Bring your own device (BYOD) Harnessing the opportunities and mitigating the risks using ITIL and RESILIA. Sharon Taylor. AXELOS.

White Paper, January 2016

Contents
Introduction
Where BYOD came from
The value of BYOD to an organization
Risks and common concerns of BYOD
Service management capability
Mitigating the risks
BYOD and asset management
ITIL and RESILIA processes and control objectives for BYOD
BYOD and the service desk
Monitoring BYOD
BYOD policies
Communicating the policy
Future planning
About the author
Acknowledgements
About AXELOS
Trade marks and statements

1 Introduction

Successful businesses today thrive on a global presence and a workforce that appears to be everywhere at once. The internet economy is no longer a niche marketplace but a business delivery mechanism embedded in every organization. Whether the intent is to broadcast business services, transact electronically or generate new customers and market segments, almost every organization, large or small, faces the challenge of managing a reliable, secure and competitive presence that is fluid in nature and increasing in scope.

Organizations are slower to change than individuals when it comes to adopting new technology. This disparity between how quickly a business can adopt, prepare and deploy new technology and how quickly its workforce does so has created the Bring Your Own Device (BYOD) phenomenon.

Not all organizations that adopt a BYOD programme experience positive results. Why do some succeed in adopting a BYOD strategy while others fail? What makes these organizations different from one another? The reason can be quite simple. Those who succeed usually have a higher level of service management maturity. They recognize that business as usual (BAU) has to change in order to keep the business mobile, and that a service management approach works equally well in mobility computing.
Service management styles have also changed as the technology that enables service management has itself become mobile, and the models used to implement service management move to keep up with changes in business styles.

2 Where BYOD came from

BYOD was a concept waiting to happen. Businesses and organizations were signing deals tying them into the hardware and software of large IT companies, partly to take advantage of economies of scale in their IT purchasing, but also to minimize the number of platforms the IT service department had to contend with and to lock down data within their systems. In response, individuals within the organization, employees and contractors alike, began to follow their preference for devices that they had tailored to their own specific ways of working. Developers, in particular, had workflows and working practices built around their favoured computers, operating systems, applications, integrated development environments (IDEs) and editors. Often this involved a move away from proprietary systems to more open ways of working. Open source platforms and agile development methodologies were encouraging a transparency that appealed to programmers for both practical and ideological reasons. Their productivity was frequently contingent on workflows that had become second nature; using their own devices, they could achieve in minutes what otherwise might have taken hours.

Some organizations recognized that allowing their staff to use their own devices was not a threat to their business but a way of keeping high-performing staff happy in their work. As start-ups were acquired (agile, quick on their feet, built around open platforms and open data, and achieving growth that the purchaser could only dream of), the acquiring company became conscious that to change the newcomer's ways of working was to risk destroying the very advantages the start-up had been bought to acquire.
Rather than force their own technology onto the new acquisition, parent companies benefited from adopting the new company's working practices.

It wasn't just developers who saw the advantage of using their own devices rather than being stuck with the computers the organization provided. Managers found that taking a personal tablet into a meeting made for a more compelling presentation than could be achieved with a company-assigned laptop. Employees who were normally tied to their desktops discovered that accessing webmail on their own PC freed them up to work from home. Similarly, checking their email on a personal smartphone meant salespeople could keep themselves informed about cancelled appointments, train, plane or traffic delays, and the goings-on within the office. This consumerization of IT was a function of a consumer-driven enterprise, and businesses that ignored the shift did so at their peril. Many have lost competitive advantage by stifling innovation within a locked-down environment.

The thought of adopting a BYOD policy brings to mind a substantial list of pros and cons, for example: lower asset costs for companies versus increased security concerns, or the freedom for an individual to choose their tools of productivity against the headache of supporting an overly complex technology infrastructure. These are legitimate considerations. To make things trickier, the BYOD phenomenon is only going to grow more complex as it continues its rapid growth. For example, according to Gartner, by:
- 2016, 38% of companies expect to stop providing devices to workers
- 2017, half of employers will require their employees to provide their own devices
- 2020, 85% of companies will provide some sort of BYOD programme. [1]

Clearly, there is no escaping the evidence that if your organization isn't already managing employee-owned devices, it soon will be.
The benefits of adopting a BYOD policy are also becoming harder to ignore and, as the industry gets used to managing this kind of environment, the risks are being mitigated by adapting service management frameworks that balance agility, flexibility and security needs. This means that an organization with the right blend of policy, planning and skill, following best practices such as ITIL and RESILIA, can successfully leverage BYOD as a best-of-breed philosophy that reaps dividends on the balance sheet.

3 The value of BYOD to an organization

Figure 3.1 BYOD collaboration trends

A well-managed BYOD practice can and does save money (see figure 3.1). Obvious benefits to organizations include:
- Productivity gains through empowering a mobile workforce
- Enabling remote workers and flexible working styles
- Lowering or offsetting the cost of ownership for mobility devices (which depreciate rapidly)
- Reducing the amount of physical office space needed
- Improving service continuity through the ability to work anywhere in the event of workplace disasters
- Improved cycle time for business decision-making and transactions with customers.

Most CEOs would agree that these benefits mirror the larger strategic business goals of their organizations. What isn't as clear is how these benefits can be realized in practice, and how the maturity level of existing service management-related policies and practices either magnifies or erodes them. Evidence is emerging that there is a direct correlation between the success of a BYOD programme and the maturity of the organization's service management policies and practices. At the heart of this is ITIL. With a reputation in the IT industry for being the most mature, well-accepted and widely adopted service management framework, the chances of successfully developing and implementing a BYOD policy can be significantly improved by using ITIL practices within an organization.
The maturity of ITIL magnifies the benefits and mitigates the risks of adopting a BYOD strategy.

4 Risks and common concerns of BYOD

Value is achieved when reward is balanced with risk. This is clearly felt within an organization that has chosen to adopt a BYOD programme. Data control and security rank among the highest risk-related concerns for companies opening up to BYOD practices. Asset ownership and control has traditionally allowed for a (sometimes false) sense of security within an organization. For example, the advent of cloud computing, whilst offering clear cost and administrative advantages, raised fears over the control and security of corporate information when it is managed outside the organization. As cloud computing matured, the use of sound security, cyber resilience and service management practices among cloud providers and their customers addressed the risk and control concerns. As such, the adoption of cloud has continued to accelerate, with escalating benefits for all, demonstrating that a company does not necessarily need to own assets in order to secure its data and mitigate risk. Similar evidence is emerging with respect to BYOD. Again, the key success criteria are the adoption of, maturity in and dedication to solid service management frameworks. ITIL and RESILIA are at the forefront of this.
Common concerns expressed by organizations regarding the adoption of a BYOD policy include:
- How to integrate personal devices into the business environment
- How to manage the complexity of supporting multiple operating systems and platforms
- How to integrate BYOD with cloud providers of corporate services
- How restricted access to corporate information should be on personal devices, versus how much access is needed to achieve the desired flexibility
- Understanding and abiding by legal and regulatory requirements
- How to respect the privacy of personal data on a user's device
- How to monitor inappropriate content on a personal device in the workplace
- How to successfully manage service changes across a rapidly changing range of personal devices
- How to deal with mobility computing in organizations that use contract, part-time and non-traditional working relationships
- How to ensure the device is used in a way that supports business objectives
- How to roll out security policies
- Whether or not to subsidize the cost of personal devices
- How to determine an appropriate data usage plan.

The potential list of risks and concerns is almost endless. Navigating the challenge of adopting a successful BYOD programme first requires taking a step back.

5 Service management capability

Research suggests that the more mature an organization's service management practices are, the better BYOD is managed. This is because personal devices used within a BYOD programme are really nothing more than tools to deliver business services. As such, they are service assets. While they are not owned by the organization, they are nonetheless part of the business service spectrum and must be supported, configured, managed and controlled to the degree necessary to ensure their productive and responsible use as a means to fulfil business requirements.
They should be monitored and maintained the way any other service asset would be, and subject to the same rigour of scrutiny, risk profiling, security assurance and governance as a server, a paper document or an email that contained or accessed corporate information. Subjected to the basic ITIL service management processes of incident, change, configuration and security management, the personal device is no more or less a risk exposure than anything else.

When assessing how a BYOD programme should be approached, every organization should use service strategy as a starting point. It should examine how personal devices will be used in the organization and what policies should be in place, communicated, accepted and enforced, long before permitting users to access corporate information on a personal device. Next, assess how current service management processes can work with personal devices and identify where gaps exist and where improvements and changes are needed. Once these things are addressed, an organization can take the next step: assessing the risks.

Figure 5.1 BYOD policy must strike a balance between productivity and security

6 Mitigating the risks

Most organizations have some level of risk tolerance. The factors for assessing risk tolerance should be simple, but they are often misinterpreted. First you need to be able to correctly identify what a risk is. The AXELOS RESILIA portfolio is built upon the RESILIA: Cyber Resilience Best Practices guide. Its focus is on ensuring an organization has the ability to protect against, detect, respond to and recover from cyber incidents, and a good lesson can be taken from its approach to risk management and applied to BYOD. To illustrate this, let's examine the following scenario:

You get into your car and place your handbag on the passenger seat, then remember you've left your sunglasses in your house. You quickly run back inside to get them, briefly leaving the car unsecured and unattended. You return to find your purse missing from your handbag. In those brief moments, you made two decisions that exposed you to risk:
1. You decided that the vulnerability was minimal, since you were only running quickly into your house and then right back out.
2. You knew instinctively there was a possibility of a threat but chose to accept that it was highly improbable.

6.1 WHAT IS A RISK?

RESILIA describes risk as a possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. [2] The risk in this context is the loss of the purse (or, more specifically, the contents of the purse).

Image 6.1 The purse is the asset; leaving the car unsecured is the vulnerability; the loss of the purse is the risk; the theft of the purse is the threat; the thief is the threat actor.

6.2 WHAT IS AT RISK?

In every case, what is at risk is an asset. An asset could be information, data, a device, etc. In this case, the asset is the purse that has been left in an unsecured car.

6.3 HOW LIKELY IS IT TO HAPPEN?

This is the probability that a threat actor will strike, and is a factor in measuring risk. You may think that, because you will only be gone for a minute or two, the probability that a thief (the threat actor) will just happen to be nearby is very remote. By leaving the car unsecured, you accept that level of risk.

6.4 HOW VULNERABLE IS THE ASSET?

A vulnerability is a weakness or flaw in the protection of the asset that could be exploited by a threat. In this example, the vulnerability is the unlocked car and the purse in plain sight.

6.5 WHAT IMPACT WOULD RESULT IF IT HAPPENED?

Impact is relative to the service itself. In this case, the result is the theft of the purse and its contents (money, credit cards, driving licence etc.) and the loss of money or compromise of confidential data that would subsequently occur.

When it comes to risk tolerance and BYOD programmes, the mistake is to focus on the minutiae, i.e. the device itself. In this example, it is not the purse, its contents or even the car that is the risk. It is the action of choosing to leave the car unattended while it is not secured, even for a moment. Now imagine that the purse is a BYOD phone, tablet or laptop, and this is the context in which mitigating risk needs to be placed. It is not the personal device, or the information it has access to, that carries the bigger risk. It is the action of the user that has created the vulnerability. The risk to the assets can frequently be mitigated through how the device is used.

7 BYOD and asset management

IT asset management (ITAM) has been around for a few decades now and many organizations are familiar with its principles. Published standards are available with guidance for asset management, software asset management (SAM) and ITAM. As mobile computing emerged, the industry responded with mobile device management (MDM) solutions to help organizations manage both the security and the use of the asset itself. BYOD, and the corporate security and controls it requires, adds complexity to MDM. Simply gathering information about how many devices there are, which device each user has and what applications they have installed is not a complete picture. It must also take into consideration user practices, identity, access control, and the confidentiality, integrity and availability of the data being accessed at any moment. It is beneficial to take a broader view of personal device use from a mobility asset management (MAM) perspective, positioned within ITAM. There are synergies between the ITAM and MAM approaches:
1. Inventory the environment
2. Categorize both fixed assets and mobile devices
3. Define minimum security controls
4. Establish an ongoing risk-assessment process
5. Develop system security plans for fixed assets and mobile assets
6. Conduct regular certification and accreditation of the systems
7. Provide ongoing monitoring of the IT environment.

8 ITIL and RESILIA processes and control objectives for BYOD

ITIL and RESILIA have a similar structure and approach in this regard, and lend themselves well to BYOD, with process and control objectives such as (but not limited to):

Service asset and configuration management:
- Understanding what devices are being used within the corporate environment
- Understanding how they are configured
- Being aware of the impact they have on business services
- Inventorying and categorizing mobile devices.

Change management:
- Ensuring devices are subject to change controls
- Ensuring consistent platform compatibility and security with corporate applications and data as they change.

Information security management:
- Creating policies that govern how information is accessed and used on personal devices
- Defining minimum security controls
- Defining system security plans
- Ensuring adherence to BYOD and security policies.

Service level, availability and capacity management:
- Agreeing on service support, assurance and stability for mobile devices.

Risk management:
- Profiling risk
- Assessing risk
- Monitoring risk.

Event management:
- Monitoring device use
- Detecting events and responding.

Incident management:
- Support and response.

Access management:
- Rights and permissions to corporate systems and information
- User authentication.

Records and information management (RIM):
- Managing the information lifecycle, including identifying, classifying, storing, securing, retrieving, tracking and destroying or permanently preserving records.

9 BYOD and the service desk

There are two facets to consider when thinking about BYOD and the service desk:
1. The model of service desk needed for dealing with requests and incidents within an organization that has adopted a BYOD policy
2. Using BYOD as part of the model for the service desk itself.

As part of adopting a BYOD strategy, an organization should consider the benefits of the agility offered against the cost of supporting it. The service desk contributes greatly to cost, since the knowledge, tools and support model itself will be influenced by the complexity of the environment being supported. Strategic decisions about how BYOD is adopted within an organization can play a major role in balancing cost with benefits. Some examples of BYOD policy choices that could have an impact are:
- Supporting the device, or only the corporate apps and information used on it
- The range of devices that can be included as part of a corporate BYOD programme
- Detecting compliance or security breaches and how they are dealt with. Will the service desk staff be responsible for invoking wipe and detach decisions, and will they have the power to wipe all information on the device?
- Building and maintaining service desk skills to manage the increased complexity. What will the service desk manage and what wil
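The ITAM/MAM steps in section 7 (inventory the environment, categorize devices, define minimum security controls, assess and monitor) and the information security management objectives in section 8 (defining minimum controls, ensuring adherence to policy) are the parts of a BYOD programme that can be checked mechanically rather than by reading spreadsheets. The Python below is an added example for this page; it is not code from the paper, from AXELOS or from any MDM product. It evaluates a constructed device inventory against hypothetical minimum controls and returns an action per device. The field names, the OS thresholds, the sample records and the allow/quarantine/block actions are all assumptions chosen for illustration.

```python
"""
Minimum-security-controls check over a BYOD device inventory.

Added illustration for this page, not code from the AXELOS paper or from
ITIL/RESILIA. The control thresholds, device records and actions below are
constructed assumptions; in practice the records would come from an MDM/UEM
export and the thresholds from the organization's own BYOD policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical minimum OS version per platform (step 3: define minimum controls).
MIN_OS_VERSION = {
    "ios": (16, 0),
    "android": (12, 0),
    "windows": (10, 0),
    "macos": (12, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '17.1.2' into (17, 1, 2) so versions compare numerically.

    Comparing version strings lexically is a classic mistake: '9.1' > '10.2'
    as strings, so an out-of-date device would pass the check.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Device:
    """One inventory record (step 1: inventory the environment)."""
    device_id: str
    owner: str
    platform: str
    os_version: str
    encrypted: bool      # storage encryption enabled
    screen_lock: bool    # passcode/biometric lock enforced
    rooted: bool         # jailbroken or rooted
    mdm_enrolled: bool   # under mobile device management
    ownership: str = "personal"   # step 2: categorize; "corporate" or "personal"


def evaluate(device: Device) -> Tuple[str, List[str]]:
    """Assess one device against the minimum controls.

    Returns (action, findings) where action is one of:
      allow      - meets all minimum controls
      quarantine - missing a control the user can remediate
      block      - rooted, or on a platform the policy does not cover
    """
    findings: List[str] = []
    if device.rooted:
        findings.append("rooted/jailbroken")
    if not device.mdm_enrolled:
        findings.append("not enrolled in MDM")
    if not device.encrypted:
        findings.append("storage not encrypted")
    if not device.screen_lock:
        findings.append("no screen lock")

    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        findings.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version) < minimum:
        findings.append(f"OS {device.os_version} below minimum "
                        + ".".join(map(str, minimum)))

    if device.rooted or minimum is None:
        action = "block"
    elif findings:
        action = "quarantine"
    else:
        action = "allow"
    return action, findings


def assess_inventory(devices: List[Device]) -> Dict[str, Tuple[str, List[str]]]:
    """Steps 4 and 7: run the assessment over the whole inventory."""
    return {d.device_id: evaluate(d) for d in devices}


def summarize(results: Dict[str, Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count devices per action, for the monitoring report."""
    counts = {"allow": 0, "quarantine": 0, "block": 0}
    for action, _ in results.values():
        counts[action] += 1
    return counts


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Device("D-001", "alice", "ios", "17.1", True, True, False, True),
    Device("D-002", "bob", "android", "11.0", True, True, False, True),    # OS too old
    Device("D-003", "carol", "android", "14.0", True, True, True, True),   # rooted
    Device("D-004", "dave", "ios", "16.4", False, True, False, False),     # unencrypted, unenrolled
    Device("D-005", "erin", "windows", "10.0", True, False, False, True),  # no screen lock
    Device("D-006", "frank", "linux", "6.5", True, True, False, False),    # platform not in policy
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for device_id, (action, findings) in results.items():
        print(f"{device_id}: {action:10s} {'; '.join(findings) or 'meets minimum controls'}")
    print(summarize(results))
```

Two points worth noting when turning this into a real control. First, the booleans here are taken at face value; in production they should come from the MDM agent's attestation of the device state, not from a user questionnaire, otherwise the check measures what people say rather than what the device is. Second, "quarantine" is deliberately distinct from a wipe: restricting corporate access until the user fixes encryption or enrolment preserves the privacy of personal data on the device, which section 4 lists as one of the common concerns, and leaves the wipe-and-detach decision to the policy and service desk model discussed in section 9.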