AMT Lab @ CMU

Take Action: It’s time to build your BYOD policy

Did you know that in 2010 a publishing company accidentally wiped an employee's phone that was used for both work and personal affairs? All the contacts, photos, media, and even the phone's ability to make calls were utterly destroyed.

And did you know that even NASA laptops are vulnerable to theft and inadequate security practices? Between April 2009 and April 2011, 48 NASA laptops or mobile devices were stolen. One of the devices was an unencrypted laptop containing confidential codes for the International Space Station!

Due to our reliance on personal technology, the risks concerning data privacy and security are more potent than ever. However, there is a longstanding perception in arts organizations that there is no sensitive data: all the information in a non-profit arts organization is open to the public. Most nonprofit leaders still know little about the risks that can arise from storing personal information collected from donors, audiences, employees, and volunteers. Many threats to data privacy live much closer to arts organizations than they might expect. The following business activities can create potential liability for a nonprofit if they are conducted on personal devices: conducting e-commerce (especially collecting credit card data and processing payments online); sending employee, donor, or audience data via email; storing information related to intellectual property (for example, artistic creative work) in Dropbox; and accessing sensitive information in the cloud. To cope with the increasing complexity that comes with data sharing and data security, arts managers might consider implementing a Bring Your Own Device (BYOD) policy to prepare adequately for the possible risks.

How to frame a BYOD policy for your organization

The first step in implementing a BYOD policy is the most important: organizations should clarify a goal and involve stakeholders early by forming a policy-making group. The group could consist of executives, HR, legal, support, IT, and other employee representatives. An effective way of specifying the goal is to simulate daily working scenarios and establish the key objectives you want the BYOD policy to achieve.

The second step is to make an outline and list all the subjects relevant to this policy. This list should include which devices are covered by the BYOD policy and which behavior will be monitored. Organizations should also conduct an overview of security issues to answer questions such as what types of information must be protected, what kinds of information will be accessible on mobile devices, how and when security incidents should be reported, and who is responsible for handling those incidents.

The next step is to understand your employees' expectation of privacy. Employees should be asked how they would react to different monitoring processes or different policies. They should also be told where they can get technical support to respond to security incidents.

Step four is risk analysis. The policy-making group should prepare for potential policy violations and privacy violations. For example, the group should assess the data stored and processed on the devices, and evaluate the access the devices are granted to the organization's resources, paying particular attention to scenarios that are more likely for mobile devices, such as a lost or stolen smartphone. The group can incorporate geographically relevant data and privacy laws into this risk analysis. Arts organizations with international partnerships should also consider the impact of a mobile workforce traveling to countries with different data import or export restrictions. Based on the risk analysis, the group members need to list all the possible consequences and figure out how they might deal with them.

The next step is to actually create the BYOD policy. The policy needs to be both flexible and enforceable. Generally, BYOD policies include the following information:

  1. General security requirements for mobile devices
  2. Authentication requirements (such as a passcode or PIN)
  3. Storage/transmission encryption requirements (for instance, a password or key required for storage or transmission)
  4. Requirements to automatically wipe devices after a certain number of failed login attempts
  5. Usage restrictions for mobile devices (for example, are there websites that should be blocked on personal mobile devices?)
  6. Organizational liability (if data leakage occurs, what are the potential liabilities for the arts organization?)
  7. Rights to monitor, manage, and wipe
  8. Operating model (which department will be involved in operating the BYOD policy? What are the costs and benefits of this policy? How should the organization's finances back up this policy?)
  9. Optional: specific requirements for mobile data usage during international travel, conferences, or partnerships
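Items 2 through 5 above are the requirements an organization can actually check per device before granting access. The following Python, added here as an illustration and not part of the original article, evaluates a constructed device report against those requirements and returns the list of failed checks; the policy thresholds, the report schema, and the app categories are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Minimum settings derived from the BYOD policy items above (constructed example values).
POLICY: Dict[str, object] = {
    "min_passcode_length": 6,                 # item 2: authentication
    "require_storage_encryption": True,       # item 3: encryption at rest
    "max_failed_unlocks_before_wipe": 10,     # item 4: auto-wipe threshold
    "blocked_app_categories": {"file-sharing", "gambling"},  # item 5: usage restrictions
}


@dataclass
class DeviceReport:
    """Hypothetical self-report or MDM record for one employee device (constructed schema)."""
    owner: str
    passcode_length: int                       # 0 means no passcode set
    storage_encrypted: bool
    wipe_after_failed_unlocks: Optional[int]   # None means auto-wipe is disabled
    installed_app_categories: Set[str] = field(default_factory=set)


def evaluate(device: DeviceReport, policy: Dict[str, object] = POLICY) -> List[str]:
    """Return the policy requirements the device fails; an empty list means compliant."""
    failures: List[str] = []
    if device.passcode_length < policy["min_passcode_length"]:
        failures.append("authentication: passcode shorter than %d characters"
                        % policy["min_passcode_length"])
    if policy["require_storage_encryption"] and not device.storage_encrypted:
        failures.append("encryption: device storage is not encrypted")
    wipe = device.wipe_after_failed_unlocks
    if wipe is None or wipe > policy["max_failed_unlocks_before_wipe"]:
        failures.append("wipe: auto-wipe disabled or threshold above %d failed attempts"
                        % policy["max_failed_unlocks_before_wipe"])
    blocked = device.installed_app_categories & policy["blocked_app_categories"]
    if blocked:
        failures.append("usage: blocked app categories installed: " + ", ".join(sorted(blocked)))
    return failures


def enrollment_decision(device: DeviceReport, policy: Dict[str, object] = POLICY) -> Tuple[str, List[str]]:
    """Gate access to organizational resources on a clean evaluation."""
    failures = evaluate(device, policy)
    return ("grant" if not failures else "deny", failures)


if __name__ == "__main__":
    # Constructed sample devices: one compliant, one failing every check.
    for dev in (DeviceReport("alice", 6, True, 10, {"productivity"}),
                DeviceReport("bob", 4, False, None, {"file-sharing"})):
        print(dev.owner, enrollment_decision(dev))
```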

Creating a BYOD policy is not the final step. To successfully establish and implement a BYOD policy, arts organizations should always test, verify, and measure the benefits gained from the policy. It is also recommended that organizations use different testing approaches to evaluate the BYOD policy. Additionally, it is important to test infrastructural changes, such as Wi-Fi deployments or VPN endpoints, to find out whether these changes affect the organization's security.

As with any other policy implementation, arts organizations should also measure their process and continually improve the program. Return on investment (ROI) can be one way to measure success. Remember to identify and quantify the benefits and costs, especially the hidden costs. Furthermore, direct user feedback from staff members is essential for recognizing areas for improvement.

Additionally, arts organizations need to pay attention to the "culture" of a BYOD policy. Does the BYOD policy need to be compatible with the organization's risk tolerance? Will the policy change people's perception of the organization's culture? Or might the BYOD policy create tension within the organization? Arts organizations should answer these questions while creating the policy. Otherwise, there may be strong resistance to its implementation.

Overall, a BYOD policy should involve multiple stakeholders, and it should establish a mechanism that helps the organization deal with possible security incidents. It is not an unnecessary move; it is proactive preparation.