February 2013

Auditing the BYOD Program

The growing business use of personal smartphones and other devices raises new security risks.

Lance Semer

Many organizations are taking advantage of “bring your own device” (BYOD) practices that allow employees to use their own personal portable devices to access the company’s email and internal network. Among other benefits, businesses can save significant resources when employees are able to use their own smartphones, laptops, and tablets to do their work (see “BYOD Advantages” below).

However, BYOD programs can introduce data security, compliance, and privacy risks such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. To mitigate these concerns, organizations need to have an effective BYOD policy in place, including a mobile device management (MDM) solution. For their part, internal auditors should evaluate compliance with the policy and assess the MDM’s ability to provide multilayered security, policy enforcement, and control across a variety of devices.


Many of today’s personal devices are prone to vulnerabilities. For example, a September 2012 article by mobile security firm Duo Security reports that more than half of Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them. In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges incurred by cybercriminals; illicit sign-up of costly premium text messaging services; and installation of spyware that can steal sensitive data, including credit card numbers, email account logon credentials, online banking credentials, and contact list information. Some hackers have found ways to wipe data stored on a device by sending a text message.

BYOD Advantages
Implementing a BYOD program can have benefits for both employees and their organization.

Organization Employees
  • Eases overhead by eliminating the need to manage a service provider.
  • Eliminates overhead needed to monitor usage and cost overruns exceeding contractual limits.
  • Eliminates need to manage and pay for service plans, individually managed calls, and data usage.
  • Increases employees’ productivity by enabling them to work when traveling or away from the office.
  • Eliminates or reduces IT infrastructure resources and associated costs.
  • Provides a recruiting incentive for prospective employees who want to use their own devices.
  • Employees are free to choose the device they want.
  • Employees avoid burden of carrying an additional company-issued device.
  • Morale may be higher because employees are not forced to use devices they don’t like.
  • The ability to telecommute using their own devices can enhance employees’ quality of work and personal life.


Another concern for organizations is e-discovery litigation associated with storing company email and data outside their control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.


An MDM solution is a best practice that can enable organizations to manage employee-owned portable devices and enforce security policies remotely, once employees have installed the software on their devices and agreed to the organization’s terms and conditions. Ideally, an MDM solution should strike a balance between providing enterprise security and preserving the employee’s user experience, convenience, and privacy. Indeed, some products can configure portable devices to have two separate logical “containers” that segregate business from personal data. This method permits the employee’s personal data to remain private while enabling the organization to control only the business container where the organization’s apps, data, and email reside.

Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:

  • Anti-malware and firewall policy. Mandates installation of security software to protect the device’s apps, content, and operating system.
  • App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
  • App-vetting policy. Ensures that only trustworthy “white listed” apps can be installed; blocks “black listed” apps that could contain malicious code.
  • Encryption policy. Ensures that the contents of the device’s business container are encrypted and secured.
  • PIN policy. Sets up PIN complexity rules and expiration periods, as well as prevents reuse of old PINs.
  • Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
  • Jail break policy. Prohibits unauthorized alteration of a device’s system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
  • Remote wipe policy. Erases the device’s business container contents should the device be lost or stolen.
  • Revoke access policy. Disconnects the employee’s device from the organization’s network when the MDM’s remote monitoring feature determines that it is no longer in compliance.


Organizations that do not yet have an MDM solution in place can still provide guidance for those employees who use their mobile devices to access company data and email. As an interim measure, management can have employees read and sign an acceptable-use document stipulating that they agree to take proactive measures to secure their portable devices as well as give the organization’s IT or information security department the right to inspect devices for policy compliance. Devices that fail inspection should be disconnected from the organization’s network, and business content should be wiped until the device is brought back into compliance. Internal auditors should evaluate inspection practices to ensure that they are in place and operating as designed.

As much as practical, employees should conform to the same security policies used by MDM solutions. Moreover, organizations should consider a variety of additional measures including:

  • Setting the Bluetooth feature to nondiscoverable mode or disabling it altogether if it is not needed. This can protect against connections with other devices that could upload malware.
  • Using a virtual private network or secured website connection when accessing company email and data through a public Wi-Fi hotspot.
  • Not forwarding company email messages to noncompany computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.
  • Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner’s manual or seek assistance from their service provider if they are unsure of how to configure their personal devices.


An equitable BYOD reimbursement policy should be considered to compensate employees for work-related activities when they are mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because a contractual relationship exists between them, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, auditors should evaluate reimbursement practices to ensure controls are in place to prevent abuse, as well as assess compliance with compensation policies.


Based on growth projections for BYOD and its potential risks, internal auditors should get involved in assessing their organization’s BYOD risks and evaluating MDM and other policy solutions to determine their adequacy to protect the organization’s proprietary and sensitive information. Moreover, they should ensure that the organization’s BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.

Lance Semer, CIA, CISA, CISSP, is the information security officer for Washington Federal based in Seattle.

Share This Article:    


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.





To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

ACGA Apr2014 Dbl


IIA SmartBrief

IIA Vision University






facebook IAO 




IIA Academic_Nov 2013

IIA SmartBrief

 IIA Vision University



facebook IAO