A roadmap for connecting personal devices to corporate networks and data.
The need to decide how BYOD will be managed, and to set that decision down as policy, is becoming commonplace in the education sector. Recently, the IT manager of one of our clients, a six-campus school with more than 3,000 students, was tasked with enabling BYOD access for support staff, teachers, students, and visitors. This immediately raised basic business questions about parental expectations, device replacement, and student monitoring.
As the BYOD phenomenon continues to grow, internal auditors must consider how their organisation can get boards, executives, and employees connected on the devices they prefer to use while still providing appropriate oversight. One answer is to establish an implementation roadmap that gives equal weight to business needs, staff flexibility, and user satisfaction.
Rules of the Road
An implementation roadmap includes distinct rules focused on ensuring BYOD risks are managed within organisational expectations. Unless those charged with implementing BYOD understand those rules, organisations may be exposed to new, unmitigated risks. IT auditors can advise management on the often-unrecognised risks that BYOD access to corporate systems brings and help organisations ensure basic BYOD business foundations are established early in an implementation.
Planning
Does the organisation have a risk management plan for mobile computing and BYOD that is reviewed regularly and approved by the board? Risk management plans need to consider the new risks and concerns that mobile computing brings, be approved by the board to set the tone at the top, and clearly articulate management's oversight and expectations. Auditors should review whether a board-approved plan exists and, if so, whether it is current given the constantly changing nature of mobility solutions.
Education
Does the organisation have a mobile computing and BYOD awareness and education plan that ensures mobile users understand their responsibilities? A training program should outline expectations, monitoring arrangements, and penalty provisions for misuse. Auditors should consider how the organisation instructs its BYOD users about management's expectations around security, monitoring, and penalties.
Engagement
Has the organisation engaged the human resources, legal, purchasing, IT, and finance functions to address all necessary parameters related to mobile computing and BYOD? BYOD should be an organisation-wide initiative, rather than purely an IT issue. Purchasing arrangements, including charge-back of usage and device replacement, involve procurement teams and policies. Employee expectations and penalty regimes involve human resources and industrial relations teams.
Monitoring of staff members' personal use involves the legal department, particularly where the organisation can remotely wipe a device and with it the owner's personal data. The technical security implications of using unmanaged, potentially unpatched mobile operating systems to access corporate assets will involve the organisation's technology specialists.
Management
Are BYOD activities managed efficiently, including activating location monitoring of devices and engaging a global theft recovery service to retrieve lost and stolen devices? As the organisation comes to rely on personal devices for corporate access, automated policies and procedures should be implemented to provide assurance that each employee is complying with management expectations and has only the appropriate access.
One way organisations do this is through automated monitoring tools, including engaging mobile device theft recovery services to retrieve lost or stolen devices. IT auditors are well placed to assess which automated management tools should be in place and, where necessary, to recommend additional compensating management activities to ensure appropriate control.
Selection
Has the organisation considered which devices will be allowed to connect to corporate systems, including which operating system versions are acceptable for those devices and how they will be supported? The mobile device operating system, and in particular the spread of versions and patch levels across personally owned devices, is an organisation's most serious challenge both to security and to ongoing development of corporate mobile applications. An IT auditor who is well versed in the risks of unpatched or unsupported mobile operating systems can provide advice on weaknesses that may not be apparent to management.
Policing
Is the organisation's mobile computing and BYOD policy well constructed, understood by all users, and enforceable? A core issue in any BYOD strategy is ensuring employees accept the conditions and that a penalty regime is in place should those conditions be breached. Auditors can confirm that employees have signed the necessary user acceptance statements and that privacy considerations have been explained adequately, including management's process for wiping personal data if a device is lost or stolen.
Review
Has the organisation conducted a readiness assessment to confirm its capability to deal with mobile computing and BYOD requirements and to ascertain its maturity level and focus for future investment? An auditor's BYOD readiness assessment can highlight where mobility issues might arise and often includes a current-state versus desired-state gap analysis, particularly with regard to employee engagement, technical security issues, and business-unit involvement.
Tracking
Has the organisation lost a mobile device that was never recovered? In a BYOD world, lost and stolen devices mean lost productivity until the user replaces the device, and potential exposure of any corporate data held on it until it is recovered or wiped. Recovering those devices as quickly as possible using automated global theft recovery services minimises downtime for the employee and the organisation. Auditors should review asset-recovery processes and provide recommendations on the appropriateness of the processes, the timeliness of recovery, and the impact on business operations of lost or stolen devices.
Transmission
Does the organisation use a publicly available consumer file-sharing ("box") service to transmit data? Transmission of data outside the organisation poses risks that organisations deal with routinely, but in a BYOD environment employees often use their own means to access files and information, and these may not be as secure as management requires. For example, organisations should ensure that board papers downloaded to a mobile device are deleted after the relevant board meeting, when they are no longer needed. Auditors should independently confirm the security of file transfer and cloud storage arrangements.
Monitoring
Has the organisation reviewed BYOD activity to monitor behaviour, enforce policy requirements, and take action in line with its tolerance for breaches? Mobile device management (MDM) enables organisations to enforce management and organisational expectations, deactivate users who do not comply, and provide evidence for penalty regimes. Automated tools that alert the organisation when a rule is breached and give prompt feedback to the user add robustness to the BYOD initiative. Auditors should examine management's supervisory control over BYOD initiatives, including its monitoring of compliance and enforcement of penalties.
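The Selection and Monitoring questions above both come down to the same auditable check: does every enrolled device still meet the board-approved eligibility rules, and does the MDM data show it? The following is an added example, not code from the original article or from any MDM vendor. It evaluates a constructed MDM inventory export against an assumed policy (minimum OS version per platform, storage encryption, a device passcode, a maximum check-in age, and no jailbroken or rooted devices). The record layout, field names, device identifiers and policy thresholds are all assumptions chosen for illustration; an auditor would map them to the organisation's own MDM export and its actual policy.

```python
"""Evaluate a constructed MDM inventory export against a BYOD
device-eligibility policy.

Added example, not from the original article or from any MDM product.
The inventory records, field names and policy values are assumptions
chosen to illustrate the check; map them to your MDM's export format.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy: minimum supported OS version per approved platform,
# plus operational thresholds. Illustrative values only.
POLICY = {
    "min_os": {"ios": "16.0", "android": "12"},
    "require_encryption": True,
    "require_passcode": True,
    "max_checkin_age": timedelta(days=7),
}


def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically
    rather than as strings (string comparison would rank '16.9' above
    '16.10'). Missing components are padded with zeros and any
    non-numeric suffix such as '12-beta' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_device(device, policy, now):
    """Return the list of policy violations for one inventory record."""
    violations = []
    platform = device["platform"].lower()
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        violations.append(f"platform not approved: {device['platform']}")
    elif parse_version(device["os_version"]) < parse_version(minimum):
        violations.append(
            f"os_version {device['os_version']} below minimum {minimum}")
    if policy["require_encryption"] and not device["encrypted"]:
        violations.append("storage encryption disabled")
    if policy["require_passcode"] and not device["passcode_set"]:
        violations.append("no device passcode")
    # A device that has stopped checking in cannot be shown to be
    # compliant, so staleness is itself a finding.
    last_seen = datetime.fromisoformat(device["last_checkin"])
    if now - last_seen > policy["max_checkin_age"]:
        violations.append(
            f"stale: last check-in {(now - last_seen).days} days ago")
    if device.get("compromised"):
        violations.append("jailbroken/rooted")
    return violations


def evaluate_fleet(devices, policy, now):
    """Map device id -> violations, listing only non-compliant devices."""
    report = {}
    for device in devices:
        found = evaluate_device(device, policy, now)
        if found:
            report[device["device_id"]] = found
    return report


# Constructed sample export (not real data): five BYOD enrolments.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"device_id": "d-001", "owner": "teacher1", "platform": "iOS",
     "os_version": "17.3.1", "encrypted": True, "passcode_set": True,
     "last_checkin": "2024-02-28T09:12:00+00:00", "compromised": False},
    {"device_id": "d-002", "owner": "student7", "platform": "Android",
     "os_version": "11", "encrypted": True, "passcode_set": True,
     "last_checkin": "2024-02-29T17:40:00+00:00", "compromised": False},
    {"device_id": "d-003", "owner": "visitor2", "platform": "iOS",
     "os_version": "16.0", "encrypted": True, "passcode_set": False,
     "last_checkin": "2024-02-10T08:00:00+00:00", "compromised": False},
    {"device_id": "d-004", "owner": "staff4", "platform": "Android",
     "os_version": "14", "encrypted": False, "passcode_set": True,
     "last_checkin": "2024-02-27T12:00:00+00:00", "compromised": True},
    {"device_id": "d-005", "owner": "staff9", "platform": "Windows",
     "os_version": "10.0", "encrypted": True, "passcode_set": True,
     "last_checkin": "2024-02-29T07:30:00+00:00", "compromised": False},
]

if __name__ == "__main__":
    for dev_id, issues in evaluate_fleet(SAMPLE_INVENTORY, POLICY, NOW).items():
        print(dev_id, "->", "; ".join(issues))
```

Run against the constructed export, the script passes d-001 and flags the other four: an Android device below the minimum version, an iOS device with no passcode that has not checked in for 19 days, a rooted device with encryption off, and a platform the policy does not approve at all. The value for an auditor is that the same evidence that drives the alerting and deactivation described above can be reproduced from the MDM export independently of the MDM console, which is what "confirming independently" means in practice.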
Addressing BYOD Issues
Internal auditors are integral to a BYOD roll-out because they can provide management with an independent, technically astute evaluation of the technology issues that disparate devices and operating systems bring. Moreover, they can provide assurance that the organisation has addressed the new business issues that arise from connecting employees, contractors, and guests to corporate systems through personal devices.
This publication is issued by Moore Stephens Australia Pty Limited ACN 062 181 846 (Moore Stephens Australia) exclusively for the general information of clients and staff of Moore Stephens Australia and the clients and staff of all affiliated independent accounting firms (and their related service entities) licensed to operate under the name Moore Stephens within Australia (Australian Member). The material contained in this publication is in the nature of general comment and information only and is not advice. The material should not be relied upon. Moore Stephens Australia, any Australian Member, any related entity of those persons, or any of their officers employees or representatives, will not be liable for any loss or damage arising out of or in connection with the material contained in this publication. Copyright © 2014 Moore Stephens Australia Pty Limited. All rights reserved.