7/27/2019 Enterprise_Mobility_BYOD.pdf
1/41
JUNE 2013
Risk Management of Enterprise Mobility
Including Bring Your Own Device
TABLE OF CONTENTS

Executive Summary - Introduction to Enterprise Mobility ........ 1
Potential Benefits of Enterprise Mobility ........ 2
Potential Benefits of Using Personally Owned Devices ........ 2
Develop an Enterprise Mobility Strategy ........ 3
Determine the Extent of Existing Enterprise Mobility ........ 3
Develop Business Cases With Suitable Mobility Approaches ........ 3
    Example Business Cases ........ 3
    Example Enterprise Mobility Approaches and Scenarios ........ 4
    Considerations for Choosing Enterprise Mobility Approaches ........ 6
Identify Regulatory Obligations and Legislation ........ 7
Allocate Budget and Personnel Resources ........ 8
Develop and Communicate Enterprise Mobility Policy ........ 9
    Technical Support ........ 10
    Financial Support ........ 11
Monitor the Implementation and Report to Management ........ 12
Facilitate Organisational Transformation ........ 12
Further Information ........ 12
Contact Details ........ 13
Appendix A: Arbitrary Unmanaged Devices for Internet Access ........ 14
    Corporately Enforced Risk Management Controls ........ 15
        Filtered and Monitored Network Traffic ........ 15
        Separation Between the Organisation's Corporate Network and the Guest WiFi Network ........ 15
        Corporate Workstations Configured to Block Access to Unauthorised Devices ........ 15
    User-reliant Risk Management Controls ........ 15
        Anti-malware Software ........ 15
        Avoid Behaviour that is Unauthorised, Excessive, Offensive or Unlawful ........ 16
Appendix B: Arbitrary Unmanaged Devices for Non-sensitive Data ........ 17
    Corporately Enforced Risk Management Controls ........ 17
        Segmentation and Segregation Between Devices and Organisational Systems ........ 17
        Web Application and Operating System Vulnerability Assessment and Security Hardening ........ 17
Appendix C: Corporately Approved and Partially Managed Devices for Sensitive Data ........ 18
    Corporately Enforced Risk Management Controls ........ 19
        Overview of Managed Separation, Remote Virtual Desktop and Mobile Device Management ........ 19
        Managed Separation ........ 22
        Remote Virtual Desktop Software ........ 22
        Mobile Device Management ........ 25
        Multi-factor Authentication ........ 26
        Encryption of Data in Transit ........ 27
        Remote Tracking, Locking and Wiping ........ 27
        Low Privileged Corporate User Accounts ........ 27
        Network Architecture Controlling Access to Organisational Data and Systems ........ 28
        Operating System Exploit Mitigation Mechanisms ........ 29
    User-reliant Risk Management Controls ........ 29
        Regular Backups of Work Data ........ 29
        Access to Emails, Files and Other Data of Archival Significance ........ 29
        Avoid Unauthorised Cloud Services for Data Backup, Storage or Sharing ........ 30
        Strong Passphrase Configuration Settings ........ 30
        Security Incident Reporting and Investigation ........ 31
        Avoid Jailbreaking and Rooting ........ 31
        Employee Education to Avoid Physical Connectivity with Untrusted Outlets or Devices ........ 31
        Employee Education about Bluetooth, Near Field Communication and Quick Response Codes ........ 32
        Employee Education to Avoid Installing Potentially Malicious Applications ........ 32
        Employee Education to Avoid Being Victims of Shoulder Surfing ........ 33
        Employee Education to Avoid Common Intrusion Vectors ........ 33
        Security Patches ........ 34
        Ownership of Intellectual Property and Copyright ........ 35
        Encryption of Data at Rest ........ 35
        Avoid Printing via Untrusted Systems ........ 36
        Personal Firewall ........ 36
Appendix D: Corporately Approved and Managed Devices for Highly Sensitive Data ........ 37
    Corporately Enforced Risk Management Controls ........ 37
        Device Selection ........ 38
        Mobile Application Management and Enterprise Application Stores ........ 38
EXECUTIVE SUMMARY - INTRODUCTION TO ENTERPRISE MOBILITY

Enterprise mobility enables employees to perform work in specified business case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees obtain increased flexibility to perform work regardless of their physical location.

This document is developed by the Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD), to provide senior business representatives with a list of enterprise mobility considerations. These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to assist readers to understand and help mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks are primarily due to the likelihood of devices storing unprotected sensitive data being lost or stolen [1], use of corporately unapproved applications and cloud services to handle sensitive data, inadequate separation between work-related use and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise due to legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation's budget and personnel resources.

Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations.

Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).

Business cases for enterprise mobility that involve accessing and potentially storing sensitive data might permit employees to use devices that are listed on a corporately approved shortlist of devices. Such devices are partially or completely corporately managed to enforce policy and technical risk management controls. These controls can include preventing unapproved applications from running and accessing sensitive data, applying patches to applications and operating systems in a timely manner, and limiting the ability of employees to use devices that are jailbroken, rooted or otherwise run with administrative privileges [2]. Optionally, some organisations might provide devices to employees, permit a reasonable degree of personal use, and retain ownership of the devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property.

Before implementing enterprise mobility for a specific business case, organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

[1] http://www.amta.org.au/pages/amta/The.Mobile.Phone.Industry.Statement
[2] http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
POTENTIAL BENEFITS OF ENTERPRISE MOBILITY

Potential benefits of enterprise mobility include:
- improved customer service delivery, business efficiency and productivity, especially for employees who work out of the office, are field agents, or who travel frequently
- improved productivity that is independent of an employee's physical location, and provides employees with the opportunity to be productive when otherwise idle such as when travelling on public transport
- enabling the recruitment of talented people from anywhere in the world who don't want to relocate to the city of the organisation's office
- flexible working hours enabling employees to blend personal time and professional time to achieve an integrated work-life balance
- opportunities to transition employees on extended leave back into the workplace sooner by working part-time from home
- reduced costs of real estate, building operations and building maintenance if employees hot-desk and are encouraged to work out of the office
- business continuity if employees are unable to work in the office, for example due to an air conditioning failure, power outage, public transport strike, flood, fire or other event
- environmental benefits such as reduced commuting to the office and reduced use of printed paper.

POTENTIAL BENEFITS OF USING PERSONALLY OWNED DEVICES

Potential benefits of using personally owned devices for enterprise mobility include:
- reduced hardware costs for the organisation if employees pay for their device; an increasing number of employees already own powerful devices, and employees might take better care of a device if they contribute their own money towards it
- freedom for employees to use devices that they prefer, are familiar with and have tailored to their usage preferences to increase their productivity
- negating the need for employees to carry a device for work use and another device for personal use
- improved employee job satisfaction, staff retention and recruitment of staff who desire the ability to use their own device
- leveraging modern technologies that empower employees to innovate faster and develop more efficient ways to do their job, by taking advantage of employees who refresh their software and hardware more regularly than organisations that provide outdated IT capability that is refreshed every 3-5 years.
DEVELOP AN ENTERPRISE MOBILITY STRATEGY

Developing an enterprise mobility strategy is fundamentally important to an organisation successfully implementing enterprise mobility to achieve business outcomes with an acceptable level of risk. In the absence of a strategy, the organisation's mobility might be driven by employees, without clear measures of success and without adequate consideration of risks.

An enterprise mobility strategy might involve starting with a pilot trial consisting of a small number of users and a business case that is low risk, high value and has clear measures of success. Subsequently reviewing the success of the trial, including the costs and the impact to the organisation's security posture, enables the organisation to make an informed decision as to whether to increase their use of enterprise mobility.

The following sections in this document provide guidance for the steps associated with implementing the enterprise mobility strategy that the organisation has developed.

DETERMINE THE EXTENT OF EXISTING ENTERPRISE MOBILITY

The extent of existing authorised and unauthorised enterprise mobility can be informed by talking to business representatives and employees, reviewing the organisation's asset inventory of assigned devices, and using security controls to detect:
- rogue WiFi access points located on the organisation's premises
- unauthorised devices accessing the corporate network or accessing the Internet via the organisation's network infrastructure
- employees obtaining a copy of organisational data via removable storage media, email or cloud services.

DEVELOP BUSINESS CASES WITH SUITABLE MOBILITY APPROACHES

Justified business cases for enterprise mobility have tangible and measured benefits to the organisation, its employees and customers. These benefits outweigh the risks and costs to the organisation. Clearly defining each business case, including specifying what organisational data needs to be accessed, provides a better understanding of the opportunities and benefits versus the risks and costs to the organisation.

Example Business Cases

Organisations developing enterprise mobility business cases might decide to permit employees to:
- collaborate with other employees via instant messaging or video conferencing
- use work-related software including applications developed by the organisation
- send, receive and print work-related emails with file attachments
- access, develop, print, store and share work-related files that reside in data repositories such as SharePoint, network shares or enterprise grade cloud storage
- access calendars, contacts, intranet websites and intranet web applications
- access the Internet using the organisation's network infrastructure.

Example Enterprise Mobility Approaches and Scenarios

An example enterprise mobility implementation might involve a combination of the following approaches.

Scenario A: This scenario involves using devices with a hardware model and operating system version that:
- is arbitrarily chosen by the employee
- has minimal risk management controls applied; further details are provided in Appendix A
- is corporately unmanaged
- is used to access the Internet via the organisation's network infrastructure.

Scenario B: This scenario involves using devices with a hardware model and operating system version that:
- is arbitrarily chosen by the employee
- has minimal risk management controls applied; further details are provided in Appendix B
- is corporately unmanaged
- is used to access non-sensitive data.

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer-based training courses and unclassified intranet web applications.

Scenario C: This scenario involves using devices with a hardware model and operating system version that:
- is chosen by the employee from a corporately approved shortlist
- has moderate risk management controls applied; further details are provided in Appendix C
- uses corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
- uses a corporately managed mechanism to access and potentially store sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.
For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive: Legal or Sensitive: Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

Scenario D: This scenario involves using devices with a hardware model and operating system version that:
- is chosen by the employee from a corporately approved shortlist
- has comprehensive risk management controls applied; further details are provided in Appendix D
- is completely corporately managed, for example using ASD evaluated BlackBerry Enterprise Server [3] or Apple Configuration Profiles combined with Supervised Mode [4]
- potentially includes corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
- uses a corporately managed mechanism to access and potentially store highly sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.

For Australian government agencies, highly sensitive data is defined for the purpose of this document as data up to PROTECTED.

The comprehensive risk management controls might restrict the device's functionality to an extent that would overly frustrate an employee using a personally owned device. Therefore, devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Devices on the shortlist might be limited to smartphones and tablets that are part of a single vendor's ecosystem due to the required compatibility with risk management controls. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

[3] http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MTE2IyMjMjAzLjYuNjkuMg==
[4] http://www.dsd.gov.au/publications/iOS5_Hardening_Guide.pdf
Figure 1. Example enterprise mobility scenarios vary in their suitability to handle sensitive data, their cost and their impact to the employee's user experience.
Considerations for Choosing Enterprise Mobility Approaches

When selecting an enterprise mobility approach for a particular business case, consider the employee's job role, the sensitivity of the data to be accessed, risk management controls and their impact to employee privacy and user experience. Also consider whether the level of residual risk is acceptable to the organisation, and costs to the organisation such as the level of technical support and financial support provided to employees.

These considerations are represented in Figure 1 which reflects the example enterprise mobility scenarios mentioned previously. Detailed risk management controls for each enterprise mobility scenario are provided in the appendices of this document.
[Figure 1: Characteristics of Example Enterprise Mobility Scenarios. Horizontal axis: Degree of Device Ownership, from Employee to Organisation. Vertical axis: Security Posture, User Experience Impact, Technical and Financial Support, from Low to High. Scenario A: corporately unmanaged arbitrary device model and OS, to access the Internet via the organisation's network. Scenario B: corporately unmanaged arbitrary device model and OS, to access non-sensitive data. Scenario C: corporately approved device model and OS, with corporately managed access/storage for sensitive data, separating personal and work data. Scenario D: corporately managed and approved device model and OS, to access/store highly sensitive data, potentially separating personal and work data.]
IDENTIFY REGULATORY OBLIGATIONS AND LEGISLATION

ASD develops and publishes the Australian Government Information Security Manual (ISM) [5]. The ISM advises that legal advice must be obtained before allowing personally owned devices to connect to organisational systems. Neither the ISM nor this document are to be considered as legal advice. An organisation's legal representatives must determine to what extent enterprise mobility can be used based on regulatory obligations and legislation affecting their organisation. Relevant legislation includes the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 [6], state and territory privacy laws including Acts covering surveillance of employees [7], the Archives Act 1983 and the Freedom of Information Act 1982. Organisations need to maintain an awareness of relevant legislation and address any associated impacts to their organisation.

Aspects of enterprise mobility requiring legal advice might include:
- whether the organisation is permitted to monitor devices and network traffic to identify policy violations and other security incidents
- whether the organisation is permitted to monitor the use of personally owned devices outside of the organisation's premises, including remotely locating and tracking a device's location based on the device's GPS coordinates, nearby mobile cell towers or the location of nearby known WiFi networks
- whether the organisation is permitted to access personal data stored on a device when performing a security or legal investigation; personal data includes emails, history of websites accessed, calendar, contacts and photos, as well as personal data stored in the employee's personal consumer grade webmail or cloud storage account
- what action an organisation should take if violations of civil law or criminal law are accidentally discovered while analysing an employee's device or network traffic
- insurance and liability for compensation, repair or replacement of an employee's device that is lost, stolen, compromised with malware or is otherwise damaged and potentially causes injury; such damage might occur through no fault of the employee's, including while using the device in the office for work-related purposes
- legal liability resulting from an organisation remotely wiping personal data [8], especially if the device is owned by someone who has not provided written consent, such as the estate of a deceased employee

[5] http://www.dsd.gov.au/infosec/ism/index.htm
[6] http://www.oaic.gov.au/privacy-portal/resources_privacy/Privacy_law_reform.html
[7] http://www.privacy.gov.au/law/states
[8] http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone
- legal liability to the organisation resulting from employees having or transferring to organisational systems any software or data that is pirated, infringing copyright or is inappropriately licenced [9]
- legal liability resulting from devices spreading malware or otherwise harming other computers
- whether the organisation or the employee owns the intellectual property and copyright of work that is performed on an employee's device, especially if performed outside of traditional business hours.

ALLOCATE BUDGET AND PERSONNEL RESOURCES

Organisations implementing enterprise mobility might encounter a variety of costs such as:
- subsidising or completely paying for the cost of devices and associated work-related expenses
- responding to security breaches, policy violations and regulatory compliance violations
- personnel resources needed from a variety of sections across the organisation to collaboratively develop the enterprise mobility strategy and associated policies
- implementing risk management controls such as licencing security software and user education
- upgrading the organisation's IT infrastructure including the WiFi network [10], Internet bandwidth, as well as the data centre's network, storage and server processing capacity
- cyber security personnel to architect the IT infrastructure and perform ongoing device management, monitoring and reporting
- additional software Client Access Licences for Microsoft Windows server and client operating systems as well as for Microsoft Office, especially if the organisation pays for software licences per device instead of per user
- training IT help desk staff to support a variety of devices, at a minimum providing employees with configuration settings and basic training to connect to permitted organisational networks and systems
- modifying intranet websites and web applications to support a variety of web browsers
- enhancing identity and access management infrastructure to perform authentication and authorisation of employees and devices
- developing mobile web applications or native software applications to interact with organisational data, potentially requiring the use of middleware solutions enabling access to data storage repositories.

[9] http://www.zdnet.com/au/byod-could-open-businesses-to-copyright-litigation-bsa-7000010533/
[10] http://www.dsd.gov.au/publications/csocprotect/wireless_network_security_tech_advice.htm
DEVELOP AND COMMUNICATE ENTERPRISE MOBILITY POLICY

ASD's ISM advises that enterprise mobility policy must be developed to govern the use of devices accessing organisational data.

Policy relies on user adherence and is likely to be more effective if it exhibits the following characteristics:

• offers enterprise mobility as opt-in instead of mandatory, unless the organisation is willing to completely pay for the cost of devices and associated work-related costs
• is jointly developed by an advisory board consisting of stakeholders including the cyber security team, system and network administrators, human resources, finance, legal, senior management and employees. This consultative process helps to ensure that stakeholders have had input, are willing to adhere to the policy and accept any additional responsibilities to protect organisational data
• clearly states what types of organisational data are permitted to be accessed from which devices and which applications. The absence of an application strategy might result in employees using applications that haven't been vetted by the organisation to determine their potential to expose sensitive data
• clearly states how organisational data is permitted to be stored and distributed, for example using corporately managed data repositories such as SharePoint, network shares or enterprise grade cloud storage, while avoiding the use of consumer grade cloud storage and personal consumer grade webmail
• clearly states which risk management controls apply and deters employees from circumventing these controls by helping employees to understand why policy rules exist
• requires employees to sign an Acceptable Use Policy that clearly states the required behaviour expected from employees and the consequences of violations
• is communicated throughout the organisation to enable employees to understand their obligations and the policy, to ensure full awareness of the existence of the policy and ramifications of non-compliance. The organisation needs to determine which business representatives are responsible for remediating non-compliance, which is complemented by a documented dispute escalation and resolution process
• is complemented by technical risk management controls to enforce the policy and detect violations, especially in cases where an employee dishonours their written agreement to adhere to the policy
• minimises negative impacts to the employee's user experience. Negative impacts include requiring a very complex unlock passphrase, automatically locking a device's screen after a very short idle timeout period, excessively limiting a device's functionality, and deleting personal data when wiping an entire device remotely or after a very small number of consecutive incorrect unlock passphrase attempts
• states the technical support and financial support that employees can obtain
• documents the onboarding process for employees to obtain signed approval from their manager, register their device, have the organisational policy applied, and potentially have software installed on their device to assist the organisation to configure and manage the device
• documents the offboarding process to remove organisational software and data from devices that are lost, stolen or deprovisioned including when employees cease employment
• provides a business representative point of contact in case employees have feedback about the policy
• is reviewed and refined if necessary, initially on a quarterly basis while enterprise mobility is still new to the organisation, and then on an annual basis.

Surveying employees can help reveal whether they would be willing to accept the policy and participate in enterprise mobility business cases, noting that some employees might perceive that:

• their privacy will be invaded
• personal data stored on their device will be deleted or exposed
• costs will be shifted from the organisation to them
• the functionality of their device will be excessively limited
• they will be expected to be on call to answer emails and phone calls at all times outside of traditional business hours.

Technical Support

It is impractical for an organisation's IT help desk to support devices from a large variety of manufacturers running a large variety of operating systems with a large variety of configuration settings. Therefore, the amount of technical support provided to employees depends on the organisation's personnel resources, whether devices are listed on a corporately approved shortlist of devices, and the degree to which devices are necessary for employees to perform their job. Technical support might include:

• providing guests, contractors and other employees with details of how to connect to the organisation's guest Wi-Fi network to access the Internet
• providing employees with details of how to connect to permitted organisational networks and systems, and the organisation obtaining visibility of security incidents that place the organisation's data at risk
• providing an internal self-service community support web forum enabling employees to assist each other, with the IT help desk advertising the existence of the internal web forum and occasionally contributing to web forum discussions to answer frequently asked questions. An internal web forum helps to mitigate the risk of employees disclosing details about the organisation's network infrastructure configuration when seeking assistance on publicly visible Internet forums
• providing employees with as much technical support as the IT help desk is capable of, including a short-term loan of a device to keep an employee productive while they get their damaged device repaired
• providing employees with full technical support, including replacing damaged or broken devices.

Financial Support

Financial support might have Fringe Benefit Tax implications due to the organisation paying for a device or Internet and telecommunications connectivity that is used for personal use, especially outside of business hours[11]. The amount of financial support provided to employees depends on the organisation's financial resources and the degree to which devices are necessary for employees to perform their job. Financial support might include:

• acknowledging work-related costs incurred in support of employees making tax deductible claims
• providing employees with a taxable allowance or stipend, or otherwise subsidising or reimbursing the cost of a device, contractually obligating employees to repay a pro rata portion if they cease employment within a set time period
• providing employees with a device that is completely paid for by the organisation, contractually obligating employees to return the device if they cease employment within a set time period or if the organisation retains ownership of the device
• providing employees with reimbursement for the work-related portion of the monthly bill from the employee's telecommunications carrier and Internet Service Provider, noting that rates associated with a consumer plan might be higher than rates associated with a corporate plan
• providing employees with a corporate SIM card or otherwise arranging Internet and telecommunications connectivity via a corporate plan, using an automated process to recover the employee's portion of the monthly bill via payroll based on criteria that indicate personal use. Expensive data roaming charges for employees travelling overseas can be mitigated by providing employees with a prepaid SIM card associated with a telecommunications carrier in the foreign country, or by disabling data roaming via Mobile Device Management to only allow Wi-Fi data connectivity[12]
• providing employees with reimbursement for the cost of essential work-related software, noting that software licenced to an employee via a consumer licence instead of an enterprise licence is unlikely to be transferable to a different employee
• providing employees with reimbursement for the cost of essential peripherals and accessories.
11 http://www.ato.gov.au/businesses/content.aspx?doc=/content/00167381.htm
12 http://www.zdnet.com/au/telstra-phone-theft-bill-shock-shows-roaming-still-broken-7000008331/
7/27/2019 Enterprise_Mobility_BYOD.pdf
15/41
12
MONITOR THE IMPLEMENTATION AND REPORT TO MANAGEMENT

Ongoing monitoring of the enterprise mobility implementation includes reviewing logs from Mobile Device Management and other log sources such as network logs, user authentication logs and security software.

Regular reporting to management helps them to understand and address unacceptable risks, and assess whether the benefits of enterprise mobility to the organisation justify the risks and costs to the organisation.

Information to report to management includes:

• the degree of compliance with regulatory obligations, legislation and organisational policies
• the severity and number of policy violations and other security incidents
• the names of employees who are regularly involved in policy violations and other security incidents
• costs of IT infrastructure including network upgrades, Internet bandwidth, data storage and server processing capacity
• costs of risk management controls
• costs of providing employees with technical support and financial support
• the names of employees causing an excessive cost burden due to their use of Internet bandwidth, data storage, technical support or financial support.

FACILITATE ORGANISATIONAL TRANSFORMATION

Organisations might update their business processes to leverage enterprise mobility, potentially even transforming the organisation to embrace opportunities such as activity based working[13] by:

• reviewing the success of enterprise mobility pilot trials, including the costs and the impact to the organisation's security posture
• reviewing and updating the organisation's enterprise mobility strategy
• making an informed decision whether to increase the scope of enterprise mobility to identify and pursue additional innovative cost effective opportunities to improve customer service delivery, efficiency and productivity with a level of risk that is acceptable to the organisation.

FURTHER INFORMATION

This document complements the advice in ASD's ISM and relevant guidance available at http://www.dsd.gov.au.

13 http://www.smh.com.au/it-pro/business-it/kpmg-testruns-future-workplace-20121119-29m1j.html
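The monitoring and reporting section above names the log sources to review (Mobile Device Management, network logs, user authentication logs, security software) and the items to report to management. The following Python script is an added example, not code from the ASD paper, showing how several of those report items can be derived from such logs: the latest compliance status per device, violations by severity, employees repeatedly involved in violations (including a burst of failed logons detected from the authentication log), and employees exceeding a bandwidth quota. The single-line key=value log format, the field names, the sample events and the thresholds are constructed assumptions; a real product's logs would need their own parser.

```python
"""Derive management-report metrics from enterprise mobility logs.

Added example, not code from the ASD paper. The single-line key=value log
format, the field names and the thresholds are constructed assumptions; a
real MDM, authentication or proxy log would need its own parser.
"""
from collections import Counter

# Constructed sample events from the three log sources the paper names:
# Mobile Device Management (src=mdm), user authentication (src=auth) and
# network/proxy usage (src=proxy). Timestamps are ISO 8601 so they sort as text.
SAMPLE_LOGS = """\
2013-06-03T08:12:05Z src=mdm user=alice device=D-1001 event=compliance status=compliant
2013-06-03T08:15:40Z src=mdm user=bob device=D-2002 event=compliance status=noncompliant reason=passcode_disabled severity=high
2013-06-03T08:16:02Z src=mdm user=bob device=D-2002 event=unapproved_app severity=medium
2013-06-03T09:01:17Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:01:25Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:01:33Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:02:00Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:02:09Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:02:20Z src=auth user=bob device=D-2002 result=failure
2013-06-03T09:30:00Z src=mdm user=carol device=D-3003 event=compliance status=compliant
2013-06-03T10:05:00Z src=proxy user=carol device=D-3003 bytes=3221225472 category=streaming
2013-06-03T10:40:00Z src=proxy user=alice device=D-1001 bytes=52428800 category=business
2013-06-03T11:00:00Z src=mdm user=dave device=D-4004 event=jailbreak_detected severity=critical
2013-06-03T12:00:00Z src=mdm user=bob device=D-2002 event=compliance status=compliant
2013-06-04T08:00:00Z src=mdm user=dave device=D-4004 event=compliance status=noncompliant reason=jailbroken severity=critical
"""


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_auth_bursts(events, threshold):
    """One medium-severity incident per (user, device) with >= threshold failed logons."""
    failures = Counter()
    for ev in events:
        if ev.get("src") == "auth" and ev.get("result") == "failure":
            failures[(ev["user"], ev["device"])] += 1
    return [
        {"user": user, "device": dev, "event": "auth_failure_burst",
         "severity": "medium", "count": n}
        for (user, dev), n in sorted(failures.items()) if n >= threshold
    ]


def build_report(log_text, quota_bytes, repeat_threshold=2, auth_threshold=5):
    """Return the report items from the paper's list that can be derived from logs."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    latest_status = {}      # device -> most recent MDM compliance status
    violations = []         # MDM events that carry a severity
    bandwidth = Counter()   # user -> bytes transferred via the proxy
    for ev in events:
        if ev.get("src") == "mdm":
            if ev.get("event") == "compliance":
                latest_status[ev["device"]] = ev["status"]
            if "severity" in ev:
                violations.append(ev)
        elif ev.get("src") == "proxy":
            bandwidth[ev["user"]] += int(ev["bytes"])
    violations += detect_auth_bursts(events, auth_threshold)
    compliant = sum(1 for s in latest_status.values() if s == "compliant")
    per_user = Counter(v["user"] for v in violations)
    return {
        "devices_checked": len(latest_status),
        "compliance_rate": compliant / len(latest_status) if latest_status else None,
        "violations_by_severity": dict(Counter(v["severity"] for v in violations)),
        "repeat_offenders": sorted(u for u, n in per_user.items() if n >= repeat_threshold),
        "bandwidth_by_user": dict(bandwidth),
        "over_quota": sorted(u for u, b in bandwidth.items() if b > quota_bytes),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_LOGS, quota_bytes=1024 ** 3)  # 1 GiB constructed quota
    for key, value in report.items():
        print(f"{key}: {value}")
```

The compliance rate uses each device's most recent MDM check rather than a count of all checks, so a device that was remediated during the period is reported as compliant; the names of repeat offenders and over-quota users are the two "names of employees" items the paper asks to be reported, and the cost items it lists (infrastructure, controls, support) come from finance records rather than logs and are out of scope here.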
7/27/2019 Enterprise_Mobility_BYOD.pdf
16/41
13
CONTACT DETAILS

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance at or by calling 1300 CYBER1 (1300 292 371).

Australian businesses or other private sector organisations seeking further information should contact CERT
APPENDICES

Using the Appendices

These appendices provide guidance for four different example enterprise mobility implementation scenarios.

APPENDIX A: ARBITRARY UNMANAGED DEVICES FOR INTERNET ACCESS

This appendix provides guidance to manage risks associated with Scenario A. This scenario involves devices with a hardware model and operating system version that:

• is arbitrarily chosen by the employee
• has minimal risk management controls applied
• is corporately unmanaged
• is used to access the Internet via the organisation's network infrastructure.

This implementation can enable organisations to apply more stringent web content filtering controls on the corporate network to reduce the risk of corporate workstations becoming compromised.

High level objectives associated with this example scenario include:

• avoid unauthorised access to the organisation's corporate network to help prevent employees introducing malware onto organisational systems or exposing sensitive data
• mitigate the threat of sensitive work-related discussions being recorded by Internet telephony, voice recognition or other voice recording applications
• maintain the availability of organisational Internet connectivity at an acceptable cost
• reduce the risk of legal liability to the organisation resulting from:
  o compromised devices spreading malware or harming other computers on the Internet
  o employees downloading copyright infringing movies, music or software from the Internet
  o software or data that is pirated, infringing copyright, or used for work-related purposes even though it is only licenced for home use, non-commercial use or educational use
  o employees accessing pornography or other offensive material while in the office, during working hours, from devices subsidised by the organisation or via the organisation's network infrastructure.
Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Filtered and Monitored Network Traffic

Implement:

• basic Internet web content filtering to block access to known piracy, pornographic and offensive websites
• bandwidth throttling and Quality of Service to prioritise work-related network traffic
• bandwidth quotas per user and per device to prevent employees from using excessive bandwidth
• network traffic logging, archiving and monitoring to help identify policy violations and security incidents.

Separation Between the Organisation's Corporate Network and the Guest Wi-Fi Network

Separate the organisation's internal corporate network from the guest Wi-Fi network that enables corporately unmanaged and untrustworthy devices to access the Internet.

Corporate Workstations Configured to Block Access to Unauthorised Devices

Configure corporate workstations to block access to unauthorised devices, for example USB devices[14][15], Bluetooth devices, Wi-Fi access points, mobile hotspots and other devices with 3G/4G connectivity. This helps mitigate the risk of corporate workstations either exchanging data with unauthorised devices, or tethering to devices and accessing the Internet via an unmonitored and unfiltered Internet gateway.

User-reliant Risk Management Controls

The following technical controls and policy controls to manage risk rely on employees complying with policy.

Anti-malware Software

Obtain written employee agreement to use anti-malware software which helps mitigate devices being compromised. This control is less applicable to devices that use a strong sandbox design, and limit the execution of applications to only those that are cryptographically signed by a trusted authority and originate from an application marketplace with a good history of curation to exclude malware[16].

14 http://www.securelist.com/en/blog/805/Mobile_attacks
15 http://www.dsd.gov.au/videos/cybersense1.htm
16 http://www.apple.com/ipad/business/it-center/security.html
7/27/2019 Enterprise_Mobility_BYOD.pdf
19/41
16
Additional Information

The organisation might offer anti-malware software free of charge when employees access the Internet via a captive portal and agree to the policy.

Signature-based antivirus software is a reactive approach that is unlikely to protect against targeted malware that the anti-virus vendor doesn't have visibility of. Anti-malware software extends signature-based antivirus software to typically include heuristic detection, identification of applications behaving suspiciously, as well as reputation checking of applications and websites accessed.

Avoid Behaviour that is Unauthorised, Excessive, Offensive or Unlawful

Obtain written employee agreement to:

• only access organisational systems or data that they are explicitly permitted to access
• avoid sensitive work-related discussions being recorded by Internet telephony, voice recognition[17] or other voice recording applications
• use organisational Internet connectivity as per existing policy, which might disallow accessing offensive and copyright infringing content, disallow excessive use of Internet bandwidth for example via personal use of YouTube, and require employees to accept the risk of their device being compromised
• ensure that their device doesn't contain or transfer to organisational systems any software or data that is pirated, infringing copyright, or used for work-related purposes even though it is only licenced for home use, non-commercial use or educational use
• not deliberately access pornography or other offensive material while in the office, during working hours, from devices subsidised by the organisation, or via the organisation's network infrastructure

Australian Public Service employees are bound by the Australian Public Service Code of Conduct and Values even when working out of the office using their own device.

17 http://www.zdnet.com/apple-stores-your-voice-data-for-two-years-7000014216/
7/27/2019 Enterprise_Mobility_BYOD.pdf
20/41
17
APPENDIX B: ARBITRARY UNMANAGED DEVICES FOR NON-SENSITIVE DATA

This appendix provides guidance to manage risks associated with Scenario B. This scenario involves devices with a hardware model and operating system version that:

• is arbitrarily chosen by the employee
• has minimal risk management controls applied
• is corporately unmanaged
• is used to access non-sensitive data.

For Australian government agencies, non-sensitive data is defined for the purpose of this document as data that is unclassified. Examples of non-sensitive data are unclassified computer-based training courses and unclassified intranet web applications.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix A which covers arbitrary corporately unmanaged devices used to access the Internet via the organisation's network infrastructure. High level objectives associated with the example scenario in Appendix B also include:

• avoid unauthorised access to organisational systems and data
• avoid untrustworthy devices compromising organisational systems that are permitted to be accessed.

Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Segmentation and Segregation Between Devices and Organisational Systems

Appropriately architect and segment the organisation's corporate network using a combination of security enforcing mechanisms such as firewalls, reverse proxies, Virtual Local Area Networks and Virtual Private Networks. This helps mitigate devices accessing unauthorised organisational systems and data.

Web Application and Operating System Vulnerability Assessment and Security Hardening

Perform vulnerability assessments and security hardening of web applications and operating systems running on organisational systems that are permitted to be accessed. This helps mitigate devices compromising organisational systems and their data.
APPENDIX C: CORPORATELY APPROVED AND PARTIALLY MANAGED DEVICES FOR SENSITIVE DATA

This appendix provides guidance to manage risks associated with Scenario C. This scenario involves devices with a hardware model and operating system version that:

• is chosen by the employee from a corporately approved shortlist
• has moderate risk management controls applied
• uses corporately managed separation of organisational data and personal data, for example using remote virtual desktop software, a managed container or partitioning functionality built into the operating system
• uses a corporately managed mechanism to access and potentially store sensitive data, for example using remote virtual desktop software or corporately approved native applications combined with a Virtual Private Network.

For Australian government agencies, sensitive data is defined for the purpose of this document as data that is unclassified with dissemination limiting markers such as For Official Use Only (FOUO), Sensitive, Sensitive: Legal or Sensitive: Personal. Examples of sensitive data are corporate emails, calendars and contacts, as well as files residing in SharePoint, network shares or enterprise grade cloud storage.

Devices in this scenario might be provided to employees by the organisation, with a reasonable degree of personal use permitted. Organisations might retain ownership of devices for legal reasons that facilitate the organisation monitoring devices, remotely wiping sensitive data, performing security and legal investigations, and retaining ownership of intellectual property. Enabling employees to choose a device from a corporately approved shortlist is referred to by some vendors as Choose Your Own Device, especially if the device is purchased, owned and managed by the organisation.

This appendix builds upon and incorporates the high level objectives and risk management controls discussed in Appendix B which covers arbitrary corporately unmanaged devices used to access non-sensitive data. High level objectives associated with the example scenario in Appendix C also include:

• protect the organisation's financial investment in the cost of devices
• maintain the availability and integrity of organisational data for business continuity
• maintain the confidentiality of sensitive data
• maintain corporate ownership of organisational data created by employees using their device
• rapidly respond to policy violations, data spills and other security incidents
• be able to perform electronic discovery for litigation cases and freedom of information requests.
Some of the risk management controls described in this appendix might be unnecessary or impractical depending on the organisation's business case, the sensitivity of data accessed by devices, the use of other risk management controls, and the type of device, noting that some controls focus primarily on smartphones and tablets rather than laptops.

An example shortlist of devices from which employees can choose is a smartphone or tablet device running:

• iOS version 5.1 or later[18]
• BlackBerry version 5 or later
• Windows version 8 or later
• Android version 4 or later running on devices from specifically named hardware manufacturers with a history of distributing security updates in a timely manner.

The shortlist of devices is regularly updated to reflect newly available devices on the market and is limited to only devices that:

• the organisation has the technical knowledge to support, resulting in more predictable support costs
• meet minimum requirements specified by the organisation, including compatibility with the organisation's chosen risk management controls such as Mobile Device Management as well as managed separation mechanisms such as managed containers
• are compatible with required business applications developed by the organisation and by third parties
• provide the organisation with adequate assurance of the device's ability to appropriately protect sensitive data
• comply with Australian legislation[19] and are covered by Australian warranties.

Corporately Enforced Risk Management Controls

The organisation is able to manage risk by enforcing the following technical controls.

Overview of Managed Separation, Remote Virtual Desktop and Mobile Device Management

ASD's ISM advises that devices without ASD approved encryption should not store unclassified FOUO/Sensitive data and must not store classified data. Additionally, ASD's ISM advises that employees should be prevented from installing unapproved applications that can access unclassified FOUO/Sensitive data or classified data.

18 Mention of any vendor product is for illustrative purposes only and does not imply ASD's endorsement of the product. All trademarks are the property of their respective owners.
19 http://www.acma.gov.au/webwr/_assets/main/lib310037/summary%20of%20labelling%20requirements%20-%20fs89.pdf
7/27/2019 Enterprise_Mobility_BYOD.pdf
23/41
20
Risk management controls used to follow this guidance include using managed separation such as an encrypted managed container, preferably combined with Mobile Device Management to provide some basic assurance in the device's underlying operating system configuration, or using appropriately configured remote virtual desktop software.

Use of the phrase remote virtual desktop software in this document incorporates virtualised applications and Virtual Desktop Infrastructure (VDI).

Organisations might choose to use managed separation for some business cases such as an ASD evaluated encrypted managed container[20] on evaluated smartphones[21] with small screens, and remote virtual desktop software for other business cases such as unevaluated devices or devices with large screens.

Detailed information about managed separation, remote virtual desktop software and Mobile Device Management is provided in the following pages of this appendix. Figure 2 shows the comparative ability of these risk management controls to protect organisational data and their negative impact to the employee's user experience. All of the implementations shown include basic risk management controls such as applying vendor security patches in a timely manner, using up-to-date anti-malware software and performing backups of work data to backup servers specified by the organisation. These risk management controls won't prevent a malicious employee from copying organisational data by taking a screenshot or photograph of their device's screen.

20 http://www.dsd.gov.au/infosec/epl/index_details.php?product_id=MzA5IyMjMjAzLjYuNjkuMg==
21 http://www.dsd.gov.au/infosec/epl/
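The example shortlist in this appendix (iOS 5.1, BlackBerry 5, Windows 8, Android 4 on named manufacturers), the ISM advice that devices without ASD approved encryption should not store FOUO/Sensitive data and that unapproved applications must be kept away from it, and the choice above between an encrypted managed container (preferably with MDM) and remote virtual desktop software can be combined into one enrolment-time decision. The following Python is an added example, not code from the ASD paper or from any MDM product, that evaluates a device's posture and returns the most sensitive use it may be put to together with the reasons. The posture field names, the Android manufacturer allow-list (a placeholder, since the paper names no manufacturers) and the mapping of outcomes to "store", "access only" and "non-sensitive" are constructed assumptions.

```python
"""Check a device's posture against a corporately approved shortlist and decide
the most sensitive organisational data it may be used for.

Added example, not code from the ASD paper or any MDM product. The minimum
versions are the paper's example shortlist; the posture field names, the
Android manufacturer allow-list and the 'store' versus 'access only' mapping
are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Example shortlist minimums from the paper (iOS 5.1, BlackBerry 5, Windows 8, Android 4).
SHORTLIST_MIN_VERSION = {"ios": (5, 1), "blackberry": (5,), "windows": (8,), "android": (4,)}
# Constructed placeholder: the paper refers to "specifically named hardware
# manufacturers with a history of distributing security updates in a timely
# manner" without naming any.
ANDROID_APPROVED_MANUFACTURERS = {"exampleco", "samplemaker"}


def parse_version(text):
    """'5.0.1' -> (5, 0, 1); tuples compare element by element against the minimum."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DevicePosture:
    platform: str
    os_version: str
    manufacturer: str = ""
    mdm_enrolled: bool = False             # MDM gives assurance of OS configuration
    managed_container: bool = False        # managed separation of org and personal data
    asd_approved_encryption: bool = False  # container/device crypto is ASD approved
    app_install_restricted: bool = False   # unapproved apps cannot reach org data
    remote_virtual_desktop: bool = False   # data stays in the data centre


def on_shortlist(device):
    """Return (listed, reason) for the example shortlist."""
    platform = device.platform.lower()
    minimum = SHORTLIST_MIN_VERSION.get(platform)
    if minimum is None:
        return False, f"{device.platform} is not a shortlisted platform"
    try:
        version = parse_version(device.os_version)
    except ValueError:
        return False, f"unparseable OS version {device.os_version!r}"
    if version < minimum:
        wanted = ".".join(str(p) for p in minimum)
        return False, f"{device.platform} {device.os_version} is below minimum {wanted}"
    if platform == "android" and device.manufacturer.lower() not in ANDROID_APPROVED_MANUFACTURERS:
        return False, f"Android manufacturer {device.manufacturer!r} is not on the approved list"
    return True, "on the corporately approved shortlist"


def evaluate(device):
    """Decide the highest permitted use: 'sensitive-store', 'sensitive-access-only'
    or 'non-sensitive', with the reasons behind the decision."""
    listed, why = on_shortlist(device)
    reasons = [why]
    if not listed:
        # Arbitrary, corporately unmanaged device: at most non-sensitive data (Appendix B).
        return {"shortlisted": False, "highest_permitted": "non-sensitive", "reasons": reasons}
    can_store = True
    if not device.managed_container:
        can_store = False
        reasons.append("no managed separation for organisational data stored on the device")
    if not device.asd_approved_encryption:
        can_store = False
        reasons.append("ISM: without ASD approved encryption the device should not store FOUO/Sensitive data")
    if not device.app_install_restricted:
        can_store = False
        reasons.append("ISM: unapproved applications must be prevented from accessing sensitive data")
    if not device.mdm_enrolled:
        reasons.append("no MDM assurance of the underlying operating system configuration")
    if can_store:
        level = "sensitive-store"
    elif device.remote_virtual_desktop:
        level = "sensitive-access-only"
        reasons.append("sensitive data is accessed via remote virtual desktop and not stored on the device")
    else:
        level = "non-sensitive"
    return {"shortlisted": True, "highest_permitted": level, "reasons": reasons}


if __name__ == "__main__":
    for d in (
        DevicePosture("iOS", "6.1", mdm_enrolled=True, managed_container=True,
                      asd_approved_encryption=True, app_install_restricted=True),
        DevicePosture("Android", "4.2", manufacturer="ExampleCo",
                      mdm_enrolled=True, remote_virtual_desktop=True),
        DevicePosture("iOS", "5.0.1"),
    ):
        print(d.platform, d.os_version, "->", evaluate(d)["highest_permitted"])
```

MDM enrolment is recorded as a reason rather than a hard requirement because the paper says the container is "preferably" combined with MDM; an organisation that treats MDM as mandatory for Scenario C would move that check into the `can_store` conditions. Classified data is deliberately never granted here, since the ISM advice quoted only rules it out for devices without approved encryption and says nothing about when it may be stored.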
7/27/2019 Enterprise_Mobility_BYOD.pdf
24/41
21
Figure 2. Risk management controls vary in their ability to protect organisational data and their negative impact to the employee's user experience.

[Figure 2: Trade-off of Risk Management Controls Between Security and User Impact. Vertical axis: Ability to Protect Organisational Data, from Low (e.g. non-sensitive data) to High (e.g. PROTECTED data). Horizontal axis: Impact to User Experience, from Low to High. Controls plotted, listed in the order they appear in the figure text from the high-protection end to the low-protection end:
• Device running software and crypto evaluated by ASD, configured as per ASD's hardening guide, and managed by the organisation
• Remote virtual desktop on a smartphone, with MDM providing assurance in the device's configuration
• Remote virtual desktop on a tablet, with Mobile Device Management (MDM) providing assurance in the device's configuration
• Managed container with MDM providing assurance in the device's configuration
• Remote virtual desktop on a tablet
• Remote virtual desktop on a smartphone
• Managed container only
• MDM only
• Unmanaged device using native applications and storing organisational data unencrypted on the device]
ManagedSeparation
Managedseparationhelpsprotectandisolateorganisationaldatastoredondevices.Organisationaldatais
logicallyseparatedfromtheemployeespersonaloperatingenvironment,limitingtheabilityofsuchdatato
spread,and
facilitating
the
remote
wiping
of
only
organisational
data.
Additional Information

There are several different types of separation mechanisms, including partitioning functionality built into the operating system as well as mechanisms bolted on top of the operating system such as managed containers[22][23]. Emerging technology includes type 1 hypervisors and type 2 hypervisors providing a locally virtualised operating system[24]. Some separation mechanisms are designed to ensure that organisational data can only be accessed by applications that have been vetted by the organisation.

Managed containers, type 2 hypervisors or other mechanisms bolted onto the operating system provide reduced security if there is inadequate assurance in the integrity and security posture of the operating system.

Use of a managed container has the following corporate benefits, with associated potential impacts to the employee's user experience:
- data encryption that is independent of the encryption provided by a device's operating system
  - requiring employees to enter an additional passphrase to access organisational data
  - software based encryption might slow down the device due to cryptographic overhead
- reducing the risk of data leakage by restricting employees to use only corporately approved applications to handle organisational data, while limiting the ability of such applications to copy organisational data to corporately unapproved cloud services or elsewhere beyond the managed container.

Organisations considering using a managed container need to determine whether the vendor has access to organisational data or to the cryptographic keys used to decrypt organisational data.

Remote Virtual Desktop Software

Appropriately configured remote virtual desktop software helps keep organisational data in the organisation's data centre and not stored on devices, while still enabling employees to access organisational data and applications.

Additional Information

22 http://www.dsd.gov.au/infosec/epl/view_document.php?document_id=OTUxIyMjMjAzLjYuNjkuMg==
23 http://www.theregister.co.uk/2013/03/14/blackberry_secure/
24 http://computerworld.com/s/article/print/9233834/Dual_identity_smartphones_could_bridge_BYOD_private_corporate_divide
ASD's ISM advises that unclassified FOUO/Sensitive data or classified data exchanged during the entire remote virtual desktop session must be encrypted using ASD approved encryption.

ASD's experience is that remote virtual desktop software does not necessarily keep organisational data in the data centre or prevent such data being transferred to and from devices. Some remote virtual desktop software contains functionality to deliberately enable organisational data to be copied to and from devices, including the ability for malware on devices to be introduced into the remote virtual desktop, as shown in Figure 3 below.

Figure 3. In this example, an employee is accessing their Android device's file system and removable media from within the remote virtual desktop running Microsoft Windows. The employee is able to copy organisational data to their device, and introduce malware into the remote virtual desktop. This employee behaviour results in a less stringent audit trail than if email was used to extract organisational data or to introduce malware.
There are a variety of ways in which organisational data might leak out of the remote virtual desktop and be stored unprotected on devices. Risk management controls to help mitigate such data leakage include:
- appropriately configuring remote virtual desktop software running on the server and on the device to help mitigate the employee printing to local printers, printing to local files, accessing their device's file system and removable media from within the remote virtual desktop, and using the clipboard to copy and paste data in both directions between the remote virtual desktop and the device
- using full device encryption to help protect organisational data that might inadvertently be stored on the device, especially if the device is a laptop, due to the possibility of data in memory being written to disk as part of a page/swap file or hibernation/sleep file
- obtaining written agreement from employees to avoid deliberately copying organisational data to their device and to avoid introducing potential malware from their device into the remote virtual desktop
- partially mitigating keystroke logging software and malware that enables an adversary to take screenshots of the remote virtual desktop, by using up to date anti-malware software on devices, ensuring that all vendor security patches are applied to devices as soon as patches are available from the vendor, and educating employees to avoid installing potentially malicious applications
- configuring the remote virtual desktop to lock its screen after a short idle timeout period to help mitigate an adversary using a compromised device to control the remote virtual desktop's mouse and keyboard
- disallowing the use of keyboard applications featuring a custom dictionary or predictive text, which capture sensitive words or word combinations typed into the remote virtual desktop and save such sensitive data on the device's local file system[25].

The following impacts of remote virtual desktop software should be considered prior to implementation:
- the requirement for employees to have reliable Internet connectivity
- the impact on the employee's user experience, especially for devices with small screens such as smartphones; for example, using remote virtual desktop software to turn a smartphone into a dumb terminal might frustrate employees trying to send an email using Microsoft Outlook running on an older version of Microsoft Windows that was not designed for a touch interface
- the potential requirement for the organisation to upgrade their network and data centre's storage and server processing capacity
- the potential requirement for the organisation to purchase additional Client Access Licences for Microsoft Windows server and client operating systems as well as for Microsoft Office.
25 http://support.swiftkey.net/knowledgebase/articles/9101-swiftkey-is-predicting-my-password-how-do-i-stop
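The server-side configuration in the first data-leakage control above (blocking local printers, local file system and removable media access, and bidirectional clipboard, plus an idle timeout), worked through for Microsoft Remote Desktop Services as an added example. This is editor's code, not from the ASD document or from any vendor: it parses the text produced by `reg export` of the Remote Desktop Session Host policy key and reports every setting that still lets data move between the remote virtual desktop and the device. The value names are the registry backing of the corresponding Group Policy items under Remote Desktop Services > Remote Desktop Session Host; the choice of product, the 15 minute idle limit and the sample export embedded below are assumptions.

```python
"""Audit an exported Remote Desktop Services policy for data-leakage settings.

Added example (not from the ASD document). Assumptions: Microsoft RDS is the
remote virtual desktop product; idle sessions must end within 15 minutes; the
embedded .reg text is a constructed sample, not a real export.
"""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# (registry value, required DWORD value, Group Policy item it backs / what it blocks)
REQUIRED = [
    ("fDisableClip",       1, "Do not allow Clipboard redirection (copy/paste in both directions)"),
    ("fDisableCdm",        1, "Do not allow drive redirection (device file system, removable media)"),
    ("fDisableCpm",        1, "Do not allow client printer redirection (printing to local printers)"),
    ("fDisableLPT",        1, "Do not allow LPT port redirection (printing to local ports)"),
    ("fDisablePNPRedir",   1, "Do not allow supported Plug and Play device redirection"),
    ("UserAuthentication", 1, "Require Network Level Authentication for remote connections"),
    ("SecurityLayer",      2, "Require TLS as the security layer for RDP connections"),
]
MAX_IDLE_MS = 15 * 60 * 1000   # assumed policy: idle sessions disconnect within 15 minutes


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # "[HKEY_...]" opens a new key
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:          # "name"=dword:hex value
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def check_rds_policy(reg_text: str) -> list:
    """Return a list of findings; an empty list means every leakage control is set."""
    values = parse_reg_export(reg_text).get(POLICY_KEY, {})
    findings = []
    for name, wanted, why in REQUIRED:
        got = values.get(name)
        if got != wanted:
            # An absent policy value means the Group Policy item is "Not configured",
            # and RDS then permits the redirection by default.
            state = "not set (defaults to allow)" if got is None else f"set to {got}"
            findings.append(f"{name} {state}; expected {wanted}: {why}")
    idle = values.get("MaxIdleTime")           # milliseconds; 0 or absent means never
    if idle is None or idle == 0 or idle > MAX_IDLE_MS:
        findings.append(f"MaxIdleTime is {idle}; idle sessions must disconnect within "
                        f"{MAX_IDLE_MS // 60000} minutes")
    return findings


# Constructed sample export: clipboard is blocked, but drive redirection is explicitly
# allowed, printers and PnP devices are left unconfigured, and idle time is "never".
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000000
"UserAuthentication"=dword:00000001
"SecurityLayer"=dword:00000002
"MaxIdleTime"=dword:00000000
"""

if __name__ == "__main__":
    for finding in check_rds_policy(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

On a real session host the input comes from `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" ts.reg /y`, which writes UTF-16, so read the file with `encoding="utf-16"` before passing the text in. MaxIdleTime disconnects the idle session rather than locking the screen, which has the effect the guide wants (re-authentication before the session can be driven again); the other remote virtual desktop products mentioned in the guide expose equivalent client-side redirection controls under different names.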
Mobile Device Management

Mobile Device Management configures and audits devices, including enforcing aspects of the policy such as:
- the device enrolment process, which might involve installing software on the device to assist the organisation to manage the device, and a digital certificate to authenticate the device to the network
- unlock passphrases having a specified minimum length and required complexity
- the device idle timeout period until the device's screen is automatically locked
- the number of consecutive failed passphrase attempts until the device is automatically wiped
- the capability to perform remote tracking, locking and wiping of devices
- the ability of employees to print to non-organisational printers
- encryption of data at rest and in transit, including Virtual Private Network configuration settings
- the ability for employees to use their device's camera, microphone, Bluetooth, USB interface, removable media or GPS, particularly while on organisational premises
- detecting, reporting and blocking devices that are jailbroken or rooted, noting that detection is not perfect and relies on an untrusted device to tell the truth about its software[26]
- endpoint compliance checking, including whether patches and anti-malware software are up to date
- disabling the backup of unprotected sensitive data to consumer grade cloud storage such as iCloud, while still enabling an employee's personal data to be backed up
- configuring appropriate email and Wi-Fi connectivity settings
- disabling inbuilt voice recording applications that send captured voice over the Internet
- ongoing device management, monitoring and asset tracking.

Additional Information

ASD's ISM advises that mobile devices accessing unclassified FOUO/Sensitive data or classified data:
- should use Mobile Device Management to ensure that organisational policy is applied, enabling organisations to centrally manage the configuration of devices and audit adherence to policy
- must prevent employees from disabling security functions on a device once provisioned.

26 http://www.networkworld.com/news/2010/121010-apple-ios-jailbreak.html
... should be regularly tested to ensure that devices are still secure, for example that their configuration aligns with the organisation's policy and that security updates have been applied on a regular basis.

Using Mobile Device Management to enforce an organisation's unreasonably strict policy, especially when the employee is not using their device for work related purposes, might negatively affect the employee's user experience.

Organisations considering using Mobile Device Management need to determine whether the vendor has access to sensitive data such as a device's unlock passphrase.

Multi-factor Authentication

Multi-factor authentication helps mitigate an adversary accessing organisational systems[27] by using compromised employee corporate account credentials.

Additional Information

ASD's ISM advises that multi-factor authentication must be used for remote access to government systems.

Employees should log off organisational systems when finished, so that multi-factor authentication is required to regain access. Organisational systems should be configured to log users off after an idle timeout period.

A physically separate hardware multi-factor authentication token with a time based value, stored separately to the employee's device, can provide greater security than a soft token such as an SMS or a software application that displays an authentication token value on the employee's device. If the device is compromised[28][29], or if its SIM card is reissued to an adversary[30], the employee's soft token value can be accessed by the adversary, thereby defeating the multi-factor authentication mechanism.

Using multi-factor authentication doesn't completely mitigate the risk of typing a corporate passphrase into an untrustworthy device. An adversary might obtain the employee's corporate passphrase when the employee types it into a compromised device. The adversary could then use this passphrase during a subsequent intrusion, for example by gaining physical access to a corporate workstation and simply logging in as the employee. Alternatively, the adversary could use a spear phishing email to compromise any employee's workstation on the corporate network and use the previously obtained passphrase to access sensitive data on network drives.

To help mitigate this risk, either require multi-factor authentication for all employee logins, including logins to corporate workstations in the office, or require that corporate passphrases entered by employees into untrustworthy devices are different to corporate passphrases entered into corporate workstations in the office.

27 http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm
28 http://www.securitybistro.com/blog/?p=4226
29 http://www.scmagazine.com/zeus-for-android-steals-one-time-banking-passwords/article/207286/
30 http://nakedsecurity.sophos.com/2013/01/20/indian-two-factor-authentication-fraudsters-busted-by-delhi-cops/
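The soft-token weakness described above, as an added example that is not part of the ASD document: a standard RFC 6238 time-based one-time password implemented in Python, with the server-side check accepting one step of clock drift and comparing in constant time. The `stolen_seed_demo` function shows that an adversary holding a copy of the provisioned seed, which is what a compromised device with a software token hands over, produces codes indistinguishable from the employee's own. That is the reason the guide prefers a hardware token kept physically separate from the device. The SIM reissue case is different in mechanism (an SMS code is simply delivered to whoever holds the number) and is not modelled here. The seed is the RFC 6238 test vector; the function names and the drift window are my choices.

```python
"""RFC 6238 TOTP and the consequence of a leaked seed.

Added example, not from the ASD document. Assumptions: HMAC-SHA1, 30 second
steps, 6 digits, and a verifier window of one step either side.
"""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6

SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 Appendix B test seed


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(seed, at // step)


def verify(seed: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift.

    hmac.compare_digest keeps the comparison constant-time so the verifier
    does not leak how many leading digits matched.
    """
    counter = at // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def stolen_seed_demo(at: int) -> bool:
    """An adversary with a copy of the seed (for example pulled from a compromised
    phone's soft-token app) computes the same code the employee's device shows,
    so the server accepts it; nothing in the protocol distinguishes the two."""
    adversary_seed = bytes(SEED)          # the attacker's copy of the provisioned secret
    return verify(SEED, totp(adversary_seed, at), at)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SEED, now))
    print("adversary holding the seed is accepted:", stolen_seed_demo(now))
```

A hardware token with the same algorithm is not "stronger" cryptographically; it is stronger because the seed never exists on the device that may be compromised, which is the property the guide is asking for.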
... considered untrustworthy. ... used to encrypt unclassified FOUO/Sensitive data or ... trustworthy network infrastructure. For example, data sent over an untrusted ... be protected by using ASD approved encryption implemented via a Virtual ... when exchanged between a device and an organisation's ...

Remote tracking helps to recover a device ...