Employee-owned mobile devices are everywhere, and they’re being used for everything from email to document storage and editing. Proper risk management procedures are defined in your policies, but do you need a separate mobile device policy, or can you simply mention them in the same policy sections that address other portable devices? Or is there another option you need to consider? Let’s follow the same risk management process for mobile device deployment as you would to deploy any other new technology:
- First, before mobile devices are deployed, a decision is made that they should be considered for implementation because they will somehow further the goals and objectives of the strategic plan.
- Next, a cost-benefit analysis is done, and the results should reinforce the decision to implement.
- Finally, a risk assessment is conducted that identifies potential risk exposure due to unauthorized disclosure of customer, confidential, or sensitive information.
Since most mobile devices can process, store, and transmit information, this looks very similar to your risk assessment for other portable computing devices like laptops. (Indeed, the FFIEC mentions “…laptops and other mobile devices…” together in its Information Security Handbook, suggesting the risks are similar.) Except that in this case the risk is magnified by the extreme portability of the devices, their “always-on” and “always-remote” nature, and the fact that many more people will use mobile devices than will use laptops.
Once the inherent risk is assessed (most likely higher than for your other computing devices), controls are identified to reduce the risk. Again, since the capabilities are similar, the list of potential administrative and technical controls looks very similar to the one for your other computing devices. Your existing policy probably mandates that there first be a legitimate business reason for the employee to use a portable device. Once need is established, the employee agrees to a “proper use” policy, i.e. what is allowed and what isn’t. Finally, technical controls are applied: 8-10 character complex passwords, encrypted storage, patch management, anti-virus/anti-malware software, user rights and permissions restrictions, Active Directory integration, etc. But even if you’ve followed your risk management procedures to the letter so far, this is where the real challenges begin, because mobile devices simply don’t have the same controls available to them that other portable devices like laptops do. There are some additional controls available (like remote-wipe capability), but the end result of your risk assessment would most likely be that you have a higher inherent risk and insufficient controls, leading to a higher residual risk. Under “normal” conditions, this would lead to a decision NOT to deploy mobile devices until risks can be reduced to acceptable levels, right?
And yet they are ubiquitous.
So back to the original question. I’m not a big believer in writing a new policy to accommodate every new piece of technology you decide to implement, unless the technology cannot be accommodated within your existing policy framework. It is far easier to make a simple policy change by mentioning the new technology, thereby acknowledging that it exists and that it fits within your current policy framework. But in this case you are not really making a change; you are actually making a policy exception. You are admitting that the residual risk of BYOD is unacceptably high, but that you are willing to accept the additional risk in return for potential productivity gains. Since the Board of Directors is responsible for providing “…clear guidance regarding acceptable risk exposure levels…”, and for ensuring that “…appropriate policies, procedures, and practices have been established”, policy exceptions must be approved by the Board as well. It is your responsibility to make sure they understand exactly what the risks are, and why you feel they are risks worth taking.
Hopefully risk management controls for mobile devices will continue to evolve and mature to the point where they match the controls for the other portable devices you currently manage. But until they do, until they can be risk-managed consistent with your existing policies, they (and all policy exceptions) represent a net reduction in your existing security profile. And you cannot rationalize or justify taking shortcuts just because “everyone else is doing it”…or even worse, “we can’t stop it”.
Next, I’ll discuss possible solutions to this risk management challenge.