Bring your own device (BYOD) 03333 219 000 advice@bishopfleming.co.uk www.bishopfleming.co.uk



Similar documents
Data Protection Act Bring your own device (BYOD)

Central London Community Healthcare NHS Trust. Data protection audit report

How To Write A Mobile Device Policy

Guidance on data security breach management

EXECUTIVE DECISION NOTICE. ICT, Communications and Media. Councillor John Taylor. Deputy Executive Leader

State of South Carolina Policy Guidance and Training

So the security measures you put in place should seek to ensure that:

Information Security Policy for Associates and Contractors

A practical guide to IT security

DATA AND PAYMENT SECURITY PART 1

Bring Your Own Device

Guidance on data security breach management

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

CHECK POINT THE MYTHS OF MOBILE SECURITY

Appendix 1b. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Review of Mobile Portable Devices Management

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

Secure Mobile Solutions

Bring Your Own Devices (BYOD) Information Governance Guidance

Yes MAM: How Mobile Device Management Plus Mobile Application Management Protects and Addresses BYOD

Data Protection Act Guidance on the use of cloud computing

Bring Your Own Device (BYOD) Policy

Small businesses: What you need to know about cyber security

Good Practice in Records Management and Information Security

Data Protection Policy

Managing Mobility. 10 top tips for Enterprise Mobility Management

MIS Privacy Statement. Our Privacy Commitments

Bring Your Own Device (BYOD) Policy

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci

[BRING YOUR OWN DEVICE POLICY]

Notification of data security breaches to the Information Commissioner s

Cleveland Police. Data protection audit report. Executive summary November 2014

"Bring Your Own Device" Brings its Own Challenges

Small businesses: What you need to know about cyber security

Advanced Configuration Steps

Guidance End User Devices Security Guidance: Apple ios 7

Mobile Security & BYOD Policy

DATA PROTECTION POLICY

Dene Community School of Technology Staff Acceptable Use Policy

Privacy and Electronic Communications Regulations

OWA vs. MDM. Once important area to consider is the impact on security and compliance policies by users bringing their own devices (BYOD) to work.

Data Access Request Service

Data Protection Policy

Data Protection Act. Conducting privacy impact assessments code of practice

Data Security Breach Management - A Guide

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Configuring an Android device to access Staff Wi-Fi and .

Birmingham Women s NHS Foundation Trust

INFORMATION SECURITY POLICY

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

BYOD How-To Guide. How do I securely deliver my company s applications and data to BYOD?

Cloud Software Services for Schools

BYOD Policy. Handout

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Cloud Software Services for Schools

Standard Operating Procedure. Secure Use of Memory Sticks

Renfrewshire Council. Data protection audit report. Executive summary January 2013

2.1 It is an offence under UK law to transmit, receive or store certain types of files.

BYOD BRING YOUR OWN DISASTER?

This policy outlines different requirements for the use of PSDs based on the classification of information.

White Paper. Data Security. journeyapps.com

If you have any questions about any of our policies, please contact the Customer Services Team.

Consumer Device Policy (Smartphones / Tablets) BYOD (Bring Your Own Device)

Bring Your Own Devices (BYOD) Information Governance Guidance

Computer Services Staff and Operations

Data Protection and Privacy Policy

Data Protection for Charities

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

Web Site Download Carol Johnston

Cloud Software Services for Schools

Personal Data Protection Policy

Cloud Software Services for Schools

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Neoscope

Security, privacy, and incident response issues are often

PS177 Remote Working Policy

IT ACCESS CONTROL POLICY

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

10 Hidden IT Risks That Might Threaten Your Business

10 Hidden IT Risks That Threaten Your Financial Services Firm

USE OF PERSONAL MOBILE DEVICES POLICY

ing and Texting with Patients

GUIDE TO MANAGING DATA BREACHES

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Cloud Software Services for Schools

NHSmail mobile configuration guide Android mobile devices

Why do we need to protect our information? What happens if we don t?

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited

Data Security and Extranet

IT asset disposal for organisations

REMOTE WORKING POLICY

Policy. Mobile Phone Use Policy. Contents

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Do you want to mobilize your entire work process efficiently? Do you want to protect your most valuable asset data?

Remote Working and Portable Devices Policy

Online Viewing and Payment FAQ s

NHS Information Governance:

Cloud Software Services for Schools

E-SAFETY POLICY 2014/15 Including:

Q. I use a MAC How do I change my password so I can send and receive my ?

Transcription:

Bring your own device (BYOD)

Bring your own device (BYOD) Some employees will often prefer to use their own personal mobile devices to access company networks/systems. However, this is potentially a security loophole which places the organisation at risk from reputational damage and legal proceedings. Firms need to have a formal policy with regard to the use of personal devices at work. Bring Your Own Device refers to this type of policy - which defines what mobile devices (if any), employees can use to access company networks/systems. We consider how to structure such a policy, and what it may contain. Broadly what should a BYOD policy cover? Firms need a policy which sets out the devices which may or may not be connected to a firms network; procedures to ensure that non-approved devices can never be accidentally connected; and appropriate mechanisms in place to maintain security over personal data which may be stored on mobile devices. Audit of existing devices and access rights The first step is to perform an audit of the current situation. Which devices use the network, and what for? What does the law say? As the employer (who is the data controller) there are obligations under the Data Protection Act 1998 (DPA) to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. There is a high risk that confidential corporate and client data can find its way onto personal devices which are usually not very secure and can be easily lost/mislaid/stolen. The risks of reputational damage Imagine the scenario, an employee receives an email with an attachment containing a mailing list of all clients and their contact details which they open and save onto their mobile device. If that device then goes missing the data stored on it could find its way into the public domain, or be mis-used, or sold onto a competitor. What s worse is that the ICO will need to be notified of the loss of data, as will each individual on that mailing list. This can cause major reputational damage as well as a large financial penalty. Which devices are acceptable? Having performed an audit, the second stage is to decide what to include or exclude from a BYOD policy, and this is usually done at device level. Level Device 1 No devices (zero-tolerance) 2 A list of approved devices 3 Any/all devices

1 - Zero-tolerance This may be the quickest, easiest and simplest solution, but may not necessarily be the most pragmatic or practical. It may also serve to hinder rather than help some employees perform certain tasks, which can lead to job dissatisfaction and a lowering of morale. So an outright ban could prove to be counter-productive. It can also be quite difficult (and therefore expensive) to control and police a zero-tolerance policy without strong network security controls. 2 - Approved devices This allows a set list of devices, or, devices with particular operating software (e.g. ios devices only or Android and Windows devices only). The approved device approach can make it easier to manage and control access, but may leave some employees disadvantaged if their device is not covered. It can also be difficult to manage, as new models and new devices emerge on a daily basis. 3 - Any device This allows any device to be plugged in. This approach is entirely opposite to zero-tolerance and allows any device to be plugged in at any time. Advantages are a) for the employee who is not restricted by device, and b) for the company which does not have to keep updating a list of approved devices. However, strong controls such as mobile device management systems need to be employed with this type of approach. An alternative option! In an increasing trend, some firms have decided to abandon BYOD and have a zero-tolerance policy, in favour of providing devices to employees. Which applications are acceptable? The firm may wish to restrict access to certain applications most often to email and internet access only. Full blown access to networks and applications should be avoided where possible, other than from PCs or laptops and then only via trusted intranets or secure remote access tools. Business v. private use BYOD devices owned by an employee are likely to be used for both business and private purposes. On the one hand the employee has be confident that the company will not access personal material stored on the device or use device monitoring tools, whilst on the other hand the company will want to protect corporate and client confidential information which may also be stored (or visible) on the device. Employers also need to be aware that devices may be used (for personal purposes) not just by the employee, but also by other family members.

Wireless security The easiest and quickest way for devices to be attached to a network is for employees to use their device to login to a network, wirelessly. Some firms publish their wireless key to employees without realising that they are using the key on all devices including personal devices. So, one of the cheapest methods of providing device security is to make the wireless key very strong (i.e. difficult to remember), only available on request and only entered into the device by a member of the IT support team or other nominated individual. Thus control can be maintained at device level relatively easily. Device registration Most current versions of network operating software (Windows and Mac) have inbuilt security tools which can be used to maintain a list of approved devices. This is done through a registration process whereby the device is presented and registered on the network. If a device gets mislaid or an employee leaves, the device can be blocked/removed from the list of registered devices. Mobile device management (MDM)/Mobile applications management (MAM) A more expensive way of providing device security is to use MDM services these may either be provided as part of the network operating software, or this service may be provided by a third-party. There are different levels of this type of service ranging from simple registration and device reset services, to sandboxing personal and corporate data which will allow separate wiping of corporate data only. Employees will have to agree/consent to whichever mobile device management system is used if they want to adopt BYOD. Employees must also agree/consent if MDM software is used to monitor the device, the activities which are monitored and whether or not geo-location is used. Finally, employees will need to understand what will happen to their own personal data stored on the device, in the event the device has to be disabled. Data encryption A BYOD policy in itself is not enough to provide sufficient safeguards. All confidential/personal data must be encrypted. Just setting a document/spreadsheet as read-only, or creating a password to open the document/spreadsheet is not the same as encrypting the data. Firms must assess what personal data is being transferred from and to which devices, perform a risk assessment of the chances of the data getting into the public domain, and then use appropriate encryption methods to protect that confidential/personal data. Other issues to consider Device password protection - Each BYOD device must have a start-up password/pin and should lock if not active for a specified number of minutes Mislaid devices as part of the BYOD policy the employee will need to know who to contact and what will happen to the device if it is mislaid (i.e. what data might be wiped from the device)

Cost the firm may or may not agree to pay for certain mobile device charges Acceptable use policy the firm will want to ensure that any acceptable use policy also applies to BYOD devices Devices which have been rooted/jail-broken should not be permitted Storage media the firm may want to specify the approach with regard to memory/sd cards. Implementing the BYOD policy BYOD can either be formulated as a separate policy, added to an existing acceptable use policy, or added to an existing Internet and email policy or social media policy. Company devices, by default, will come under the scope of BYOD. Employees with their own personal devices should be given the opportunity to opt-out or opt-in to the BYOD policy - Opt-out - Decline to sign-up for the BYOD policy in which case the employee will not be able to use any personal devices for work. Opt-in - Agree to sign-up for the BYOD policy in which case their device will need to be registered on the network and also, if applicable, with a mobile device management service. See our summary for our 4 easy steps in defining and implementing a BYOD policy. Summary It is important that the employer (who is the data controller) remains compliant with the DPA with regards to the processing of personal data. In the event of a security breach, the employer must be able to demonstrate that all personal data stored on a particular device is secured, controlled or deleted. Having a BYOD policy will go a long way towards meeting that objective. 4 steps to defining and implementing a BYOD Step 1 - Audit devices and usage What devices are currently allowed onto the network? What access rights do they have? What applications do they use? Step 2 - Level of BYOD Decide which level of BYOD is to be adopted: 1. No devices 2. Approved list 3. All/any devices 4. Define which applications are accessible to mobile devices Step 3 - BYOD policy Formulate and write the BYOD policy. Make appropriate network infrastructure security changes and procure any additional services. (such as MDM) Decide if additional security is required such as data encryption tools. Define and communicate a date for implementing the policy.

Step 4 - Implementation date Remove all current devices. Register approved devices. Employees who own such devices sign BYOD. How we can help Please contact us if you require help in the following areas: Performing a security/information audit of corporate/client data and who and what access this data Defining a BYOD policy Implementing a BYOD policy and training staff. For information of users: This material is published for the information of clients. It provides only an overview of the regulations in force at the date of publication, and no action should be taken without consulting the detailed legislation or seeking professional advice. Therefore no responsibility for loss occasioned by any person acting or refraining from action as a result of the material can be accepted by the authors or the firm.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information