
Managing BYOD Risk: Staying ahead of your mobile workforce
Information Security Forum


Industry predictions point to tablets outselling laptops; at the same time smartphone shipments will shortly exceed those of feature phones. These numbers seem set to continue their meteoric rise.

In parallel with the huge popularity of these devices, the modern worker wants to use them all the time: in particular, they want to connect their personally-owned tablets and smartphones to their organisations’ systems, resulting in bring your own device (BYOD) programmes. Organisations find this attractive too: they can use BYOD to attract and retain talent and increase productivity. So it sounds like an easy win all round. But is it?

The answer is ‘Yes, but…’ as adding personally-owned smartphones and tablets into the mix can expose organisations to different risks which in turn must be managed. And while risk management doesn’t come free, it can be approached using many of the techniques you already deploy, structured as part of a BYOD programme.

These risks, along with a process for assessing and managing them, are set out in the ISF report Managing BYOD Risk: Staying ahead of your mobile workforce, which concludes that the risks stem from the one fundamental consideration with BYOD – the ownership of the device.

While device ownership may sound relatively trivial, it can significantly increase risk in two ways:

It brings different behaviours with it
An employee’s tablet or smartphone may be used in ways which would not be acceptable if it was owned by the organisation; for example, it may be taken to unsuitable locations, shared with family and friends, or have unauthorised or unsuitable apps or material on it.

You can’t wholly rely on existing controls
The organisation may be unable to use existing controls on a device that it doesn’t own. Operating systems and security software may not be up-to-date and patched. Controls can also be more difficult to scale across the ever-growing range of devices and operating systems.

The underlying message is that if BYOD is for you, then you may have to compromise on the level of control you have, meaning you have to accept more risk. Also bear in mind that BYOD may not be for every organisation, particularly when sensitive information would be involved.

But it’s not all doom and gloom: the ISF report Managing BYOD Risk: Staying ahead of your mobile workforce shows a way forward based on an information-centric approach to managing the risks, aligned with the ISF’s Information Risk Analysis Methodology (IRAM), resulting in an effective and adaptable BYOD programme. It also shows how many of the lessons learned along the way with laptops can be adapted for use with smartphones and tablets.

Where next?

Managing BYOD Risk: Staying ahead of your mobile workforce helps organisations to understand and manage the risk of bring your own device programmes. It does this by:

• providing guidance on the implementation of a BYOD programme
• explaining how to take a risk-based approach to implementing a BYOD programme
• identifying the risks and threats associated with BYOD programmes
• presenting BYOD leading practices in the form of controls, policies, and operational recommendations
• describing the ISF BYOD Implementation Tool.

Input for the report was gathered from ISF solution development workshops, discussions and interviews with ISF Members worldwide – in particular Members of the ISF’s Mobile Devices Special Interest Group (MD SIG) – input from subject matter experts, thought leadership provided by the ISF Global Team, information submitted by Members via ISF Live, and news articles, conference presentations, blogs, and online research.

The report is supported by an implementation space on the ISF Member website, ISF Live, which contains a facilitated forum for Members to discuss related issues and solutions, along with additional resources including a webcast and presentations.

Managing BYOD Risk: Staying ahead of your mobile workforce is available free of charge to Members of the ISF.

Non-Members are able to purchase a copy of the report by visiting the ISF Store at https://www.securityforum.org/research or by contacting Steve Durbin at [email protected]

About the ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

Contacts

For further information contact:
Michael de Crespigny
UK Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org

Disclaimer

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

Reference: ISF 13 07 02
Copyright © 2013 Information Security Forum Limited. All rights reserved.
Classification: Public, no restrictions

BYOD key business issues

[Figure: a two-panel table titled “BYOD key business issues”. The panel “What’s different about BYOD?” lists typical questions per topic: Is it already infected? Has it been jailbroken? Has the user loaded inappropriate apps or some form of malware? Is it loaned or used by friends and family? Does it contain inappropriate material? Where do they take it for maintenance? The panel “What are the key actions for BYOD?” lists example actions per topic, including “Build a BYOD programme”; the remaining actions are not legible in this copy.]
