
Enforce GRC essentials for a strong BYOD security policy

In this #GRCChat, find out what GRC features to keep top of mind when designing a BYOD security policy -- and how to ensure employees are on board.

If you've ever dealt with bring your own device (BYOD) security issues, chances are many of them have stemmed from employees engaging in risky behavior that put corporate data at risk. Usually, they're not fully aware they're at fault, nor how much of a role they play in protecting mobile data, said security veteran Michael Cobb. "Breaches often occur because employees don't appreciate the potential consequences of their actions, such as circumventing access restrictions to save time and hassle," he explained.

In a recent joint study by Ponemon Institute and mobile software provider Accellion Inc., 88% of surveyed enterprise employees reported accessing corporate data on their mobile devices, while only 20% of those respondents were trained in mobile content access and management. Furthermore, only 22% of these respondents believe that behavior such as using unapproved mobile apps puts their company at risk.

These numbers show it's not enough to include governance, risk management and compliance (GRC) processes in your mobile use policy; it's critical that your employees fully understand them as well. In this #GRCChat, participants shared what GRC fundamentals should be included in your BYOD security policy, and how to make sure the rest of your organization is in the know.

What GRC elements are crucial to a BYOD policy?

Organizations that are readying themselves for a BYOD program often focus on the benefits and challenges of implementing it, but frequently overlook the data itself. SearchCompliance Editor Ben Cole stressed that when crafting BYOD policies, it's important to consider the types of data created, the risks that surround them and whether certain types of data are necessary to retain:

Different types of information carry different risk profiles, so it's important that a BYOD policy delineates which data categories are allowed on personal devices and which aren't. For example, customer data or patient records might be considered too valuable to store on an employee-owned device unless there's reasonable business justification to do so. Plus, as Cole pointed out, many mobile GRC processes only focus on new content and not on old file stores that have been accumulated over time, otherwise known as "dark data." Sorting through dark data could help weed out unnecessary files that could expose your organization to additional risk.

Senior Managing Editor Rachel Lebeaux stressed how it's one thing to make sure BYOD policies address mobile security controls, acceptable use and business rights, but enforcing them is another matter:

On top of informing and training your employees on all aspects of your BYOD policy, third-party mobile device management (MDM) tools can help with policy enforcement. They often feature support for such processes as lifecycle management, certificate distribution, device configuration, data protection, app inventory control and more.

Tweet chat participant FinServGRC added that checking employees' understanding of policies isn't a one-time deal for companies. He offered the following ways to test for comprehension:

Figuring out which BYOD data to incorporate into your asset register and risk assessments is particularly important. Industry standards like ISO 27001 require firms to include all data assets within the scope that they want certified.

Many tweet chatters concurred that employees themselves must learn to appreciate their vital role in data security:

According to wireless and mobility expert Craig Mathias, one way to get employees to grasp the consequences of circumventing your BYOD security policy is to craft, with the help of the HR and legal departments, a well-balanced policy that also has users in mind. Difficult security guidelines, warned Mathias, tempt employees to create workarounds.

SearchCIO Senior News Writer Nicole Laskowski wondered whether the following tactic could help companies with mobile governance:

Corporate app stores function as a central repository for company-approved apps: IT reviews internal and external apps before they're made available for download -- a process known as whitelisting. App stores also aid with the distribution process, highlighting which apps are approved for certain users based on their unique profile, mobile device and mobile OS.

Forvalaka41, however, was more cautious:

While whitelisting controls can help prevent malicious applications from getting into your network, companies still need to make sure employees are on board so they don't try to evade them.

Forvalaka remarked that, like the usage policies that address other devices and applications, BYOD policies should also contain the following GRC elements:

How do you make sure your employees are aware of every GRC aspect of your BYOD policy? Please tell us in the comments section below.

Next Steps

See what mobile security experts advise when putting together a BYOD policy amid mounting regulations. Then, find out how to work with both HR and legal teams when designing BYOD policies.