Nalneesh Gaur, Director at PwC, on the importance of establishing standards and guidelines in the “Age of BYOD”:
“It is critical to develop standards and guidelines in support of the policy (Acceptable Use Policy). If you do not have a standard, your employees will set their own standard… Setting the standard is not enough. The landscape is changing rapidly and to keep up you should expect to update your standards.”
In order to govern new technologies and personal devices entering the workplace, you need to establish a stricter policy to address authentication. That includes things like passwords, device registration, and device authentication. The biggest concerns are around loss and theft. The concerns about loss come primarily from a compliance angle. There may be a situation where a company loses some tapes. For all they know, the tapes could be sitting somewhere in the warehouse, but now they are required to go through a lengthy disclosure process. When it comes to loss and theft, you have to find a way to let everybody know what happens when a device is lost. How would the organization respond?
You also need to decide how you are going to support the devices. Some organizations take the following stance: it is your device, so we are not responsible for supporting it. However, you will soon find that there is a gray area in between, where users are unable to connect to the wireless network or a service, so you have to ensure there is sufficient help desk support available. Encryption is very important, both from a data-at-rest and a data-in-motion perspective.
Another integral issue is how you back up and restore these devices. Some devices have the ability to insert a storage card. Obviously, a lost or stolen storage card containing confidential information is something you have to consider. If you do not make a tool like SharePoint available, people will turn to storage cards and the like to hold their information. The results could be disastrous.
Be sure to update your acceptable use policy. One of the biggest problems is that companies realize they need a policy and rush to create one. Unfortunately, that rush means creating a policy that is not as comprehensive as it probably should be, leaving many loopholes. This is a problem because your employees are intelligent and will find these loopholes, knowing you really have no way of enforcing a policy written at that pace. Awareness training needs to be part of this process too. Employees should know the consequences of violating the policy.
On a related note, it is critical to develop standards and guidelines in support of the policy. If you do not have a standard, your employees will set their own. When developing these standards, everyone should be involved in creating the initial standard so that everyone is on the same page. Setting the standard is not enough. The landscape is changing rapidly, and to keep up you should expect to update your standards.
Then you have to think about oversight and the correct form of governance. Federated or central? Cost or functionality? In some organizations you may have rather large oversight bodies. In other words, you may have four people from Europe, six from Latin America, and ten from the U.S. Generally, with this setup people just talk and hold meetings with nothing getting accomplished. When someone like the construction worker wants to introduce a new opportunity like the iPad, IT needs to find a way to enable it. Security in particular has to come to the table too and decide how to enable it for the enterprise. One idea is to place something like that in a lab environment. Then you can work with the individual as well as IT and Security, and it becomes a collaborative effort.
The preceding is a passage from “Security Considerations for Being Mobile and Social While Riding the Cloud.” You can find this report (and hundreds of others on a variety of IT topics) at TheIMF.com in our Reports section. The presenter of this material, PwC Director Nalneesh Gaur, is speaking on “Building and Governing a Security Operating Model” at our Security Forum June 6-7 in Washington, D.C. Find out who else is speaking and how you can attend by viewing the Forum Agenda!