Pub. 2 2014 Issue 1, winter 2014

Tech Talk: Bring Your Own Device, Personal or Business?
By Russ Horn, CISA, CISSP, CRISC, CoNetrix

Bring Your Own Device (BYOD) is a hot topic in businesses today. I think every security and technology conference I have attended over the past few months has had a session covering BYOD. One of the recent programs I attended included a session titled “BYOD, Bring Your Own Device or Disaster?” In the session, like many others, the presenter discussed some of the issues related to introducing personal devices into a business.

The issue is escalated to another level within the financial sector, where the confidentiality of customer information and the security of bank systems are held to a higher standard. By allowing employees to use their personal devices for bank-related activities (e.g., email, access to the network, bank applications, etc.), the bank takes on security obligations that can conflict with employees’ expectations of privacy and control over a device they own.

In many cases, we tend to treat mobile devices such as iPhones and Android phones differently than other bank systems like laptops, workstations, or servers. However, if we allow mobile devices to use bank resources or applications, then the device must be managed with the same rigor as any other endpoint that touches bank data. Below are considerations and questions to ask as you go through your risk management process of deciding how personal mobile devices fit into your institution.

Security Considerations

Security of potentially confidential customer information on the device, and of any access the device has to the bank network, is of high concern. Below are common security settings many institutions have chosen to implement:

• Require a password to access the device;
• Set password expirations;
• Set the device to automatically wipe after a certain number of consecutive incorrect password attempts (e.g., 10 failed attempts);
• Require a password after a specified period of inactivity (e.g., 5 minutes);
• Require device encryption, so that a lost or stolen device does not expose the data stored on it;
• Install anti-malware software on the device (particularly for Android devices; at the time of this article, there is not a well-known anti-malware app for iOS).

Policy Considerations

Additional control considerations may be included in either an acceptable use agreement or a BYOD policy. Below are common policy controls many institutions have chosen to implement:

• Prohibit modifying the device in such a way as to circumvent security controls (e.g., “jailbreaking,” “rooting,” etc.);
• Install security patches as they become available or are approved;
• Reserve the right and ability to wipe the device as necessary (e.g., if it is lost or stolen, employment is terminated, malware is suspected, etc.);
• Disclaim any liability for loss of personal information on the mobile device (a full remote wipe erases personal data along with bank data, so users should understand this before they enroll).

Other Considerations

Other questions and concerns you will likely want to consider during your risk assessment and policy creation phase include, but are not limited to:

• What kinds of mobile devices will be supported?
• Who will be allowed to use their device for company data?
• Who will support personally owned mobile devices? Will your internal IT department support them?
• What kind of Mobile Device Management (MDM) solution will you use?
• Will you limit use of applications, browsing, camera, etc. on the device?
• Will you have a policy regarding access or use of a device by non-company individuals (i.e., letting a family member or friend borrow the device)?
• Should you audit the devices and, if so, how?
• What is your plan for decommissioning a device?
• What should happen if a user violates a policy or circumvents security controls?

As with defining other new processes, agreements, or policies, it is wise to include multiple areas within your organization, such as human resources, IT, legal, compliance, and operations, in the risk assessment and policy creation phase. Also, ensure your legal counsel reviews and approves the final user agreements or bank policies regarding mobile devices.

Russ Horn is the president of CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, Aspire cloud hosting, and the developer of tandem, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit CoNetrix at www.conetrix.com.