Bring Your Own Policy: Internet Use/BYOD Policy by consensus

Michael Scheidell, Chief Information Security Officer (CISO)
OWASP
SF-ISSA
BYOP (if you dare)
Security Privateers™
© 2013 All Rights Reserved Security Privateers
• Corporate InfoSec Consultant
• Certified CISO for Hire,
Contract or Retainer
• Founded Three South Florida
Tech Companies
• Digital Privacy Expert
• Member ISSA, IAPP, ISACA, IEEE,
FBI InfraGard and SFTA
• Finalist, EE Times ACE Innovator of the Year award
What is your policy?
Do you allow smartphones or not?
Sample BYOD Policies
• Do you allow external access?
• Do you provide all employee equipment?
• Do you allow ‘BYOD’?
• Do you pay for cell/data access?
If you answered YES to ANY of the above, you NEED a BYOD policy, even if the policy says NO!
Sample BYOD Policies

Written by the ISO: he understands the 24/7 nature of his team, and understands the risks.
• Only senior InfoSec executives can make external connections
• Non-InfoSec employees must use workstations at their desk
• The CEO and CFO pay our checks, so they can do anything they want, with or without written policies

Written by the Director of IT: they need access to everything, IT is KING!
• We have the Exchange admin password
• We can do anything we want
• We can add you if you buy us toys
• The CEO and CFO pay our checks, so they can do anything they want, with or without written policies

Written by Legal: we went to Harvard. We make almost as much as the plumber makes. We need to cross the I’s and dot the t’s. The policy must be large, multiple pages, and undecipherable, except by lawyers.
(Legal’s sample policy: several pages of Lorem ipsum placeholder text)
Some Points: BYOD
1. Restrict platform. Apple, BlackBerry, Android? Do you have MDM software that can control all three? Do you have pre-approved models?
2. BYOD reimbursement. Do you provide reimbursement for the phone and accessories? Do you pay for the plan, or have a plan allowance?
3. Policy enforcement. Unlock code / PIN / pattern / fingerprint? Device encryption? Restrict removable media?
4. Share status in real time. Are you sharing your real-time status? GPS, Twitter, Facebook, Latitude?
5. Unencrypted Wi-Fi. Prohibit access to unencrypted Wi-Fi (free hotspots, Starbucks, airports, etc.).
6. HR / legal policies. Use of the device by hourly employees; use of the device while driving.
7. Lost device / termination. Report a lost device immediately; who replaces it? MDM software; wipe the device upon loss or termination?
8. Employee use only. No family, no friends, business use only. Buy your 3-year-old his own tablet to play Angry Birds.
9. Restrict downloads / programs / rooting / jailbreak. A flashlight app tracks GPS locations; jailbroken phones can allow programs access to contacts, passwords and files.
10. Support / management. What level of IT support does the user get? Do we install MDM software and perform backups?
11. Access rights. Right to disable or restrict access for security or policy reasons.
12. Right to audit. Right to log calls, texts and the list of installed software (FINRA, SOX, GLBA, FFIEC).
The Fine Print: How do we get there?

1. Articulate Clear Goals
• Why a policy
• Reduce CapEx
• Productivity
• Satisfaction
• Technology
• Company portal

2. Existing Policies
• Internet use
• AUP
• Password policy
• HR policies
• Security
• Privacy
• Regulations

3. Eligibility
• Who
• Job function
• Executive
• Types of jobs
• External users
• Existing devices
• Rollout / pilot
4. Stakeholders
• Executive
• Finance
• Legal
• HR
• IT
• Telecom
• Security
• Compliance

5. Limit Device Tech
• Platform
• Devices
• Upgrades
• Versions
• Software
• Security tools

6. Minimum Security
• MDM / DLP
• Remote wipe
• Encryption
• Screen passcode
• Screen timeout
• AV software
• Logging
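The minimum-security controls listed above (MDM enrolment, remote wipe, encryption, screen passcode and timeout), together with points 3, 11 and 12 of the BYOD list (policy enforcement, the right to restrict access, the right to audit installed software), only bite if someone actually checks devices against them. The Python below is an added example, not part of the original slides or of any MDM product: it evaluates a device inventory against a baseline and decides, per device, whether to allow access, warn the user, or block the device. The JSON inventory and its field names are a constructed stand-in for a real MDM export, and the thresholds in BASELINE (6-digit passcode, 5-minute timeout, minimum OS versions) are illustrative assumptions.

```python
"""Check a BYOD device inventory against a minimum-security baseline.

Added example, not from the original slides. The inventory format below is a
hypothetical MDM export; real products use different field names.
"""
import json

# Baseline drawn from the "Minimum Security" and "Some Points" lists.
# Platform list and numeric thresholds are assumptions for this example.
BASELINE = {
    "approved_platforms": {"ios": (12, 0), "android": (9, 0), "blackberry": (10, 3)},
    "min_passcode_length": 6,
    "max_screen_timeout_sec": 300,   # 0 means "never locks" and is rejected
}

# Constructed sample export; these device records are made up for the example.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "d-001", "user": "alice", "platform": "iOS", "os_version": "13.3",
     "mdm_enrolled": True, "passcode_set": True, "passcode_length": 6,
     "screen_timeout_sec": 120, "encrypted": True, "remote_wipe": True, "rooted": False},
    {"device_id": "d-002", "user": "bob", "platform": "Android", "os_version": "8.1",
     "mdm_enrolled": True, "passcode_set": True, "passcode_length": 4,
     "screen_timeout_sec": 600, "encrypted": False, "remote_wipe": True, "rooted": True},
    {"device_id": "d-003", "user": "carol", "platform": "iOS", "os_version": "13.0",
     "mdm_enrolled": True, "passcode_set": True, "passcode_length": 6,
     "screen_timeout_sec": 0, "encrypted": True, "remote_wipe": False, "rooted": False},
    {"device_id": "d-004", "user": "dave", "platform": "WindowsPhone", "os_version": "8.1",
     "mdm_enrolled": False, "passcode_set": False, "passcode_length": 0,
     "screen_timeout_sec": 0, "encrypted": False, "remote_wipe": False, "rooted": False},
])


def parse_version(text):
    """'13.3' -> (13, 3); stops at the first non-numeric component ('10.3.2b' -> (10, 3, 2))."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def check_device(dev, baseline=BASELINE):
    """Return a list of (severity, finding) for one device record.

    'critical' findings mean the device must not reach company data (the policy's
    right to disable access); 'warn' findings need remediation by the user.
    """
    findings = []
    platform = str(dev.get("platform", "")).lower()
    min_version = baseline["approved_platforms"].get(platform)
    if min_version is None:
        findings.append(("critical", f"platform {dev.get('platform')!r} not approved"))
    elif parse_version(str(dev.get("os_version", "0"))) < min_version:
        wanted = ".".join(str(n) for n in min_version)
        findings.append(("warn", f"OS {dev['os_version']} below minimum {wanted}"))
    if dev.get("rooted") or dev.get("jailbroken"):
        findings.append(("critical", "device is rooted/jailbroken"))
    if not dev.get("mdm_enrolled"):
        findings.append(("critical", "not enrolled in MDM"))
    if not dev.get("passcode_set"):
        findings.append(("critical", "no screen passcode"))
    elif dev.get("passcode_length", 0) < baseline["min_passcode_length"]:
        findings.append(("warn", f"passcode shorter than {baseline['min_passcode_length']}"))
    timeout = dev.get("screen_timeout_sec", 0)
    if timeout <= 0 or timeout > baseline["max_screen_timeout_sec"]:
        findings.append(("warn", f"screen timeout {timeout}s outside policy"))
    if not dev.get("encrypted"):
        findings.append(("critical", "storage not encrypted"))
    if not dev.get("remote_wipe"):
        findings.append(("warn", "remote wipe not enabled"))
    return findings


def evaluate_inventory(json_text, baseline=BASELINE):
    """Map device_id -> {'user', 'action', 'findings'} for a JSON inventory."""
    report = {}
    for dev in json.loads(json_text):
        findings = check_device(dev, baseline)
        if any(sev == "critical" for sev, _ in findings):
            action = "block"
        elif findings:
            action = "warn"
        else:
            action = "allow"
        report[dev["device_id"]] = {"user": dev.get("user"), "action": action,
                                    "findings": [msg for _, msg in findings]}
    return report


if __name__ == "__main__":
    for device_id, result in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{device_id} ({result['user']}): {result['action'].upper()}")
        for msg in result["findings"]:
            print(f"    - {msg}")
```

The split between "critical" and "warn" is the part worth arguing about with the stakeholders: a rooted or unencrypted device, or one outside MDM, loses access immediately, while an over-long screen timeout or an old OS build gets a grace period. Whatever the thresholds, write them down in the policy the users voted on, not only in the script.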
7. Level of Support
• Tier 1 / Tier 2
• Vendor contact
• Connectivity
• Remote / Wi-Fi
• Bluetooth
• Training
• Candy Crush

8. Listen
• Business leaders
• User feedback
• Too strict?
• User buy-in
• Insider threat
• Trust, both ways
• Awareness

9. Frequent Updates
• Technology keeps moving: iPAQ, feature phone, smartphone, iPhone, tablets, phablet, smart watch, Google Glass, medically implanted Bluetooth devices
• Focus on the data
Last Step (Not Official Policy Yet)

Let’s start… let’s write a policy:
1. Draft policy finished. Do you buy MDM software? Make an announcement? Block all the iPhones? Pull up the drawbridge?
2. Time to vote on it.
3. Publish the draft and take it to management for approval. You can’t enforce a policy without executive approval: follow a formal process, and be ready to explain all of your choices.

Download a sample at https://db.tt/BRNrlcbH
15 Must-Have Policies
1. Firewall Policy
2. Anti-Virus Policy
3. Downtime Policy
4. Password Policy
5. Purchasing Policy
6. Help Desk Triage Policy
7. Third-Party Access Policy
8. Server Configuration Policy
9. Software Development Policy
10. Internet Acceptable Use Policy
11. Hardware Asset Disposal Policy
12. Mobile Device Acceptable Use Policy
13. Remote Access Policy
14. Telephony Service Policy
15. Routine COTS Application Policy
Where to get Help

Policy Gap Analysis: review current policies, compare against best practices and current government regulations.
Policy Updates / Presentation: sometimes the hardest part is getting management buy-in.
Call or email for a consultation.

Security Privateers
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Additional resources for BYOP: http://www.securityprivateers.com/owasp-issa-byop.html
1 of 19

Recommended

Techwards uploadfile updated changes by
Techwards uploadfile updated changesTechwards uploadfile updated changes
Techwards uploadfile updated changeselastica 123
37 views4 slides
Horaris 1ª jornada lliga by
Horaris 1ª jornada lliga Horaris 1ª jornada lliga
Horaris 1ª jornada lliga cfvmonistrol
286 views1 slide
1. ramos, andré luiz santa cruz direito empresarial by
1. ramos, andré luiz santa cruz   direito empresarial1. ramos, andré luiz santa cruz   direito empresarial
1. ramos, andré luiz santa cruz direito empresarialMarcia Regina Mourao
706 views384 slides
Actividad 1 presentacion julián romero ante by
Actividad 1 presentacion julián romero anteActividad 1 presentacion julián romero ante
Actividad 1 presentacion julián romero anteJulián Romero Ante
430 views4 slides
Presentación:Proyecto de AT-Asociaciones by
Presentación:Proyecto de AT-AsociacionesPresentación:Proyecto de AT-Asociaciones
Presentación:Proyecto de AT-AsociacionesAna Arias
919 views22 slides
Presentación 3 taller Narraciones Digitales "Hagamos radio en la escuela" by
Presentación 3 taller Narraciones Digitales "Hagamos radio en la escuela"Presentación 3 taller Narraciones Digitales "Hagamos radio en la escuela"
Presentación 3 taller Narraciones Digitales "Hagamos radio en la escuela"DGCYE (educación de la prov. Bs As)
307 views19 slides

More Related Content

Viewers also liked

Diptico by
DipticoDiptico
DipticoCarlos Jesus Lachira Zamora
415 views2 slides
Arendts: Sports betting licensing procedure in Germany by
Arendts: Sports betting licensing procedure in Germany Arendts: Sports betting licensing procedure in Germany
Arendts: Sports betting licensing procedure in Germany Martin Arendts
4.4K views2 slides
Figuras retóricas. Textos literarios del siglo de oro. GRAdo arte. Uned by
Figuras retóricas. Textos literarios del siglo de oro. GRAdo arte. UnedFiguras retóricas. Textos literarios del siglo de oro. GRAdo arte. Uned
Figuras retóricas. Textos literarios del siglo de oro. GRAdo arte. Uned--- ---
11K views4 slides
Indices financieros by
Indices financierosIndices financieros
Indices financierosRicardo Pabón Martinez
9.4K views10 slides
Voce é diferente by
Voce é diferenteVoce é diferente
Voce é diferenteClaudiaDemolin
2.8K views40 slides
Aula 6 fatp tipico direito penal by
Aula 6 fatp tipico direito penalAula 6 fatp tipico direito penal
Aula 6 fatp tipico direito penalDanny de Campos
4K views33 slides

Similar to Bring Your Own Policy: Internet Use/BYOD Policy by consensus

Empowering users to reclaim their Privacy by
Empowering users to reclaim their PrivacyEmpowering users to reclaim their Privacy
Empowering users to reclaim their PrivacyOperando Consortium
300 views19 slides
Running head KONY 2017 SAMPLE TEMPLATE .docx by
Running head KONY 2017 SAMPLE TEMPLATE                         .docxRunning head KONY 2017 SAMPLE TEMPLATE                         .docx
Running head KONY 2017 SAMPLE TEMPLATE .docxcowinhelen
3 views21 slides
170424 isaca lux slides by
170424 isaca lux slides170424 isaca lux slides
170424 isaca lux slidesHenri Kuiper
126 views70 slides
Sample Presentation by
Sample PresentationSample Presentation
Sample Presentationcacurtis123
301 views10 slides
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx by
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docxtroutmanboris
3 views25 slides
week3_garst_107357_mockupv1 by
week3_garst_107357_mockupv1week3_garst_107357_mockupv1
week3_garst_107357_mockupv1Ashley Garst
101 views10 slides

Similar to Bring Your Own Policy: Internet Use/BYOD Policy by consensus (20)

Running head KONY 2017 SAMPLE TEMPLATE .docx by cowinhelen
Running head KONY 2017 SAMPLE TEMPLATE                         .docxRunning head KONY 2017 SAMPLE TEMPLATE                         .docx
Running head KONY 2017 SAMPLE TEMPLATE .docx
cowinhelen3 views
170424 isaca lux slides by Henri Kuiper
170424 isaca lux slides170424 isaca lux slides
170424 isaca lux slides
Henri Kuiper126 views
Sample Presentation by cacurtis123
Sample PresentationSample Presentation
Sample Presentation
cacurtis123301 views
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx by troutmanboris
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx
6Properly Formatted Formal ReportTHE TITLE OF YOUR REP.docx
troutmanboris3 views
week3_garst_107357_mockupv1 by Ashley Garst
week3_garst_107357_mockupv1week3_garst_107357_mockupv1
week3_garst_107357_mockupv1
Ashley Garst101 views
Social Media Basics & Application (for Indexers) by Sara Truscott
Social Media Basics & Application (for Indexers)Social Media Basics & Application (for Indexers)
Social Media Basics & Application (for Indexers)
Sara Truscott806 views
4.3 mixed scheme dark version by hamza bekkali
4.3 mixed scheme   dark version4.3 mixed scheme   dark version
4.3 mixed scheme dark version
hamza bekkali37 views
Tunnel Technologies Datasheet Template by TDSmaker
Tunnel Technologies Datasheet TemplateTunnel Technologies Datasheet Template
Tunnel Technologies Datasheet Template
TDSmaker138 views
Talis Insight Asia-Pacific 2017: Rodney Tamblyn, Talis by Talis
Talis Insight Asia-Pacific 2017: Rodney Tamblyn, TalisTalis Insight Asia-Pacific 2017: Rodney Tamblyn, Talis
Talis Insight Asia-Pacific 2017: Rodney Tamblyn, Talis
Talis195 views
Epsilon.pptx by Ostoor
Epsilon.pptxEpsilon.pptx
Epsilon.pptx
Ostoor6 views

More from Michael Scheidell

Not IF, but WHEN by
Not IF, but WHENNot IF, but WHEN
Not IF, but WHENMichael Scheidell
170 views18 slides
Spy vs Spy: Protecting Secrets by
Spy vs Spy: Protecting SecretsSpy vs Spy: Protecting Secrets
Spy vs Spy: Protecting SecretsMichael Scheidell
1.1K views20 slides
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ... by
Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Michael Scheidell
4.7K views32 slides
Risky Business by
Risky BusinessRisky Business
Risky BusinessMichael Scheidell
5.6K views32 slides
Running with Scissors: Balance between business and InfoSec needs by
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsMichael Scheidell
1.7K views37 slides
Governance and Security in Cloud and Mobile Apps by
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsMichael Scheidell
5K views19 slides

More from Michael Scheidell(6)

Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ... by Michael Scheidell
Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Michael Scheidell4.7K views
Running with Scissors: Balance between business and InfoSec needs by Michael Scheidell
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needs
Michael Scheidell1.7K views
Governance and Security in Cloud and Mobile Apps by Michael Scheidell
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile Apps

Bring Your Own Policy: Internet Use/BYOD Policy by consensus

  • 1. Michael Scheidell, CISO OWASP SF-ISSA BYOP(IF YOU DARE) Security Priva(eers™
  • 2. © 2013 All Rights Reserved Security Priva(eers • Corporate InfoSec Consultant • Certified CISO for Hire, Contract or Retainer • Founded Three South Florida Tech Companies • Digital Privacy Expert • Member ISSA, IAPP, ISACA, IEEE, FBI InfraGard and SFTA • Finalist EE Times ACE Innovator of the year award Sub headline AGENDABring Your Own Policy Michael Scheidell, CISO Security Priva(eers @scheidell 561-948-1305 / michael@securityprivateers.com http://www.securityprivateers.com Additional Resources at: http://www.securityprivateers.com/owasp-issa-byop.html
  • 3. © 2013 All Rights Reserved Security Priva(eers Sub headline AGENDA What is your policy? Do you allow smartphones or not?
  • 4. Sample BYOD Policies • Do you allow external access? • Do you provide all employee equipment? • Do you allow ‘BYOD’? • Do you pay for CELL/Data access? If you answered YES to ANY of these above, you NEED A BYOD POLICY Even if the policy says NO!
  • 5. Written by ISO He understands the 24/7 nature of his team, and understands the risks. Sample BYOD Policies Written by Dir IT They need access to everything, IT is KING! • Only Senior InfoSec executives can make external connections • NON InfoSec employees must use workstations at their desk • The CEO and CFO pay our checks, so they can do anything they want, with or without written policies
  • 6. Sample BYOD Policies Written by Dir IT They need access to everything, IT is KING! Written by Legal We went to Harvard. We make almost as much as the plumber makes. We need to cross the I’s and dot the t’s. The policy must be large, multiple pages, and undecipherable, except by lawyers • We have the Exchange Admin Password • We can do anything we want • We can add you if you buy us toys • The CEO and CFO pay our checks, so they can do anything they want, with or without written policies
  • 7. Sample BYOD Policies Written by Legal We went to Harvard. We make almost as much as the plumber makes. We need to cross the I’s and dot the t’s. The policy must be large, multiple pages, and undecipherable, except by lawyers Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut sodales porta lacus, non auctor enim adipiscing id. Mauris non urna venenatis, blandit mi aliquam, tristique quam. Suspendisse egestas ac libero id tincidunt. Proin malesuada dolor ultrices enim fermentum pharetra consequat ut sapien. Fusce scelerisque dignissim orci sit amet tincidunt. Aenean luctus sodales lobortis. Ut non auctor velit. Sed molestie arcu ac convallis consectetur. Integer sed laoreet velit. Donec eleifend turpis id tellus volutpat, eu ultricies augue sollicitudin. Donec a felis eget ante consectetur porttitor dignissim aliquet velit. Cras consectetur tortor ac enim sodales elementum. Nullam purus felis, dapibus eu viverra sodales, adipiscing et erat. Etiam rhoncus feugiat ullamcorper. Duis nisl urna, malesuada eget dolor imperdiet, viverra rutrum nisl. Sed consequat semper iaculis. Donec lorem mi, eleifend ullamcorper viverra eget, hendrerit in dolor. Quisque pellentesque tellus neque, ut eleifend quam volutpat ut. Nullam lorem ligula, ultrices a turpis et, viverra semper dolor. Donec nec tellus eget risus feugiat ultricies at et mi. Morbi fringilla ipsum odio, vitae convallis augue pretium tristique. Pellentesque consectetur nisl id metus imperdiet viverra. Nunc sodales pulvinar turpis non congue. Quisque odio nisl, tincidunt in lobortis tincidunt, mattis sit amet mi. Cras id vehicula lectus, non ultrices elit. Quisque lacinia laoreet lectus. In imperdiet, nibh sit amet tincidunt condimentum, mauris diam ultricies leo, vitae sollicitudin lacus risus eu justo. Duis ornare diam ut lorem tincidunt, id laoreet mauris molestie. Quisque dapibus, nibh non consectetur varius, sapien felis pretium libero, blandit molestie sem tellus ac leo. 
Morbi diam turpis, aliquam non ipsum id, convallis lobortis nisi. Aenean placerat purus quis leo ultrices, vitae gravida nunc sagittis. Donec ut venenatis sapien. Cras eget dui est. Donec commodo iaculis dictum. Morbi malesuada lacus sed condimentum eleifend. Donec mattis varius interdum. Curabitur sodales libero vel venenatis ullamcorper. Nam tempor nibh sit amet nisi pharetra, sed egestas eros auctor. In adipiscing sem ut vehicula scelerisque. Vestibulum tempor lorem eget sollicitudin iaculis. Morbi faucibus consequat dui ac egestas. Phasellus scelerisque ultricies neque eu suscipit. Etiam venenatis quam quis sapien gravida adipiscing. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Curabitur consequat nibh vel enim rutrum, eget elementum orci semper. Vestibulum quis adipiscing dui. Aliquam erat volutpat. Etiam at diam id ipsum ornare fringilla in vel elit. Praesent suscipit eros in erat luctus, sit amet consectetur purus pretium. Maecenas fringilla elit ipsum, porttitor ultrices sem luctus sit amet. Integer nec rhoncus justo, sit amet bibendum urna. Vivamus at tortor non ante molestie consequat ut in quam. Donec eget elit arcu. Pellentesque dictum massa nunc, sed venenatis eros elementum non. Fusce at justo purus. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut sodales porta lacus, non auctor enim adipiscing id. Mauris non urna venenatis, blandit mi aliquam, tristique quam. Suspendisse egestas ac libero id tincidunt. Proin malesuada dolor ultrices enim fermentum pharetra consequat ut sapien. Fusce scelerisque dignissim orci sit amet tincidunt. Aenean luctus sodales lobortis. Ut non auctor velit. Sed molestie arcu ac convallis consectetur. Integer sed laoreet velit. Donec eleifend turpis id tellus volutpat, eu ultricies augue sollicitudin. Donec a felis eget ante consectetur porttitor dignissim aliquet velit. Cras consectetur tortor ac enim sodales elementum. 
Slide 8: Sample BYOD Policies
• Written by ISO: He understands the 24/7 nature of his team, and understands the risks.
• Written by Dir IT: They need access to everything, IT is KING!
• Written by Legal: We went to Harvard. We make almost as much as the plumber makes. We need to cross the I’s and dot the t’s. The policy must be large, multiple pages, and undecipherable, except by lawyers.
Slide 9: Some Points BYOD
© 2013 All Rights Reserved Security Priva(eers
1. Restrict Platform: Apple, Blackberry, Android? Do you have MDM software that can control all three? Do you have pre-approved models?
2. BYOD Reimbursement: Do you provide reimbursement for the phone and accessories? Do you pay for, or provide an allowance for, the plan?
3. Policy Enforcement: Unlock code/PIN/pattern/fingerprint? Device encryption? Restrict removable media?
Slide 10: Some Points BYOD
4. Share Status in Real Time: Are you sharing your real-time status? GPS, Twitter, Facebook, Latitude?
5. Unencrypted Wifi: Prohibit access to unencrypted Wifi (free hotspots, Starbucks, airports, etc.).
6. HR / Legal Policies: Use of the device by hourly employees; use of the device while driving.
Slide 11: Some Points BYOD
7. Lost Device / Termination: Report a lost device immediately; who replaces it? MDM software: wipe the device upon loss or termination?
8. Employee Use Only: No family, no friends, business use only. Buy your 3-year-old his own tablet to play Angry Birds.
9. Restrict Downloads / Programs / Rooting / Jailbreak: A flashlight app tracks GPS locations; jailbroken phones can allow programs access to contacts, passwords and files.
Slide 12: Some Points BYOD
10. Support / Management: What level of IT support does the user get? Do we install MDM software and perform backups?
11. Access Rights: Right to disable or restrict access for security or policy reasons.
12. Right to Audit: Right to log calls, texts and the list of installed software (FINRA, SOX, GLBA, FFIEC).
Slide 13: The Fine Print – How do we get there?
1. Articulate Clear Goals
• Why a policy
• Reduce Capex
• Productivity
• Satisfaction
• Technology
• Company Portal
2. Existing Policies
• Internet Use
• AUP
• Password Policy
• HR Policies
• Security
• Privacy
• Regulations
3. Eligibility
• Who
• Job Function
• Executive
• Types of Jobs
• External Users
• Existing Devices
• Rollout / Pilot
Slide 14: The Fine Print – How do we get there?
4. Stakeholders
• Executive
• Finance
• Legal
• HR
• IT
• Telecom
• Security
• Compliance
5. Limit Device Tech
• Platform
• Devices
• Upgrades
• Versions
• Software
• Security Tools
6. Minimum Security
• MDM / DLP
• Remote Wipe
• Encryption
• Screen Passcode
• Screen Timeout
• AV Software
• Logging
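The "Restrict Platform", "Minimum Security", "Lost Device / Termination" and "Access Rights" points above are what an MDM ends up enforcing as rules. The following is an added example, not code from the deck or from Security Priva(eers: a small evaluator that checks a constructed device record against those points and returns allow, restrict or wipe. The policy thresholds, field names and sample devices are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BYODPolicy:
    """Assumed policy knobs taken from the 'Restrict Platform' and 'Minimum Security' points."""
    allowed_platforms: dict            # platform -> minimum OS version (major, minor)
    min_passcode_len: int = 6
    max_screen_timeout_s: int = 300
    require_encryption: bool = True
    blocked_apps: set = field(default_factory=set)

@dataclass
class Device:
    """One device record as an MDM inventory might report it (constructed, not real data)."""
    platform: str
    os_version: tuple
    passcode_len: int                  # 0 means no screen passcode is set
    screen_timeout_s: int
    encrypted: bool
    rooted: bool                       # rooted or jailbroken
    installed_apps: set
    employee_active: bool = True       # False once HR reports a termination

def evaluate(device, policy):
    """Return (decision, violations); decision is 'allow', 'restrict' or 'wipe'."""
    # Termination (point 7): corporate data comes off the device whatever its state.
    if not device.employee_active:
        return "wipe", ["employee terminated: remove corporate data"]
    violations = []
    if device.platform not in policy.allowed_platforms:
        violations.append(f"platform {device.platform} is not approved")
    elif device.os_version < policy.allowed_platforms[device.platform]:
        violations.append("OS version below the approved minimum")
    if device.rooted:
        violations.append("rooted or jailbroken device (point 9)")
    if policy.require_encryption and not device.encrypted:
        violations.append("device storage is not encrypted")
    if device.passcode_len < policy.min_passcode_len:
        violations.append("screen passcode missing or too short")
    if device.screen_timeout_s > policy.max_screen_timeout_s:
        violations.append("screen timeout longer than allowed")
    for app in sorted(device.installed_apps & policy.blocked_apps):
        violations.append(f"blocked app installed: {app}")
    # Any violation exercises the 'Access Rights' point: restrict until remediated.
    return ("restrict" if violations else "allow"), violations

# Constructed sample: iOS and Android approved, a GPS-tracking flashlight app blocked.
POLICY = BYODPolicy(allowed_platforms={"ios": (7, 0), "android": (4, 3)},
                    blocked_apps={"flashlight"})
COMPLIANT = Device("ios", (7, 1), 6, 120, True, False, {"mail"})
RISKY = Device("android", (4, 1), 4, 900, False, True, {"mail", "flashlight"})
```

The violation list is what you would hand back to the user (and log for the "Right to Audit" point) rather than silently blocking them.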
Slide 15: The Fine Print – How do we get there?
7. Level of Support
• Tier 1 / Tier 2
• Vendor Contact
• Connectivity
• Remote/Wifi
• Bluetooth
• Training
• Candy Crush
8. Listen
• Business Leaders
• User Feedback
• Too Strict
• User Buy-In
• Insider Threat
• Trust/both ways
• Awareness
9. Frequent Updates
• Technology: iPAQ, feature phone, smartphone, iPhone, tablets, phablet, smart watch, Google Glass, medically implanted Bluetooth
• Focus on data
Slide 16: Last Step, Not Official Policy Yet
1. Draft Policy Finished: Do you buy MDM software? Make an announcement? Block all the iPhones? Pull up the drawbridge?
2. Executive Approval: You can’t enforce a policy without executive approval. Formal process, and be ready to explain all of your choices.
Slide 17: Let’s start…
Download Sample at https://db.tt/BRNrlcbH
1. Let’s write a policy
2. Time to vote on it
3. Publish the draft and take it to management for approval.
Slide 18: 15 Must Have Policies
1. Firewall Policy
2. Anti-Virus Policy
3. Downtime Policy
4. Password Policy
5. Purchasing Policy
6. Help Desk Triage Policy
7. Third-Party Access Policy
8. Server Configuration Policy
9. Software Development Policy
10. Internet Acceptable Use Policy
11. Hardware Asset Disposal Policy
12. Mobile Device Acceptable Use Policy
13. Remote Access Policy
14. Telephony Service Policy
15. Routine COTS Application Policy
Slide 19: Where to get Help
• Policy Gap Analysis: Review current policies, compare against best practices and current government regulations.
• Policy Updates / Presentation: Sometimes the hardest part is getting management buy-in.
• Call or email for a consultation.
Security Priva(eers
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Additional resources for BYOP: http://www.securityprivateers.com/owasp-issa-byop.html