A roadmap for connecting personal devices to corporate networks and data.
The need to consider a policy for managing BYOD is becoming more commonplace in the education sector. Recently, the IT manager of one of our clients, a six-campus school with more than 3,000 students, was tasked with enabling BYOD access for support staff, teachers, students, and visitors. This raised basic business questions about parental expectations, device replacement, and student monitoring.
As the BYOD phenomenon continues to grow, internal auditors must consider how their organisation can get boards, executives, and employees connected on the devices they prefer to use, while providing appropriate oversight. One answer is to establish an implementation roadmap ensuring that business needs, staff flexibility, and satisfaction requirements are all catered for equally.
Rules of the Road
An implementation roadmap includes distinct rules focused on ensuring BYOD risks are managed within organisational expectations. Unless those charged with implementing BYOD understand those rules, organisations may be exposed to new, unmitigated risks. IT auditors can advise management on the often-unrecognised risks that BYOD access to corporate systems brings and help organisations ensure that basic BYOD business foundations are established early in an implementation.
Planning
Does the organisation have a risk management plan for mobile computing and BYOD that is reviewed regularly and approved by the board? Risk management plans need to consider new risks and concerns that mobile computing brings, be approved by the board to set the tone at the top, and clearly articulate management's oversight and expectations. Auditors should review whether a board-approved plan exists and, if so, whether it is current given the constantly changing nature of mobility solutions.
Does the organisation have a mobile computing and BYOD awareness and education plan that ensures mobile users understand their responsibilities? A training program should outline expectations, monitoring arrangements, and penalty provisions for misuse. Auditors should consider how the organisation instructs its BYOD users about management's expectations around security, monitoring, and penalties.
Has the organisation engaged the human resources, legal, purchasing, IT, and finance functions to address all necessary parameters related to mobile computing and BYOD? BYOD should be an organisation-wide initiative, rather than purely an IT issue. Purchasing arrangements, including charge-back of usage and device replacement, involve procurement teams and policies. Employee expectations and penalty regimes involve human resources and industrial relations teams.
Monitoring of staff members' personal use involves the legal department, particularly where the organisation can remotely wipe a device and, with it, the employee's personal data. And the technical security implications of using consumer mobile operating systems that the organisation neither controls nor patches to access secured corporate assets will involve the organisation's technology specialists.
Are BYOD activities managed efficiently, including activating location monitoring of devices and engaging a global theft recovery service to retrieve lost and stolen devices? As the organisation relies on personal devices for corporate access, automated policies and procedures should be implemented to provide assurance that an employee is complying with management expectations and has only the appropriate access. Location monitoring of a personal device is itself a privacy matter: it should be limited to lost-or-stolen scenarios and disclosed in the user acceptance statement.
One way organisations do this is through automated monitoring tools, including engaging mobile device theft recovery services to retrieve lost or stolen mobile devices. IT auditors are well placed to assess which automated management tools should be in place and, where necessary, recommend additional compensating management activities to ensure appropriate control.
Has the organisation considered which devices will be allowed to connect to corporate systems, including the version of the operating system in use on those devices and how it will be supported? The mobile operating system is the organisation's most serious security challenge in a BYOD program, and it also complicates ongoing development of corporate mobile applications: the organisation does not control when, or whether, a personal device is patched. A practical control is an approved-device list with a minimum supported operating system version per platform, under which devices that are jailbroken or rooted, or that no longer receive vendor security updates, are denied corporate access. An IT auditor who is well versed in operating-system security weaknesses can provide advice on risks that may not be apparent to management.
Is the organisation's mobile computing and BYOD policy well constructed, understood by all users, and enforceable? A core issue in any BYOD strategy is ensuring employees accept the conditions and that a penalty regime is in place should conditions be breached. Auditors can confirm that employees have signed the necessary user acceptance statements and that privacy considerations have been explained adequately, including the circumstances in which management will remotely wipe a lost or stolen device and what that means for the personal data on it.
Has the organisation conducted a readiness assessment to confirm its capability to deal with mobile computing and BYOD requirements and to ascertain its maturity level and focus for future investment? An auditor's BYOD readiness assessment can highlight where mobility issues might arise and often provides a picture of the current state versus the desired state, particularly with regard to employee engagement, technical security issues, and business-unit involvement.
Has the organisation lost a mobile device that was never recovered? In a BYOD world, lost and stolen devices mean lost productivity until the user replaces the device and, unless the device can be locked and wiped promptly, potential exposure of the corporate data on it. Recovering those devices as quickly as possible using automated global theft recovery services minimises downtime for the employee and the organisation. Auditors should review asset-recovery processes and provide recommendations on the appropriateness of the processes, the timeliness of recovery, and the impact of lost or stolen devices on business operations.
Does the organisation use a publicly available consumer file-sharing or cloud storage service (a "box" service) to transmit data? Transmission of data outside the organisation poses risks that organisations deal with routinely, but in a BYOD environment employees often use their own means to access files and information, and these may not be as secure as management requires. For example, organisations should ensure that board papers downloaded to a mobile device are deleted after the relevant board meeting, when they are no longer needed. Auditors should independently confirm the security of file transfer and cloud storage arrangements, including who can access stored files and whether data is encrypted in transit and at rest.
Has the organisation reviewed BYOD activity to monitor behaviour, enforce policy requirements, and take action in line with the organisation's tolerance for breaches? Mobile device management (MDM) enables organisations to enforce management and organisational expectations, deactivate users who do not comply, and provide evidence for penalty regimes. Automated tools that alert the organisation when its rules are breached, and give prompt feedback to users, add robustness to the BYOD initiative. Auditors should examine management's supervisory control over BYOD initiatives, including its monitoring of compliance and enforcement of penalties.
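The checks behind two of the questions above, which devices and operating system versions are approved, and automated monitoring that alerts when a rule is breached, can be expressed as a small compliance rule set run over an MDM inventory export. The following is an added illustration, not code from the original article or from any MDM product: the platform names, minimum versions, the seven-day check-in threshold, the blocking rules and the record fields are all assumptions, and the inventory is constructed sample data.

```python
import re
from dataclasses import dataclass

# Hypothetical approved-platform list with minimum supported OS versions.
# Real values come from the organisation's approved-device list and the
# vendors' security-update lifecycles, and must be revisited as versions age out.
MIN_OS_VERSION = {
    "ios": (16, 0),
    "android": (13, 0),
}

# Findings with these codes block corporate access immediately; all other
# findings produce a warning to the user and a grace period (assumed policy).
BLOCKING_CODES = {"platform_unapproved", "jailbroken"}


@dataclass
class Device:
    """One record as an MDM inventory export might present it (fields assumed)."""
    device_id: str
    user: str
    platform: str           # "ios" or "android"
    os_version: str         # e.g. "16.5.1"
    jailbroken: bool        # rooted/jailbroken flag reported by the MDM agent
    encrypted: bool         # device storage encryption enabled
    last_checkin_days: int  # days since the MDM agent last reported in


def parse_version(text):
    """Turn '16.5.1' into (16, 5, 1) so versions compare numerically.
    Comparing the raw strings gets it wrong: '9.10' < '9.2' as text."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def evaluate(device, max_checkin_days=7):
    """Return a list of (code, message) findings; an empty list means compliant."""
    findings = []
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        findings.append(("platform_unapproved",
                         f"platform {device.platform!r} is not on the approved list"))
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(("os_outdated",
                         f"OS {device.os_version} is below the minimum {wanted}"))
    if device.jailbroken:
        findings.append(("jailbroken", "device is jailbroken or rooted"))
    if not device.encrypted:
        findings.append(("unencrypted", "storage encryption is disabled"))
    if device.last_checkin_days > max_checkin_days:
        findings.append(("stale",
                         f"no MDM check-in for {device.last_checkin_days} days"))
    return findings


def decide(findings):
    """Map findings to an action: 'block', 'warn' or 'allow'."""
    codes = {code for code, _ in findings}
    if codes & BLOCKING_CODES:
        return "block"
    return "warn" if codes else "allow"


def run_compliance(inventory):
    """Evaluate every device; returns {device_id: (action, findings)}."""
    report = {}
    for device in inventory:
        findings = evaluate(device)
        report[device.device_id] = (decide(findings), findings)
    return report


def alert_lines(report, inventory):
    """One human-readable alert per non-compliant device: the prompt feedback
    to the user and the evidence trail for the penalty regime."""
    users = {d.device_id: d.user for d in inventory}
    lines = []
    for device_id, (action, findings) in report.items():
        if action == "allow":
            continue
        reasons = "; ".join(message for _, message in findings)
        lines.append(f"{action.upper()} {device_id} ({users[device_id]}): {reasons}")
    return lines


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Device("d-001", "teacher01", "ios", "17.1", False, True, 1),
    Device("d-002", "student42", "android", "9.10", False, True, 2),       # outdated OS
    Device("d-003", "visitor07", "android", "14", True, True, 0),          # rooted
    Device("d-004", "staff19", "ios", "16.2", False, False, 12),           # unencrypted, stale
    Device("d-005", "staff20", "windowsphone", "10.0", False, True, 3),    # unapproved platform
]

if __name__ == "__main__":
    for line in alert_lines(run_compliance(SAMPLE_INVENTORY), SAMPLE_INVENTORY):
        print(line)
```

An MDM product applies rules like these itself; the point for an auditor is that the same logic can be re-run independently over an inventory export to confirm that enforcement matches the written policy. The version parsing matters more than it looks: a rule that compares version strings lexically will wave through an Android 9.10 device against a 13.0 minimum while rejecting a patched 9.2 device, which is exactly the kind of weakness that is not apparent to management.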
Addressing BYOD Issues
Internal auditors are integral to a BYOD roll-out because they can provide management with an independent, technically astute evaluation of the technology issues disparate devices and operating systems bring. Moreover, they can provide assurance that the organisation has addressed the new business issues that arise from connecting employees, contractors, and guests to corporate systems through personal devices.
This publication is issued by Moore Stephens Australia Pty Limited ACN 062 181 846 (Moore Stephens Australia) exclusively for the general information of clients and staff of Moore Stephens Australia and the clients and staff of all affiliated independent accounting firms (and their related service entities) licensed to operate under the name Moore Stephens within Australia (Australian Member). The material contained in this publication is in the nature of general comment and information only and is not advice. The material should not be relied upon. Moore Stephens Australia, any Australian Member, any related entity of those persons, or any of their officers employees or representatives, will not be liable for any loss or damage arising out of or in connection with the material contained in this publication. Copyright © 2014 Moore Stephens Australia Pty Limited. All rights reserved.