Effective Security Policies for a BYOD Environment

A Presentation to Industry Colleagues
Delivered on Wednesday, October 31, 2012 in Scottsdale, AZ

Harry Contreras - CISSP
Information Security Policy Manager

Presentation Key Points
           Mobility issues facing businesses today
           Addressing risk and liability issues through policy
           Writing effective mobile security policies
           Policy re-use: What can remote access teach us about
            mobile issues?
           Policy program challenges and solutions
           Sign-off and delivery of policies
           Policy enforcement and updating
           Q&A
           References and Resources following
H. Contreras - CISSP                                              Presentation - Slide 2
© COMPANY NAME
Addressing risk and liability issues through policy
       Address Company risks through policy for the newer mobility technologies
         introduced by consumer-owned and consumer-managed platforms.

       Your goal –
            A mobility BYOD policy that negotiates the obstacles in the risk
             landscape.

Addressing risk and liability issues through policy
       What’s that? You said you addressed this before…
            Enter the “BYOD” mobility model

       Reflection point –
       A newer mobility approach that introduces consumer-owned and
         consumer-managed platforms.
            Risk and liability remain with the Company regardless of the
             mobility approach.
            Only now, these are not Company assets to control…

Addressing risk and liability issues through policy
       What is policy?
            Company/business position statements
            Declaration of expected behaviors for business
             operations and employees to follow


       Effectiveness of policy is based on its integration into the
          Company culture and the clearly identified enforcement
          outcomes that are visible to employees.
            Key point here is - “visible” enforcement.
       Without consequence there is no behavior modification.

Addressing risk and liability issues through policy
       There is a hierarchy of policy for Companies to address:

            Internal                       External
            Company derived                Regulatory/legislated
                                           Industry based

            Company internal and external issues are complementary, not “vs.”
            Both are influencing factors to address

Addressing risk and liability issues through policy
       Regulatory “entanglements”
            Personal, health and cardholder data privacy regulations
            SEC regulation
            FRCP Rule 26 / e-Discovery
            IRS regulation and use-reporting requirements
            Forensics and investigations
       Company and operations specific issues
            Company contractual obligations
            Business “verticals” – e.g. health, government, industry
            Global operations and regional regulatory issues
Addressing risk and liability issues through policy
       … we are only porting Company email to our users’ personal devices…
       Why all this concern?
                             - Liability and Risk -
            Will the Company information remain captive on these devices?
            Do employees “conduct business” on their personal devices?
            Once Company information is commingled with personal data, the
             liability and risk issues are compounded.

Addressing risk and liability issues through policy
       Remember…
       You don’t own it!
                            - Audit Question? -
            “You put the Company data where?”
            Secured how, and by whom?

       Once Company information is commingled with personal data, the liability
         and risk issues are compounded…
       You know that auditors will inspect, document and report.
       (That is their mission.)

Addressing risk and liability issues through policy
       Communicating policy and expected behaviors -
       Employees are introduced to Company policy at time of hire and
         continually reminded of the expectations stated in legacy and newly
         introduced policies.
            Key point here is the continual reminder of compliance with the
             operational and behavioral expectations in stated policies.

       Are your Company policies out in front of the risk and liability
         issues?
            This is a critical factor in introducing BYOD policies to a
             Company today.

Addressing risk and liability issues through policy
       Addressing policy effectiveness
            Assimilate with existing Company policies for compliance
            Implement an employee-signed “Opt-In” Agreement to participate in
             the BYOD Mobility program
            Consult with Legal and Human Resources
            Corporate governance must endorse

       These are critical factors in introducing BYOD policies to a Company.

Writing effective mobile security policies
      Policy in this specific technology space –
           Must be clear, concise and definitive
      It is not effective if it is subject to differing interpretations.
      It must not conflict with precedent Company policies.

      What is required in policy statements for BYOD
           Statements of behavioral expectations
           Declaration of implemented enforcement controls

Writing effective mobile security policies
      Policy abstract – types of policy
           Behavioral - voluntary or consensual participation
              Some examples – Agreements, “Opt-In”
           Control enforcement declaration
              Automated management and enforcement systems
              Event-based or condition-based actions taken by
                       - MDM systems
                       - New or existing control systems

Writing effective mobile security policies
      Policy examples of other Company compensating controls
        (Legal) binding agreements
           Non-Compete Agreements
           Non-Disclosure Agreements (NDA)


      Some other example instruments
           Intellectual property agreements




Writing effective mobile security policies
      Policy in this specific technology space –
           Must be clear, concise and definitive
      Some example written statements contain -
           Do, do not, will, must, always …
           Is enforced…
           In the event of…
           Will be subject to…




Writing effective mobile security policies
       What’s that? You said you addressed this before…
            The “BYOD” mobility model is an entirely different technology
             problem and risk acceptance model

       Critical success point –
            Signed “Opt-In Acknowledgement” for program participation
       This addresses the introduction of consumer-owned and consumer-managed
         platforms, which are not Company assets to control

Writing effective mobile security policies
       What’s in that “Opt-In” agreement?
            Policy objective – acknowledgement of the implemented Company
             controls and of the behavioral expectations when an “event”
             condition occurs regarding personal information and physical
             access to the personal device brought into the program. It
             clearly delineates the consequences of agreement violation.

       Critical success point – Ask counsel…
            Is it defensible?
       Even with an “Opt-In” you have a two-legged stool.

Writing effective mobile security policies
       Some example provisions in an “Opt-In” agreement
            Signed acknowledgement and consent to adhere to the
             usage provisions stated therein
            Consent to the implementation of the Company security
             controls applied to the device and restriction to not
             modify these controls
            Consent to surrender the device for Company forensic
             investigation and/or e-Discovery when requested
            Consent to surrender the associated mobile device
             phone number if requested by the Company
            Clearly delineated agreement violation consequences.
Writing effective mobile security policies
       Addressing the introduction of consumer-owned and essentially
         unmanaged platforms into Company networks and services
       What are some issues –
            Commingled personal and Company information
            Are Company resources and services being misappropriated?
            Are activities “auditable”, and is there accountability?
                       Note: user devices will be audited.
       Consumer use mentality is an “insider threat” reality.

Policy re-use: What can remote access teach us about mobile issues?
     Addressed remote access services before…
                             What’s different?

          Less control and more risk in connecting platforms of
           questionable integrity to Company platforms and services
          Extending what are essentially remote access services to
           platforms not Company owned
          An exact parallel to connecting “third-party” systems
          The same trust and control issues as the third-party risk model

Policy program challenges and solutions
          Traditional policy driven controls for Company platforms




Policy program challenges and solutions
     What’s different from the traditional approach?
          It is not a Company owned asset (it is a third-party asset)

     What is viable, supportable and allowable to implement on
      employee-owned assets?
     Will it be rejected as “intrusive” or “invading” technology?
          User presence, geolocation, web content filtering
          Services utilization reporting
          Remote control and data erasure actions
          Company-requested surrender of the personal device
Policy program challenges and solutions
     Security will be a paramount issue
          Mobile platforms represent the next and largest attack
           surface facing consumers and businesses
          Asset loss – you already know the consumer track
           record in this space
          Can the required support and security control expenses
           be met?
          Will users accept application white-listing?
          New and more aggressive mobile device exploits are on
           the way


Policy program challenges and solutions
        Integrating “BYOD policy” into automated controls (MDM)
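Slide 14 describes the second type of policy as a declaration of enforcement controls carried out by MDM systems as “logical event or conditional based actions”, and this slide is about integrating the written BYOD policy into those automated controls. The following added example (not code from the presentation or from any MDM product) shows that integration in miniature: each rule carries the written policy statement it enforces, a condition evaluated against a device check-in record, and the action the MDM takes, with the most severe action winning when several rules fire. The policy references (BYOD-1 to BYOD-7), thresholds, action names, field set and sample check-in records are assumptions for illustration.

```python
# Added example (not code from the presentation or from any MDM product):
# a small policy engine that turns written BYOD directives ("must", "in the
# event of") into the event/condition-based actions an MDM would execute.
# Policy references, thresholds, action names and the device check-in records
# are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List

# Fixed "now" so the example is reproducible (assumed value).
NOW = datetime(2012, 10, 31, 12, 0, tzinfo=timezone.utc)
MIN_OS = (6, 0, 0)                # assumed minimum supported OS version
STALE_AFTER = timedelta(days=7)   # assumed check-in deadline


@dataclass
class DeviceCheckin:
    """One MDM check-in record (field set assumed for this example)."""
    device_id: str
    user: str
    opt_in_signed: bool
    passcode_set: bool
    storage_encrypted: bool
    jailbroken: bool
    os_version: tuple             # e.g. (6, 0, 1)
    last_checkin: datetime
    failed_unlock_attempts: int = 0


@dataclass
class Rule:
    """A written policy directive paired with its automated enforcement action."""
    policy_ref: str               # the policy statement this rule enforces
    condition: Callable[[DeviceCheckin], bool]
    action: str                   # block_access | quarantine | wipe_corporate_container
    severity: int                 # highest severity wins when several rules fire


RULES: List[Rule] = [
    Rule("BYOD-1: participation requires a signed Opt-In acknowledgement",
         lambda d: not d.opt_in_signed, "block_access", 3),
    Rule("BYOD-2: a device passcode must be set",
         lambda d: not d.passcode_set, "block_access", 3),
    Rule("BYOD-3: device storage must be encrypted",
         lambda d: not d.storage_encrypted, "block_access", 3),
    Rule("BYOD-4: Company controls must not be modified (no jailbreak/root)",
         lambda d: d.jailbroken, "wipe_corporate_container", 4),
    Rule("BYOD-5: OS must be at or above the supported minimum",
         lambda d: d.os_version < MIN_OS, "quarantine", 2),
    Rule("BYOD-6: in the event of 10 failed unlocks, Company data is wiped",
         lambda d: d.failed_unlock_attempts >= 10, "wipe_corporate_container", 4),
    Rule("BYOD-7: devices must check in at least weekly",
         lambda d: NOW - d.last_checkin > STALE_AFTER, "quarantine", 2),
]


@dataclass
class Decision:
    device_id: str
    action: str                   # "allow" when no rule fired
    violations: List[str] = field(default_factory=list)


def evaluate(device: DeviceCheckin, rules: List[Rule] = RULES) -> Decision:
    """Fire every matching rule, apply the single most severe action, and
    record every breached policy reference. Keeping all references (not only
    the winning one) is what makes the enforcement auditable: the trail says
    which written directive was violated, not just what the MDM did."""
    fired = [r for r in rules if r.condition(device)]
    if not fired:
        return Decision(device.device_id, "allow")
    worst = max(fired, key=lambda r: r.severity)
    return Decision(device.device_id, worst.action, [r.policy_ref for r in fired])


# Constructed sample check-ins (not real devices or users).
SAMPLE_CHECKINS = [
    DeviceCheckin("dev-001", "alice", True, True, True, False, (6, 0, 1), NOW - timedelta(hours=2)),
    DeviceCheckin("dev-002", "bob", True, True, True, True, (6, 0, 1), NOW - timedelta(hours=1)),
    DeviceCheckin("dev-003", "carol", False, True, True, False, (5, 1, 1), NOW - timedelta(days=9)),
    DeviceCheckin("dev-004", "dave", True, False, True, False, (6, 0, 1), NOW, failed_unlock_attempts=10),
]


def run(checkins: List[DeviceCheckin] = SAMPLE_CHECKINS) -> dict:
    """Evaluate every check-in; returns {device_id: Decision}."""
    return {d.device_id: evaluate(d) for d in checkins}


if __name__ == "__main__":
    for dec in run().values():
        print(f"{dec.device_id}: {dec.action}")
        for ref in dec.violations:
            print(f"    violates {ref}")
```

Run as a script, each constructed device gets the action plus the list of written directives it breached (the jailbroken device is wiped; the device with no Opt-In, an old OS and a stale check-in is blocked, with all three directives recorded). Wiring this to a real MDM means replacing DeviceCheckin with the vendor's device inventory record and the action strings with its API calls; the violations list is what feeds the audit trail that slide 21 says user devices will be subject to.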




Policy program challenges and solutions
       What are we up against with Mobility BYOD policy?
       Lack of the following -
            Command, Control, Contain

       Even the “maintain” aspects for these assets are out of reach.
       And hopefully we do not have to…
            Explain – data losses and escapes due to platform
             compromises outside of the policy control set.
       Consideration - Your “walled garden” has a backdoor...

Sign-off and delivery of policies
       Recommendations and critical delivery actions
            Conduct “walk-through” exercises for policy and
             controls elements
            Conduct “table-top” exercises of BYOD “incidents”
       Validation activity
            Testing of support services
            Policy is vetted and endorsed
            Mobility program is amended to include BYOD services
            Availability of BYOD services is communicated

Policy enforcement and updating
       Recommendations and critical delivery actions
            Policy enforcement actions clearly visible
            Findings of abuse and negligent activity, and their consequences,
             communicated in the Company newsletter
       Policy maintenance is a shared activity of all Corporate
         functional stakeholders supporting risk and compliance
         concerns
            Legal, Human Resources, Compliance, Business and IT
             Leadership all have a vested interest
            Policy remains vetted, endorsed and “in-place”

Summary
  Reality check –
  BYOD - it is not “if we build it they will come”

  Policy exists in two realms
       Behavior modification based on stated directives
       Implemented controls automatically enforcing the stated
        policy directives


  Adherence to policy is ___________ (fill in the blank).

       Without consequence there is no behavior modification.

Q&A

              Effective Security Policies for a BYOD Environment

                           - Resources list follows -

Effective Security Policies for a BYOD Environment
                                     Resources

     What Could Go Wrong?
     By Grant Moerschel - November 7, 2011, Published: informationweek.com

     Information Week Reports – 2012 State of Mobile Security
     By Michael Finnerman - May 11, 2012, Published: reports.informationweek.com

     When BYOD Goes Wrong
     By Darraugh Delaney - July 11, 2012, Published: http://blogs.computerworld.com

     For BYOD Best Practices, Secure Data not Devices
     By Thor Olavsrud - July 17, 2012, Published: www.cio.com

     Mobile policy resource – Information Security Policies Made Easy
     http://www.informationshield.com/ispmemain.htm

     Mobile policy resource – Individual Liable User Policy Considerations
     http://www1.good.com/mobility-management-solutions

     Mobile policy resource – Mobile Policy Sample
     http://www.tangoe.com/White-Papers/sample-of-mobile-policy.html

     Special Webcast: How to Develop a Bring-Your-Own-Device Policy
     WHEN: Thursday, November 15, 2012 at 1:00 PM EDT (1700 UTC/GMT)
     Featuring: Benjamin Wright
     https://www.sans.org/webcasts/develop-bring-your-own-device-byod-policy-95564

      Abstract -
      As mobile devices like tablets, laptops and smartphones have become the typical tools for
      professionals to do their work, many employers have allowed and even encouraged
      employees to use their own devices. Some employers today subsidize the cost of mobile
      devices that employees purchase and then use part time for work. But setting policy on
      employee-owned devices can be really hard. This webinar will examine case law and policy
      options related to such topics as security and record retention and destruction. It will offer
      sample language as a starting place for drafting policy, while explaining the risks and
      benefits of wording a policy one way or another. Mr. Wright will give practical tips and
      suggestions on how to develop a policy that everyone in an enterprise can (more or less)
      live with, while explaining pitfalls and suggestions for employee training and education.


H. Contreras - CISSP                                                                 Presentation - Slide 33
© COMPANY NAME

Contenu connexe

Similaire à Policy and risk issues for byod

How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?PECB
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityPhil Agcaoili
 
Mobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyMobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyH Contrex
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Investorideas.com
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security frameworkYann Lecourt
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksVincent Bellamy
 
The Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookThe Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookJAMES E. McDONALD, PSNA
 
Implementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiImplementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiDaneWarren
 
Responding to the Pandemic: Information Security and Technology Trends
Responding to the Pandemic: Information Security and Technology Trends Responding to the Pandemic: Information Security and Technology Trends
Responding to the Pandemic: Information Security and Technology Trends Enterprise Management Associates
 
Trends in Digital 2019
Trends in Digital 2019Trends in Digital 2019
Trends in Digital 2019Kalev Peekna
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
CBS guest teaching Cand. Merc. - September 2020
CBS guest teaching Cand. Merc. - September 2020CBS guest teaching Cand. Merc. - September 2020
CBS guest teaching Cand. Merc. - September 2020Jens Brinksten
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
IT Guide for Mobility: Making the case for Security leaders
IT Guide for Mobility: Making the case for Security leadersIT Guide for Mobility: Making the case for Security leaders
IT Guide for Mobility: Making the case for Security leadersCisco Mobility
 
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016AGILLY
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsurancePriyanka Aash
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
SecureTech 2014: Risk, Business Continuity and Cybersecurity - A Resiliency ...
SecureTech 2014:  Risk, Business Continuity and Cybersecurity - A Resiliency ...SecureTech 2014:  Risk, Business Continuity and Cybersecurity - A Resiliency ...
SecureTech 2014: Risk, Business Continuity and Cybersecurity - A Resiliency ...poore120
 
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityWhat Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityReading Works Detroit
 

Similaire à Policy and risk issues for byod (20)

How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber Security
 
Mobility Risk, Strategy and Policy
Mobility Risk, Strategy and PolicyMobility Risk, Strategy and Policy
Mobility Risk, Strategy and Policy
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security framework
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
The Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_bookThe Physical Security_&_Risk_Management_book
The Physical Security_&_Risk_Management_book
 
Implementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren LiImplementing Business Aligned Security Strategy Dane Warren Li
Implementing Business Aligned Security Strategy Dane Warren Li
 
Responding to the Pandemic: Information Security and Technology Trends
Responding to the Pandemic: Information Security and Technology Trends Responding to the Pandemic: Information Security and Technology Trends
Responding to the Pandemic: Information Security and Technology Trends
 
Trends in Digital 2019
Trends in Digital 2019Trends in Digital 2019
Trends in Digital 2019
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 
CBS guest teaching Cand. Merc. - September 2020
CBS guest teaching Cand. Merc. - September 2020CBS guest teaching Cand. Merc. - September 2020
CBS guest teaching Cand. Merc. - September 2020
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
IT Guide for Mobility: Making the case for Security leaders
IT Guide for Mobility: Making the case for Security leadersIT Guide for Mobility: Making the case for Security leaders
IT Guide for Mobility: Making the case for Security leaders
 
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
Tour d'horizons de la Sécurité Mobile en 2015 et prédictions 2016
 
Debunking Myths for Cyber-Insurance
Debunking Myths for Cyber-InsuranceDebunking Myths for Cyber-Insurance
Debunking Myths for Cyber-Insurance
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
SecureTech 2014: Risk, Business Continuity and Cybersecurity - A Resiliency ...
SecureTech 2014:  Risk, Business Continuity and Cybersecurity - A Resiliency ...SecureTech 2014:  Risk, Business Continuity and Cybersecurity - A Resiliency ...
SecureTech 2014: Risk, Business Continuity and Cybersecurity - A Resiliency ...
 
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in CybersecurityWhat Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in Cybersecurity
 

Policy and risk issues for byod

  • 1. Effective Security Policies for a BYOD Environment A Presentation to Industry Colleagues Delivered on Wednesday, October 31, 2012 in Scottsdale, AZ Harry Contreras - CISSP Information Security Policy Manager
  • 2. Presentation Key Points  Mobility issues facing businesses today  Addressing risk and liability issues through policy  Writing effective mobile security policies  Policy re-use: What can remote access teach us about mobile issues?  Policy program challenges and solutions  Sign-off and delivery of policies  Policy enforcement and updating  Q&A  References and Resources following H. Contreras - CISSP Presentation - Slide 2 © COMPANY NAME
  • 3. Addressing risk and liability issues through policy Address company risks through policy for newer mobility technologies introduced by consumer owned and managed platforms. Your goal –  A mobility BYOD policy that negotiates the risk landscape obstacles. H. Contreras - CISSP Presentation - Slide 3 © COMPANY NAME
  • 4. Addressing risk and liability issues through policy What’s that? You said you addressed this before…  Enter the “BYOD” mobility model Reflection point – A newer mobility approach that introduces consumer owned and managed platforms.  Risk and liability remains for the company regardless of the mobility approach.  Only now, these are not Company assets to control… H. Contreras - CISSP Presentation - Slide 4 © COMPANY NAME
  • 5. Addressing risk and liability issues through policy What is policy?  Company/business position statements  Declaration of expected behaviors for business operations and employees to follow Effectiveness of policy is based on its integration into the Company culture and the clearly identified enforcement outcomes that are visible to employees.  Key point here is - “visible” enforcement. Without consequence there is no behavior modification. H. Contreras - CISSP Presentation - Slide 5 © COMPANY NAME
  • 6. Addressing risk and liability issues through policy There is hierarchy of policy for Companies to address Internal External Company derived Regulatory/legislated Industry based  Company internal and external issues not “vs.”  Both are influencing factors to address H. Contreras - CISSP Presentation - Slide 6 © COMPANY NAME
  • 7. Addressing risk & liability issues through policy Regulatory “entanglements”  Personal, Health and Card Holder privacy regulations  SEC regulation  Rule 26 / e-Discovery  IRS regulation and use reporting requirements  Forensics and investigations Company and operations specific issues  Company contractual obligations  Business “verticals” – i.e. Health, government, industry  Global operation and regional regulatory issues H. Contreras - CISSP Presentation - Slide 7 © COMPANY NAME
  • 8. Addressing risk and liability issues through policy … we are only porting Company email to our users personal devices… Why all this concern? - Liability and Risk -  Will the company information remain captive on these devices?  Do employees “conduct business” on their personal devices?  Now that you comingled Company information the liability and risk issues are compounded. H. Contreras - CISSP Presentation - Slide 8 © COMPANY NAME
  • 9. Addressing risk and liability issues through policy Remember… You don’t own it! - Audit Question? -  “You put the Company data where?”  Secured by how and who? Now that you comingled Company information the liability and risk issues are compounded… You know that auditors will inspect, document and report. (That is their mission.) H. Contreras - CISSP Presentation - Slide 9 © COMPANY NAME
  • 10. Addressing risk and liability issues through policy Communicating policy and expected behaviors - Employees are introduced to Company policy at time of hire and continually reminded of the expectations stated in legacy and newly introduced policies.  Key point here is continual reminder of compliance to the operational and behavioral expectations in stated policies. Are your Company policies out in front of the risk and liability issues?  This is a critical factor in introducing BYOD policies to a Company today. H. Contreras - CISSP Presentation - Slide 10 © COMPANY NAME
  • 11. Addressing risk and liability issues through policy Addressing policy effectiveness  Assimilate with existing Company policies for compliance  Implementation of an employee signed “Opt-In” Agreement to participate in a BYOD Mobility program.  Consult with Legal and Human Resources  Corporate governance must endorse These are critical factors in introducing BYOD policies to a Company. H. Contreras - CISSP Presentation - Slide 11 © COMPANY NAME
  • 12. Addressing risk and liability issues through policy H. Contreras - CISSP Presentation - Slide 12 © COMPANY NAME
• 13. Writing effective mobile security policies
    Policy in this specific technology space –
        - Must be clear, concise and definitive
          Not effective if subject to differing interpretations.
          Does not conflict with precedent Company policies.
    What is required in policy statements for BYOD
        - Statements of behavioral expectations
        - Declaration of implemented enforcement controls

• 14. Writing effective mobile security policies
    Policy abstract – types of policy
        - Behavioral - voluntary participation or consensual
          Some examples – Agreements, "Opt-In"
        - Control enforcement declaration
          Automated management and enforcement systems
          Logical event or conditional based actions
            - MDM systems
            - New or existing control systems

• 15. Writing effective mobile security policies
    Policy examples of other Company compensating controls
    (Legal) binding agreements
        - Non-Compete Agreements
        - Non-Disclosure Agreements (NDA)
    Some other example instruments
        - Intellectual property agreements

• 16. Writing effective mobile security policies
    Policy in this specific technology space –
        - Must be clear, concise and definitive
    Some example written statements contain -
        - Do, do not, will, must, always …
        - Is enforced…
        - In the event of…
        - Will be subject to…

• 17. Writing effective mobile security policies
    (diagram slide)
• 18. Writing effective mobile security policies
    What's that? You said you addressed this before…
        - The "BYOD" mobility model is an entirely different technology problem and risk acceptance model
    Critical success point –
        - Signed "Opt-In Acknowledgement" for program participation
          Addresses the introduction of consumer owned and managed platforms, as these are not Company assets to control

• 19. Writing effective mobile security policies
    What's in that "Opt-In" agreement?
        - Policy objective – acknowledgement of implemented Company controls and behavioral expectations when an "event" condition occurs regarding personal information and physical access to the personal device brought into the program. Clearly delineates agreement violation consequences.
    Critical success point – Ask counsel…
        - Is it defensible? Even with an "Opt-In" you have a two-legged stool.

• 20. Writing effective mobile security policies
    Some example provisions in an "Opt-In" agreement
        - Signed acknowledgement and consent to adhere to the usage provisions stated therein
        - Consent to the implementation of the Company security controls applied to the device and a restriction against modifying these controls
        - Consent to surrender the device for Company forensic investigation and/or e-Discovery when requested
        - Consent to surrender the associated mobile device phone number if requested by the Company
        - Clearly delineated agreement violation consequences

• 21. Writing effective mobile security policies
    Addressing the introduction of consumer owned and basically unmanaged platforms into Company networks and services
    What are some issues –
        - Commingled personal and Company information
        - Are Company resources and services being "misappropriated"?
        - Are activities "auditable" and do they have accountability? Note: user devices will be audited.
    Consumer use mentality is an "insider threat" reality.
• 22. Policy re-use: What can remote access teach us about mobile issues?
    Addressed remote access services before… What's different?
        - Less control and more risk in connecting platforms of questionable integrity to Company platforms and services
        - Extending basically remote access services to platforms not Company owned
        - Exact parallel to connecting "third-party" systems
        - Same trust and control issues as the third-party risk model

• 23. Policy program challenges and solutions
    Traditional policy driven controls for Company platforms
    (diagram slide)

• 24. Policy program challenges and solutions
    What's different from the traditional approach?
        - It is not a Company owned asset (third-party asset)
    What is viable, supportable and allowable to implement on employee owned assets? Will it be rejected as "intrusive" or "invading" technology?
        - User presence, geo-locating, web content filtering
        - Services utilization reporting
        - Remote control and data erasure actions
        - Company requested surrender of personal device

• 25. Policy program challenges and solutions
    Security will be a paramount issue
        - Mobile platforms represent the next and largest attack surface facing consumers and businesses
        - Asset loss – you already know the consumer track record in this space
        - Can the required support and security control expenses be met?
        - Will users accept application white-listing?
        - New and more aggressive mobile device exploits are on the way

• 26. Policy program challenges and solutions
    Integrating "BYOD policy" into automated controls (MDM)
    (diagram slide)
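The deck shows this integration as a diagram only. As an added illustration (not from the presentation), here is one way the two realms of slide 14 meet: the "Opt-In" directives become event- or condition-driven MDM actions that touch only the Company container on a device the Company does not own. Every event name, device field, action name and the approved-app list is hypothetical.

```python
"""Added example: "Opt-In" policy directives expressed as MDM-style
conditional actions. All names and sample values are constructed."""
from dataclasses import dataclass, field

# Hypothetical approved-app list (slide 25: application white-listing).
APPROVED_APPS = {"mail", "calendar", "vpn", "mdm-agent"}


@dataclass
class Device:
    owner: str
    opt_in_signed: bool            # signed Opt-In agreement (slides 18-20)
    company_owned: bool = False    # BYOD devices are third-party assets
    jailbroken: bool = False       # "platform of questionable integrity"
    reported_lost: bool = False
    apps: set = field(default_factory=set)


def evaluate(dev: Device, event: str) -> list:
    """Return the ordered enforcement actions for one device event.

    BYOD devices get container-level actions only (lock/wipe the Company
    container, revoke credentials), never a full-device erase, because the
    hardware and the personal data on it are not Company assets.
    """
    actions = []
    if not dev.opt_in_signed and not dev.company_owned:
        # No consent means no Company data on the device: nothing to wipe.
        return ["deny_enrolment"]
    if event == "lost" or dev.reported_lost:
        actions += ["lock_container", "wipe_container", "revoke_credentials"]
    if event == "integrity_failed" or dev.jailbroken:
        actions += ["quarantine_network_access", "wipe_container", "notify_owner"]
    if event == "app_inventory":
        unapproved = sorted(dev.apps - APPROVED_APPS)
        if unapproved:
            actions.append("block_container_until_removed:" + ",".join(unapproved))
    if event == "opt_in_revoked":
        # Withdrawn consent: remove Company data, then leave the device alone.
        actions += ["wipe_container", "unenrol"]
    # De-duplicate while preserving order so a wipe is issued only once.
    return list(dict.fromkeys(actions))


if __name__ == "__main__":
    # Constructed sample: a consenting user with one unapproved app installed.
    print(evaluate(Device("alice", True, apps={"mail", "game"}), "app_inventory"))
```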
• 27. Policy program challenges and solutions
    What are we up against with Mobility BYOD policy? Lack of the following -
        - Command, Control, Contain
          Even the "maintain" aspects for assets are out of reach.
    And hopefully we do not have to…
        - Explain – data losses and escapes due to platform compromises outside of the policy control set.
    Consideration - Your "walled garden" has a backdoor...

• 28. Sign-off and delivery of policies
    Recommendations and critical delivery actions
        - Conduct "walk-through" exercises for policy and controls elements
        - Conduct "table-top" exercises of BYOD "incidents"
    Validation activity
        - Testing of support services
        - Policy is vetted and endorsed
        - Mobility program is amended to include BYOD services
        - Availability of BYOD services is communicated

• 29. Policy enforcement and updating
    Recommendations and critical delivery actions
        - Policy enforcement actions clearly visible
        - Findings of abuse and negligent activity, and their consequences, communicated in the Company newsletter
    Policy maintenance is a unilateral activity by all Corporate functional stakeholders supporting risk and compliance concerns
        - Legal, Human Resources, Compliance, Business and IT Leadership all have a vested interest
        - Policy remains vetted, endorsed and "in-place"

• 30. Summary
    Reality check – BYOD - it is not "if we build it they will come"
    Policy exists in two realms
        - Behavior modification based on stated directives
        - Implemented controls automatically enforcing the stated policy directives
    Adherence to policy is ___________ (fill in the blank).
        - Without consequence there is no behavior modification.

• 31. Q&A
    Effective Security Policies for a BYOD Environment
    - Resources list follows -
• 32. Effective Security Policies for a BYOD Environment
    Resources
        - What Could Go Wrong? By Grant Moerschel - November 7, 2011. Published: informationweek.com
        - Information Week Reports – 2012 State of Mobile Security. By Michael Finnerman - May 11, 2012. Published: reports.informationweek.com
        - When BYOD Goes Wrong. By Darraugh Delaney – July 11, 2012. Published: http://blogs.computerworld.com
        - For BYOD Best Practices, Secure Data not Devices. By Thor Olavsrud - July 17, 2012. Published: www.cio.com.com
        - Mobile policy resource – Information Security Policies Made Easy: http://www.informationshield.com/ispmemain.htm
        - Mobile policy resource – Individual Liable User Policy Considerations: http://www1.good.com/mobility-management-solutions
        - Mobile policy resource – Mobile Policy Sample: http://www.tangoe.com/White-Papers/sample-of-mobile-policy.html

• 33. Effective Security Policies for a BYOD Environment
    Resources
    Special Webcast: How to Develop a Bring-Your-Own-Device Policy
    WHEN: Thursday, November 15, 2012 at 1:00 PM EDT (1700 UTC/GMT)
    Featuring: Benjamin Wright
    https://www.sans.org/webcasts/develop-bring-your-own-device-byod-policy-95564
    Abstract - As mobile devices like tablets, laptops and smartphones have become the typical tools for professionals to do their work, many employers have allowed and even encouraged employees to use their own devices. Some employers today subsidize the cost of mobile devices that employees purchase and then use part time for work. But setting policy on employee-owned devices can be really hard. This webinar will examine case law and policy options related to such topics as security and record retention and destruction. It will offer sample language as a starting place for drafting policy, while explaining the risks and benefits of wording a policy one way or another. Mr. Wright will give practical tips and suggestions on how to develop a policy that everyone in an enterprise can (more or less) live with, while explaining pitfalls and suggestions for employee training and education.