BYOD Policy Workshop

BYOD? Why? What? How? This presentation is the personal opinion of Doug Newdick and does not represent the official view of any organisation or government. Disclaimer BYOD is a reaction to the increased power, usability and sheer usefulness of consumer ICT services over corporate ICT services Why do you want to do BYOD? Some answers others have given Increase productivity
Increase satisfaction
Reduce cost
Reduce security risks
Executive demand What types of devices are you going to include? Why do you want to do BYOD? Recommendation Understand your organisation's drivers, but use them to build a solid BYOD and mobility platform What services are you going to offer? What approach to BYOD will you take? Three components for successful BYOD Form factors Smartphones
Tablets
Laptops Platforms Apple iOS
Android
Windows Phone Email
Calendar
Document distribution
File storage
Line-of-business applications Employees who don't get work devices can BYOD
Employees can substitute personal devices for work ones
Employees must substitute personal devices for work ones
Employees can choose their work device - CYOD What approach to employee costs will you take? BYOD at employees own cost
Expense claims
Regular allowance
Split billing Recommendation Be clear on the scope of your BYOD initiative.
Aim to support as wide a range of devices and platforms as possible.
Make BYOD part of an approach to mobility and device independence. What policies do you need to put in place? What education do you need to provide? What technologies will help? Policy Education Technology These policies may need to change ICT security policy
Mobile device policy
Acceptable use policy
Network policy Guidance and advice Contracts How to configure devices
Information classification
Secure behaviour What services will be provided
What policies apply
What support will be provided
Organisation obligations
Individual obligations Messaging sync products
Mobile Device Management (MDM)
Secure container
Virtual Desktop
App store
Virtual Phone
File distribution
Data Loss Prevention (DLP) Policies should state:
Device operating systems must be kept up to date
Devices may not be jail-broken or "rooted"
Anti-virus products must be installed and kept up-to-date (if applicable)
Policies should address:
Required security controls and whether they will be enforced through technology
Supported devices, OS, platforms
Remuneration and expense management
Whether personal data may be looked at by the organisation
Whether and under what circumstances a device may be remote wiped by the organisation
Whether use of cloud backup services is permissible
Whether other people may use the device
Whether the device can use organisation networks
What information may be stored on or accessed by personally owned devices
What information may not be stored on or accessed by personally owned devices
What apps are encouraged, required or approved
What apps are banned or discouraged
Use of wireless networks, especially unsecured ones
What happens in case of loss or destruction of the device
What happens when the employee leaves (the BYOD programme or the organisation) Security controls should state:
Passwords are required
Encryption of data on devices is required
Remote wipe should be enabled
Security controls should cover:
Password length, complexity and expiration
Whether a device must be wiped after a certain number of failed password attempts - I recommend a number 10 or higher
Required security applications
Whether bluetooth should be disabled Recommendations Look at all three components: policy, education, technology.
Technology in this space is changing rapidly - look at SaaS models.
Use empowering contracts.
Tailor policies to your needs and your approach to BYOD.
Try and give the individual as much control and privacy as possible.
Make device-independence and multi-platform support part of your strategy.
Understand mobile security threats.
Perform a security risk assessment of your BYOD solution. There is no single technology for BYOD What approach to support will you take? Support only provided services
Limited amount of support
Support only some devices
Require staff to provide/procure support
Full support