- BYOD a reality that all CIOs need to address in order to implement best practices
- Business Continuity, Security and Safety Program are all needed to meet mandated requirements
BYOD a reality that all CIOs need to address in order to implement best practices
With the advent of user owned devices and the ever increasing mandated requirements for record retention and security CIOs are challenged to manage in an ever more complex and changing environment. Before the CIO and enterprise can start the process of implementing BYOD policies they need to ensure that what is created meets the an enterprise's compliance, culture and operational requirements. This requires defining the scope and objectives of the policy:
- Cost - Who will pay for the data plan? What rewards will be provided to get people to buy in?
- Agree to Acceptable Use - What terms will be included in the Acceptable Usage Policy, and how will the enterprise ensure its employees understand and agree to it?
- Mandated requirements : the enterprise will have to account for factors such as open source variables for Android implementations for different devices and any security or regulatory requirements that relate to your industry (i.e. Healthcare HIPAA compliance)
- Security: Will the policy state how the passwords be enforced? Encryption? Will the enterprise blacklist any applications?
- Management: how will the enterprise manage the devices connected to your network?
The steps to do this are well defined in Janco's BYOD Policy template which includes a detail best practices that:
- Implement remote wipe from the enterprise - As the number of personal devices used increases, the greater the chance that one of them will be lost or stolen. Given that a remote wipe that can be generated from the enterprise with all of its implications should be implemented.
- Provide simple workable solutions that even novices can use - Solutions should allow users to log-on to the user interface and access a list of their enrolled devices. From there, they can locate their device, lock it, reset its password, or wipe it. The user interface should be able to self-audit the device and report compliance issues.
- Build a facility to deal with terminated employees - Even before an employee is leaves the enterprise they are a security risk. That risk is magnified once the process of termination begins - either voluntarily or involuntarily.
- Protect sensitive and personal information - Personal devices are full of personal information, documents, and applications that are on the device for non-work purposes. There should be a way to identify your personal vs. corporate owned devices, and apply a particular policy to hide the personal information from IT administrators.
- Implement a records management policy for business records - Records management is a critical compliance requirement and should be controlled by the enterprise and not left to the individual user. A clear definition of what is a business record and how it should be saved and archived should be defined. (See Record Classification, Management, Retention, and Destruction policy)
- Isolate corporate data - When supporting BYOD, you need to be able to isolate corporate data on the phone, which includes, but is not limited to: Mandated records management requirements for archive and revival; Disaster recovery and business continuity implications; e-mail Accounts; VPN and Wireless settings; and Enterprise applications that have been pushed down Documents.
- Continuously monitor automated actions - The enterprise should have the ability to monitor the state of each device accessing the network wither it is approved or not: Is the device enrolled: ? Is it in compliance?: and Does it have any new applications? Answering these questions will allow the enterprise to make adjustments based on the data you're seeing. This information will tell you if you need to make new policies or compliance rules. Options that you can take include, but should not be limited to: Send a notification to the user with steps to be taken; Block the device from accessing the corporate network and/or email; and Wipe the device (full wipe or selective wipe).
Disaster Recovery Plan, Security Policies and Procedures, and Safety Program are all required to meet mandated requirements
No Reason to Re-Invent - All the Heavy Lifting has already been done
When recovery from a disaster starts, the environment often is hazardous and froth with danger. No one wants to put their employees at risk and yet the disaster recovery must proceed.
When natural disasters strike, enterprises realize that personnel must take care of themselves and your family first. There are serious problems to deal with before recovery begins. Illness or injury may result from contaminated water, debris-filled roadways, electrical and fire hazards, and displaced wildlife.
At the same time sensitive data often is often open to attack via damage to it or the unauthorized availability to hackers, competitors or others. The reality is that many businesses don't truly know where they stand with data security. They usually cover the basics: The firewall is in place, systems are being patched, backups are being made and user accounts have strong passwords. But many managers assume these basic data security measures are enough. But you never really know how well you're protected until you take a look from the perspective of a malicious attacker or a rogue insider who may try to take advantage of the situation.