
Enforce GRC essentials for a strong BYOD security policy

In this #GRCChat, find out what GRC features to keep top of mind when designing a BYOD security policy -- and how to ensure employees are on board.

If you've ever dealt with bring your own device (BYOD) security issues, chances are many of them have stemmed from employees engaging in risky behavior that put corporate data at risk. Usually, they're not fully aware they're at fault, nor how much of a role they play in protecting mobile data, said security veteran Michael Cobb. "Breaches often occur because employees don't appreciate the potential consequences of their actions, such as circumventing access restrictions to save time and hassle," he explained.

In a recent joint study by Ponemon Institute and mobile software provider Accellion Inc., 88% of surveyed enterprise employees reported accessing corporate data on their mobile devices, while only 20% of those respondents had been trained in mobile content access and management. Furthermore, only 22% of these respondents believed that behavior such as using unapproved mobile apps puts their company at risk.

These numbers show it's not enough to include governance, risk management and compliance (GRC) processes in your mobile use policy; it's critical that your employees fully understand them as well. In this #GRCChat, participants shared what GRC fundamentals should be included in your BYOD security policy, and how to make sure the rest of your organization is in the know.

What GRC elements are crucial to a BYOD policy?

Organizations that are readying themselves for a BYOD program often focus on the benefits and challenges of implementing it, but frequently overlook the data itself. SearchCompliance Editor Ben Cole stressed that when crafting BYOD policies, it's important to consider the types of data created, the risks that surround them and whether certain types of data are necessary to retain:

Different types of information carry different risk profiles, so it's important that a BYOD policy delineates which data categories are allowed on personal devices and which aren't. For example, customer data or patient records might be considered too valuable to store on an employee-owned device unless there's reasonable business justification to do so. Plus, as Cole pointed out, many mobile GRC processes only focus on new content and not on old file stores that have been accumulated over time, otherwise known as "dark data." Sorting through dark data could help weed out unnecessary files that could expose your organization to additional risk.

Senior Managing Editor Rachel Lebeaux stressed how it's one thing to make sure BYOD policies address mobile security controls, acceptable use and business rights, but enforcing them is another matter:

On top of informing and training your employees on all aspects of your BYOD policy, third-party mobile device management (MDM) tools can help with policy enforcement. They often feature support for such processes as lifecycle management, certificate distribution, device configuration, data protection, app inventory control and more.

Tweet chat participant FinServGRC added that checking employees' understanding of policies isn't a one-time deal for companies. He offered the following ways to test for comprehension:

Figuring out which BYOD data to incorporate into your asset register and risk assessments is particularly important. Industry standards like ISO 27001 require firms to include all data assets within the scope that they want certified.

Many tweet chatters concurred that employees themselves must learn to appreciate their vital role in data security:

According to wireless and mobility expert Craig Mathias, one way to get employees to grasp the consequences of circumventing your BYOD security policy is to craft, with the help of the HR and legal departments, a well-balanced policy that also has users in mind. Difficult security guidelines, warned Mathias, tempt employees to create workarounds.

SearchCIO Senior News Writer Nicole Laskowski wondered whether the following tactic could help companies with mobile governance:

Corporate app stores function as a central repository for company-approved apps: IT reviews internal and external apps before they're made available for download -- a process known as whitelisting. App stores also aid with the distribution process, highlighting which apps are approved for certain users based on their unique profile, mobile device and mobile OS.

Forvalaka41, however, was more cautious:

While whitelisting controls can help prevent malicious applications from getting into your network, companies still need to make sure employees are on board so they don't try to evade them.

Forvalaka remarked that, like the usage policies that address other devices and applications, BYOD policies should also contain the following GRC elements:

How do you make sure your employees are aware of every GRC aspect of your BYOD policy? Please tell us in the comments section below.

Next Steps

See what mobile security experts advise when putting together a BYOD policy amid mounting regulations. Then, find out how to work with both HR and legal teams when designing BYOD policies.


Success of any BYOD policy depends on getting all personnel to participate. Software may make it easier, yet true success lies with getting everyone on board.

Absolutely, everyone in the organization, from the top execs on down, needs to be on board with BYOD policy and understand their role in protecting mobile information. Are there any training tactics that have proven particularly effective to show employees how they can protect mobile data? How often should this training occur?

Absolutely, david48. IT, security, compliance, or whichever department can create and push out such policies, but they're no good if everyone is not on board. This requires strong buy-in and backup on the part of executive management, including the fact that executive management must adhere to the policy as well (they're often exempt). Any loophole or deficiency along the way, however, and problems (i.e., breaches) will be introduced.

We used containerization to separate our organization's data and software on employees' devices. We found restricting ourselves to corporate-issued BlackBerrys didn't sit too well with most employees, especially the younger generation.

The first thing we did was explain the risks facing computing resources. We let them know that with power comes responsibility. They had to ensure corporate data resided in the corporate container.

Next, we explained low- and high-tech methods of compromising security. This done, the next step was to train employees how to keep their devices secure, e.g., strong passwords. We periodically review and go over security issues/policies and practices.

Yes, that sounds like a good trade-off, david48: if employees want to use the device of their choice, they must play their part when it comes to protecting company data.