Bring Your Own Policy: Internet Use/BYOD Policy by consensus

How to write Information Security, Internet use and privacy policies by consensus, and come away with a policy written by the group (you will also see why it is hard to please everyone). We will start with a downloaded sample BYOD / smartphone policy, cover the basics (what BYOD is, legal issues, security issues, safety issues), and write a BYOD / mobile device policy. Takeaways include the 15 most important policies, a policy checklist, and a sample BYOD / smartphone policy.


  1. Michael Scheidell, CISO. OWASP / SF-ISSA. BYOP (IF YOU DARE). Security Privateers
  2. © 2013 All Rights Reserved Security Privateers. Michael Scheidell, CISO, Security Privateers
       • Corporate InfoSec Consultant
       • Certified CISO for Hire, Contract or Retainer
       • Founded Three South Florida Tech Companies
       • Digital Privacy Expert
       • Member ISSA, IAPP, ISACA, IEEE, FBI InfraGard and SFTA
       • Finalist, EE Times ACE Innovator of the Year award
     Contact: @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com. Additional resources at: http://www.securityprivateers.com/owasp-issa-byop.html
  3. What is your policy? Do you allow smartphones or not?
  4. Sample BYOD Policies
       • Do you allow external access?
       • Do you provide all employee equipment?
       • Do you allow ‘BYOD’?
       • Do you pay for cell/data access?
     If you answered YES to ANY of the above, you NEED A BYOD POLICY, even if the policy says NO!
  5. Sample BYOD Policies, written by the ISO. He understands the 24/7 nature of his team, and understands the risks.
       • Only Senior InfoSec executives can make external connections
       • NON InfoSec employees must use workstations at their desk
       • The CEO and CFO pay our checks, so they can do anything they want, with or without written policies
  6. Sample BYOD Policies, written by the Dir IT. They need access to everything, IT is KING!
       • We have the Exchange Admin Password
       • We can do anything we want
       • We can add you if you buy us toys
       • The CEO and CFO pay our checks, so they can do anything they want, with or without written policies
  7. Sample BYOD Policies, written by Legal. We went to Harvard. We make almost as much as the plumber makes. We need to cross the I’s and dot the t’s. The policy must be large, multiple pages, and undecipherable, except by lawyers.
  8. Sample BYOD Policies, the three drafts side by side. Written by the ISO: he understands the 24/7 nature of his team, and understands the risks. Written by the Dir IT: they need access to everything, IT is KING! Written by Legal: we went to Harvard, we make almost as much as the plumber makes, we need to cross the I’s and dot the t’s, and the policy must be large, multiple pages, and undecipherable, except by lawyers.
  9. Some Points, BYOD
       1. Restrict Platform: Apple, Blackberry, Android? Do you have MDM software that can control all three? Do you have pre-approved models?
       2. BYOD Reimbursement: Do you provide reimbursement for the phone and accessories? Do you pay for the plan or have a plan allowance?
       3. Policy Enforcement: Unlock code / PIN / pattern / fingerprint? Device encryption? Restrict removable media?
  10. Some Points, BYOD
       4. Share Status in Real Time: Are you sharing your real-time status? GPS, Twitter, Facebook, Latitude?
       5. Unencrypted Wifi: Prohibit access to unencrypted Wifi (free hotspots, Starbucks, airports, etc.).
       6. HR / Legal Policies: Use of the device by hourly employees; use of the device while driving.
  11. Some Points, BYOD
       7. Lost Device / Termination: Report a lost device immediately; who replaces it? MDM software: wipe the device upon loss or termination?
       8. Employee Use Only: No family, no friends, business use only. Buy your 3 year old his own tablet to play Angry Birds.
       9. Restrict Downloads / Programs / Rooting / Jailbreak: A flashlight app can track GPS locations; jailbroken phones can allow programs access to contacts, passwords, and files.
  12. Some Points, BYOD
       10. Support / Management: What level of IT support does the user get? Do we install MDM software and perform backups?
       11. Access Rights: Right to disable or restrict access for security or policy reasons.
       12. Right to Audit: Right to log calls, texts, and the list of installed software (FINRA, SOX, GLBA, FFIEC).
  13. The Fine Print: How do we get there?
       1. Articulate Clear Goals: Why a policy; Reduce Capex; Productivity; Satisfaction; Technology; Company Portal
       2. Existing Policies: Internet Use; AUP; Password Policy; HR Policies; Security; Privacy; Regulations
       3. Eligibility: Who; Job Function; Executive; Types of Jobs; External Users; Existing Devices; Rollout / Pilot
  14. The Fine Print: How do we get there?
       4. Stakeholders: Executive; Finance; Legal; HR; IT; Telecom; Security; Compliance
       5. Limit Device Tech: Platform; Devices; Upgrades; Versions; Software; Security Tools
       6. Minimum Security: MDM / DLP; Remote Wipe; Encryption; Screen Passcode; Screen Timeout; AV Software; Logging
  15. The Fine Print: How do we get there?
       7. Level of Support: Tier 1 / Tier 2; Vendor Contact; Connectivity; Remote / Wifi; Bluetooth; Training; Candy Crush
       8. Listen: Business Leaders; User Feedback; Too Strict; User Buy-In; Insider Threat; Trust (both ways); Awareness
       9. Frequent Updates: Technology (iPAQ, feature phone, smartphone, iPhone, tablets, phablet, smart watch, Google Glass, medically implanted Bluetooth); Focus on data
  16. Last Step, Not Official Policy Yet
       1. Draft Policy Finished: Do you buy MDM software? Make an announcement? Block all the iPhones? Pull up the drawbridge?
       2. Executive Approval: You can’t enforce a policy without Executive Approval. Formal process, and be ready to explain all of your choices.
  17. Download the sample at https://db.tt/BRNrlcbH. Let’s start…
       1. Let’s write a policy
       2. Time to vote on it
       3. Publish the draft and take it to management for approval.
  18. 15 Must Have Policies
       1. Firewall Policy
       2. Anti-Virus Policy
       3. Downtime Policy
       4. Password Policy
       5. Purchasing Policy
       6. Help Desk Triage Policy
       7. Third-Party Access Policy
       8. Server Configuration Policy
       9. Software Development Policy
       10. Internet Acceptable Use Policy
       11. Hardware Asset Disposal Policy
       12. Mobile Device Acceptable Use Policy
       13. Remote Access Policy
       14. Telephony Service Policy
       15. Routine COTS Application Policy
  19. Where to get Help. Policy Gap Analysis: review current policies, compare against best practices and current government regulations. Policy Updates / Presentation: sometimes the hardest part is getting management buy-in. Call or email for a consultation: Security Privateers, @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com. Additional resources for BYOP: http://www.securityprivateers.com/owasp-issa-byop.html
