www.pwchk.com

Bring Your Own Device (BYOD) & Customer Data Protection: Are You Ready?
Why is this important to you?

Background

Enterprise mobility through Bring Your Own Device (BYOD) has been around for at least three years, and many organisations have learnt hard lessons about the leakage and loss of customer data and other sensitive information. In October 2014, the Hong Kong Monetary Authority (HKMA) lifted its restriction on BYOD for banks in Hong Kong by issuing an updated Customer Data Protection circular (first introduced in 2008). The updated circular tightens the enterprise-wide control requirements for protecting the confidentiality of customer data, and it adds guidance on implementing BYOD with reference to the control requirements in the paper Recommended Standards of Bring Your Own Devices for Work by Bank Staff in Hong Kong, issued by the Hong Kong Association of Banks (HKAB).

With more compliance requirements to meet, is your bank ready to enjoy the business benefits of enterprise mobility and BYOD? Are you confident that your enterprise-wide controls over the protection of customer data are adequate to ensure compliance?

What are your new challenges?

Time is short and resources are stretched: complete a critical review of your customer data protection controls by Q1 2015

You have already been safeguarding and protecting customer data. The circular now adds a further requirement: a comprehensive review of the adequacy of customer data protection controls by Q1 2015, followed by periodic independent audits going forward. Within such a short time span, you will need to identify the right resources to conduct an effective review against the new requirements.

New skills required: review your BYOD programme to ensure that it meets the new requirements

Your bank may already have identified several BYOD use cases that promise to boost productivity in the working environment.
In light of the new HKAB standards, what are reasonable approaches to implementing the controls required for each identified use case? What is your plan for deploying appropriate solutions to reduce risk and ensure regulatory compliance? Do you have adequate expertise to review and validate control effectiveness?

The Big Picture: some highlights of the updated Customer Data Protection circular (October 2014)

A. Data classification and risk assessment: all data should be classified into levels of sensitivity or risk, and an appropriate level of protection should be built, deployed and assessed for each level.

B. Data security policies and awareness: policies and procedures should be reviewed and enhanced in line with the relevant supervisory guidance from time to time; the annual awareness programme should be extended to cover safeguards against customer data loss and leakage.

C. Logical access controls: controls should be data-oriented, applied along the data flow and across the data lifecycle with layered security measures; high-risk scenarios (e.g., data exchange with external parties, massive data download) should be identified and monitored.

D. Transmission of customer data: effective controls should be implemented to prohibit unauthorised transmission between internal and external systems via Internet services or high-risk software, and to monitor unusual or suspicious activities.

E. Storage of customer data: beyond controlling portable storage media, banks should establish the capability to identify unusual downloading activities (data exfiltration); safeguards such as data encryption, key management and log monitoring should be considered; sample checks should be conducted to confirm that controls are operating effectively.

F. Personally-owned computing devices: comply with the new standards established by HKAB, for both BYOD and the bank's own computing devices.

G. Physical security controls: perform adequate reconciliation or inventory checks after relocation or transportation.

H. Periodic audits: banks should have an independent party conduct regular audits to assess the adequacy and compliance status of customer data protection controls.

I. Controls over service providers: require service providers in outsourcing arrangements to comply with the bank's data security policies and procedures; monitor and validate the service providers' compliance.
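Items C and E above call for "massive data download" and "unusual downloading activities" to be identified and monitored, but the circular does not prescribe a method. The Python script below is an added illustration of one way to implement such a check; it is not code from the HKMA circular, HKAB or PwC. It parses constructed application export log lines (the log format, user names, datasets, record cap and outlier threshold are all assumptions for illustration), totals export volume per user for the period, and flags users who exceed a hard record cap or whose byte volume is a robust statistical outlier relative to their peers.

```python
"""Flag unusually large customer-data exports from an application log.

Added example, not code from the HKMA circular, HKAB or PwC. The log
format, field names, users, datasets and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
import statistics

# Constructed sample log lines (one day of export events from a hypothetical
# customer information system). 'dave' pulls two full tables; the others
# export small working sets.
SAMPLE_LOG = """\
2014-11-03T09:12:41Z user=alice action=export dataset=customer_profiles records=120 bytes=48000
2014-11-03T09:40:02Z user=bob action=export dataset=customer_profiles records=95 bytes=38000
2014-11-03T10:05:17Z user=alice action=export dataset=loan_accounts records=60 bytes=32000
2014-11-03T10:31:55Z user=carol action=export dataset=customer_profiles records=110 bytes=44000
2014-11-03T11:02:09Z user=dave action=export dataset=customer_profiles records=25000 bytes=9800000
2014-11-03T11:03:12Z user=dave action=export dataset=loan_accounts records=18000 bytes=7100000
2014-11-03T11:45:30Z user=erin action=export dataset=customer_profiles records=100 bytes=40000
"""

# Assumed line format: timestamp, then key=value pairs in a fixed order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) records=(?P<records>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Download:
    ts: str
    user: str
    dataset: str
    records: int
    nbytes: int


def parse_log(text):
    """Parse export events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "export":
            continue
        events.append(Download(m["ts"], m["user"], m["dataset"],
                               int(m["records"]), int(m["bytes"])))
    return events


def per_user_totals(events):
    """Sum records and bytes exported per user over the events given."""
    totals = defaultdict(lambda: {"records": 0, "bytes": 0})
    for e in events:
        totals[e.user]["records"] += e.records
        totals[e.user]["bytes"] += e.nbytes
    return dict(totals)


def flag_massive_downloads(events, record_limit=5000, mad_factor=5.0):
    """Return {user: [reasons]} for users whose export volume is suspicious.

    Two independent checks: a hard cap on records per user (an assumed policy
    limit, which would in practice be set per data classification), and a
    robust outlier test against peers using the median and the scaled median
    absolute deviation (MAD) of per-user byte totals, which is not distorted
    by the outlier it is trying to catch.
    """
    totals = per_user_totals(events)
    if not totals:
        return {}
    byte_totals = [t["bytes"] for t in totals.values()]
    med = statistics.median(byte_totals)
    raw_mad = statistics.median(abs(b - med) for b in byte_totals)
    mad = 1.4826 * raw_mad if raw_mad else 1.0  # 1.4826 scales MAD to a sigma-like unit
    flagged = {}
    for user, t in totals.items():
        reasons = []
        if t["records"] > record_limit:
            reasons.append(f"records {t['records']} exceed limit {record_limit}")
        score = (t["bytes"] - med) / mad
        if score > mad_factor:
            reasons.append(f"bytes {t['bytes']} are {score:.1f} MADs above peer median {med:.0f}")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_massive_downloads(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

Running the script on the sample log flags only dave, on both counts; alice's two modest exports stay below the peer-outlier threshold. In a real deployment the record cap would come from the data classification scheme, the baseline would be each user's own history over several days rather than a single day's peers, and alerts would feed the existing security information and event management process rather than stdout.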
Emerging risks associated with BYOD

Area of focus: User
What can happen: Users may share mobile devices containing customer and corporate data with friends and family members.
New challenges: How to safeguard sensitive data and prevent unauthorised access?

Area of focus: Data
What can happen: Users may use their mobile devices for illegitimate purposes or to download inappropriate or copyright-infringing material.
New challenges: How to segregate personal and enterprise data? How to strike the right balance between convenience and security?

Area of focus: Device security
What can happen: Users may not use and maintain their mobile devices securely, for example by jailbreaking or rooting the device, downloading illicit apps, not installing critical updates, or disabling security features.
New challenges: How to control and align security configurations across devices running different platforms (e.g., Android, iOS) and service releases? How to protect the integrity of devices?

Area of focus: Network
What can happen: Users may connect their mobile devices to insecure Internet access points in public areas such as cafes, airports, hotels and shopping centres.
New challenges: How to mitigate the risk of data loss or leakage through insecure access points in public areas?
BYOD leading practices to consider (examples)

Robust governance
- Data classification, including personal data collected from BYOD users
- Policies, terms and conditions that cover BYOD scenarios
- Regular risk assessment of the supported operating systems and devices
- Periodic independent audit

Access controls
- Access rights granted on a need-to-have basis
- Device registration and enrolment
- Two-factor authentication on mobile for remote access (e.g., VPN)
- Password, account lockout and session timeout controls
- Encryption of data throughout its lifecycle (at rest, in transit and in use)
- Audit trail integrated with the existing security information and event management process

Application vetting
- Blacklist malicious apps and update the list promptly
- Ensure apps are downloaded only from approved sources (e.g., Apple's App Store, Google Play, the enterprise's own app store)
- Prevent and detect jailbreaking / rooting

Data protection and other security measures
- Prevent data sharing between enterprise and personal apps (e.g., prohibit copy and paste; disallow storage of corporate data on removable storage media)
- Delete temporary data upon session termination
- Wipe company and customer data immediately after detecting violations of security policies
- Report and handle lost devices promptly
- Ensure security patches and operating system updates are installed, and remind staff where they are available
- Sandbox architecture
- Anti-virus software
- Encryption of data stored on mobile devices
How can PwC help?

What is the maturity level of the customer data protection capability within your bank? PwC's Customer Data Protection Health-check can assist you and covers the following aspects (including but not limited to):

People
- Security awareness programme
- Organisation and management
- Motives and incentives
- Familiarity with data loss / leakage prevention and detection practices

Process
- Enforcement of data classification
- Access controls commensurate with data classification
- Device registration and enrolment
- Asset management
- Incident response
- Data exchange with third-party service providers
- Physical security controls
- Third-party vendor management

Technology
- Data loss / leakage prevention and detection tools
- Logging and monitoring
- System configuration

In your journey of implementing a BYOD programme, we can advise you at each implementation stage to align your solution with security best practices and regulatory requirements:

Stage 1: Plan for success
- Use case analysis
- Customer data impact analysis

Stage 2: Gather requirements
- Security requirements analysis
- Compliance requirements analysis

Stage 3: Select technologies
- Security assessments of candidate technologies (e.g., mobile device / application management tools)*
- Technology comparison and selection

Stage 4: Implement solution
- Mobile application security assessment*
- Configuration review
- Access control review

Stage 5: Maintenance
- Vulnerability assessment
- Data loss / leakage assessment
- Periodic audits

* This service is facilitated by PwC proprietary tools and methodology to identify design weaknesses and vulnerabilities hidden in the technology solution, including key areas such as device memory, system files and the application itself, that could result in the leakage of customer data and sensitive corporate information.
Contacts

For more information, please contact:

Kenneth Wong, Partner
Kenneth.ks.wong@hk.pwc.com
+852 2289 2719

Gary Ng, Partner
Gary.kh.ng@hk.pwc.com
+852 2289 2967

Kok Tin Gan, Senior Manager
kok.t.gan@hk.pwc.com
+852 2289 1935

www.pwchk.com

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. © 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.