Bring Your Own Device (BYOD)

Transcription

1 1. Introduction Introduction This document outlines the considerations that the Council needs to consider in relation to its decision whether or not to adopt the current trend (arising from the consumerisation of ICT) to use personal devices for work purposes, known as BYOD (Bring Your Own Device). 2. Background A couple of independently run internal (Horsham D.C. and Mid Sussex D.C) trials are in progress to investigate the business benefit of using IPAD s in the workplace i.e. printing costs savings being one. The Horsham trial is currently on-going and is being project managed through the Horsham Business Transformation Team and the Mid Sussex project managed by the Members Services section. A recommendation report is going forward to the Mid Sussex senior management team week commencing 10th September. With regard to BYOD currently CenSus ICT (at Mid Sussex) are in the process of running a Proof of Concept against a couple of BYOD software tools that would be required to manage a BYOD service. It has not been possible to set dates for completing the Proof of Concept work as the software tools are relatively new and CenSus ICT are dependant on the software suppliers to provide release dates when the software available for testing. The software tested so far with it being relatively new is rather clunky in operation and if adopted now may appear to ICT users as a backward step future releases should over come this problem. The following is some indicative BYOD Management licence pricing costs: 350 user licence (probably shared across partnership) = 80,000 1 user license = circa BYOD Considerations These sections summarise the considerations that need to take in development of a BYOD service taking into account security, legalities and effect on the CenSus ICT service. 3.1 Policies a. The Council s information security policy suite requires certain security controls in order to comply with legislation and codes of connection. Is it possible to match these controls on personal devices? b. How will we enforce appropriate use policies on a personal device? c. Do the current policies protect the Council whilst allowing for the use of BYOD? Page 1 of 5

2 c.1. No, either a new Personal Device Use Policy is needed (as the current Information Security Policy Suite prohibits the connection of personal devices to the Council s network unless permission from CenSus ICT Services management has been received) or the existing Acceptable Use Policy and ICT Security Policy need updating to take account of any changes in the Council s approach to BYOD. 3.2 Legal a. If the individual owns the device then what rights do the council have in respect of a personal device used for council business? b. What are the legal ramifications of the Council losing an individual s personal data? c. What are the legal implications in relation to the Council s monitoring rules to meet its obligations under RIPA and the Computer Misuse Act? Monitoring may not be appropriate on a personal device. d. Individuals should sign a waiver consenting to any activities deemed necessary and holding the Council harmless for any such damage, loss of use or data loss Investigations a. What happens in the event of an investigation? a.1. The captured data is likely to include the employee s / Member s private personal information. However, if the Council is not able to preserve data that may constitute evidence in litigation, it could face court sanctions. b. It may be difficult to actually obtain access to or possession of the device (especially if the individual is the subject of an investigation). c. The individual would be unable to use their personal device while it is being investigated (potentially by a third party on the Council s behalf). 3.3 Data Confidentiality a. What if we didn t store any data on the device in the first place and used virtual desktops to ensure that council data stays on the council network? b. The problem is that people want the integration, e.g. ability to see all their personal and corporate s and appointments in one view. So, if we do allow data to be stored on a device: b.1. How do we effectively wipe Council data from a personal device when lost or stolen? Page 2 of 5

3 b.2. What happens if the individual leaves the Council and takes their BYOD with council data on it to another company? b.3. Does the Council have the ability to selectively wipe data from lost or stolen devices remotely, i.e. wipe Council data but preserver personal? c. How will we segregate personal and corporate data, and apply the necessary controls to protect sensitive Council information? c.1. Do we accept a lesser set of controls and prohibit the storage of sensitive data on personal devices in the policy?. 3.4 Technical Device Management and Support a. Which individuals will be permitted to use personal devices? a.1. Bear in mind that some people handle personal information on behalf of other organisations due to shared services, e.g. CenSus Revenues and Benefits, Building Control and Crawley BC (CBC), Procurement (CBC, HDC and MSDC). Where this is the case is our implementation of BYOD in accordance with any information sharing protocols or data exchange agreements? b. Who manages the device? Individual versus Council c. Who supports the device? Individual versus Council d. Which devices will be permitted as part of the BYOD policy? d.1. All personal devices? d.2. Restricted to approved devices? e. How will we effectively track and manage authorised personal devices and differentiate from rogue devices? f. How will we control what is installed on and update/patch these devices? g. What level of support will CenSus ICT Services offer across the huge number of new devices, across multiple OS platforms and carrier specific implementations of each? h. Where is the corporate information backed up to? h.1. Use of a home backup system would not be permitted. h.2. Council information should only stored on the Council network Mobile Application Management a. How will we securely distribute corporate mobile applications to personal devices? Page 3 of 5

4 b. How will we determine which platforms/devices to support from an application development standpoint? c. Will we even have the right skills to support secure mobile application development? 4. For the Individual This section outlines the implications that need to be fully understood by the individual who wishes to use their own device for council business. 4.1 Personal Data Loss a. Is the data in my device susceptible to automatic or remote deletion? b. What events trigger the automatic deletion? c. Is remote deletion part of the standard employee leaver process? d. Is my approval sought or required for the remote deletion? e. Is my personal data retained in case of automatic or remote wipe? f. Does the Council provide a means to recover the personal data deleted? g. Am I entitled to any reimbursement for the loss of personal content such as songs, videos or applications? 4.2 Personal Privacy a. May I be required to produce my personal devices for forensic analysis? b. Does this apply to devices shared with other family members? c. Who will get access to the personal information stored in my device? d. Is the Council able to track my location? Potentially yes. In exchange for using the corporate network, ICT may have the ability to locate your device at any time. d.1. Under what circumstances can this happen? d.2. Is my approval sought and required to track my location? d.3. Do I get notified? d.4. Are these systems active outside regular work hours? e. Is my personal online activity whilst connected to the Council s Wi-Fi network monitored and logged? f. Is this information retained when I leave the Council? Page 4 of 5

5 4.3 Device seizure and loss of use a. Under what circumstances may I be asked to surrender my personal device? b. Is the Council going to provide a replacement? c. Who is responsible for backing up and restoring personal data and applications if the device is seized? d. Under what circumstances can the Council initiate a remote lock of the device? e. Is my approval sought and required? f. What is the process to regain use of my device? 5. Recommendation If a CenSus Partnership Authority chooses to go down the BYOD route then it makes sense for BYOD to become a partnership project as it is critical that a standardise approach is used as having a disjointed approach to BYOD could seriously effect the CenSus ICT level of support. The relevant parties to be involved in a BYOD project are Business Transformation, CenSus ICT Services, the partnership Information Security Manager, Legal and Personnel services. A key factor being the development of a policy to support BYOD (together with appropriate standards, guidelines and procedures) to ensure that the Council does not increase its risk of an information security breach which could result in financial and reputational penalties. Main sources: 1. Article: The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device) Info Law Group 2. Blog: BringYourOwnIT.com - Consumerization, BYOD and Mobile Security Page 5 of 5