Pub. 8 2013-2014 Issue 2
www.nebankers.org

Tech Talk

Bring Your Own Device: Personal or Business?

Russ Horn, CISA, CISSP, CRISC, President, CoNetrix

Bring Your Own Device (BYOD) is a hot topic in businesses today. I think every security and technology conference I have attended over the past few months has had a session covering BYOD. One of the recent programs I attended included a session titled “BYOD, Bring Your Own Device or Disaster?” In the session, like many others, the presenter discussed some of the issues related to introducing personal devices into a business. The issue is escalated to another level within the financial sector as confidentiality and security become more important. By allowing employees to use their personal devices for bank-related activities (e.g., email, access to the network, bank applications, etc.), the bank must deal with security issues, which can conflict with employees’ personal expectations.

In many cases, we tend to treat mobile devices like iPhones and Androids differently than other bank systems like laptops, workstations, or servers. However, if we allow mobile devices to use bank resources or applications, then the device must be managed accordingly. Below are considerations and questions to ask as you go through your risk management process of considering how personal mobile devices fit into your institution.

Security Considerations

Security of potentially confidential customer information on the device or possible access to the bank network is of high concern. Below are common security settings many institutions have chosen to implement:
• Require a password to access the device;
• Set password expirations;
• Set the device to automatically wipe after a certain number of consecutive incorrect password attempts (e.g., 10 failed attempts);
• Require a password after a specified period of inactivity (e.g., 5 minutes);
• Require device encryption;
• Install anti-malware software on the device (particularly for Android devices; at the time of this article, there is not a good known anti-malware app for the iOS).

Policy Considerations

Additional control considerations may be included in either an acceptable use agreement or a BYOD policy. Below are common policy controls many institutions have chosen to implement:
• Prohibit modifying the device in such a way as to circumvent security controls (e.g., “jailbreaking,” “rooting,” etc.);
• Install security patches as they become available or are approved;
• Reserve the right and ability to wipe the device as necessary (e.g., if lost, stolen, employment is terminated, malware is suspected, etc.);
• Disclaim any liability for loss of personal information on the mobile device.

Other Considerations

Other questions and concerns you will likely want to consider during your risk assessment and policy creation phase include, but are not limited to:
• What kinds of mobile devices will be supported?
