July 25, 2012
Credit Union Management magazine’s “Tech Time” column runs the fourth Wednesday of the month.
For many credit union executives, the thought of allowing CU employees to use their own devices (smartphones, tablets, etc.) at work or home for CU tasks creates a great deal of anxiety and concern. Having a “bring your own device” program is new, different and untested for some. For other CUs, it is BTDTBTTS (Been There. Done That. Bought The T-Shirt.).
For example, you might have examined the risks and determined, with certain controls in place, that having employees use their own cars for CU related matters is workable. The same holds true for mobile devices. With an examination and understanding of the risks, and the implementation of various controls, your CU can have a workable BYOD program for its employees.
The first step in creating your program is to define both how your BYOD program integrates into current CU programs (member service, security, risk management) and strategic plans/goals, and how these mobile devices will be handled/managed at the CU. Just like any CU strategy and management plan, your BYOD program needs to evolve as technology, risks and needs change. With a general idea of what you want to start doing, you can begin your risk assessment, which asks questions such as: what are our risks from viruses/malware, internal system compromise, compromised corporate data, compromised member data, and social engineering? Your completed risk assessment will be used to further refine your program and the controls you’ll want in place.
While technical risks and controls will be part of your program, it’s important to consider the numerous non-technical items. For example:
- If non-exempt (e.g. overtime) employees use their devices for work-related tasks (checking emails) outside of their normal work hours, how will this time be handled?
- What is the CU’s liability (and insurance coverage) for employee mishaps or issues when using BYODs?
- How will the CU handle e-discovery issues for BYODs?
- How will reimbursement for any connection or usage-related costs be handled?
Employees understand “rank hath its privilege” and should also understand “rank hath its responsibilities.” In the case of BYOD, the CU’s program should lay out that what can or can’t be done with a BYOD is based on the employee’s role and position at the CU. The more integrated an employee’s device is with CU systems, the more controls and restrictions will be placed on the device.
And for some employees, BYOD just may not be feasible. The risks from an employee checking emails are one thing. The risks from an IT employee monitoring or accessing servers and systems are another. What the CU may wish to allow on “its” phones may not be practical on an employee-owned phone. (For example, programs that monitor other staff members’ computers might be fine to run on a CU-owned device but not on a personal one.) And just as with using other CU systems, employees need to know that CU expectations and practices regarding data privacy and security don’t go away when it’s the employee’s device being used.
The following are some additional controls (expectations) the CU should consider for its program:
- Anti-virus/anti-malware ~ A reputable anti-virus/anti-malware package should be installed on the device and configured to perform regular updates and sweeps.
- Remote wiping ~ An application that allows the device to be wiped remotely should be installed and placed under the CU’s control, so the device can be wiped if it is lost, stolen, or believed to be compromised.
- Passwords ~ Access to the device should require the use of a strong password or PIN. The minimum password/PIN length the device allows (usually 4 characters) should not be used.
- Encryption ~ Data on the device and additional storage cards should be encrypted.
- Limited apps ~ Applications on the phone should be downloaded and installed only from CU-approved sites and installation of some applications may be prohibited by the CU.
- Unneeded services ~ Employees should be instructed to turn off unneeded services. For example, unless needed, Bluetooth communications, GPS or Wi-Fi should be turned off on the device.
- Secure access ~ Access to CU systems will be through secure communication systems/protocols (e.g., VPNs, SSL).
- Audit/verification ~ CU policy and any employee agreements should indicate that the CU reserves the right to audit and physically verify that appropriate security and privacy settings are enabled on the device.
- Limited devices ~ In some form or another, CU IT personnel will be called in to support BYOD issues or problems (… can’t connect … won’t download … this weird error message …). To provide better support, management and cost-containment, the CU should create a list of devices it certifies and supports. This list will contain devices for which the CU will provide appropriate levels of privacy, security and controls for accessing CU systems.
- Written agreement/acknowledgement ~ While it may be included as part of another security agreement, the CU should have a written agreement/acknowledgement form for BYOD users, spelling out the CU and employee’s rights, responsibilities and obligations.
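The role-based controls above (a tighter set of requirements the more integrated the device is with CU systems) are the kind of thing a CU can check mechanically against the posture records its mobile device management tool exports, before a device is granted access. The following is an added example of such a check; it is not code from the column, the magazine or KGS Consulting. The record fields, the two role tiers (“email_only” and “systems_access”), the supported-model list and the signature-age limit are all assumptions made for the illustration, and the two device records are constructed sample data.

```python
"""Role-tiered BYOD posture check (added example; field names, tiers and
thresholds are assumptions, not any particular MDM product's schema)."""
from dataclasses import dataclass
from typing import List


@dataclass
class DevicePosture:
    """One device record as an MDM export might supply it (constructed)."""
    device_id: str
    model: str
    role_tier: str           # "email_only" or "systems_access" (assumed tiers)
    passcode_length: int     # 0 when no passcode is set
    storage_encrypted: bool
    sd_card_encrypted: bool  # True when no removable card is present
    av_installed: bool
    av_signature_age_days: int
    remote_wipe_enrolled: bool
    sideloading_enabled: bool   # apps allowed from outside approved sources
    bluetooth_on: bool
    vpn_profile_installed: bool
    agreement_signed: bool


# Constructed "CU certifies and supports" list (see "Limited devices").
APPROVED_MODELS = {"ExampleCo Model A", "ExampleCo Model B"}

# Assumed per-tier minimum passcode length; the device's own minimum (4) is
# never accepted, per the "Passwords" control.
MIN_PASSCODE = {"email_only": 6, "systems_access": 8}

# Assumed freshness limit for anti-malware signatures, in days.
MAX_SIGNATURE_AGE_DAYS = 7


def check_device(d: DevicePosture) -> List[str]:
    """Return the list of control failures for one device (empty = compliant)."""
    findings: List[str] = []

    # Controls that apply regardless of the employee's role.
    if d.model not in APPROVED_MODELS:
        findings.append("device model is not on the CU-supported list")
    if not d.agreement_signed:
        findings.append("BYOD agreement/acknowledgement not on file")
    min_len = MIN_PASSCODE.get(d.role_tier)
    if min_len is None:
        findings.append(f"unknown role tier {d.role_tier!r}")
    elif d.passcode_length < min_len:
        findings.append(
            f"passcode length {d.passcode_length} below tier minimum {min_len}")
    if not d.storage_encrypted:
        findings.append("device storage is not encrypted")
    if not d.sd_card_encrypted:
        findings.append("storage card is not encrypted")
    if not d.av_installed:
        findings.append("anti-virus/anti-malware not installed")
    elif d.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(
            f"anti-malware signatures are {d.av_signature_age_days} days old")
    if not d.remote_wipe_enrolled:
        findings.append("device is not enrolled for CU-controlled remote wipe")
    if d.sideloading_enabled:
        findings.append("installation from non-approved sources is enabled")

    # Extra controls for the tier with deeper access to CU systems.
    if d.role_tier == "systems_access":
        if not d.vpn_profile_installed:
            findings.append("no VPN profile for access to CU systems")
        if d.bluetooth_on:
            findings.append("Bluetooth is on; turn off unless needed")

    return findings


def access_decision(d: DevicePosture) -> str:
    """Gate: a device with any finding is held back until it is remediated."""
    return "allow" if not check_device(d) else "quarantine"


# Constructed sample records: one compliant, one with several gaps.
COMPLIANT = DevicePosture("dev-001", "ExampleCo Model A", "systems_access",
                          8, True, True, True, 2, True, False, False, True, True)
NONCOMPLIANT = DevicePosture("dev-002", "ExampleCo Model B", "email_only",
                             4, True, False, True, 30, False, True, True, False, True)

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        print(dev.device_id, access_decision(dev))
        for f in check_device(dev):
            print("  -", f)
```

The tier table is where the “rank hath its responsibilities” idea lands in code: the same record is judged by a stricter set of rules when the employee’s role gives the device more access, and a device that fails any rule is held in quarantine rather than silently allowed through.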
In addition to the above, the CU will need to update its information protection awareness and training programs to include BYOD items. The updates should provide employees with an understanding of the risks of using their devices; the controls needed to protect CU systems and member information; and the actions users need to take if they believe their device has been compromised.
With planning, forethought, and a little work, your CU can fairly easily incorporate BYOD into its mobile device program.
Jim Benlein, CISA, CISM, is owner of KGS Consulting, Silverdale, Wash.