How to Manage BYOD in a GRC World

Bring Your Own Device (BYOD) has been a catalyst for a new IT revolution. CNET TechRepublic’s BYOD Business Strategy Survey reveals that 62 percent of companies either already allow Bring Your Own Device or plan to by the end of 2013. However, the prospect of employees using their personal mobile devices to access corporate resources might seem contrary to existing Governance, Risk, and Compliance (GRC) regulations.

Some regulated environments can be ideal for BYOD. For example, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and other governance and compliance programs set security standards and policies to protect confidential corporate and financial data, and those same standards give a BYOD program a concrete bar to meet.

How Corporate Compliance and Governance Accommodate BYOD

BYOD raises potential security and compliance concerns in a number of ways. Here is an overview of how BYOD factors into major compliance programs:

HIPAA

BYOD and HIPAA can coexist through appropriate technology choices, including:

  • Virtual Desktop Infrastructure (VDI), which provides an encrypted tunnel to a PC desktop hosted on a server, so patient data is viewed on the device but stored in the data center;
  • Two-level security on enterprise applications that store patient data;
  • A Mobile Device Management (MDM) solution for remotely wiping data from mobile devices.

BYOD in a HIPAA-compliant environment requires ongoing audits of mobile device and network security. No patient data resides on mobile devices in a HIPAA-compliant environment.

Payment Card Industry Data Security Standard (PCI-DSS)

BYOD compliance with PCI-DSS is tougher because of the mandate that cardholder data never touch an employee’s personal device. If there is even a slim chance of cardholder data reaching an employee’s personal device, that device falls into scope and strict PCI compliance must be enforced on it. In practice, PCI compliance must then extend along the entire path from the employee’s device to the corporate server.

SOX

For SOX and BYOD to coexist, a solution that secures corporate data and keeps it off personal devices is necessary. The concept of the “dataless” tablet or smartphone that can meet SOX security requirements is now possible. For example, VMware offers a mobile hypervisor virtualization solution as part of its VMware Horizon product line that keeps all corporate data and access points inside a secure virtual container. An administrator can wipe that virtual container remotely if the device is lost or stolen, or if the employee leaves the company.

Such technology solutions still require a documented BYOD user policy and suitable network security to complete a SOX-compliant BYOD solution.

Basel III

Financial services firms that are Basel III compliant should work with a third-party risk management firm or auditor to determine the mobile and network security solution that satisfies their industry regulations. There are stiff penalties for falling out of compliance with Basel III.

Dodd-Frank

A July 3, 2013 article by Greg Buckles on eDiscoveryJournal.com states, “Essentially, Dodd-Frank ‘could’ blow the lid off of the BYOD/cloud Pandora’s box. Too many litigants rely on a Don’t-Ask-For-Mine quid pro quo strategy to ignore these new, complicated data sources.” Later in the article, Buckles reminds us that only 37 percent of the Dodd-Frank rules had been finalized when the article was published.

Gramm-Leach-Bliley (GLBA)

For GLBA compliance, a financial services organization must first conduct a technical and financial feasibility study of BYOD and use it to set a secure technology, policy, and management strategy.

Being GLBA-compliant also brings with it a strict reporting process if a personal device containing customer information is lost or stolen. The reporting chain includes:

  • Office of the Comptroller of the Currency
  • Federal Reserve Board
  • Federal Deposit Insurance Corporation
  • Office of Thrift Supervision

Successful Management of BYOD for GRC

Having a thriving BYOD initiative while adhering to a compliance program requires the right mix of technology, security, policy, and management. In practice, real-time reporting of device activity inside the network, combined with documented acceptable-use policies, is the most common requirement for BYOD devices to comply with these programs.

Regardless of the compliance program, BYOD security education is imperative so that employees understand how their corporate interactions on personal devices can expose sensitive corporate data, and how to avoid that risk.

MDM solutions, which provide security policy enforcement, remote device location, and remote wiping of corporate data from personal devices, are a key security element in ensuring that BYOD meets compliance regulations.

The traditional BYOD program framework, including preplanning, a documented BYOD policy, data governance, and ongoing mobile and network endpoint security, also takes on added importance in meeting regulatory compliance.

COPE vs. BYOD for Compliance

Corporate-Owned, Personally Enabled (COPE) is another option for having mobile users adhere to compliance regulations while giving them some choice in the devices they use for work. With COPE, the company owns the device, but employees choose it from a list of supported devices and then configure it for themselves.

COPE is a compromise for enterprises that don’t want to go with BYOD. Choosing COPE removes security concerns such as rooted (“jailbroken”) Android phones, diverse operating system versions, and sideloaded apps. In fact, some analysts see COPE overtaking BYOD in highly regulated industries such as healthcare and financial services (PCI-DSS in particular).

Conclusion

Regulatory and compliance programs contribute to a more secure and robust BYOD initiative because they impose strict guidelines on corporate data security.