
Enforce GRC essentials for a strong BYOD security policy
In this #GRCChat, find out what GRC features to keep top of mind when designing a BYOD security policy -- and how to ensure employees are on board.
If you've ever dealt with bring your own device (BYOD) security issues, chances are many of them have stemmed from employees engaging in risky behavior that puts corporate data at risk. Usually, they're not fully aware they're at fault, nor how much of a role they play in protecting mobile data, said security veteran Michael Cobb. "Breaches often occur because employees don't appreciate the potential consequences of their actions, such as circumventing access restrictions to save time and hassle," he explained.
In a recent joint study by Ponemon Institute and mobile software provider Accellion Inc., 88% of surveyed enterprise employees reported accessing corporate data on their mobile devices, while only 20% of those respondents had been trained in mobile content access and management. Furthermore, only 22% of these respondents believed that behavior such as using unapproved mobile apps puts their company at risk.
These numbers show it's not enough to include governance, risk management and compliance (GRC) processes in your mobile use policy; it's critical that your employees fully understand them as well. In this #GRCChat, participants shared what GRC fundamentals should be included in your BYOD security policy, and how to make sure the rest of your organization is in the know.
What GRC elements are crucial to a BYOD policy?
Organizations that are readying themselves for a BYOD program often focus on the benefits and challenges of implementing it, but frequently overlook the data itself. SearchCompliance Editor Ben Cole stressed that when crafting BYOD policies, it's important to consider the types of data created, the risks that surround them and whether certain types of data are necessary to retain:
A2 Data classification is key, must know exactly what data have and its unique risks to determine risk mitigation/compliance policy #GRCChat
— Ben Cole (@BenjaminCole11) January 22, 2015
A2 Might also want to include what data is deletable in the policy – get rid of what don't need to avoid compliance #risk #GRCChat
— Ben Cole (@BenjaminCole11) January 22, 2015
Different types of information carry different risk profiles, so a BYOD policy should spell out which data categories are allowed on personal devices and which aren't. For example, customer data or patient records might be considered too sensitive to store on an employee-owned device unless there's a clear business justification to do so. Plus, as Cole pointed out, many mobile GRC processes focus only on new content and not on old file stores that have accumulated over time, otherwise known as "dark data." Sorting through dark data can help weed out unnecessary files that would otherwise expose your organization to additional risk.
Senior Managing Editor Rachel Lebeaux stressed that it's one thing to make sure BYOD policies address mobile security controls, acceptable use and business rights, but enforcing them is another matter:
@ITCompliance A2 Employees need to understand what corporate info/apps they can access via device, and also which apps they can't. #GRCChat
— RachelTT (@RachelatTT) January 22, 2015
@Kristen_Lee_34 @ITCompliance Good Q. Employees should be asked to sign an agreement annually + undergo training, at the very least #GRCChat
— RachelTT (@RachelatTT) January 22, 2015
On top of informing and training your employees on all aspects of your BYOD policy, third-party mobile device management (MDM) tools can help with policy enforcement. They often feature support for such processes as lifecycle management, certificate distribution, device configuration, data protection, app inventory control and more.
Tweet chat participant FinServGRC added that checking employees' understanding of policies isn't a one-time deal. He offered the following ways to test for comprehension on an ongoing basis:
@RachelatTT @Kristen_Lee_34 @ITCompliance Adding to that, semi-regular policy comprehension assessments #GRCChat
— FinServGRC (@FinServGRC) January 22, 2015
@ITCompliance A2 constant risk register exception review (maybe even quarterly), two-factor auth and employee awareness events #GRCChat
— FinServGRC (@FinServGRC) January 22, 2015
Figuring out which BYOD data to incorporate into your asset register and risk assessments is particularly important. Standards like ISO 27001 require firms to inventory all information assets that fall within the scope of the management system they want certified, and data living on personal devices is no exception.
Many tweet chatters concurred that employees themselves must learn to appreciate their vital role in data security:
A2 Also must train/educate employees on that policy and their role in mobile data protection and compliance #GRCChat
— Ben Cole (@BenjaminCole11) January 22, 2015
@TT_Nicole @BenjaminCole11 Exactly. As the old saying goes it takes a village to ensure data security. That's how that goes, right? #GRCChat
— FinServGRC (@FinServGRC) January 22, 2015
According to wireless and mobility expert Craig Mathias, one way to get employees to grasp the consequences of circumventing your BYOD security policy is to craft, with the help of the HR and legal departments, a well-balanced policy that also keeps users' needs in mind. Overly restrictive security guidelines, warned Mathias, tempt employees to create workarounds.
SearchCIO Senior News Writer Nicole Laskowski wondered whether the following tactic could help companies with mobile governance:
yes @TT_Nicole internal app stores might help improve GRC by giving the company more control of mobile data #GRCChat
— Ben Cole (@BenjaminCole11) January 22, 2015
Corporate app stores function as a central repository for company-approved apps: IT reviews internal and external apps before they're made available for download -- a process known as whitelisting. App stores also aid with the distribution process, highlighting which apps are approved for certain users based on their unique profile, mobile device and mobile OS.
Forvalaka41, however, was more cautious:
@TT_Nicole #grcchat I'd guess not since the apps and data all end up together on the device in most cases.
— Forvalaka41 (@Forvalaka41) January 22, 2015
@TT_Nicole #grcchat Perhaps, but a standard is only useful if it can be enforced and/or audited. If they write apps themselves, they get cntrl.
— Forvalaka41 (@Forvalaka41) January 22, 2015
While whitelisting controls can help keep unapproved or malicious applications off the devices that handle corporate data, companies still need to make sure employees are on board so they don't try to evade them.
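As an added example (not code from the article, the chat participants or any MDM product), the following Python sketch shows how the data classification rules discussed earlier and an app-store allowlist can be expressed as a single enforceable, auditable policy check rather than a paragraph in a handbook. The classification labels, the controls each label requires, the app identifiers, roles and devices are all assumptions chosen for illustration; the sample requests at the bottom are constructed.

```python
"""Policy-as-code sketch for a BYOD access decision.

Added example, not the article's or any vendor's code. Every label, role,
app identifier and device below is an assumption for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3   # e.g. customer PII or patient records


# Hypothetical corporate app store catalogue:
# app id -> (operating systems it is approved on, roles allowed to use it)
APP_ALLOWLIST = {
    "com.example.mail": ({"ios", "android"}, {"staff", "manager", "clinician"}),
    "com.example.docs": ({"ios", "android"}, {"staff", "manager", "clinician"}),
    "com.example.ehr":  ({"ios"},            {"clinician"}),
}

# Controls a personal device must demonstrate before each data category may
# be opened on it. None means the category is never permitted on BYOD.
REQUIREMENTS = {
    Classification.PUBLIC:       set(),
    Classification.INTERNAL:     {"mfa", "approved_app"},
    Classification.CONFIDENTIAL: {"mfa", "approved_app", "mdm_enrolled", "encrypted"},
    Classification.RESTRICTED:   None,
}


@dataclass
class Device:
    os: str
    mdm_enrolled: bool
    storage_encrypted: bool


@dataclass
class AccessRequest:
    user: str
    role: str
    app_id: str
    device: Device
    mfa_satisfied: bool
    data_class: Classification


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def app_is_approved(req: AccessRequest) -> bool:
    """True only if the app is in the store catalogue for this OS and role."""
    entry = APP_ALLOWLIST.get(req.app_id)
    if entry is None:
        return False
    oses, roles = entry
    return req.device.os in oses and req.role in roles


def controls_present(req: AccessRequest) -> set:
    """Collect the control names this request actually satisfies."""
    present = set()
    if req.mfa_satisfied:
        present.add("mfa")
    if app_is_approved(req):
        present.add("approved_app")
    if req.device.mdm_enrolled:
        present.add("mdm_enrolled")
    if req.device.storage_encrypted:
        present.add("encrypted")
    return present


def evaluate(req: AccessRequest) -> Decision:
    """Deny with every missing control named, so the reasons are auditable."""
    needed = REQUIREMENTS[req.data_class]
    if needed is None:
        return Decision(False, [f"{req.data_class.name} data may not be accessed from personal devices"])
    missing = sorted(needed - controls_present(req))
    if missing:
        return Decision(False, [f"missing control: {m}" for m in missing])
    return Decision(True, ["all required controls present"])


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One line per decision, suitable for the periodic register review."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"user={req.user} role={req.role} app={req.app_id} os={req.device.os} "
            f"class={req.data_class.name} decision={verdict} reasons={'; '.join(decision.reasons)}")


def sample_requests() -> list:
    """Constructed sample input; not real users or devices."""
    enrolled_ios = Device("ios", mdm_enrolled=True, storage_encrypted=True)
    personal_android = Device("android", mdm_enrolled=False, storage_encrypted=True)
    return [
        AccessRequest("dana", "clinician", "com.example.ehr", enrolled_ios, True, Classification.RESTRICTED),
        AccessRequest("sam", "staff", "com.example.docs", personal_android, True, Classification.CONFIDENTIAL),
        AccessRequest("sam", "staff", "com.example.docs", personal_android, True, Classification.INTERNAL),
        AccessRequest("sam", "staff", "com.example.ehr", personal_android, True, Classification.INTERNAL),
    ]


if __name__ == "__main__":
    for r in sample_requests():
        print(audit_line(r, evaluate(r)))
```

The point of returning every missing control rather than a bare yes/no is that the same function serves enforcement and audit: the quarterly exception review the chat mentions can be run over the emitted lines, and a user who is denied sees exactly which policy requirement they have not met instead of being tempted to work around an opaque block.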
Forvalaka remarked that, like the usage policies that govern other devices and applications, BYOD policies should also contain the following GRC elements:
A2: Classification, retention, access to VPN or wi-fi, corp. ability to monitor, acceptable use, penalties. Pretty much all of GRC. #grcchat
— Forvalaka41 (@Forvalaka41) January 22, 2015
How do you make sure your employees are aware of every GRC aspect of your BYOD policy? Please tell us in the comments section below.