My organization has decided to implement acceptable use agreements (AUAs) to outline security policies for employee-owned/BYOD mobile devices. Could you provide some best practices for the content that should be included in these AUAs and how to get users to accept it smoothly?
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: firstname.lastname@example.org.
Enterprises facing BYOD security issues tend to deal with a common problem: employees don’t appreciate that using their own mobile device in a work context doesn’t exempt them from following security policy. Breaches often occur because employees don’t appreciate the potential consequences of their actions, such as circumventing access restrictions to save time and hassle. The line between personal use and business use is certainly not easy to draw, but overall enterprise security should not be undermined by these devices.
How an enterprise structures its policy depends to some extent on the type of BYOD it operates. If it’s shared management, in which employees give the right to manage, lock down or even wipe clean the devices, or corporate ownership, in which the organization purchases and retains ownership of the device, the enterprise is in a much better position to enforce its acceptable use agreement. If the devices are employee-owned I would push for a legal transfer system, which would involve the enterprise purchasing the devices from the employees, and returning ownership of the devices to them if they leave the organization.
A mobile phone, whether it’s owned by an enterprise or a user, is effectively a cross between a laptop and a communications device, so a good starting point for drafting a BYOD AUA is an enterprise’s acceptable usage policy covering laptop and email use. Some key topics to cover when creating an AUA include: a code of conduct when communicating on business matters, what can and can't be discussed, what actions should be taken if the device is lost or stolen, and which types of data can and can't be accessed from or copied to the device. To avoid confusion, always provide examples of how data should be handled on a BYOD device.
Involving staff in the development of an AUA is vital in order to keep them onboard whilst still achieving the necessary security objectives. If a policy is impractical, employees – including executives – won’t follow it. First, help employees understand the threat mobile devices pose to security by sharing the results of the organization’s risk assessment. Employees will usually suggest ways to mitigate some of the risks and, more importantly, they will accept the need for what they might initially perceive as tedious and unnecessary controls. When employees understand the reasoning behind a particular security control, they are far less likely to ignore it. By ensuring their needs are either met or an acceptable compromise is provided, employees are more likely to embrace the resulting policy and working practices instead of utilizing non-compliant and unsecure workarounds.
Data ownership is a key aspect of any security policy, so make sure employees fully appreciate their role and responsibilities in keeping data secure. A mobile device, for example, can easily hold tens of thousands of Word documents, emails or other types of sensitive data files. These devices make it easier for employees, service providers or data thieves to access, copy or lose an organization's intellectual property or customer data. If employees take ownership of information assets, the strength of an enterprise’s security will improve dramatically.
However, these policies still need to be reinforced by technology-based controls. All evidence points to the need to actively enforce security policies with monitoring to deter and prevent employees from exploiting their legitimate access to enterprise data. If employees know there’s a chance that network filters and log analyzers will catch inappropriate activity, they are far more likely to follow procedure, particularly if disobedience incurs strict disciplinary measures. Technologies such as network access control and mobile device management can provide visibility into whether unmanaged devices are in use, and support limiting corporate network access based on those factors.
This was first published in May 2012