and largest attack surface facing consumers and businesses

Asset loss – you already know the consumer track record in this space

Can the required support and security control expenses be met?

Will users accept application white-listing?

New and more aggressive mobile device exploits are on the way


Policy program challenges and solutions

Integrating “BYOD policy” into automated controls (MDM)


Policy program challenges and solutions

What are we up against with Mobility BYOD policy?

Lack of the following -

Command, Control, Contain

Even the “maintain” aspects for assets are out of reach.

And hopefully we do not have to…

Explain – data losses and escapes due to platform compromises outside of the policy control set.

Consideration - Your “walled garden” has a backdoor...


Recommendations and critical delivery actions

Conduct “walk-through” exercises for policy and control elements

Conduct “table-top” exercises of BYOD “incidents”

Validation activity

Testing of support services

Policy is vetted and endorsed

Mobility program is amended to include BYOD services

Availability of BYOD services is communicated

Sign-off and delivery of policies


Policy enforcement and updating

Recommendations and critical delivery actions

Policy enforcement actions clearly visible

Findings of abuse and negligent activity consequences communicated in Company newsletter

Policy maintenance is a shared activity among all Corporate functional stakeholders supporting risk and compliance concerns

Legal, Human Resources, Compliance, Business and IT Leadership all have vested interest

Policy remains vetted, endorsed and “in-place”


Reality check –

BYOD - it is not “if we build it they will come”

Policy exists in two realms

Behavior modification based on stated directives

Implemented controls automatically enforcing the stated policy directives

Adherence to policy is ___________ (fill in the blank).

Without consequence there is no behavior modification.

Summary


Q & A

Effective Security Policies for a BYOD Environment

- Resources list follows -


What Could Go Wrong? By Grant Moerschel, November 7, 2011. Published: informationweek.com

Information Week Reports – 2012 State of Mobile Security. By Michael Finnerman, May 11, 2012. Published: reports.informationweek.com

When BYOD Goes Wrong. By Darraugh Delaney, July 11, 2012. Published: http://blogs.computerworld.com

For BYOD Best Practices, Secure Data not Devices. By Thor Olavsrud, July 17, 2012. Published: www.cio.com.com

Mobile policy resource – Information Security Policies Made Easy. http://www.informationshield.com/ispmemain.htm

Mobile policy resource – Individual Liable User Policy Considerations. http://www1.good.com/mobility-management-solutions

Mobile policy resource – Mobile Policy Sample. http://www.tangoe.com/White-Papers/sample-of-mobile-policy.html

Effective Security Policies for a BYOD Environment Resources


Special Webcast: How to Develop a Bring-Your-Own-Device Policy

WHEN: Thursday, November 15, 2012 at 1:00 PM EDT (1700 UTC/GMT)

Featuring: Benjamin Wright

https://www.sans.org/webcasts/develop-bring-your-own-device-byod-policy-95564

Abstract -

As mobile devices like tablets, laptops and smartphones have become the typical tools for professionals to do their work, many employers have allowed and even encouraged employees to use their own devices. Some employers today subsidize the cost of mobile devices that employees purchase and then use part time for work. But setting policy on employee-owned devices can be really hard. This webinar will examine case law and policy options related to such topics as security and record retention and destruction. It will offer sample language as a starting place for drafting policy, while explaining the risks and benefits of wording a policy one way or another. Mr. Wright will give practical tips and suggestions on how to develop a policy that everyone in an enterprise can (more or less) live with, while explaining pitfalls and suggestions for employee training and education.

Effective Security Policies for a BYOD Environment Resources