A Successful BYOD Policy


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Based on the bank requirements mentioned in Chapter 3 and the research done in the literature review, this thesis investigates the delivery of the BYOD project implementation and security plan to minimize any data leak as much as possible.

This project will be delivered in two phases:-

Give free Wi-Fi connectivity to all employees' personal devices for personal use.

Give users access to the internal network from their BYOD devices without compromising security.

The review of the advantages and disadvantages of BYOD made it evident that, before deploying a BYOD project, every company needs to put a good BYOD policy in place, promote it, and train employees on data security awareness. In doing so, employees who are eager to use their personal devices for work-related tasks are made aware of the security impact that BYOD brings with it.

4.1 - BYOD Policy

A successful BYOD policy needs to protect the bank's infrastructure as well as employee and company privacy. Implementing such a policy requires communication, training, budget justification, and collaboration between IT, HR and sometimes the Legal department. All these departments need to play an active role in creating this policy, and because BYOD is in part an organizational liability, HR must prepare training, educate the workforce on BYOD usage, and help create policies that minimize the risk of data leaks and maximize the benefits for the Bank.

The following considerations were taken into account while creating the Bank's BYOD policy:-

Eligibility

Reimbursement

Security

End User Support

Policy Violations

4.1.2 - Eligibility Considerations

The eligibility considerations were based on the following set of questions :-

Are all Bank's employees eligible for the BYOD environment?

Will the Bank restrict access, even within the Individually Liable device, based on role, title, manager approval, geography, or other considerations?

Will you the Bank access for Individually Liable users to particular company applications or data? If so, which apps and data?

Will you support any individual device?

Based on the above questions, it was decided that all employees are eligible for free Wi-Fi internet access on their personal devices upon request. To request this, the employee must fill in an application form, which can be found in Appendix X, giving device details such as make, model and MAC address, and then hand it over to the IT department. Over the internet, employees have restricted access to work-related data: they can access only the Bank's webmail and extranet. This will give all employees some degree of mobility. The IT department will not give any type of support on devices for this type of environment.

For those employees who need access to company data, an official signed request must be made to their superior, giving the necessary information and accepting all risks and responsibilities. The request then has to be approved by their respective department manager, and passed to HR for record keeping and to IT for review and implementation. Only devices that are approved by IT, such as the Apple iPad and Google Nexus, will be eligible to be used. The whole list of approved devices can be found in the Appendix. IT will give the necessary support on these devices for this group of employees.

Furthermore, the Bank reserves the right to disable or disconnect some or all services without prior notification, if the need arises.

4.1.3 - Reimbursement Considerations

The reimbursement considerations were based on the following set of questions :-

Are any employees going to be entitled for reimbursement?

If so, for which services and under what conditions (e.g., voice usage, data usage, Wi-Fi hotspot usage, roaming usage; business vs. personal usage; manager approval, etc.)?

Are any services not eligible for reimbursement (e.g., SMS/MMS, ringtone downloads, any service not explicitly identified as eligible for reimbursement)?

Are any employees eligible for full or partial reimbursement of device acquisition or replacement costs?

Are the employees eligible for reimbursement for any application they buy that is required by the Bank, like antivirus/antimalware, or an application that might be useful for work, like stock market applications?

It was decided that none of the employees shall be considered for reimbursement for any data usage, voice usage and roaming usage. This is because the Bank has already distributed a considerable number of Blackberry smartphone contracts to employees for work-related calls/SMSs and access to email.

The Bank has decided to distribute the latest generation of iPads (Version 4, 128 GB of internal storage, with 3G/4G support) to the departmental managers and board of directors, and it has been agreed that they can use these for personal use as well as for work. If these users want to connect using the 3G/4G mobile connectivity, they have to pay for the data plan themselves, and no one is eligible for monthly stipends.

The Bank will reimburse money spent on applications that are required by the Bank and will consider, on request, any application that may be useful and empower the work of the employee, after it has been approved by the IT department.

4.1.4 - Security considerations

The security considerations were based on the following set of questions :-

Does the Bank have a policy for handling a lost or stolen device?

Does the Bank have a policy for handling the decommissioning of devices?

Will the Bank ever wipe the whole device?

Will the Bank wipe the whole device, corporate data and apps only or both?

Will the user have the ability to initiate wipe action themselves?

What shall the user do if the BYOD device is faulty and needs to be repaired by a third-party company?

Will the device be set to enforce the use of a whole-device password?

Will the Bank enforce full disk encryption?

Will the Bank set limits on the use of cameras, browsers, Bluetooth, or other applications and services?

Will the Bank require users to acquire and install anti-malware as a condition of corporate apps and data access? Will the Bank provide such anti-malware? Will the Bank require particular vendors or versions?

What is the Bank's policy for a case where a user believes that his/her device has become infected with malware?

Does the Bank have a policy regarding cracked software?

What is the Bank's policy regarding OS modification like Rooting and Jailbreaking?

Will the Bank allow the installation of software with or without authorization?

Will the Bank allow the installation of free or purchased software not from official app-stores?

Will the Bank allow the use of third-party free cloud storage services for personal or Bank documents?

Will the Bank take periodic or any other type of backups of the BYOD devices?

As described in the literature review, every BYOD device can be a potential source of a security breach. Security has therefore been given the most attention while building the BYOD policy, which gives as much detail as possible on how the device must be secured and what to do in case of emergency.

To start with, it was decided that every device that will connect to the BYOD network has to be approved by the IT Department. Prior to purchasing a personal device that the user intends to connect to the BYOD network, the user must seek advice from the IT department to check that it is in line with the Bank's policy.

Every device must have a device password, which must be in line with the Bank's password policy and procedure in terms of complexity. No facial recognition, line drawing or any other type of security feature other than a complex password may be used. The device must be set to lock every thirty minutes, requiring password re-entry, and must require a password change every ninety days.

The storage of each device must be fully encrypted using industry-standard encryption. It is worth pointing out that the devices that were chosen and are listed in the approved device list will automatically carry out full disk encryption once a whole-device password is enabled.

Data containing business-related information which is loaded or stored on mobile devices should be kept to the minimum required for business purposes. Such information should be deleted from the device immediately once it is no longer required. It is strictly prohibited to use free cloud services such as Dropbox to back up or transfer corporate data, although it is permissible to use cloud services for personal use. None of the BYOD devices will be periodically backed up; if the user needs a backup, he/she must do it him/herself.

Users are free to install free and purchasable apps. Only apps downloaded from official app stores are allowed to be installed on devices. Ideally, IT advice is sought before installing any type of software. As mentioned in the literature review, cracked software or software downloaded from rogue or third-party marketplaces must not be installed under any circumstances, as there is a great possibility that it will install malware with it, which can leak data to unauthorized third parties.

Devices must not be modified in any way so as to allow access to, or installation of, applications or features that are restricted through licensing or vendor controls, or to which the user is otherwise not entitled. Such modification includes jailbreaking, rooting or similar procedures and OS modifications.

The Bank will hold the right to wipe the device if it deems necessary. The device will be remote wiped if:-

The device is lost,

Job is terminated,

IT detects a data policy breach,

The device is infected with a virus or any type of malware,

The user enters the password incorrectly ten consecutive times.

If the user detects or notices a virus or abnormal activity on the device, he/she must immediately switch off the device and inform IT so that the necessary actions are taken to reduce the damage as much as possible. In the case that the user is abroad or cannot contact IT, he/she must be able to wipe the device himself/herself to remove the threat.

The device shall only be allowed to connect to the BYOD network through specific wireless networks as designated by IT. USB, Bluetooth, NFC and/or other similar connectivity shall not be used for any reason to connect to Bank systems, including workstations, laptops and other corporate devices.

If the device is faulty and needs to be repaired it is imperative that the user takes a backup of the data which is present on the device and informs the IT department to wipe the device and set it back to factory defaults.

When devices are going to be decommissioned or sold, the user must inform IT to allow proper sanitisation of the device and removal of any corporate data from it.
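The device rules and remote-wipe triggers in this section can be expressed as an automated posture check. The following is an added example, not part of the original essay or the Bank's tooling: the Device record, its field names and the store labels are hypothetical, while the thresholds (thirty minutes, ninety days, ten attempts) and the two device models are the ones named in the text.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds and model names come from section 4.1.4; store labels are assumed.
MAX_LOCK_MINUTES, MAX_PASSWORD_AGE_DAYS, WIPE_AFTER_FAILED_UNLOCKS = 30, 90, 10
APPROVED_MODELS = {"Apple iPad", "Google Nexus"}
OFFICIAL_STORES = {"app_store", "google_play"}

@dataclass
class Device:  # hypothetical MDM inventory record
    model: str
    unlock_method: str            # "password", "face", "pattern", ...
    lock_minutes: int
    password_set: date
    encrypted: bool
    rooted: bool
    app_sources: dict = field(default_factory=dict)  # app name -> install source
    failed_unlocks: int = 0
    reported_lost: bool = False
    owner_employed: bool = True
    malware_detected: bool = False
    data_breach_flagged: bool = False  # set by IT after an investigation

def violations(d: Device, today: date) -> list:
    """Return the configuration rules from the policy that the device breaks."""
    checks = [
        ("unapproved_model", d.model not in APPROVED_MODELS),
        ("non_password_unlock", d.unlock_method != "password"),
        ("lock_timeout_too_long", d.lock_minutes > MAX_LOCK_MINUTES),
        ("password_expired", (today - d.password_set).days > MAX_PASSWORD_AGE_DAYS),
        ("storage_not_encrypted", not d.encrypted),
        ("os_modified", d.rooted),
    ]
    found = [name for name, broken in checks if broken]
    return found + [f"unofficial_app:{app}" for app, src in sorted(d.app_sources.items())
                    if src not in OFFICIAL_STORES]

def wipe_reasons(d: Device) -> list:
    """Return which of the five remote-wipe triggers in the policy apply."""
    triggers = {"lost": d.reported_lost,
                "employment_terminated": not d.owner_employed,
                "data_policy_breach": d.data_breach_flagged,
                "malware": d.malware_detected,
                "failed_unlock_limit": d.failed_unlocks >= WIPE_AFTER_FAILED_UNLOCKS}
    return [name for name, hit in triggers.items() if hit]

# Constructed sample record: pattern unlock, stale password, one sideloaded app.
SAMPLE = Device("Google Nexus", "pattern", 45, date(2017, 6, 1), True, False,
                {"mail": "google_play", "game": "apk_download"}, failed_unlocks=10)
```

Configuration violations and wipe triggers are kept separate because the text lists wiping only for the five stated conditions, not for every misconfiguration.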

4.1.5 - End User Support

Support will be given to those selected users that are granted access to the BYOD network. Support will cover the device itself, basic Wi-Fi communication issues and basic apps, including any apps which are required by the Bank.

Users can open a support case using the ticketing system already in use by the Bank or phone IT directly, but it is suggested that the ticketing system is used first.

Users who connect their personal devices to the free Wi-Fi internet and not to the BYOD Wi-Fi network will not be supported by the IT department, as the variety of devices would make it very difficult and time-consuming to tackle each case.

4.1.6 - Policy Violation

If a BYOD user violates the BYOD policy, he/she will be treated as if he/she had violated any other Bank policy; every user will be treated differently according to the severity of the case. The Bank has a clear policy on policy and procedure violations and the consequences that go with them according to severity, which can lead to court if the need is just.


