Auditing the BYOD Program
The growing business use of personal smartphones and other devices raises new security risks.
Many organizations are taking advantage of “bring your own device” (BYOD) practices that allow employees to use their own personal portable devices to access the company’s email and internal network. Among other benefits, businesses can save significant resources when employees are able to use their own smartphones, laptops, and tablets to do their work (see “BYOD Advantages” below).
However, BYOD programs can introduce data security, compliance, and privacy risks such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. To mitigate these concerns, organizations need to have an effective BYOD policy in place, including a mobile device management (MDM) solution. For their part, internal auditors should evaluate compliance with the policy and assess the MDM’s ability to provide multilayered security, policy enforcement, and control across a variety of devices.
Many of today’s personal devices are prone to vulnerabilities. For example, a September 2012 article by mobile security firm Duo Security reports that more than half of Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them. In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges incurred by cybercriminals; illicit sign-up of costly premium text messaging services; and installation of spyware that can steal sensitive data, including credit card numbers, email account logon credentials, online banking credentials, and contact list information. Some hackers have found ways to wipe data stored on a device by sending a text message.
Another concern for organizations is e-discovery litigation associated with storing company email and data outside their control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.
MANAGING DEVICES REMOTELY
An MDM solution is a best practice that can enable organizations to manage employee-owned portable devices and enforce security policies remotely, once employees have installed the software on their devices and agreed to the organization’s terms and conditions. Ideally, an MDM solution should strike a balance between providing enterprise security and preserving the employee’s user experience, convenience, and privacy. Indeed, some products can configure portable devices to have two separate logical “containers” that segregate business from personal data. This method permits the employee’s personal data to remain private while enabling the organization to control only the business container where the organization’s apps, data, and email reside.
Once installed, an MDM solution can enforce numerous security policies. Auditors should verify that these policies are in place:
THE LOW-END APPROACH
Organizations that do not yet have an MDM solution in place can still provide guidance for those employees who use their mobile devices to access company data and email. As an interim measure, management can have employees read and sign an acceptable-use document stipulating that they agree to take proactive measures to secure their portable devices as well as give the organization’s IT or information security department the right to inspect devices for policy compliance. Devices that fail inspection should be disconnected from the organization’s network, and business content should be wiped until the device is brought back into compliance. Internal auditors should evaluate inspection practices to ensure that they are in place and operating as designed.
As much as practical, employees should conform to the same security policies used by MDM solutions. Moreover, organizations should consider a variety of additional measures including:
Furthermore, organizations should advise employees to consult their owner’s manual or seek assistance from their service provider if they are unsure of how to configure their personal devices.
An equitable BYOD reimbursement policy should be considered to compensate employees for work-related activities when they are mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because the contractual relationship exists between the employee and the service provider, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, auditors should evaluate reimbursement practices to ensure controls are in place to prevent abuse, as well as assess compliance with compensation policies.
ASSESSING RISKS AND POLICIES
Based on growth projections for BYOD and its potential risks, internal auditors should get involved in assessing their organization’s BYOD risks and evaluating MDM and other policy solutions to determine their adequacy to protect the organization’s proprietary and sensitive information. Moreover, they should ensure that the organization’s BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.
Lance Semer, CIA, CISA, CISSP, is the information security officer for Washington Federal based in Seattle.