Management and auditors need to ensure their organizations have a well-considered roadmap in place for connecting personal devices to corporate networks and data.
Most individuals now carry two or more mobile devices daily (smartphones, tablets, laptops), and many organizations are grappling with the Bring-Your-Own-Device (BYOD) phenomenon as a result. Advances in consumer technology mean individuals often have more capable and user-friendly equipment at home than in the office.
Organizations frequently ask: "How do we get boards and senior executives connected on the devices they like and use, and then roll that capability out to our staff?" One way to answer this is to map out an implementation roadmap that caters equally for business needs and for staff flexibility and satisfaction. Such a roadmap can also form the basis of a risk-based audit program designed to attest to the robustness of an organization's BYOD initiatives. IT auditors can advise management on the often-unrecognized risks that BYOD access to corporate systems brings, and help ensure the basic business foundations for BYOD are established early in an implementation.
Rules Of The Road
For many organizations, allowing employees, guests and contractors to access corporate systems and information from their own mobile devices is becoming part of the normal course of doing business. Unless those organizations understand the "rules of the road", they may be exposing themselves to new, unmitigated risks.
Some questions that need to be answered before connecting non-corporate devices to corporate systems include:
1. Does the organization have a risk management plan for mobile computing and BYOD that is reviewed regularly and approved by the Board?
Risk management plans need to: consider the new risks and concerns that mobile computing brings; be approved by the Board to set the "tone at the top"; clearly articulate management's oversight responsibilities and expectations; and be kept current, given the rapidly changing nature of mobile computing.
Auditors should review whether a board-approved plan exists, and if so, whether it is current given the constantly changing nature of mobility solutions.
2. Does the organization have a mobile computing and BYOD awareness and education plan that ensures users of mobility infrastructure understand their responsibilities?
It is unrealistic to expect users to apply corporate standards to their personal devices if management has not implemented an appropriate training regime. A training program should set out expectations, monitoring arrangements and penalty provisions for misuse. Auditors should consider how the organization instructs its BYOD users about management's expectations around security, monitoring and penalties.
3. Has the organization engaged widely, including across human resources, legal, purchasing, information technology and finance, to address all necessary parameters relating to mobile computing and BYOD?
BYOD should not be treated purely as an information technology issue. Purchasing arrangements, including charge-back of usage and device replacement, involve procurement teams and policies. Employee expectations and penalty regimes involve human resources and industrial relations teams. Monitoring of staff outside working hours, and of personal activity during working hours, usually involves the legal department, particularly where the organization can remotely wipe personal data without recourse for the employee. And the technical security implications of using consumer mobile operating systems, which the organization does not control, to access secured corporate assets will involve the organization's technology specialists.
4. Are BYOD activities managed in an efficient manner, including activating location monitoring of devices and engaging a global theft recovery service to retrieve lost and stolen devices?
As the organization comes to rely on personal devices for corporate access, automated policies and procedures should be implemented to provide assurance that employees are behaving as expected and hold only the appropriate access, including when their personal devices are lost, stolen or otherwise unavailable. One way organizations do this is through automated monitoring tools, including engaging mobile device theft recovery services to recover lost or stolen devices.
IT auditors are well placed to judge which automated management tools should be in place and, where necessary, to recommend additional compensating management activities to ensure appropriate control.
5. Has consideration been given to what devices will be allowed to connect to the corporate systems, including the version of operating system in use for those devices and how that will be supported?
The mobile device operating system presents organizations with their most serious challenge, both to security and to ongoing development of corporate mobile applications. When organizations develop mobile applications to assist employees with their tasks, support becomes a real consideration in environments where many thousands of operating system variants are in use; for a corporate organization to manage that type of environment effectively, the internal support costs are considerable. Operating system versions that no longer receive security updates from their vendor should not be granted access at all, since the organization cannot patch them.
An IT auditor who is well versed in the risks associated with weak security in mobile operating systems can advise on weaknesses that may not be apparent to management.
6. Is the organization’s mobile computing and BYOD policy well constructed, understood by all users and enforceable?
A core issue in any BYOD strategy is ensuring employees accept the conditions of use and providing for a penalty regime should those conditions be breached. One way to do this is to have each BYOD employee sign an acknowledgement confirming that they agree to the organization's conditions and the associated penalties. Auditors can confirm that employees have signed the necessary user acceptance statements and that privacy considerations have been explained adequately, including management's process for wiping personal data if a device is lost or stolen.
7. Has a readiness assessment been conducted to confirm the organization’s robustness in dealing with mobile computing and BYOD requirements and to ascertain its maturity level and focus for future investment?
Before going live with any new initiative it is useful to gauge the organization's maturity level with respect to that initiative. More mature organizations generally have a greater capacity to adjust to and implement new regimes than less mature, embryonic ones.
A BYOD readiness assessment can highlight where mobility issues are likely to arise, and often provides a diagram of the current state versus the desired state, particularly with regard to employee engagement, technical security issues and the involvement of the necessary business units (human resources, legal, procurement).
8. Has your organization suffered a loss of a mobile device that was never recovered?
In a BYOD world, lost and stolen devices mean lost productivity until the end-user is able to replace the personal device. Recovering those devices as quickly as possible, using automated global theft recovery services, minimizes downtime for the employee and ultimately for the organization. Interim devices may need to be provided by the organization for employees who have no backup mobile device of their own.
Auditors should review asset-recovery processes and provide recommendations on the appropriateness of the processes, timeliness of recovery, and impact to business operations of lost or stolen devices.
9. Does your organization use a publicly available file-sharing ("box") service to transmit corporate data?
Transmitting data outside the organization carries the usual data-in-transit risks that organizations deal with routinely. However, in a BYOD environment employees are often left to find their own means of accessing files and information, and frequently resort to publicly available "box" services. An organization intending to support BYOD must instead provide a secure "box" service, including the capacity to deactivate downloaded files after a specific timeframe or event. For example, Board papers downloaded to a mobile device must be deleted after the relevant Board meeting, when they are no longer needed.
Auditors should independently confirm the security of file transfer and cloud storage arrangements, including how and when downloaded copies are removed from devices.
10. Has your organization conducted a review of BYOD activity to monitor behaviour, enforce policy requirements and act on the organization's tolerance for breaches?
Mobile device management gives organizations the ability to enforce management and organizational expectations, deactivate users who do not comply, and provide evidence for penalty regimes. Left unsupervised, end-users may not comply with even simple policy directives. Automated tools that alert when rules are breached and give prompt feedback to end-users add robustness to the BYOD initiative.
Auditors should examine management’s supervisory control over BYOD initiatives, including its monitoring of compliance and enforcement of penalties.
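The automated rule check described in questions 5 and 10 can be made concrete. The following Python routine is an added example, not code from the original article: it evaluates a BYOD device inventory against a minimum operating-system version per platform and decides whether to allow, warn or block each device, with a grace period for newly enrolled devices standing in for the organization's stated tolerance for breaches. The policy values, field names, device records and platform list are all invented for illustration. Note the version comparison: versions must be compared numerically, because as strings "15.10" sorts before "15.4" and a naive check would flag the newer release as out of date.

```python
"""Hypothetical BYOD device-compliance check (added example, not from the article).

Evaluates an enrolled-device inventory against a minimum-OS-version policy and
decides, per device, whether to allow, warn or block. Policy values, field
names and the inventory below are all invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: oldest OS version still acceptable on each platform.
MIN_OS_VERSION = {"ios": "16.0", "android": "13", "windows": "10.0.19045"}

# Hypothetical tolerance for breaches: a newly enrolled device gets this long
# to update before an out-of-date OS turns from a warning into a block.
GRACE_DAYS = 14

# Date on which the review is run (fixed so the sample output is reproducible).
REVIEW_DATE = date(2024, 3, 1)


def parse_version(version: str) -> tuple[int, ...]:
    """'15.4.1' -> (15, 4, 1), so that '15.10' compares greater than '15.4'."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    enrolled: date


@dataclass
class Finding:
    owner: str
    action: str  # "allow", "warn" or "block"
    reason: str


def evaluate(device: Device, today: date) -> Finding:
    """Apply the policy to one device and say what should happen to it."""
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        return Finding(device.owner, "block",
                       f"platform '{device.platform}' is not on the approved list")
    if parse_version(device.os_version) >= parse_version(minimum):
        return Finding(device.owner, "allow",
                       f"{device.os_version} meets minimum {minimum}")
    deadline = device.enrolled + timedelta(days=GRACE_DAYS)
    if today <= deadline:
        return Finding(device.owner, "warn",
                       f"{device.os_version} is below minimum {minimum}; "
                       f"update by {deadline.isoformat()}")
    return Finding(device.owner, "block",
                   f"{device.os_version} is below minimum {minimum} and the "
                   f"grace period ended {deadline.isoformat()}")


def run_review(devices: list[Device], today: date) -> dict[str, Finding]:
    """Evaluate a whole inventory; findings are keyed by device owner."""
    return {d.owner: evaluate(d, today) for d in devices}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("alice", "iOS", "17.1.2", date(2023, 1, 10)),
    Device("bob", "iOS", "15.7", date(2024, 2, 20)),       # enrolled recently, OS too old
    Device("carol", "Android", "12", date(2023, 6, 1)),    # OS too old, grace period long over
    Device("dan", "Windows", "10.0.19045", date(2023, 9, 1)),
    Device("erin", "HarmonyOS", "4.0", date(2024, 2, 1)),  # platform not approved
]


if __name__ == "__main__":
    for finding in run_review(SAMPLE_INVENTORY, REVIEW_DATE).values():
        print(f"{finding.owner:6} {finding.action:5} {finding.reason}")
```

In practice the inventory would come from the organization's mobile device management export rather than a literal list, and the "block" action would be wired to that system's deactivation and alerting features; the decision logic, and the evidence trail each Finding records for the penalty regime, stay the same.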
A series of structured steps that caters equally for business needs and for staff flexibility and satisfaction will get Boards and senior executives connected on the devices they like and use, and will provide a robust foundation for rolling that capability out to staff.
Internal auditors are integral to a BYOD rollout because they can give management an independent, technically astute evaluation of the technology issues that disparate devices and operating systems bring. Moreover, they can provide assurance that the organization has addressed the new business issues that arise from connecting employees, contractors and guests to corporate systems through personal devices.
STEPHEN COATES is a Partner at Moore Stephens in Australia, a national Board member of IIA Australia, and a global member of the Institute of Internal Auditors’ Professional Issues Committee.