Bring Your Own Device (BYOD) is a hot topic in businesses today. I think every security and technology conference I have attended over the past few months has had a session on BYOD. One of the recent ones I went to labeled their session "BYOD, Bring Your own Device or Disaster?" In the session, like many others, the presenter discussed some of the issues related to introducing personal devices into a business. I think the issue escalates even more within the financial sector, where confidentiality and security are more important. By allowing employees to use their personal devices for bank-related activities (e.g. email, access to the network, bank applications, etc.), the bank must deal with security issues that can conflict with employees' personal expectations of privacy and control over their own devices.
In many cases we tend to treat mobile devices, like iPhones and Androids, differently than other bank systems, like laptops, workstations or servers. However, if we allow mobile devices to use bank resources or applications, then the device must be managed to the same standard. Below are some considerations and questions to ask as you work through your risk management process and decide how personal mobile devices fit into your institution.
The two main concerns are customer confidential information stored on the device and the device's possible access to the bank network. Below are some common security settings many institutions have chosen to implement:
- Require a password to access the device
- Set password expirations
- Set the device to automatically wipe after a certain number of consecutive incorrect password attempts (e.g. 10 failed attempts)
- Require a password after a specified period of inactivity (e.g. 5 minutes)
- Require device encryption
- Install anti-malware software on the device (particularly for Android devices; at the time of this article, there is not a good known anti-malware app for iOS)
Additional control considerations may be included in either an acceptable use agreement or a BYOD policy. Below are some common policy controls many institutions have chosen to implement:
- Prohibit modifying the device in such a way as to circumvent security controls (e.g. "jailbreaking," "rooting," etc.)
- Install security patches as they become available or are approved
- Reserve the right and ability to wipe the device as necessary (e.g. if lost, stolen, employment is terminated, malware is suspected, etc.)
- Disclaim any liability for loss of personal information on the mobile device
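The device settings and policy controls listed above are only useful if someone actually checks devices against them. The following is an added example (not code from the original article) of a compliance check that an institution might run over an MDM inventory export: it evaluates each device against the thresholds given above (10 failed attempts, 5 minutes of inactivity, encryption, anti-malware on Android, no jailbreaking or rooting, patches installed) and decides whether the device is fine, needs remediation, or should lose access immediately. The record layout, field names, sample devices and the 90-day passcode expiry are constructed assumptions; real MDM products report these fields under their own names.

```python
"""BYOD device compliance check (added example, not from the original article).

The Device fields below are an assumed, simplified view of what an MDM
inventory export reports. The sample inventory is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds from the article's example values; the passcode expiry interval
# is an assumption since the article gives no specific number.
POLICY = {
    "max_failed_attempts": 10,    # wipe after 10 consecutive bad passcodes
    "max_inactivity_min": 5,      # require passcode after 5 minutes idle
    "max_passcode_age_days": 90,  # assumed expiry interval
}


@dataclass
class Device:
    device_id: str
    platform: str                        # "ios" or "android"
    passcode_set: bool
    failed_attempts_wipe: Optional[int]  # None = wipe-on-failure not configured
    inactivity_lock_min: Optional[int]   # None = no inactivity lock
    encrypted: bool
    jailbroken_or_rooted: bool
    antimalware_installed: bool
    passcode_age_days: int
    pending_patches: int                 # approved patches not yet installed


def evaluate(device: Device, policy: dict = POLICY) -> List[str]:
    """Return the control violations for one device (empty list = compliant)."""
    findings = []
    if not device.passcode_set:
        findings.append("no passcode")
    elif device.passcode_age_days > policy["max_passcode_age_days"]:
        findings.append("passcode expired")
    wipe = device.failed_attempts_wipe
    if wipe is None or wipe > policy["max_failed_attempts"]:
        findings.append("wipe-on-failed-attempts missing or too lenient")
    lock = device.inactivity_lock_min
    if lock is None or lock > policy["max_inactivity_min"]:
        findings.append("inactivity lock missing or too long")
    if not device.encrypted:
        findings.append("storage not encrypted")
    # The article singles out Android for anti-malware, so only check there.
    if device.platform == "android" and not device.antimalware_installed:
        findings.append("anti-malware not installed")
    if device.jailbroken_or_rooted:
        findings.append("jailbroken/rooted")
    if device.pending_patches > 0:
        findings.append(f"{device.pending_patches} approved patch(es) not installed")
    return findings


# Violations that warrant pulling bank access right away rather than a
# remediation request, since the device can no longer be trusted to protect data.
IMMEDIATE = {"jailbroken/rooted", "storage not encrypted", "no passcode"}


def triage(devices: List[Device]) -> Dict[str, str]:
    """Map each device id to 'ok', 'remediate' or 'revoke'."""
    result = {}
    for d in devices:
        findings = evaluate(d)
        if not findings:
            result[d.device_id] = "ok"
        elif IMMEDIATE.intersection(findings):
            result[d.device_id] = "revoke"
        else:
            result[d.device_id] = "remediate"
    return result


# Constructed sample inventory: one compliant device, one needing remediation,
# one that should lose access.
SAMPLE_INVENTORY = [
    Device("ios-001", "ios", True, 10, 5, True, False, False, 30, 0),
    Device("and-002", "android", True, 10, 15, True, False, False, 45, 0),
    Device("ios-003", "ios", True, None, 5, True, True, False, 10, 2),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, triage([dev])[dev.device_id], evaluate(dev))
```

Running the script prints one line per device with its triage decision and the specific findings, which is the information an IT or compliance team needs to follow up under the acceptable use agreement.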
Other questions and concerns you will probably want to consider during your risk assessment and policy creation phase include, but are not limited to:
- What kinds of mobile devices will be supported?
- Who will be allowed to use their device for company data?
- Who will support personally owned mobile devices? Will your internal IT department support them?
- What kind of Mobile Device Management (MDM) solution will you use?
- Will you limit use of applications, browsing, camera, etc. on the device?
- Will you have a policy regarding access or use of a device by non-company individuals (e.g. letting a family member or friend borrow the device)?
- Should you audit the devices and if so, how?
- What is your plan for decommissioning a device?
- What should happen if a user violates a policy or circumvents security controls?
As with defining other new processes, agreements or policies, it is wise to include multiple areas, such as HR, IT, Legal, Compliance and Operations, in the risk assessment and policy creation phase. Also, ensure your legal counsel reviews and approves the final user agreements or bank policies regarding mobile devices.