How to create a mobile device policy in the BYOD era
- 23 July, 2012 12:20
Bring-your-own device (BYOD) policies might placate workers who can't live without their iPhone but several steps, including employee agreements, are needed to ensure a potential security nightmare is avoided, according to one analyst.
Speaking at the recent Gartner Security and Risk Summit in Sydney, US analyst John Girard told the audience that when forming a policy, IT executives first needed to realise that BYOD may actually end up costing the company more.
“Charges are a big issue because we’re telling people to use their own equipment,” he said. “If you pass all the costs on to the user you have to accept that it changes service-level agreements.”
Girard provided the following tips for a successful BYOD policy.
Get employee agreements in writing
According to Girard, a signed piece of paper can help to avoid arguments between CIOs and other C-level executives. For example, if a C-level executive loses data on their mobile device and tries to blame it on the IT manager, the IT manager can show the executive a copy of the document they signed which shows they are responsible for their own backups.
“Your biggest problem is data exposure and compliance. If the user loses their device or it’s a shared device, at some point you have to provide accountability such as who had access [to data] and where was it shared,” he said.
“That’s the essence of fines, disclosure and operational difficulties that a lot of companies get into. We’ve seen some big fines come out but it can be extremely expensive to mitigate all the breach disclosures that go on after information has been lost.”
Mobile device certificates
If the company uses applications where data is stored on the mobile device, Girard suggested the use of certificates to invite people to get access to the virtual private network (VPN), email or Wi-Fi services.
“Certificates are an in-depth imbedded part of mobile application architecture and operating system architecture,” he said. “If you are using a mobile device management [MDM] tool, you get a very simple console that allows you to specify use patterns for people who are getting access by certificate,” he said.
According to Girard, MDM tools will cost the enterprise money but save IT executives time and effort.
For example, he cited a Symantec MDM product that includes a requirement for user authentication, rules on if users can store business data on the device and when that information has to be deleted.
“This leads to a dashboard which shows which of your users are following the policy and leads you to an exception report which indicates if anyone tries to jailbreak their device,” he said.
“If the device is jailbroken, the mobile management system will show what actions were taken such as no more access to email or the VPN while the device remains jailbroken.”
Latest mobile operating systems
In addition, IT executives needed to impose strict a BYOD policy with regards to older iOS and Android operating systems (OS) because of vulnerabilities.
For example, Girard said that the iPhone would need to be the 3GS model running iOS 5 or a newer version of the OS.
“If it’s an Android device you have to say Android 4 or later and ask for proof that the [Android] device has encryption. That is because Android certification does not require proof of encryption.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Cloud debate now about speed and sophistication
Yahoo Mail still down for some users, after an attempted fix
Queensland government to provide 200 services online by 2015
CIOs need to get their house in order, CFO panel says
Is Data Complexity Blinding Your IT Decision-Making?
Pathways Course Curriculum 2014
Developed by the CIO Executive Council, Pathways is a unique, flexible, self-managed, self-paced 12-month professional development program that brings together best practices, thought leadership and business insights for today’s most promising ICT professionals. Pathways is designed and delivered by leading local and global CIOs; enabling participants to capitalise on mentor CIOs personal experiences, expertise and knowledge.
The New Disruption for Brands
The new frontier of mobile and social is a game changer, opening new channels in which consumers and brands can interact. This whitepaper details the results of a survey spanning consumers in the US, UK, Singapore and Australia, exploring their expectations of using mobile devices and social media to engage with brands. The results confirm that consumers live across various channels, and as part of their experience there is an expectation of consistency, value and individualised attention. Read more to learn who you’re talking to, what to say and where to say it.
Siemens Redefines Efficiency
Siemens is leading the migration to a smarter energy grid by enabling utilities to collect and analyse data from the new generation of smart meters, providing both utilities and their customers usable information to make smarter energy decisions. In this case study, we look at how they could provision full stack environments quickly and flexibly leveraging a shared hardware model, and one the delivered performance and scale to meet large testing requirements.