How to manage BYOD security policies and stay compliant
The best BYOD security policies help enterprises stay compliant with security and privacy regulations. Here's what BYOD policies should include and how best to manage them.
Mobile device usage has exploded in the enterprise, and many companies have developed bring your own device (BYOD) policies for employees. But with the use of employee-owned devices in the enterprise come increased mobile security risks: the organization neither owns nor fully controls the endpoint that is handling its data. Organizations with legal and regulatory compliance obligations must approach BYOD efforts with increased scrutiny to ensure they do not run afoul of external security and privacy obligations.
Begin with policy and education
As with any security initiative, organizations that begin their efforts by building a policy foundation will have the greatest likelihood of success. Take the time to clearly articulate the bounds of personal device use within the enterprise. Enterprise BYOD security policies should answer many common questions about personal device use for both end users and IT professionals. Who is authorized to access enterprise data from personal devices? Under what conditions may personal devices connect to enterprise networks? Does the organization require explicit approval for each BYOD instance? What security controls must exist on BYOD endpoints?
Simply establishing BYOD security policies isn't sufficient to meet compliance obligations. Users must follow the requirements of the policy, and this is only possible if they're familiar with the policy details in the first place. That's where training and awareness efforts come into play. At a minimum, every employee in an enterprise should know that BYOD security policies exist and that they should consult IT staff before using personal devices for work. Users who opt in to a BYOD program should receive more extensive training on what the policy allows and prohibits, and on what the organization can see and do on their device once it is enrolled.
Segregate enterprise and personal data
One of the greatest challenges for BYOD in organizations is protecting corporate information without adversely impacting personal use of the device. After all, employees are unlikely to react well to corporate security requirements that restrict personal use of a device they purchased with their own funds. Organizations approach this segregation problem with different solutions.
Mobile device management (MDM) products offer policy-based management of mobile devices. MDM offerings enforce corporate security requirements, such as encrypting device contents, requiring a passcode to unlock the device, and remotely wiping lost or stolen phones and tablets. Some MDM products also allow IT staff to specify the applications that may run on a device or those that may access sensitive corporate information. On a personal device, a full-device remote wipe destroys the owner's personal data along with the corporate data, so organizations should prefer MDM enrollment modes that separate the two (for example, a managed work profile or user-scoped enrollment) and support an enterprise-only wipe. Each organization must handle the installation and configuration of MDM for personal devices with an approach that meets the organization's compliance obligations and also fits within the constraints of corporate culture.
Some organizations facing strict compliance obligations, such as HIPAA or the Sarbanes-Oxley Act, may choose to approach BYOD through the use of containerization technology. In this approach, employees seeking to work with enterprise data on a personal device access that data through a secure container that lives as an application on the device. When the employee opens the application, he or she may access corporate information through the application's interface. When the application closes, any enterprise data it holds either is removed from the device or remains encrypted inside the container, where the organization can wipe it remotely without touching the owner's personal data. Enterprises may view this approach as building a secure island on an otherwise unmanaged personal device. The caveat is that the island is only as strong as the container's own controls: copy and paste, screenshots, sharing to other apps, and backups of the container's data all need to be restricted, or enterprise data leaks out of the container onto the unmanaged part of the device.
Audit regularly
No matter what approach an organization chooses for handling BYOD issues, it should regularly audit actual device usage against its stated BYOD security policies. Organizations that prohibit BYOD entirely should take steps to verify that only corporate-owned devices connect to enterprise networks, for example by reconciling wireless, VPN, and identity provider sign-in logs against the corporate device inventory. Those that allow BYOD should verify that BYOD users operate within the bounds of enterprise computing policies and external compliance obligations: that every personal device touching corporate data is enrolled and approved, and that enrolled devices actually meet the policy's encryption, passcode, and operating system requirements rather than merely being listed in the MDM console.
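As an added illustration of this kind of audit (example code written for this article, not a script from any MDM product), the following Python reconciles successful network authentications against an MDM inventory and a policy expressed as data. The log format, the inventory fields, and the policy thresholds are all assumptions constructed for the example; a real audit would read an MDM export and RADIUS or identity provider logs in whatever format those systems produce.

```python
import re

# Assumed BYOD policy requirements, expressed as data so the audit can be
# compared directly against the written policy. Values are illustrative.
POLICY = {
    "allow_byod": True,          # set False for organizations that prohibit BYOD
    "require_approval": True,    # each BYOD instance needs explicit approval
    "require_encryption": True,
    "require_passcode": True,
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
}

# Constructed MDM inventory export (hypothetical devices, not real data).
MDM_INVENTORY = [
    {"mac": "aa:bb:cc:00:00:01", "user": "alice", "ownership": "corporate",
     "os": "ios", "os_version": "17.2", "encrypted": True, "passcode": True,
     "byod_approved": False},
    {"mac": "aa:bb:cc:00:00:02", "user": "bob", "ownership": "personal",
     "os": "android", "os_version": "14.0", "encrypted": True, "passcode": True,
     "byod_approved": True},
    {"mac": "aa:bb:cc:00:00:03", "user": "carol", "ownership": "personal",
     "os": "android", "os_version": "11.0", "encrypted": False, "passcode": True,
     "byod_approved": True},
    {"mac": "aa:bb:cc:00:00:04", "user": "dave", "ownership": "personal",
     "os": "ios", "os_version": "17.0", "encrypted": True, "passcode": False,
     "byod_approved": False},
]

# Constructed RADIUS-style authentication lines from the corporate Wi-Fi.
# The line format is an assumption made for this example.
NETWORK_LOG = """\
2024-03-04T08:55:10Z Access-Accept user=alice mac=aa:bb:cc:00:00:01 ssid=corp
2024-03-04T09:01:44Z Access-Accept user=bob mac=aa:bb:cc:00:00:02 ssid=corp
2024-03-04T09:07:02Z Access-Accept user=carol mac=aa:bb:cc:00:00:03 ssid=corp
2024-03-04T09:15:30Z Access-Accept user=dave mac=aa:bb:cc:00:00:04 ssid=corp
2024-03-04T09:20:11Z Access-Accept user=erin mac=aa:bb:cc:00:00:09 ssid=corp
2024-03-04T09:22:00Z Access-Reject user=erin mac=aa:bb:cc:00:00:09 ssid=corp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-\w+) user=(?P<user>\S+) "
    r"mac=(?P<mac>\S+) ssid=(?P<ssid>\S+)$"
)


def parse_version(version):
    """Turn '17.2' into (17, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def devices_seen_on_network(log_text):
    """Return {mac: user} for every successful authentication in the log."""
    seen = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and match.group("result") == "Access-Accept":
            seen[match.group("mac").lower()] = match.group("user")
    return seen


def audit(policy, inventory, log_text):
    """Compare devices observed on the network against the MDM inventory and
    the policy. Returns a sorted list of (mac, finding) tuples."""
    findings = []
    by_mac = {dev["mac"].lower(): dev for dev in inventory}
    for mac, user in devices_seen_on_network(log_text).items():
        dev = by_mac.get(mac)
        if dev is None:
            # On the network but unknown to MDM: the policy cannot be enforced.
            findings.append((mac, f"unmanaged device authenticated as {user}"))
            continue
        if dev["ownership"] == "personal":
            if not policy["allow_byod"]:
                findings.append((mac, "personal device on network but BYOD is prohibited"))
            elif policy["require_approval"] and not dev["byod_approved"]:
                findings.append((mac, "personal device without BYOD approval"))
        if policy["require_encryption"] and not dev["encrypted"]:
            findings.append((mac, "device storage not encrypted"))
        if policy["require_passcode"] and not dev["passcode"]:
            findings.append((mac, "no passcode configured"))
        min_os = policy["min_os_version"].get(dev["os"])
        if min_os and parse_version(dev["os_version"]) < min_os:
            findings.append((mac, f"{dev['os']} {dev['os_version']} below minimum"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, finding in audit(POLICY, MDM_INVENTORY, NETWORK_LOG):
        print(f"{mac}: {finding}")
```

Run against the constructed data, the audit reports the two unapproved or non-compliant personal devices and the unmanaged device that authenticated successfully, while the compliant corporate and personal devices produce no findings. Flipping `allow_byod` to `False` turns every personal device on the network into a finding, which is the check an organization that prohibits BYOD would run.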
Remember the words of Ronald Reagan during the Cold War: "Trust but verify!" Organizations that follow this approach will find it is possible to balance the desire of end users for BYOD with the organization's compliance requirements.