Planning Considerations for BYOD and Consumerization of IT (Part 5)

by Deb Shinder [Published on 22 Oct. 2014 / Last Updated on 22 Oct. 2014]

In this, Part 5, we’ll move on to the discussion of BYOD compliance with government and industry security and privacy standards.

Introduction

In the first part of this series on planning considerations for securing BYOD and consumerization of IT, we looked at the Bring Your Own Device (BYOD) problem domain and discussed key aspects of planning and design. We finished up the article by looking at the structure of a planning framework that you can use to guide your planning decisions. In Part 2, we discussed a collection of solution requirements that cuts across all secure BYOD deployments; this encompasses the technical capabilities that are required in all BYOD solutions. In Part 3, we continued our coverage of the BYOD requirements and the history and intent behind them. Part 4 offered some thoughts about the need for your BYOD strategy to support modern authentication mechanisms.

Living in a regulated world

In the early days of IT, we worked in a largely “lawless” environment. Unlike other fields such as medicine, law, and even hairdressing, there weren’t many rules regarding how computer networks had to be set up and operated. Companies were free to design their own policies and set their own standards for themselves, decide how much or how little security to implement, how to treat customers’ personal information, and so forth.

Life was simpler then, but those days are gone forever. Today regulatory compliance might be the bane of the IT admin’s existence, but it’s also very big business. A large number of jobs owe their existence to the ever-increasing number of governmental and industry rules and regulations that businesses must obey. Failure to do so means risking withdrawal of privileges, fines or even criminal charges.

The regulatory agencies themselves employ thousands of people tasked with enforcing the often obscure, constantly changing and difficult-to-understand requirements imposed by law or administrative fiat. On the other side of the fence, the companies affected by these regulations are hiring thousands of people to ensure that they don’t get zapped by the “enforcers.” In fact, according to a Wall Street Journal article at the beginning of this year, compliance officer is one job category that is booming even in a not-so-great job market.

Why we must comply

It was inevitable that IT would eventually come under the purview of outside authorities, just as so many other professions have. In the American colonies in the 1600s, there was little regulation of doctors, but by the mid-1700s to 1800s, medical societies had been formed to establish standards and rules, which eventually led to mandatory training requirements and state licensing. It seems likely that at some point in the future, you won’t be allowed to “practice” as an IT professional without fulfilling similar minimum education and training and IT pros may eventually have to sit for state exams and be licensed before they can get a job in the field.

This trend is partly due to a general increase in government control over all aspects of business and private life, but it was exacerbated by the events of September 11, 2001, which kick-started a big jump in security awareness and focus on the many methods by which terrorists could attack, with the threat of cyberterrorism looming large. In the wake of this, a backlash was building among ordinary citizens who felt their privacy being eroded.

Thus laws were passed in an attempt to address both of these issues. The two big goals of these regulations are:

  • Increase security to prevent attacks that can compromise essential services and infrastructure on which people depend, such as attacks against the financial and banking systems that could wreak havoc with the stock market and monetary systems or attacks on the systems that run healthcare services that could create panic and cause deaths by tampering with medical information and orders.
  • Increase security to protect the privacy of customers’ (clients’, patients’) personal information, including contact info, ID info the exposure of which could enable identity theft, banking/credit card and other financial information, medical history and information.

When you consider what a profound impact the configuration of a computer network can have on people’s lives, it begins to seem amazing that the field isn’t even more highly regulated than it is. That’s little consolation, however, to those who must navigate the maze of regulations to not only ensure compliance but also properly document the proof of that compliance in case of audit.

Navigating the compliance maze

It’s not so much the requirements for security as the minutiae of those requirements that make compliance difficult. Regulatory laws, like most legislation, are generally a product of compromise, negotiation, amendments and addendums that can make the end result a disjointed conglomeration of legalese that’s almost impossible for a non-lawyer to interpret (and sometimes pretty unintelligible even to those with legal training). This is one of the reasons companies are hiring specialists who are trained specifically in, and can focus exclusively on, compliance issues.

Depending on your company’s primary industry, it may be subject to compliance with one or more of the following in the U.S.:

  • PCI DSS – Payment Card Industry Data Security Standard: organizations that store, transmit or process credit card data.
  • FISMA – Federal Information Security Management Act: government agencies and contractors and companies that deal with government agencies and exchange information with government systems.
  • SOX – Sarbanes-Oxley Act: publicly held companies and public accounting firms.
  • HIPAA – Health Insurance Portability and Accountability Act: organizations that store or exchange patient healthcare information.
  • GLBA – Gramm-Leach-Bliley Act: financial institutions and financial services companies.

The European Union and other countries outside the U.S. have similar legislation to protect electronic data and privacy, such as the EU’s Data Protection Directive 95/46/EC.

ISO 27001 – ISMS (Information Security Management System): this is an international standard established by the International Organization for Standardization which is the basis for voluntary compliance by organizations throughout the world.

Throwing BYOD into the mix

Ensuring compliance requires control, and the problem with adding BYOD to the mix is that by its very nature, it removes some of the control that IT has traditionally exercised over users’ devices and software. If your company is in a regulated industry, as more and more are, compliance must be an integral part of your BYOD policy and not just an afterthought.

The first steps toward integrating regulatory compliance into your BYOD policies include the following:

  • Determine which data that is generated/stored by your organization is subject to regulatory compliance.
  • Determine under which legislation/regulation(s) that data falls.
  • Determine what government agencies or industry bodies are tasked with enforcing the compliance regulations.
  • Determine which regulated data needs to be accessed via, transmitted by or stored on employee-owned devices.
  • Determine which employees need to access, transmit or store regulated data on their devices.
  • Consider using a Compliance Requirement Matrix as a cross-reference tool to verify compliance with the relevant regulations; the same matrix can be used to document compliance in case of an audit.

More information on constructing a Compliance Requirement Matrix can be found here.

Ensuring BYOD compliance

Companies in regulated industries should consider adding some or all of the following provisions to their BYOD policies:

  • Prohibit the storage of any personal information pertaining to customers, clients, patients, etc. on individual employee-owned devices.
  • Ban certain apps that are used for public file storage and transfers such as Dropbox, OneDrive, Google Drive etc. Ensure that regulated data cannot be transferred from a secure app to a non-secure one.
  • Restrict access to personal customer, client or patient information via BYOD devices.
  • Use containers (secure workspaces) to isolate regulated data on BYOD devices from the employee’s personal data and apps. Virtualization can be used to isolate separate work and personal workspaces. Virtual private networks (VPN) can be used to securely connect to regulated data resources on the corporate network from employee-owned devices.
  • Require that any personal information of customers, clients, or patients that is accessed via BYOD devices be accessed via a secure encrypted connection only.
  • Institute web site and application blacklisting and/or whitelisting to reduce risk of compromise of BYOD devices.
  • Monitor device integrity, including configuration and malware protection.
  • Monitor and log access to regulated data, track and control access details including user, device, time/date, location and the specific files that are accessed.
  • Generate compliance reports for all BYOD devices.
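The monitoring, logging and reporting provisions above can be turned into an automated check. The following is an added example (not code from the article or any product) that evaluates constructed BYOD access records against those provisions: the required log fields, the banned public file-sharing apps, the secure-container requirement and the encrypted-connection requirement, and then produces a per-device compliance report. The record layout and the sample data are assumptions made for the example.

```python
"""Evaluate constructed BYOD access records against the policy provisions
listed above and produce a per-device compliance report."""
from collections import defaultdict

# Apps the policy bans for handling regulated data (from the article's list).
BANNED_APPS = {"dropbox", "onedrive", "google drive"}
# Fields the policy requires every access log entry to carry (assumed layout).
REQUIRED_FIELDS = ("user", "device", "timestamp", "location", "file", "app",
                   "container", "encrypted", "regulated")

def check_access(rec):
    """Return the policy violations for one access record (empty == compliant)."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        return ["incomplete log record: missing " + ", ".join(missing)]
    if not rec["regulated"]:
        return []  # personal or unregulated data is out of scope for the policy
    violations = []
    if rec["app"].lower() in BANNED_APPS:
        violations.append("regulated data handled by banned app " + rec["app"])
    if not rec["container"]:
        violations.append("regulated data accessed outside secure container")
    if not rec["encrypted"]:
        violations.append("regulated data accessed over unencrypted connection")
    return violations

def compliance_report(records):
    """Group violations by device; a device mapped to an empty list is compliant."""
    report = defaultdict(list)
    for rec in records:
        report[rec.get("device", "<unknown device>")].extend(check_access(rec))
    return dict(report)

# Constructed sample records (not taken from the article).
SAMPLE_RECORDS = [
    {"user": "alice", "device": "phone-01", "timestamp": "2014-10-22T09:10:00Z",
     "location": "HQ", "file": "patients/1234.pdf", "app": "WorkMail",
     "container": True, "encrypted": True, "regulated": True},
    {"user": "bob", "device": "tablet-07", "timestamp": "2014-10-22T09:12:00Z",
     "location": "home", "file": "cards/export.csv", "app": "Dropbox",
     "container": False, "encrypted": True, "regulated": True},
    {"user": "bob", "device": "tablet-07", "timestamp": "2014-10-22T09:15:00Z",
     "location": "home", "file": "photos/cat.jpg", "app": "Gallery",
     "container": False, "encrypted": False, "regulated": False},
    {"user": "carol", "device": "phone-03", "timestamp": "2014-10-22T09:20:00Z",
     "file": "ledger.xlsx", "app": "WorkMail", "container": True,
     "encrypted": True, "regulated": True},  # location field missing
]

if __name__ == "__main__":
    for device, problems in compliance_report(SAMPLE_RECORDS).items():
        print(device, "COMPLIANT" if not problems else problems)
```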

Summary

Regulatory compliance is already a complicated subject and BYOD adds to its complexity, but by building compliance into your BYOD policies from the beginning, you can maintain compliance while still providing employees and the company with all the benefits of BYOD.

Next time, in Part 6, we will talk more about how you can enable robust reporting capabilities for your BYOD environment, which can be utilized to demonstrate compliance.

The Author — Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.