8/13/2019 pg 23 25 27

IT Audit
BY LANCE SEMER, EDITED BY STEVE MAR

AUDITING THE BYOD PROGRAM
The growing business use of personal smartphones and other devices raises new security risks.

Many organizations are taking advantage of bring your own device (BYOD) practices that allow employees to use their own personal portable devices to access the company's email and internal network. Among other benefits, businesses can save significant resources when employees are able to use their own smartphones, laptops, and tablets to do their work (see BYOD Advantages on page 25).

However, BYOD programs can introduce data security, compliance, and privacy risks such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. To mitigate these concerns, organizations need to have an effective BYOD policy in place, including a mobile device management (MDM) solution. For their part, internal auditors should evaluate compliance with the policy and assess the MDM's ability to provide multilayered security, policy enforcement, and control across a variety of devices.

Unsecure Devices
Many of today's personal devices are prone to vulnerabilities. For example, a September 2012 article by mobile security firm Duo Security reports that more than half of Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them. In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges incurred by cybercriminals; illicit sign-up of costly premium text messaging services; and installation of spyware that can steal sensitive data, including credit card numbers, email account logon credentials, online banking credentials, and contact list information. Some hackers have found ways to wipe data stored on a device by sending a text message.

Another concern for organizations is e-discovery litigation associated with storing company email and data outside their control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.

Managing Devices Remotely
An MDM solution is a best practice that can enable organizations to manage employee-owned portable devices and enforce security policies remotely, once employees have installed the software on their devices and agreed to the organization's terms and conditions. Ideally, an MDM solution should strike a balance between providing enterprise security and preserving the employee's user experience, convenience, and privacy. Indeed, some products can configure portable devices to have two separate logical containers that segregate business from personal data. This method permits the employee's personal data to remain private while enabling the organization to control only the business container where the organization's apps, data, and email reside.

BYOD ADVANTAGES
Implementing a BYOD program can have benefits for both employees and their organization.

ORGANIZATION
• Eases overhead by eliminating the need to manage a service provider.
• Eliminates overhead needed to monitor usage and cost overruns exceeding contractual limits.
• Eliminates need to manage and pay for service plans, individually managed calls, and data usage.
• Increases employees' productivity by enabling them to work when traveling or away from the office.
• Eliminates or reduces IT infrastructure resources and associated costs.
• Provides a recruiting incentive for prospective employees who want to use their own devices.

EMPLOYEES
• Employees are free to choose the device they want.
• Employees avoid the burden of carrying an additional company-issued device.
• Morale may be higher because employees are not forced to use devices they don't like.
• The ability to telecommute using their own devices can enhance employees' quality of work and personal life.

Once installed, an MDM solution can enforce numerous security policies. Auditors should verify these policies are in place:

• Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.

• App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.

• App-vetting policy. Ensures that only trustworthy whitelisted apps can be installed; blocks blacklisted apps that could contain malicious code.

• Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.

• PIN policy. Sets up PIN complexity rules and expiration periods, as well as prevents reuse of old PINs.

• Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.

• Jailbreak policy. Prohibits unauthorized alteration of device's system settings configured by the manufacturer, which can leave devices susceptible to secu-

• Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.

• Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.
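The policy checks above can be turned into an automated compliance review that an auditor runs over an MDM device export. The following is an added example, not code from the article or from any MDM product: the device fields, policy thresholds, app lists, and sample inventory are all constructed assumptions, and a device failing any check is the trigger for the revoke-access policy.

```python
from dataclasses import dataclass

# Constructed policy thresholds; a real MDM exposes equivalents in its console.
POLICY = {
    "max_patch_age_days": 30,     # app/OS update policy
    "min_pin_length": 6,          # PIN complexity (length only, for brevity)
    "max_pin_age_days": 90,       # PIN expiration
    "max_idle_lock_minutes": 5,   # inactive-device lockout
    "allowed_apps": {"mail", "calendar", "vpn-client"},  # whitelist
    "blocked_apps": {"rogue-cleaner"},                   # blacklist
}

@dataclass
class Device:
    owner: str
    antimalware: bool          # security software installed
    patch_age_days: int        # days since last OS/app update
    container_encrypted: bool  # business container encrypted
    pin_length: int
    pin_age_days: int
    pin_reused: bool           # current PIN matches one in history
    idle_lock_minutes: int     # 0 means lockout disabled
    jailbroken: bool
    apps: frozenset            # apps installed in the business container

def evaluate(d: Device, p=POLICY) -> list[str]:
    """Return the names of the MDM policies the device violates (empty = compliant)."""
    findings = []
    if not d.antimalware:
        findings.append("anti-malware/firewall")
    if d.patch_age_days > p["max_patch_age_days"]:
        findings.append("app/OS update")
    if (d.apps - p["allowed_apps"]) or (d.apps & p["blocked_apps"]):
        findings.append("app vetting")
    if not d.container_encrypted:
        findings.append("encryption")
    if d.pin_length < p["min_pin_length"] or d.pin_age_days > p["max_pin_age_days"] or d.pin_reused:
        findings.append("PIN")
    if d.idle_lock_minutes <= 0 or d.idle_lock_minutes > p["max_idle_lock_minutes"]:
        findings.append("inactive-device lockout")
    if d.jailbroken:
        findings.append("jailbreak")
    return findings

def revoke_access(devices) -> list[str]:
    """Revoke-access policy: owners whose devices fail any check lose network access."""
    return [d.owner for d in devices if evaluate(d)]

# Constructed inventory: one compliant device and two that should be disconnected.
INVENTORY = [
    Device("alice", True, 7, True, 6, 30, False, 5, False, frozenset({"mail", "calendar"})),
    Device("bob", True, 45, True, 4, 100, True, 5, False, frozenset({"mail"})),
    Device("carol", False, 2, False, 8, 10, False, 0, True, frozenset({"mail", "rogue-cleaner"})),
]
```

Running `revoke_access(INVENTORY)` returns the owners whose devices should be disconnected until brought back into compliance, and `evaluate` gives the per-device findings an auditor would record.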

The Low-end Approach
Organizations that do not yet have an MDM solution in place can still provide guidance for those employees who use their mobile devices to access company data and email. As an interim measure, management can have employees read and sign an acceptable-use document stipulating that they agree to take proactive measures to secure their portable devices as well as give the organization's IT or information security department the right to inspect devices for policy compliance. Devices that fail inspection should be disconnected from the organization's network, and business content should be wiped until the device is brought back into compliance. Internal auditors should evaluate inspection practices to ensure that they are in place and operating as designed.

As much as practical, employees should conform to the same security policies used by MDM solutions. Moreover, organizations should consider a variety of additional measures including:

• Setting the Bluetooth feature to nondiscoverable mode or disabling it altogether if it is not needed. This can protect against connections with other devices that

• Using a virtual private network or secured website connection when accessing company email and data through a public Wi-Fi hotspot.

• Not forwarding company email messages to noncompany computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.

• Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner's manual or seek assistance from their service provider if they are unsure of how to configure their personal devices.

Reimbursement Strategy
An equitable BYOD reimbursement policy should be considered to compensate employees for work-related activities when they are mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because a contractual relationship exists between them, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, auditors should evaluate reimbursement practices to ensure controls are in place to prevent abuse, as well as assess compliance with compensation policies.

Assessing Risks and Policies
Based on growth projections for BYOD and its potential risks, internal auditors should get involved in assessing their organization's BYOD risks and evaluating MDM and other policy solutions to determine their adequacy to protect the organization's proprietary and sensitive information. Moreover, they should ensure that the organization's BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.

LANCE J. SEMER, CIA, CISA, CISSP, is the information security officer for Washington Federal, based in Seattle.

TO COMMENT on this article, email the author at lance.semer@theiia.org.


Copyright of Internal Auditor is the property of Internal Auditor and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.