BYOD – A comparison of BYOD security policies – What is BYOD?





byodTalk

Presentation on BYOD and security policies in organizations using reveal.js

On Github tylerablake / byodTalk

BYOD

A comparison of BYOD security policies

Created by Tyler Blake and Devin Clapp

Agenda

  • Overview of project
  • What is BYOD?
  • Advantages/Disadvantages
  • DevCo
  • TyCo
  • Comparison
  • Ideal Solution

What is BYOD?

  • Bring Your Own Device
  • Policy of allowing employees to bring personal devices to work

Advantages & Disadvantages

Advantages

  • Increased productivity
  • Improved morale
  • Makes the job look more flexible and attractive
  • Cost savings for the company

Disadvantages

  • Increased chance of data breaches
  • Employee forgetting to wipe memory when reselling devices
  • Employee losing devices with confidential work data on them
  • Harder to monitor usage
  • Scalability issues for company infrastructure

Overview of Project

  • Compare and contrast BYOD policies in 2 different settings
  • Discuss the security policies related to BYOD for each
  • Assess the risks each company endures
  • Determine how they manage/handle such risks

DevCo

Overview

  • Healthcare Firm
  • Provides medical assistance and insurance to their customers

BYOD Policy

  • Strict as they are a covered entity
  • VPN portal allowed from any device
  • Guest wireless offered for personal devices

Risks

  • HIPAA: they must remain compliant with regulations
  • Data theft/leaks
  • Lost or stolen devices

Risk Management

  • Physical access controls limit access to certain areas
  • Logical access controls limit access to data and assets
  • User ID with role-based permissions
  • Cheaper for healthcare industries to provide devices than suffer financial penalties from an attack

TyCo

Overview

  • IT consulting firm
  • Provides cloud based solutions for many different organizations

BYOD Policy

  • Relaxed policy
  • All devices are allowed
  • Login to access company network and assets
  • No VPN requirement for remote access
  • No monitoring software required
  • No prohibited applications

Risks

  • HIPAA compliance when working with covered entities
  • Malicious code planted in project solutions
  • Compromise of login to client system/network
  • Compromise of login to their own system/network
  • Device gets lost/stolen

Risk Management

  • Physical access controls to certain company assets
  • Logical access controls
  • Login with authentication/authorization
  • Role-based access controls
  • Group-based access controls
  • Transfer risks to their cloud service provider
  • Transfer risks to the client they are working for

Comparison

  • DevCo
      • Strict policy
      • Only authorized personal devices in limited contexts
      • Requires login to access guest network
      • Must use VPN for remote access
  • TyCo
      • Relaxed policy
      • All personal devices are allowed
      • Requires login to access internal network
      • No VPN required for remote access

Ideal Solution

  • Only allow certain devices (e.g., laptops only)
  • Login for access to company network
  • Must use VPN for remote access
  • Use of monitoring software on devices
  • Requirement of anti-virus/malware software installed
  • Train employees on acceptable use of devices
  • Set up an employee exit strategy

Questions?

Thank you! :) Presentation brought to you via Reveal.js!