BYOD Policy Part I: Risk Assessment
June 10, 2013 Leave a comment
This has probably been the most challenging post I’ve written. Not because of the topic or content, but because I have more than once during its writing fallen victim to one of the cautions I make to you which is not attempt to “Boil the Ocean”. As I would start detailing one aspect of the subject, six more would come to mind. As you will have to do, I had to step back and reassess the foundation question around what the goal is.
My last post “BYOD…..It’s Complicated” provided information on BYOD as a reality; upwards of 65% in corporations today who allow access from non-corporate managed devices. This number is only expected to grow larger and if recent Gartner research is correct. In four years-time 50% of employers will actually require employees to supply their own devices for work purposes.
While there is some inconsistency in survey data on the number of enterprises with BYOD policies actually in place, what is certain is that policy development is a high priority and concern for the majority of companies. Many companies simply applied their existing corporate device use or general security policies with minor changes and a large number, nearly 38% according to a recent TechRepublic survey, have no plans for BYOD policies.
This is the first of two parts to give you what you need to develop a sound and manageable BYOD policy. This post deals with a much needed precursor to developing that policy. In my previous post, I said that BYOD Policy development should be taken from a “Risk” viewpoint and that the place to start would be conducting a Risk Assessment around mobile technology in the enterprise. The results of such an assessment will provide valuable information for developing policy that meets the needs and culture of the enterprise and employees alike. No policy will ever cover every contingency, but a sound policy should reflect common sense, recognition of existing law, the risk tolerance of the corporation, and the respect for and privacy of the employees.
If you have a mobility strategy and have not conducted a Risk Assessment previously, this will also be invaluable for re-evaluation of that strategy to be sure it still reflects the role mobile technology is intended to play strategically for the enterprise.
The primary purpose of any policy is that of protection. In the case of BYOD, specific guidelines must be in place to protect corporate data and intellectual and other “property” assets. These assets are essentially the “keys to the kingdom” and unauthorized access and/or dissemination of them could cost an enterprise dearly. Direct monetary impacts aside, protecting corporate reputation and credibility is a top priority. What BYOD does is dramatically increase the number of threats and players who could potentially compromise those assets whether intentional or accidental.
It is important to have a simple, but complete analysis of the risks keeping in mind that the Risk Assessment alone will not fix any security problems. However, it will provide you a tool in identifying, classifying, and weighing the risks and provide the information to use in developing mitigation strategies. The key is to not get overwhelmed and paralyzed by over analyzing risk. It is critical to look at this from the perspective of your company; its business strategy, mobile technology strategy, and what your business’ tolerance for risk is. It is very easy for a Risk Assessment to take on a life of its own and take months to complete. The purpose should be to get a good high-to-medium level view of the areas of impact through the use of mobile technology.
What follows are key considerations for performing a Risk Assessment to support the development of BYOD Policy:
Identify the key decision makers and stakeholders in the enterprise who will be instrumental in the development or significantly impacted by the BYOD Policy. This should be a manageable number (8 – 12), but the objective is to have as complete representation as possible for the assessment. This includes people from IT, Operations, Finance, the C-Suite, etc. This group will not have all the answers, but with the right type of questioning and analysis they will undoubtedly provide information that would have otherwise not been considered.
One technique that I have found valuable is to ask each team member to provide you with 5 – 10 questions they would ask if they were conducting the Risk Assessment. Most won’t be able to come up with more than 5, but most likely, they will come up with extremely valid questions you would not have thought of otherwise.
At a high level there are four major areas of evaluation:
- Data Asset Assessment
- Threat Assessment
- Process Assessment
- People/Management Assessment
Data Asset Assessment
In performing the Data Asset Assessment you want to identify the types of data, their location and a classification or ranking for the data types by level of priority or risk. For example public information would be obviously have a low risk ranking where regulated information would be ranked as a high risk potential. Other types of data might include internal data that is not sensitive or mission critical, sensitive and confidential internal business or market information, sensitive and possible secret internal strategic information such as M&A plans, layoffs, financial restructuring, etc.
For each of these data classes you next want to map them to their location(s). Are they on individual desktops, file servers or in a data warehouse, etc. Also assess the lowest level (least secure) access to the data from each location. The aim here is to understand what data is accessible to a mobile user.
This exercise does not need to be performed at necessarily a file level, but definitely to the level that matches the risk tolerance appetite of the company and auditors and depending on the classification of a given data type.
Threat Assessment and Modeling
Without getting into the detail of planning for asteroid strikes or other highly improbable scenarios, the threat assessment is an objective view of common and/or potential threats that would impact the company through the use of mobile technology.
This is accomplished by conducting a threat-modeling exercise. Several years ago Microsoft came out with a method called STRIDE which modeled threats categorized as:
- Spoofing of Identity
- Tampering with Data
- Repudiation of Transactions
- Information Disclosure
- Denial of Service
- Elevation of Privilege
The process is to build a matrix listing the assets along the “y” axis and the STRIDE threat categories along the “X” axis. I have included links below from Microsoft that explain the STRIDE method and an article that appeared in “Small Business Computing.com” in August, 2010 that gives a very good example of how to use the model.
Evaluating existing (or lack of) processes around mobile technology is a critical aspect of the Risk Assessment. The intention is to look at the entire life-cycle of the use of mobile technology and should include at a minimum:
- Device/Service vendor selection and management
- Vendor service level and contract management
- On-boarding of personnel and devices (corporate or BYOD)
- Identity and Access management (corporate data, email, etc.)
- Support of personnel and devices
- Security process (dealing with device theft, loss, or data compromise)
- Change in employee’s devices, contracts, etc.
- Termination or separation of an employee
The purpose of this aspect of the Risk Assessment is to deal with exceptions and monitoring for and dealing with abuse. One of the most difficult aspects of BYOD is an employees’ personal use of their own device containing access to corporate assets. Do you have the tools, processes, and skills to make sure personal devices and the employees’ use of them are complying with the intent of the policy? Do you have the necessary tools, processes and skills to insure the employees’ personal privacy?
Another critical aspect is dealing with executives who want to play by a different set of rules. Do you have the requisite support at the highest levels that polices developed and managed will apply to all? If not, how will the exception be managed?
I hope this helps you in putting together a framework for a solid assessment of the risk associated with mobile technology. Like a lot of issues we face within IT, we get one chance to get it right the first time. We are still in the very early stages of this BYOD phenomenon, but like the Big Bang, the universe of mobility and its use in the corporate environment is expanding rapidly. BYOD is one “by product” if you will, of mobile technology. As the pace of devices, Operating System capabilities, applications, etc. continues to make the 18 month cycle of Moore’s Law look like the “good ole days”, getting a grip on how your company will manage it is imperative.
My next post will be Part II and deal with the actual BYOD policy development.