Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

How to create a mobile device policy in the BYOD era

Tips for creating a policy that will keep users happy and the enterprise secure

Bring-your-own device (BYOD) policies might placate workers who can't live without their iPhone but several steps, including employee agreements, are needed to ensure a potential security nightmare is avoided, according to one analyst.

Speaking at the recent Gartner Security and Risk Summit in Sydney, US analyst John Girard told the audience that when forming a policy, IT executives first needed to realise that BYOD may actually end up costing the company more.

“Charges are a big issue because we’re telling people to use their own equipment,” he said. “If you pass all the costs on to the user you have to accept that it changes service-level agreements.”

BYOD necessary but increases costs: IDC

Girard provided the following tips for a successful BYOD policy.

Get employee agreements in writing

According to Girard, a signed piece of paper can help to avoid arguments between CIOs and other C-level executives. For example, if a C-level executive loses data on their mobile device and tries to blame it on the IT manager, the IT manager can show the executive a copy of the document they signed which shows they are responsible for their own backups.

“Your biggest problem is data exposure and compliance. If the user loses their device or it’s a shared device, at some point you have to provide accountability such as who had access [to data] and where was it shared,” he said.

“That’s the essence of fines, disclosure and operational difficulties that a lot of companies get into. We’ve seen some big fines come out but it can be extremely expensive to mitigate all the breach disclosures that go on after information has been lost.”

Mobile device certificates

If the company uses applications where data is stored on the mobile device, Girard suggested the use of certificates to invite people to get access to the virtual private network (VPN), email or Wi-Fi services.

“Certificates are an in-depth imbedded part of mobile application architecture and operating system architecture,” he said. “If you are using a mobile device management [MDM] tool, you get a very simple console that allows you to specify use patterns for people who are getting access by certificate,” he said.

MDM tools

According to Girard, MDM tools will cost the enterprise money but save IT executives time and effort.

For example, he cited a Symantec MDM product that includes a requirement for user authentication, rules on if users can store business data on the device and when that information has to be deleted.

“This leads to a dashboard which shows which of your users are following the policy and leads you to an exception report which indicates if anyone tries to jailbreak their device,” he said.

“If the device is jailbroken, the mobile management system will show what actions were taken such as no more access to email or the VPN while the device remains jailbroken.”

Latest mobile operating systems

In addition, IT executives needed to impose strict a BYOD policy with regards to older iOS and Android operating systems (OS) because of vulnerabilities.

For example, Girard said that the iPhone would need to be the 3GS model running iOS 5 or a newer version of the OS.

“If it’s an Android device you have to say Android 4 or later and ask for proof that the [Android] device has encryption. That is because Android certification does not require proof of encryption.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia

Related Articles

  1. From CMO to CEO: Anametrix’s Pelin Thorogood

    CMO

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: etwork, Gartner, IDC, Symantec
References show all

Comments

vlad

1

Apps are what is needed to make your smartphone smart and unique.Im fond of app creating and find it really helpful to use site like Snappii where i can build apps in minutes.

Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Building Maturity and Experience in Successful Virtualisation Strategies
    Current trends in the adaption and deployment of virtualisation suggest that as an organisation gains experience, each implementation requires a different technique. A stratified approach to a company’s long-term virtualisation and cloud computing strategy allows the right skills set to be built alongside the resolution of each scale and complexity issue presented. Read more to understanding where you are and how you can compare for the future.
    Learn more »
  • Cloud Computing for Midsize Businesses: Delivering Innovation and Efficiency
    It’s time for midsize companies to start thinking differently about infrastructure. This white paper provides a brief overview of cloud computing, explains how midsize companies can benefit, and describes the steps they can take to take advantage of what it has to offer. Read now.
    Learn more »
  • Six Strategies That Lead to Business-Critical Virtualisation
    While most organisations are able to virtualise the basic functions of its workplace, they can often hit a wall when moving beyond legacy systems to business-critical servers and applications. This report lists six proactive strategies that business specialists have cited as assisting in building a virtualised state. Find out how these strategies lead to organisations becoming the beneficiary to virtualisation.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments