HKCERT
Hong Kong Computer Emergency Response Team Coordination Centre

Security Guideline

Bring Your Own Device (BYOD) Security Guidelines

Release Date: 26 / 09 / 2013
Last Update: 08 / 03 / 2016

What is BYOD?

In the past, corporations purchased electronic devices, such as laptops and mobile phones, for staff who worked outside the office. The security of these devices was centrally managed by the IT department.

In recent years, as mobile devices have developed rapidly, staff can take advantage of smartphones and tablets to attain higher productivity. Staff can use their own mobile devices to check company e-mail and access company documents anytime, anywhere. This new model of work is called BYOD (Bring Your Own Device).

Security threats of BYOD

BYOD is a win-win policy. Staff can use their favourite devices and work as part of their daily life. At the same time, the company can save money and increase productivity. However, BYOD also brings security risks to the enterprise, such as data leakage and remote intrusion. Therefore, we provide these BYOD Security Guidelines to help you build a secure BYOD working environment.

BYOD Security Guidelines

This guideline is organized into four security areas: (1) information security policy and practice, (2) data communication and storage, (3) user and device authentication, and (4) application. Each area is covered from two perspectives: corporation and staff.

(1) Information Security Policy and Practice

Corporation
  • Analyze and determine which corporate information and services may be accessed from BYOD devices
  • Build a clear policy and best practice for BYOD, including allowed / denied activities
  • Provide training to educate staff and raise their security awareness

Staff

  • Understand and follow the policy and practice provided by the company
  • Ensure your own device complies with your corporation's security policy

(2) Data Communication and Storage

Corporation
  • Require BYOD devices to use a secure communication network, e.g. an encrypted WiFi network or a VPN
  • Set up a firewall between BYOD devices and the corporate network, and apply the security policy to it
  • Require BYOD devices to install anti-virus software, and ensure a device is clean before it connects to the corporate network
  • Restrict BYOD devices' access to the corporation's sensitive data
  • Require BYOD devices to have built-in encrypted storage
  • Ensure data on a BYOD device is completely removed before the device is disposed of or replaced

Staff

  • Use a secure communication network, and avoid using public WiFi networks
  • Disable communication features, e.g. WiFi, Bluetooth, NFC, GPS, when they are not in use
  • Encrypt the storage of the BYOD device
  • Ensure data on the BYOD device is completely removed before it is disposed of or replaced
  • Set up a backup or synchronization of the data on the device to the corporation's storage server
  • Keep your device safe. Do not leave your BYOD device unattended.

(3) User and Device Authentication

Corporation
  • Enroll BYOD devices under the staff member's identity, and block devices that are not registered
  • Enforce login authentication and a password policy when staff access the corporation's information and services
  • Require a secure screen lock password to be set up
  • Provide a device wipe function for replaced or disposed devices to remove the data on them
  • Remove the data on the device and de-register the account when a staff member leaves

Staff

  • Set up a secure screen lock password
  • Do not save any login account or password on the BYOD device
  • Wipe the BYOD device before replacing or disposing of it, and proactively ask the corporation to update the registration information
  • Remove the data and login settings from the BYOD device when you resign

(4) Application

Corporation
  • Define a white-list or black-list for app installation, such as blocking cloud services, to avoid data leakage
  • Deploy Mobile Device Management (MDM) software #
  • Require the device to set up a remote wipe application, so the data can be removed remotely if the device is lost

Staff

  • Install anti-virus and security software
  • Keep the system and applications up to date
  • If cloud services are used on the device, ensure they are set up properly and follow the information security policy
  • Install only trusted apps from the official app store, if a smart device is in use
  • Do not "jailbreak" or "root" the device, as this breaks the system security, if a smart device is in use

# Mobile Device Management

Mobile Device Management (MDM) software can help deploy security management on BYOD devices. When applying such software, the following four areas of security management should be considered:

Device management

  • Allow authorized device models only
  • Control the locations where the mobile device may be used
  • Create a profile and apply security group policy for the devices

Application management

  • Track and control running apps

Email/IM management

  • Ensure secure connection to corporate email / IM service
  • Ensure encrypted mailbox / IM history on the device

Content management

  • Secure sensitive files and folders
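The corporation-side controls in areas (2) to (4) above and the device-management role of MDM come down to one recurring decision: check a device's posture against the policy before it touches corporate services. The following Python is an added illustration of that check, not HKCERT's code and not any MDM product's API. The posture fields, the enrollment registry, the app block-list patterns and the minimum OS versions are all assumptions constructed for the example.

```python
# Added illustration (not HKCERT's code): a minimal posture check of the kind an
# MDM or network-access gateway performs before a BYOD device is allowed onto the
# corporate network. Every field, registry entry, pattern and threshold below is
# an assumption constructed for this example.
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Assumed enrollment registry: device id -> staff identity the device was enrolled under
ENROLLED_DEVICES = {"dev-001": "alice", "dev-002": "bob"}

# Assumed app block-list (glob patterns), e.g. consumer cloud-sync clients
BLOCKED_APP_PATTERNS = ["com.example.cloudsync*", "*.filedrop"]

# Assumed minimum OS versions per platform (constructed values)
MIN_OS_VERSION = {"ios": (9, 3), "android": (6, 0)}


@dataclass
class DevicePosture:
    """Self-reported device state as an MDM agent might collect it (assumed fields)."""
    device_id: str
    user: str
    platform: str
    os_version: str
    screen_lock: bool
    storage_encrypted: bool
    antivirus_installed: bool
    rooted: bool                       # jailbroken (iOS) or rooted (Android)
    installed_apps: list = field(default_factory=list)


def parse_version(text):
    """'9.3.5' -> (9, 3, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(posture, registry=ENROLLED_DEVICES, blocked=BLOCKED_APP_PATTERNS,
             min_os=MIN_OS_VERSION):
    """Return the list of guideline controls the device violates (empty = compliant)."""
    violations = []

    # (3) User and device authentication: only enrolled devices, under the right identity
    owner = registry.get(posture.device_id)
    if owner is None:
        violations.append("device not enrolled")
    elif owner != posture.user:
        violations.append(f"device enrolled to {owner}, presented by {posture.user}")
    if not posture.screen_lock:
        violations.append("no screen lock password")

    # (2) Data communication and storage: encrypted storage, anti-virus present
    if not posture.storage_encrypted:
        violations.append("storage not encrypted")
    if not posture.antivirus_installed:
        violations.append("anti-virus not installed")

    # (4) Application: no jailbreak/root, current OS, no block-listed apps
    if posture.rooted:
        violations.append("device is jailbroken or rooted")
    minimum = min_os.get(posture.platform.lower())
    if minimum is None:
        violations.append(f"unsupported platform: {posture.platform}")
    elif parse_version(posture.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        violations.append(f"OS version {posture.os_version} is below minimum {wanted}")
    for app in posture.installed_apps:
        if any(fnmatch(app, pattern) for pattern in blocked):
            violations.append(f"block-listed app installed: {app}")
    return violations


def network_decision(posture):
    """Firewall / gateway decision: 'allow' a compliant device, 'quarantine' the rest."""
    return "allow" if not evaluate(posture) else "quarantine"


# Constructed sample records: one compliant device and one with several violations
COMPLIANT = DevicePosture("dev-001", "alice", "iOS", "9.3.5", True, True, True, False,
                          ["mail.corp", "calendar.corp"])
NONCOMPLIANT = DevicePosture("dev-999", "carol", "iOS", "8.4", False, True, False, True,
                             ["com.example.cloudsync.app", "mail.corp"])

if __name__ == "__main__":
    for device in (COMPLIANT, NONCOMPLIANT):
        print(device.device_id, network_decision(device), evaluate(device))
```

The check reports every violated control rather than stopping at the first, which is what a help desk needs to bring a device into compliance, while the gateway decision itself is binary. Versions are compared as integer tuples because a string comparison would rank "10.0" below "9.3". A real deployment would feed `evaluate` from the MDM agent's attestation rather than from self-declared records, and would re-run it on each connection, since a device that was compliant at enrollment can later be rooted or fall behind on updates.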