In the previous post, I suggested that because mobile devices (smart phones and PDAs) are not that functionally different from other mobile computing devices like laptops in how they process, transmit, and store information, a separate policy wasn’t necessary. Since the data security, confidentiality and integrity concerns are the same as for other devices, you should be able to simply extend your existing policy to include them. But in fact the risks are greater, and often more difficult to control, resulting in substantially higher residual risk (the risk remaining after the application of controls) than for other computing devices. Because of this, employee-owned mobile devices really represent an exception to your policies rather than an extension of them. And because all policy exceptions must be approved by your Board, perhaps separate policies and procedures are appropriate.
The FFIEC is fairly silent on this topic, but fortunately NIST is in the process of formulating several pieces of guidance on managing the risk of BYOD, and it is always useful to see where they stand on this issue, as very often we’ve seen NIST guidelines make their way into other federal regulations.
NIST Special Publication 800-124, entitled “Guidelines for Managing and Securing Mobile Devices in the Enterprise”, is currently in draft status and is an update to a 2008 document, “Guidelines on Cell Phone and PDA Security”. The updated guidance recognizes the evolution of the technology over the past few years, as well as the unique security challenges inherent in both corporation-owned and employee-owned mobile computing devices. It advises institutions to implement the following guidelines to improve the security of their mobile devices:
- Develop system threat models for mobile devices and the resources that are accessed through them. Recognize that these devices are not the same as your other computing devices. The threats are not the same and the available controls are not the same, so both the probability and the impact of an attack on these devices are likely greater. Make sure your threat model captures how the device will connect to your network and what data it will transmit and store. Data-flow diagrams can be very helpful in this modeling process.
- Once the threat is understood, deploy only those devices that present the minimum level of risk consistent with the job requirements of the employee. This will be one of the biggest challenges for institutions, as many employees will want the latest devices with all the bells and whistles. Prior to deploying, make sure you have centralized mobile device management that offers the following minimum capabilities:
  - Ability to enforce enterprise security policies, such as user rights and permissions, as well as the ability to report policy violations.
  - Encryption of data in transit and at rest, with the ability to remotely wipe the device.
  - User authentication required before the device can access enterprise resources, with incorrect-password lockout periods consistent with your other computing devices.
  - Restrictions on which applications may be installed, and procedures in place for updating the applications and the operating system.
- Have a separate mobile device policy. The policy should define which types of mobile devices are permitted to access the institution’s resources, the degree of access that mobile devices may have, and how they will be managed. It should differentiate between institution-owned and employee-owned devices, and be as consistent as possible with your policy for non-mobile devices.
- Test the policy initially, and periodically thereafter, to verify management capabilities. Perform either passive (log review) or active (penetration testing) assessments to confirm that the mobile device policies, procedures and practices are being followed properly.
- Secure each device prior to deployment. This is slightly easier for institution-owned devices, much harder (but arguably more important) for already deployed, employee-owned devices.
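As an added illustration of the passive, log-review style of assessment described above (this is not code from the post or from NIST SP 800-124), the following Python checks a constructed MDM inventory export against the four minimum management capabilities listed; the field names, thresholds and sample records are all assumptions.

```python
# Added example, not from the post or NIST SP 800-124: a passive log-review
# check of a constructed MDM inventory export against the minimum MDM
# capabilities listed above. Field names and thresholds are assumptions.

# Policy baseline (constructed placeholders mirroring the post's list).
POLICY = {
    "max_failed_logins": 5,  # lockout consistent with other endpoints
    "approved_apps": {"mail", "calendar", "vpn"},
    "min_os": {"ios": (16, 0), "android": (13, 0)},
}

def check_device(rec):
    """Return the list of policy gaps for one MDM inventory record."""
    if not rec.get("mdm_enrolled"):
        # Unmanaged devices cannot be controlled: the policy-exception case.
        return ["not enrolled in MDM (%s-owned, policy exception)" % rec["owner"]]
    issues = []
    if not rec.get("storage_encrypted"):
        issues.append("storage not encrypted")
    if not rec.get("remote_wipe"):
        issues.append("remote wipe unavailable")
    if not rec.get("passcode_set"):
        issues.append("no authentication required")
    elif not 0 < rec.get("lockout_threshold", 0) <= POLICY["max_failed_logins"]:
        issues.append("lockout threshold inconsistent with policy")
    unapproved = set(rec.get("apps", [])) - POLICY["approved_apps"]
    if unapproved:
        issues.append("unapproved apps: " + ", ".join(sorted(unapproved)))
    if tuple(rec.get("os_version", (0, 0))) < POLICY["min_os"].get(rec.get("platform"), (0, 0)):
        issues.append("operating system below minimum version")
    return issues

def assess(inventory):
    """Map device_id -> issues for every device that fails the policy."""
    checked = ((r["device_id"], check_device(r)) for r in inventory)
    return {dev: issues for dev, issues in checked if issues}

# Constructed sample export: three devices, not real data.
SAMPLE_INVENTORY = [
    {"device_id": "inst-001", "owner": "institution", "mdm_enrolled": True,
     "storage_encrypted": True, "remote_wipe": True, "passcode_set": True,
     "lockout_threshold": 5, "apps": ["mail", "vpn"], "platform": "ios", "os_version": (17, 2)},
    {"device_id": "byod-042", "owner": "employee", "mdm_enrolled": True,
     "storage_encrypted": False, "remote_wipe": True, "passcode_set": True,
     "lockout_threshold": 10, "apps": ["mail", "games"], "platform": "android", "os_version": (12, 0)},
    {"device_id": "byod-077", "owner": "employee", "mdm_enrolled": False},
]

if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY))
```

Devices that fail any check are the ones the policy (or a Board-approved exception) has to account for; the unenrolled employee-owned device is reported separately because none of the other controls can be verified on it.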
I’m sure you can already hear the howls of protest for this last one, but the guidance actually states that for employee-owned (BYOD) devices organizations should recover them, restore them to a known good state, and fully secure them before returning them to their users.
So when it comes to BYOD you basically have two choices: you can properly manage the devices and their risks consistently with your other computing devices, or you can recognize that they represent a deviation from your risk management policies and get Board approval for the exception. And if you choose to classify them as policy exceptions, you should be prepared to explain the potential impact of the higher risk to the organization, and exactly how that higher risk is justified.