Tips for Creating a BYOD PolicyLegal Expert Says Collaborative Effort is Key
How should organizations go about crafting a BYOD policy that addresses pertinent security and privacy issues? Attorney Stephen Wu offers advice to IT security leaders tasked with the project.
Before an organization begins developing a bring-your-own-device policy, it must first determine whether such a policy is correct for the organization, says Wu, a partner specializing in data security issues at law firm Cooke, Kobrick and Wu LLP.
"If you have an organization that has done a risk assessment that feels that this is just not a risk worth taking, then it should stick with company-issued devices," he says in an interview with Information Security Media Group [transcript below].
Wu recommends the following tips for CISOs crafting a BYOD policy:
- Collaborate with key departments: Crafting a BYOD policy is not something a CISO can do alone. "Bring together an inner-disciplinary team of people in legal, HR, IT security, IT support and the like," Wu recommends.
- Put into place policies and procedures: After completing a risk assessment, organizations should formulate policies that talk about topics such as the acceptable use of devices, Wu says.
- Implement technical standards: "When I'm talking about standards, I'm talking about technical items," the attorney says. "What kinds of devices would be permitted? What kind of parameters would they have?"
- Include employee agreements: When changes to policy occur, it's important to have employees agree to the changes.
- Procure the appropriate technology: After getting the standards, policies and procedures in place, the organization needs to consider what technology it will need. "There might be mobile device management software that the organization can source," Wu says. "Then, once it has considered mobile device management, it should include as part of that analysis a determination whether encryption is possible or desired."
In the interview, Wu also discusses:
- The privacy issues involved in the use of mobile devices;
- The security risks of BYOD when personally owned devices are used to access social media sites and cloud services. "If a [personal] device is connected to a [corporate] network, a compromise could spread," he says;
- Why the government, healthcare and financial services sectors are particularly vulnerable to BYOD risks.
Wu is former chair of the American Bar Association Section of Science & Technology Law and co-chair of its Information Security Committee. He has written or co-authored five books on data security law, including "A Guide to HIPAA Security and the Law," and is writing a book on handling mobile devices in the enterprise.
Key Mobile Device Risks
MARIANNE KOLBASUK MCGEE: Based on your experience as an attorney specializing in data security issues, what do you see as the key risks posed by the explosion in the use of mobile devices and especially the use of personal devices for work-related purposes?
STEPHEN WU: If I address this point, I start by saying that right now we're in fact seeing an explosion in the use of mobile devices. Executives and other people within companies are asking their IT staff to support policies by which they bring their own mobile devices to use for work. It's also the case that this may come as a transition for these organizations because they need to deal with executives who are very insistent on the use of these devices, and at the same time they're recognizing that there are legal, security and other types of issues involved with the use of mobile devices.
I'll start by saying that there are some risks that are not security-related and then we can switch to the security-related risks. To begin with some of the non-security related risks, there are privacy issues involved with mobile devices. If there's monitoring going on by the organization, this needs to be communicated to the people who are using the devices. If the device is being demanded later on in an investigation or the company should ask for that right, then people might need to provide their devices upon demand and there might be some private information of the person, of the user, on that device. The privacy understanding has to be something communicated between the organization and the user.
Also, there's a discovery issue. Discovery is the process by which parties disclose information to each other in a lawsuit. In this case, we're talking about electronic information on the mobile devices. If the organization is sued or if the organization is thinking of suing another entity or individual, the organization needs to preserve that information. If the information rests on mobile devices that legally belong to the user, then the organization needs to have some kind of process to make sure that it's collecting that information and preserving that information if it's needed later on in the litigation.
From the perspective of a demand, there might be a demand in the lawsuit to disclose certain information, and as that comes up in the lawsuit the organization may need to make a collection of information after the lawsuit is underway and the demand is made. The organization may need to get that device or somehow get access to the information on the device to be able to provide it to the other side. In a governmental investigation or internal investigation, the same kinds of considerations would apply. The organization might need to get those devices to be able to get the information needed to respond to the investigation.
There are also issues such as labor and employment matters. If you're using your mobile device after hours and if you're an hourly employee, it seems there's an issue of the compensation of the employee for the time used by the employee to use the mobile device. Those are some examples of some non-security issues.
Switching now to security issues related to the use of mobile devices and as it interfaces with the legal world, I would say that the number-one issue relating BYOD policies or the use of mobile devices has to do with the planning for the use of such devices. There are many organizations today that have a BYOD reality, even though they may be unaware that their employees are using their own devices for work matters. They may not have addressed the question of BYOD, and employees may be using their own devices without even telling their employers, and there are risks associated with doing that. The number-one risk would be an unknown BYOD occurrence.
The second thing is that there are the possibilities certainly of the loss of the device. If you can look at the history of records of data breaches, what you will see is that many occur because the devices were lost in the first place. Then in addition, there are risks to the network and information on the network. If a device has the ability to access all information on a company network, just as if it were a desktop sitting in the office, then there's the possibility that a device that's compromised could have access to all the information on the corporate network.
We're also aware that some people have used their device in ways that are not authorized. For example, there are means of jailbreaking phones, so having a policy to address jailbreaking is important. That's another risk associated with that.
Also, if a mobile device is connected to outside computers, outside cloud services or social media applications, it's possible that a compromise of the device due to that connectivity might then spread to the network. It's also the case that people are using their devices in wifi networks. If they don't have the proper protections for use of the device with wifi, then they create the risk by using that mobile device in insecure networks.
Also, it's possible that there might be risk associated with the fact that we're talking about different operating systems. Somebody's using Android, and somebody else is using an IOS device. The IT security teams need to be able to support and the IT staff needs to support the use of different types of operating systems, and if they're not prepared to do that, that also introduces risk.
Of course, these devices then have personal applications and they're being used for personal web-browsing and there may even be sharing of the device. If the child of the employee is using the device for applications or to browse websites, that then causes risk to the organization. That could create a security issue for the organization. Having policies and procedures to address the dual use of the devices would be important. That gives you some examples of some of the risks that are involved.
MCGEE: What industries are most vulnerable to data security and privacy breaches involving the use of personally-owned devices?
WU: What I would say there is that the industries that we're talking about are the regulated industries. Certainly, folks who are working in government or in the military have this as an issue, and even President Obama had an issue about the use of his BlackBerry in the past during his first term. But if you're talking about government or military users, then certainly concerns about the security of the device are important and these agencies basically don't have that opportunity available to them the way that private organizations do and companies.
If you're talking about the private sector, what we're talking about are regulated industries in healthcare, financial services and in the high-tech industry as well. It's possible, and I've heard stories about people who are working for high-tech companies who are being targeted, to try to get intelligence on the company, to try to find out plans, technical information and the like. If somebody is being targeted for a compromise, then somebody with access to information that's highly sensitive and proprietary in the technology-related business is most vulnerable.
MCGEE: What are some of the particular security concerns for bring-your-own-device in healthcare organizations?
WU: When you're talking about the healthcare field, you're talking about protecting health information of the patients. You're talking about the way that the information is collected. You need to have some programs and procedures in place to make sure that the information is being collected only if needed and that it's being collected on a device that has the security controls that we can talk about in a little bit, and we're talking about trying to prevent the compromise of protected health information.
Tips for Reducing Risk
MCGEE: What specific steps should organizations take to reduce their data security risks in light of the bring-your-own-device trend?
WU: The first and fundamental question is whether this type of policy is correct for the organization. Is it appropriate for the organization? If you have an organization that has done a risk assessment that feels that this is just not a risk worth taking, then it should stick with company-issued devices. If it feels that there are compelling needs and it can manage the risk, then it can start on a program of BYOD, and that program would include first and foremost planning for the program.
Bringing together an inner-disciplinary team of people in legal, HR, IT security, IT support and the like together in the same room to discuss the issue and discussing the budget for the program would be the first step. Going through the planning process includes putting together things like a risk analysis of exactly what are the information risks to the organization. What kinds of information does it hold? Does it hold value? Is it personally-identifiable information? Is it protected health information for patients in the healthcare setting? Understanding the risk includes understanding the possible threats to the information, determining the likelihood that these threats will come to pass and the magnitude of harm that would occur if the threat were to occur, and then balancing that against the cost of the safeguards put into place to prevent those vulnerabilities, and the likelihood that these safeguards will work and be effective to prevent the kinds of threats that we're talking about. Undertaking a risk analysis is part of the planning process.
Then, once the risk assessment is done, put into place policies and procedures. The policies and procedures can talk about, for example, the acceptable use of devices. They can talk about organizational access to the device. When can the organization demand the information? It would also cover the wiping of the device, when that wiping would occur and the types of usage that would be allowable underneath the policy.
Once the organization works on the policies and procedures, it can also include some work on standards and guidelines. When I'm talking about standards I'm talking about technical standards. What kinds of devices would be permitted? What kind of parameters would they have? It may be that the company allows a certain set of devices, and not just any old device. Having the standards put into place would be great, then working on the training and education materials that will be needed to communicate to users of the device, and then finally agreements.
Once you have that kind of documentation in place, the organization should consider the technology that would be needed or desired to implement a BYOD program. For example, there might be mobile device management software that the organization can source and procure as part of the process of rolling that out. Then, once it has considered the mobile device management, it should include as part of that analysis a determination whether encryption is possible or desirable in that case, reasonable and appropriate for healthcare organizations.
Encryption of the information is one of the ways it can protect it so that if the device is lost, whatever the person taking the device would see would be unreadable ciphertext. It can include possible technical controls on the network side. For example, if it lowers the types of functionality that mobile devices coming on that can do, then it could perhaps limit the possibility of damage to the company's networks by prohibiting it from doing certain high-value types of tasks that you could do if you were using a desktop to access the company network from inside the office. Those are some of the technology things that the organization can consider.
Finally, when it's going through the process of rolling out the program, it would need to enroll users. It would need to look at their devices and make sure their devices are ready to go with company network access, and having an inventory of those devices would be helpful so it understands who's got what devices.
It may also want to include a document-specific or document-focused type of look at information. As a matter of full disclosure, I have a company client called WatchDox. What I'm talking to you about is what WatchDox might tell you: that if you can focus on the security of individual files and pieces of information with specific parameters, such as how long somebody can access it, who can get access to it, who can then communicate it on and so forth, it may be that using a device can be done consistent with security by focusing on the security of individual files as opposed to trying to secure the network or secure the device. Those are some of the steps that an organization can go through to try to reduce data security risks.
Advice for CISOs
MCGEE: Is there any other mobile device security advice that you would offer to chief information security officers as they plan for 2013?
WU: One of the things I would emphasize is that this is not a program that a chief information security officer can roll out in the absence of collaboration with other groups. The CISO needs to talk with the CIO, general counsel and people in HR. This is an interdisciplinary effort. It shouldn't be done within the individual security silo of an organization.
As part of that, counsel has a role to play in looking at the types of legal risks involved with the organization, looking at compliance to make sure that, if it's a regulated business and has security requirements imposed by law, the BYOD program doesn't upset the compliance program that it has in place and should in fact be integrated with that program.
In addition, if there's some investigation to be done, having counsel involved can protect the communications about that investigation through the attorney-client privilege. If CISOs do this themselves, the attorney-client privilege doesn't apply. The attorney-client privilege means that if there were ever a lawsuit, if the opposing lawyer asked, "What did the user say to the company," then that's something that the opponent can ask in litigation, request e-mails or other kinds of communications. But if the attorney is asking that question of the employee, then that can be covered by the attorney-client privilege. If you have outside counsel, that even strengthens the attorney-client privilege even more.
It's important to keep in mind this is not an information security-only type of program. Also, this is not a technology-only program. People, procedures and technology have to work together to have a successful BYOD program. It's not a matter of simply buying some software off the shelf, putting it into place and saying we've got the problem solved. It's important to look at the BYOD program holistically from all of those angles, from personnel, security, training and procedures. For the kinds of procedures, make sure that people are properly enrolled, the devices are properly connected to the network and that they're authorized to use the network services. If there's a termination of the employee, have the procedures in place to get back the device, and then the technology, the types of network security controls we talked about and then the mobile device management software that we talked about.
Also, the BYOD program should be integrated into the regular security program. If BYOD is bolted on at the end, it makes it difficult for the information security teams and other teams within the organization to make sure that it's doing the work in an effective manner. If it integrates the program within the security program as a whole, then it can do a lot of the compliance work or a lot of the risk analysis work as a regular part of what it already does to save time.
Finally, it's really important to weigh the costs and benefits of the BYOD program and determine whether it makes sense from the perspective of the productivity of the workers and their desire for having new features that the mobile devices can provide, at the same time weighing that against the cost and the support involved with the BYOD program.