Policy and risk issues for BYOD

Presentation to industry colleagues on Oct 31, 2013 (the title slide itself dates the talk to Wednesday, October 31, 2012).

  1. Effective Security Policies for a BYOD Environment
     A Presentation to Industry Colleagues, delivered on Wednesday, October 31, 2012 in Scottsdale, AZ
     Harry Contreras, CISSP, Information Security Policy Manager
  2. Presentation Key Points
     - Mobility issues facing businesses today
     - Addressing risk and liability issues through policy
     - Writing effective mobile security policies
     - Policy re-use: what can remote access teach us about mobile issues?
     - Policy program challenges and solutions
     - Sign-off and delivery of policies
     - Policy enforcement and updating
     - Q&A
     - References and resources follow
     H. Contreras - CISSP Presentation - Slide 2 © COMPANY NAME
  3. Addressing risk and liability issues through policy
     Address company risks through policy for the newer mobility technologies introduced by consumer-owned and consumer-managed platforms.
     Your goal: a mobility BYOD policy that negotiates the obstacles in the risk landscape.
  4. Addressing risk and liability issues through policy
     What's that? You said you addressed this before…
     - Enter the "BYOD" mobility model.
     Reflection point: a newer mobility approach that introduces consumer-owned and consumer-managed platforms.
     - Risk and liability remain with the company regardless of the mobility approach.
     - Only now, these are not Company assets to control…
  5. Addressing risk and liability issues through policy
     What is policy?
     - Company/business position statements
     - A declaration of expected behaviors for business operations and employees to follow
     The effectiveness of policy depends on its integration into the Company culture and on clearly identified enforcement outcomes that are visible to employees.
     - Key point: "visible" enforcement. Without consequence there is no behavior modification.
  6. Addressing risk and liability issues through policy
     There is a hierarchy of policy for Companies to address:
     - Internal: Company derived
     - External: Regulatory/legislated; Industry based
     Company internal and external issues are not "vs." each other; both are influencing factors to address.
  7. Addressing risk and liability issues through policy
     Regulatory "entanglements":
     - Personal, health and cardholder privacy regulations
     - SEC regulation
     - Rule 26 (Federal Rules of Civil Procedure) / e-Discovery
     - IRS regulation and use-reporting requirements
     - Forensics and investigations
     Company- and operations-specific issues:
     - Company contractual obligations
     - Business "verticals", e.g. health, government, industry
     - Global operation and regional regulatory issues
  8. Addressing risk and liability issues through policy
     "… we are only porting Company email to our users' personal devices… Why all this concern?"
     Liability and risk:
     - Will the Company information remain captive on these devices?
     - Do employees "conduct business" on their personal devices?
     - Now that you have commingled Company information, the liability and risk issues are compounded.
  9. Addressing risk and liability issues through policy
     Remember… you don't own it!
     Audit question: "You put the Company data where?" Secured how, and by whom?
     Now that you have commingled Company information, the liability and risk issues are compounded… You know that auditors will inspect, document and report. (That is their mission.)
 10. Addressing risk and liability issues through policy
     Communicating policy and expected behaviors: employees are introduced to Company policy at time of hire and are continually reminded of the expectations stated in legacy and newly introduced policies.
     - Key point: continual reminder of compliance with the operational and behavioral expectations in stated policies.
     Are your Company policies out in front of the risk and liability issues?
     - This is a critical factor in introducing BYOD policies to a Company today.
 11. Addressing risk and liability issues through policy
     Addressing policy effectiveness:
     - Assimilate with existing Company policies for compliance
     - Implement an employee-signed "Opt-In" agreement to participate in a BYOD mobility program
     - Consult with Legal and Human Resources
     - Corporate governance must endorse
     These are critical factors in introducing BYOD policies to a Company.
 12. Addressing risk and liability issues through policy
 13. Writing effective mobile security policies
     Policy in this specific technology space must be clear, concise and definitive:
     - It is not effective if it is subject to differing interpretations.
     - It must not conflict with precedent Company policies.
     What is required in policy statements for BYOD:
     - Statements of behavioral expectations
     - Declaration of implemented enforcement controls
 14. Writing effective mobile security policies
     Policy abstract: types of policy
     - Behavioral: voluntary participation or consensual. Examples: agreements, "Opt-In".
     - Control enforcement declaration: automated management and enforcement systems; logical event- or condition-based actions (MDM systems, new or existing control systems).
 15. Writing effective mobile security policies
     Policy examples of other Company compensating controls:
     Legally binding agreements
     - Non-Compete Agreements
     - Non-Disclosure Agreements (NDA)
     Other example instruments
     - Intellectual property agreements
 16. Writing effective mobile security policies
     Policy in this specific technology space must be clear, concise and definitive. Example written statements contain:
     - Do, do not, will, must, always …
     - Is enforced…
     - In the event of…
     - Will be subject to…
 17. Writing effective mobile security policies
 18. Writing effective mobile security policies
     What's that? You said you addressed this before…
     - The "BYOD" mobility model is an entirely different technology problem and risk acceptance model.
     Critical success point:
     - A signed "Opt-In Acknowledgement" for program participation. This addresses the introduction of consumer-owned and consumer-managed platforms, since these are not Company assets to control.
 19. Writing effective mobile security policies
     What's in that "Opt-In" agreement?
     - Policy objective: acknowledgement of the implemented Company controls and of the behavioral expectations when an "event" condition occurs regarding personal information and physical access to the personal device brought into the program. It clearly delineates the consequences of agreement violations.
     Critical success point: ask counsel…
     - Is it defensible? Even with an "Opt-In" you have a two-legged stool.
 20. Writing effective mobile security policies
     Some example provisions in an "Opt-In" agreement:
     - Signed acknowledgement of, and consent to adhere to, the usage provisions stated therein
     - Consent to the implementation of the Company security controls applied to the device, and a restriction not to modify these controls
     - Consent to surrender the device for Company forensic investigation and/or e-Discovery when requested
     - Consent to surrender the associated mobile phone number if requested by the Company
     - Clearly delineated consequences of agreement violations
 21. Writing effective mobile security policies
     Addressing the introduction of consumer-owned and basically unmanaged platforms into Company networks and services. Some of the issues:
     - Commingled personal and Company information
     - Are Company resources and services being misappropriated?
     - Are activities auditable, and is there accountability? Note: user devices will be audited.
     The consumer-use mentality is an "insider threat" reality.
 22. Policy re-use: what can remote access teach us about mobile issues?
     We addressed remote access services before… What's different?
     - Less control and more risk in connecting platforms of questionable integrity to Company platforms and services
     - Extending what are basically remote access services to platforms not owned by the Company
     - An exact parallel to connecting "third-party" systems
     - The same trust and control issues as in the third-party risk model
 23. Policy program challenges and solutions
     Traditional policy-driven controls for Company platforms
 24. Policy program challenges and solutions
     What's different from the traditional approach?
     - It is not a Company-owned asset (it is a third-party asset).
     What is viable, supportable and allowable to implement on employee-owned assets? Will it be rejected as "intrusive" or "invading" technology?
     - User presence, geo-locating, web content filtering
     - Services utilization reporting
     - Remote control and data erasure actions
     - Company-requested surrender of the personal device
 25. Policy program challenges and solutions
     Security will be a paramount issue:
     - Mobile platforms represent the next and largest attack surface facing consumers and businesses.
     - Asset loss: you already know the consumer track record in this space.
     - Can the required support and security control expenses be met?
     - Will users accept application white-listing?
     - New and more aggressive mobile device exploits are on the way.
 26. Policy program challenges and solutions
     Integrating "BYOD policy" into automated controls (MDM)
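Slides 14 and 26 describe the second realm of policy: written directives translated into logical, condition-based actions that an MDM or similar control system enforces automatically at device check-in. The following is an added example, not part of the presentation and not any MDM vendor's code, of what that translation looks like in Python: each "must / will be subject to" statement in the style of slide 16 becomes one rule over the attributes a device reports, every rule is evaluated, and the most severe triggered action is applied. The device records, rule texts, thresholds (minimum OS "15.0", 14-day check-in window) and action names are all constructed for illustration.

```python
"""Policy-as-code evaluator for a BYOD program (added example, constructed data).

Turns written policy statements ("devices must ...") into conditions an
MDM-style control system can evaluate on every check-in, and maps each
violation to the enforcement action the policy declares.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Enforcement actions ordered from least to most severe. When several rules
# fire, the device receives the most severe action; every violated statement
# is still recorded so it can be reported back in the policy's own words.
SEVERITY = {"allow": 0, "notify": 1, "block_services": 2, "selective_wipe": 3}


@dataclass
class Device:
    """Attributes an MDM inventory reports for one enrolled personal device (assumed fields)."""
    device_id: str
    owner: str
    os_version: str          # dotted version string, e.g. "16.4.1"
    enrolled: bool           # management profile still installed (not removed by the user)
    passcode_set: bool
    storage_encrypted: bool
    jailbroken: bool
    days_since_checkin: int


@dataclass
class Rule:
    statement: str                    # the policy sentence this rule enforces
    violated: Callable[[Device], bool]
    action: str                       # key of SEVERITY


def version_tuple(version: str) -> tuple:
    """'14.8' -> (14, 8) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


MIN_OS = "15.0"  # constructed threshold

# Each written directive becomes exactly one machine-evaluable rule.
RULES = [
    Rule("Devices must run a supported OS version.",
         lambda d: version_tuple(d.os_version) < version_tuple(MIN_OS), "block_services"),
    Rule("A device passcode must always be enabled.",
         lambda d: not d.passcode_set, "block_services"),
    Rule("Storage encryption must be enabled.",
         lambda d: not d.storage_encrypted, "block_services"),
    Rule("Rooted or jailbroken devices will be subject to removal of Company data.",
         lambda d: d.jailbroken, "selective_wipe"),
    Rule("Removing the management profile is treated as leaving the program.",
         lambda d: not d.enrolled, "selective_wipe"),
    Rule("Devices must check in at least every 14 days.",
         lambda d: d.days_since_checkin > 14, "notify"),
]


@dataclass
class Decision:
    device_id: str
    action: str
    violations: List[str] = field(default_factory=list)


def evaluate(device: Device, rules=RULES) -> Decision:
    """Evaluate every rule; the decision is the most severe triggered action."""
    decision = Decision(device.device_id, "allow")
    for rule in rules:
        if rule.violated(device):
            decision.violations.append(rule.statement)
            if SEVERITY[rule.action] > SEVERITY[decision.action]:
                decision.action = rule.action
    return decision


# Constructed check-in records, as an MDM inventory export might present them.
INVENTORY = [
    Device("d-1001", "alice", "16.4.1", True, True, True, False, 2),    # compliant
    Device("d-1002", "bob", "14.8", True, True, True, False, 3),        # old OS
    Device("d-1003", "carol", "16.0", True, True, True, True, 1),       # jailbroken
    Device("d-1004", "dave", "16.2", False, False, True, False, 20),    # unenrolled, no passcode, stale
]


def evaluate_inventory(inventory=INVENTORY) -> dict:
    """Map device_id -> Decision for a whole inventory export."""
    return {d.device_id: evaluate(d) for d in inventory}


if __name__ == "__main__":
    for dev_id, decision in evaluate_inventory().items():
        print(dev_id, decision.action, decision.violations)
```

Two design points: the policy sentence travels with the rule, so a block or wipe can be explained to the employee in the words they signed up to (the "visible" enforcement of slides 5 and 29); and the strongest action is a selective wipe of Company data rather than a full device erase, which keeps the control within what the "Opt-In" on slide 20 actually consented to and respects that the personal contents are not Company assets (slide 24).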
 27. Policy program challenges and solutions
     What are we up against with mobility BYOD policy? A lack of the following:
     - Command, Control, Contain. Even the "maintain" aspect of asset management is out of reach.
     And hopefully we do not have to…
     - Explain data losses and escapes due to platform compromises outside of the policy control set.
     Consideration: your "walled garden" has a backdoor...
 28. Sign-off and delivery of policies
     Recommendations and critical delivery actions:
     - Conduct "walk-through" exercises for the policy and control elements
     - Conduct a "table-top" exercise of a BYOD "incident"
     Validation activity:
     - Testing of support services
     - Policy is vetted and endorsed
     - Mobility program is amended to include BYOD services
     - Availability of BYOD services is communicated
 29. Policy enforcement and updating
     Recommendations and critical delivery actions:
     - Policy enforcement actions are clearly visible
     - Findings of abuse and negligent activity, and their consequences, are communicated in the Company newsletter
     Policy maintenance is a shared activity of all corporate functional stakeholders supporting risk and compliance concerns:
     - Legal, Human Resources, Compliance, Business and IT Leadership all have a vested interest
     - Policy remains vetted, endorsed and "in place"
 30. Summary
     Reality check: BYOD is not "if we build it they will come".
     Policy exists in two realms:
     - Behavior modification based on stated directives
     - Implemented controls automatically enforcing the stated policy directives
     Adherence to policy is ___________ (fill in the blank).
     - Without consequence there is no behavior modification.
 31. Q&A
     Effective Security Policies for a BYOD Environment. Resources list follows.
 32. Effective Security Policies for a BYOD Environment: Resources
     - "What Could Go Wrong?", Grant Moerschel, November 7, 2011, informationweek.com
     - "Information Week Reports: 2012 State of Mobile Security", Michael Finnerman, May 11, 2012, reports.informationweek.com
     - "When BYOD Goes Wrong", Darraugh Delaney, July 11, 2012, http://blogs.computerworld.com
     - "For BYOD Best Practices, Secure Data not Devices", Thor Olavsrud, July 17, 2012, www.cio.com.com
     - Mobile policy resource: Information Security Policies Made Easy, http://www.informationshield.com/ispmemain.htm
     - Mobile policy resource: Individual Liable User Policy Considerations, http://www1.good.com/mobility-management-solutions
     - Mobile policy resource: Mobile Policy Sample, http://www.tangoe.com/White-Papers/sample-of-mobile-policy.html
 33. Effective Security Policies for a BYOD Environment: Resources
     Special Webcast: How to Develop a Bring-Your-Own-Device Policy
     When: Thursday, November 15, 2012 at 1:00 PM EDT (1700 UTC/GMT). Featuring: Benjamin Wright.
     https://www.sans.org/webcasts/develop-bring-your-own-device-byod-policy-95564
     Abstract: As mobile devices like tablets, laptops and smartphones have become the typical tools for professionals to do their work, many employers have allowed and even encouraged employees to use their own devices. Some employers today subsidize the cost of mobile devices that employees purchase and then use part time for work. But setting policy on employee-owned devices can be really hard. This webinar will examine case law and policy options related to such topics as security and record retention and destruction. It will offer sample language as a starting place for drafting policy, while explaining the risks and benefits of wording a policy one way or another. Mr. Wright will give practical tips and suggestions on how to develop a policy that everyone in an enterprise can (more or less) live with, while explaining pitfalls and suggestions for employee training and education.
