BYOD: Policy with Trust, or Ignore and Bust?!

May 21, 2013

Gone forever are the days when businesses could afford a laissez-faire attitude and let employees set their own pace in adopting Commercial off the Shelf (COTS) technologies and tools without solid central oversight. In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and whatever else regulatory compliance advises, policies became necessary for computer hardware, then computer software, mobile phones, and social media usage. Now a policy is also needed for the use of personal devices for business purposes, or Bring Your Own Device (BYOD), where and when the employer allows it.

Whether a single policy is written with separate and distinct sections for each of these sub-elements, or a separate policy is written for each one, is a case-by-case decision for each employer. Many elements will be common to more than one of these policies, however, and ignoring or avoiding a BYOD policy can lead to "quite" a bust.[1] The essence of a BYOD policy, to be implemented with employee buy-in, input, and trust, can have (depending on the size, scope of operations, and headcount of the employer) up to eleven core elements that must be addressed. I introduce them below; their initials spell out what the policy should make the workforce: SPECIALIZED.

CORE ELEMENTS OF A BYOD POLICY:

1. S-ystems and Products.

At the bare minimum, you must let all of your staff know which operating systems (Windows version(s), Mac OS, Linux distribution(s)[2]) and which products (phones, tablets, laptops, desktops) will be supported as the designated personal work "device" under the BYOD policy, and which versions of each are too old to be allowed on. It should not be a free-for-all with an anything-goes, everything-must-be-supported mentality. That is a recipe for open revolt in the IT department, given the configuration and compatibility burden it would impose: every additional platform is one more patch cadence and one more set of management tooling to keep current.

2. P-rivacy.

This is tricky, but it must be addressed. To the extent that work information is accessible through the device or held on it, the employer must be able to reach that information, which in practice means passwords must be shared with the employer (or, where the platform offers one, a separately managed work container to which the employer holds the credentials). Any employee who has a problem with this should quietly opt out of the policy, or ensure that nothing "untoward" is found or left on the device, because acceptance of that access should include acceptance of random audits and monitoring to ensure: (i) security protocols are being followed; (ii) commingling of personal and business data is not the norm; and (iii) employees are not engaging in other activities, including illicit activities, that might subject the BYOD (work) device to legal impoundment, or the data on it to compulsory disclosure.

3. E-fficiency Enhancements.

Having likely configured the device to "play nice" with legacy systems and be interoperable across the employer's IT estate, there will be restrictions on what a device owner can and cannot load onto the device post-configuration. The BYOD policy should specify whether individuals may install updates on their own (a fake "update available" prompt is a common malware lure, so the policy should say where legitimate updates come from), or must use an enterprise update-and-install function with regular logins and daily backups and syncs to a site the employer controls. This goes both for system upgrades and for protective software (antivirus and antimalware). Another question the policy might address, after taking an initial inventory of all programs and utilities on the device, is which ones can stay and which ones must go, as well as whether favourite games or other utilities, sometimes hurriedly made with inadvertent vulnerabilities, and often demanding far more system access and administrative control than they need to "function properly", can be added at all.

4. C-are and Custody.

It should be heavily stressed that once a device has been proposed and accepted for inclusion under the policy, the "owner" of the device is answerable to the data owner (the employer, in the case of business proprietary information) and to the data subject (including the client or customer, in the case of Personally Identifiable Information (PII), Personal Health Information (PHI), and the like) for the care and custody of both the device and all data that is on it or accessible by means of it. The device "must" remain in the "sole" care and custody of the employee; it can no longer be handed to a child to play games during downtime on a long journey, or as a reward for finishing homework or household chores on time, because whoever holds an unlocked device holds everything it can reach.

5. I-nformation.

This section should remind employees that they still need to adhere to any internal rules that required them to show a business need for data before they could access it, and that Identity and Access Management (IAM) procedures and segregation of duties continue to apply on the device: for working data (create, access, update, store, share, send, shred); for system data (upload, download, wipe); and for logs (write, access, edit, collate, wipe). Tie-ins with other policies on information (confidentiality, including passwords and proper screensaver and automatic-lock usage; social media usage; and audits and internal investigations) can also be made here, or in other sections of the BYOD policy.

6. A-ccountability.

Appropriate logs should be maintained of all data accessed through and residing on the device, at all relevant times. If the device is lost, or a breach or corruption occurs, those logs are what let you assess the scope of loss, contain the damage, tailor the response to the affected population, and meet regulatory notification duties; without them the only defensible assumption is that everything the device could reach was exposed. Of course, the "only" copy of anything should never sit on a single portable device; it must also be backed up in more than one secure location.

7. L-egal.

While the employer will certainly lay out the things for which the employee will be responsible in the event of a policy violation, it should also take the opportunity to list the things for which it will neither accept nor assume responsibility. Whether or not such disclaimers would ultimately succeed should a claim arise, these might include distracted driving, walking, flying or riding; repetitive stress injury; and unlawful or antisocial behaviour (bullying, cyberbullying, sexting, IP infringement, or online defamation).

Clear defence and indemnification provisions would not be out of order, along with: (i) some form of funding for the employee's use of a personal device for work; (ii) stated and mutually understood to be consideration for accepting the policy as a binding agreement; and (iii) coupled with some employee contribution from that funding into a pool from which BYOD, privacy, and other advisable liability insurance coverage would be secured, with the employer as beneficiary.

8. I-mplementation.

Here the employer would give the additional rationale for the policy: its scope, its purpose, and its importance to the organization as a whole and to its mission in particular. Along with a preamble at the start of the policy, this section would be key to achieving buy-in at all levels, and to demonstrating the entity's commitment, at the highest levels, to a policy that is both welcome and workable. Any staggered implementation, or other pertinent details on how the policy would be managed and modified from time to time, with changing laws and with employee input, might also be disclosed. A few words on enforcement, and on the reporting and investigation of suspected policy violations, should also be included here.

9. Z-one of Control.

This section would further delineate a "zone of control" (ZOC) within which the employer reserves the right to act with or without notice to employees, and which the employees accept as a bargained-for term. The ZOC would cover internal investigations (it is not always best to warn a target); law enforcement and national security matters (with or without citing specific provisions, but reminding all subscribers to the BYOD policy that the laws of the employer's home jurisdiction, including export restrictions and general trade or targeted sanctions, may also apply); and contingencies (for example, employees in areas under actual, threatened, or suspected terror attack, or whose devices show impending travel further afield than authorized, may find that sensitive data has been remotely wiped from those devices, or that the devices have been remotely locked, as a security precaution). Less draconian, but still useful within the ZOC, are wide and public SMS alerts.

10. E-ncryption.

Encryption has recently been touted as the be-all and end-all of security for data at rest, data on mobile devices, and data in transit, whether by email or through some Cloud platform. Encryption does have a part to play, but what use is it when the device holds a stored profile containing one or more of the "current" encryption keys? Whoever holds the device then holds the key too, and the ciphertext protects nothing. The key must be derived from something the attacker does not get with the hardware (a passcode, a hardware-backed key store, or a key released by the employer's server only to an enrolled, locked device), and it must be revocable from the employer's side. That said, some jurisdictions offer safe harbours that limit or even avoid breach disclosure when the lost or stolen data was encrypted or anonymized well enough to be indecipherable; and moving protection closer to, or onto, the data itself also limits what an intruder who penetrates the outer layer(s) of enterprise defence can retrieve and retreat with from inside the firewall or data stream. Some have called this a "Secure Breach" state.[3]
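The contrast described above, as an added example that is not part of the original article: two ways a device might hold the key protecting work data. In the naive profile the key itself sits in storage, so anyone who images the device has it. In the enrolled profile only a salt, the data key wrapped under a passcode-derived key, and an integrity tag are stored; the passcode never is. Everything here is standard library; the iteration count, the field names and the passcodes are assumptions for illustration. The XOR wrap is a one-time-pad style wrap (fresh salt per enrollment, one random data key per wrapping key); production code would use a standard key wrap such as AES Key Wrap or AES-GCM, but the point being shown is what is and is not on disk.

```python
"""Key held on the device (bad) versus key wrapped under the passcode.

Added example, not from the original article. Standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the device's CPU budget
DEK_LEN = 32                  # 256-bit data encryption key


def naive_profile(dek: bytes) -> Dict[str, bytes]:
    """The anti-pattern from the text: the live key is stored with the data."""
    return {"dek": dek}


def _derive_keys(passcode: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passcode into a wrapping key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * DEK_LEN
    )
    return material[:DEK_LEN], material[DEK_LEN:]


def enroll_profile(passcode: str, dek: bytes) -> Dict[str, bytes]:
    """Store the data key wrapped under the passcode; the passcode itself is not stored."""
    if len(dek) != DEK_LEN:
        raise ValueError("data key must be %d bytes" % DEK_LEN)
    salt = secrets.token_bytes(16)
    wrap_key, mac_key = _derive_keys(passcode, salt)
    # One-time-pad style wrap: wrap_key is fresh (random salt) and used once.
    wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped_dek": wrapped, "tag": tag}


def unwrap_dek(profile: Dict[str, bytes], passcode: str) -> Optional[bytes]:
    """Recover the data key; None on a wrong passcode or a tampered profile."""
    wrap_key, mac_key = _derive_keys(passcode, profile["salt"])
    expected = hmac.new(mac_key, profile["salt"] + profile["wrapped_dek"], "sha256").digest()
    if not hmac.compare_digest(expected, profile["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(profile["wrapped_dek"], wrap_key))


def key_present_in_profile(profile: Dict[str, bytes], dek: bytes) -> bool:
    """What a thief with the raw device storage sees: is the key just sitting there?"""
    return any(dek in value for value in profile.values())


if __name__ == "__main__":
    dek = secrets.token_bytes(DEK_LEN)
    print("naive profile leaks key:", key_present_in_profile(naive_profile(dek), dek))
    prof = enroll_profile("correct horse battery", dek)
    print("wrapped profile leaks key:", key_present_in_profile(prof, dek))
    print("right passcode recovers key:", unwrap_dek(prof, "correct horse battery") == dek)
    print("wrong passcode recovers key:", unwrap_dek(prof, "1234"))
```

The caveat a practitioner will raise: a wrapped key is only as strong as the passcode it is wrapped under. A four-digit PIN gives an offline attacker ten thousand guesses, and no iteration count fixes that, which is why mobile platforms tie the derivation to a hardware-held key and rate-limit attempts in hardware rather than relying on the software derivation alone.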

11. D-ecommissioning and Disposal.

Both disposal of the data and decommissioning or disposal of the device need to be closely managed. Deleting a file does not remove the data; it typically removes only the filesystem's pointer to it, and the underlying blocks remain readable until they are overwritten, so in the right hands and with the appropriate tools the data is often easy to recover. There must be an accepted understanding that devices will not be traded in for upgrades or environmental credits without first being put through a wringer (in-house or outsourced) to ensure that they are truly clean: a verified wipe or, where the device was encrypted, destruction of the encryption key so that whatever remains on the flash is unreadable. As the BYOD phenomenon gains pace, stability, and defined structures, a burgeoning business in such "outsourced pre-cleans" will likely develop. The results of lax cleans prior to disposal range from the embarrassing[4] to the quite disastrous.[5]
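The point about deletion, as an added example that is not part of the original article: a tiny simulated block device stands in for a phone's flash. `delete()` does what ordinary file deletion does, dropping the directory entry and marking blocks free without touching the bytes; `carve()` does what a buyer with a recovery tool does, scanning the raw image for a known file signature and ignoring the directory entirely; `wipe_free_blocks()` is the step a decommissioning process has to add. The block size, the file and its "client list" contents are constructed for the example.

```python
"""Deletion versus wiping, on a simulated device image.

Added example, not from the original article. Standard library only.
"""
from typing import Dict, List

BLOCK_SIZE = 64               # assumption: tiny blocks keep the image readable
PDF_MAGIC = b"%PDF-"          # signature carvers look for; any known header works


class FlashImage:
    """A flat byte array plus a directory mapping names to block numbers."""

    def __init__(self, blocks: int) -> None:
        self.data = bytearray(blocks * BLOCK_SIZE)
        self.free: List[int] = list(range(blocks))
        self.directory: Dict[str, List[int]] = {}

    def write_file(self, name: str, content: bytes) -> None:
        """Allocate blocks and copy the content in."""
        needed = -(-len(content) // BLOCK_SIZE)   # ceiling division
        if needed > len(self.free):
            raise OSError("image full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.data[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = used

    def delete(self, name: str) -> None:
        """Ordinary deletion: unlink the name, free the blocks, leave the bytes."""
        self.free.extend(self.directory.pop(name))

    def wipe_free_blocks(self) -> None:
        """Overwrite every unallocated block with zeros."""
        for blk in self.free:
            self.data[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(image: FlashImage, magic: bytes = PDF_MAGIC,
          max_len: int = 4 * BLOCK_SIZE) -> List[bytes]:
    """Recover candidate files by signature, without consulting the directory."""
    raw = bytes(image.data)
    found: List[bytes] = []
    pos = raw.find(magic)
    while pos != -1:
        found.append(raw[pos:pos + max_len].rstrip(b"\x00"))
        pos = raw.find(magic, pos + 1)
    return found


# Constructed sample: a document that should never leave the company.
SAMPLE_PDF = b"%PDF-1.4 CONFIDENTIAL client list: Acme Corp, Globex, Initech"


def demo() -> dict:
    """Write, delete, carve, wipe, carve again; return what each step showed."""
    img = FlashImage(blocks=16)
    img.write_file("clients.pdf", SAMPLE_PDF)
    img.delete("clients.pdf")
    after_delete = carve(img)          # directory says nothing is there ...
    img.wipe_free_blocks()
    after_wipe = carve(img)            # ... and now the bytes agree
    return {
        "directory_after_delete": list(img.directory),
        "carved_after_delete": after_delete,
        "carved_after_wipe": after_wipe,
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Two caveats for real hardware. First, on flash storage (phones, SSDs) a host-side overwrite is not guaranteed to reach every cell, because the controller remaps and wear-levels pages behind the filesystem's back; the reliable wipe is the cryptographic one, where the device was encrypted from day one and the key is destroyed at decommissioning, which is why section 10 and section 11 belong together. Second, verify the way the buyer would: image the device after the wipe and carve it.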

SUMMARY:

BYOD significantly expands an entity's attack surface and offers myriad additional attack vectors. The IT security perimeter keeps moving ever further beyond the proverbial firewall, and defences have to keep adapting to meet several generations of threat at once.

A BYOD policy that covers the above points in sufficient depth and detail can remain relevant, and protect both the employer and the employer's data, while educating the workforce. But this schema is by no means presented or intended as the last word, because change is the one constant.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams. Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] See e.g. DoD IG Audit Report DODIG-2013-060, Information Assurance, Security, and Privacy: Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices. United States Department of Defense, March 26, 2013, on dodig.mil. Online: http://www.dodig.mil/pubs/report_summary.cfm?id=5082 ; see also Ekundayo George, What about hospital BYOD? Published October 7, 2012, on ogalaws.wordpress.com. Online: https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/

[2] Open source elements and compilations should always be used with caution, as licensing terms differ.

[3] SafeNet. A New Security Reality: The Secure Breach. Published in 2013, on safenet-inc.com. Online: http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf

[4] Shaun Waterman, The Washington Times. Selling state secrets to North Korea? Japan sold hi-tech ship without wiping data. Published April 29, 2013, on washingtontimes.com. Online: http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/

[5] Amar Toor. NASA Accidentally Sells Off Computers With Sensitive Data. Published December 8, 2010, on switched.com. Online: http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/
