This document discusses bring your own device (BYOD) policies in the workplace. It begins by introducing BYOD as allowing employees to use personal mobile devices for work. Benefits include increased productivity and employee satisfaction, while costs are reduced. However, less security, management challenges, and lack of device control are cons. The document outlines regulations like HIPAA that apply. Mobile devices face threats like loss, theft, rogue apps, and jailbroken devices. Effective security includes mobile device management, antivirus, VPN, and policies governing device usage and access. Legal issues and privacy must also be considered. In conclusion, while BYOD is becoming standard, organizations must regulate usage through clear policies, training, and security measures.

1. BYOD:
Bring your own demons?
ÁNGEL L. TRINIDAD RIGAU
C|HFI, CFE, CISA, MCTS, MCITP, MCSA, MCT, CICA

2. Agenda
 Introduction
 Benefits
 Cons
 BYOD and Regulations
 Hostile Environment - Threats
 Security Enhancement
 Legal Matters
 Final Thoughts
 Questions

3. Introduction
 Bring your own devices (BYOD), it’s a new trend
of permitting that employees can bring
personally owned mobile devices (smartphones,
tablets and laptops) to the workplace and use
those devices to access, store or create
company information.
 The rapid rise of mobile devices and the
introduction of them to the workplace bring new
security and operational issues to companies.

4. Benefits
 More productive employees
 24/7 access to the company’s email and information
stored in the company’s servers.
 Higher morale among employees because they can
use the technology that they want and not what the
company provide.
 Low or no cost to the company
 Hardware is bought and maintained by the employee
 Sometimes, carrier calls and internet cost also are
paid by the employees
 Advantage of new technology

5. Cons
 Less security
 Administrative cost
 Software acquisition to manage mobile devices
 Develop policies and procedures
 Management issues
 Infrastructure costs
 Service (Carriers) cost
 Not full control of the device

6. BYOD and Regulations
 HIPAA
 Protect private data
 Encrypt emails and data
 On the device
 On the transmission
 Remote management of devices
 Controls to access data and
applications
 Monitoring
 Malware and threats protection
 Compliance reporting
 PCI/DSS
 Explicit approval of authorization to use the
device
 Authentication (two factor authentication)
 Comprehensive list of devices (make and
model) and OS (iOS, Android, Windows, RIM)
 List of personnel with access to this devices
 Labeling of devices with owner information
 Device encryption
 Transmission security (SSL/TLS, IPsec)
Mobile Devices and personal/confidential data are heavily regulated in some industries.
Not recommended or have a lot of aspirins at hand. A violation of any regulation carried
a fine. (up to 1.5 Millions per violation on HIPAA) (Other Regulations: GLBA, HITECH, SOX)

7. Hostile Environment-Threats
 Lost or stolen devices
 The very best advantage of mobile devices is It’s
worst enemy. Mobile devices are small, compact and
…. Yes, MOBILE. Lost or stolen devices are the
pinnacle of BYOD threats.
 Attack surface
 Rogue apps can extract contact information and
data from mobile devices.
 Even if you only allow authorized app, a scan of a QR
code can download an app.

8. Hostile Environment-Threats
 Attack vector
 Attackers can connect mobile devices to open
wireless access points and start scanning your
network.
 Backtrack (and now KALI) have ARM versions that
can be installed and be used in mobile devices.
 Rogue Apps
 Apps should be sandboxed. Only allow authorized
applications on devices with company’s data stored.
 Rogue apps are entryways of malware infections.

9. Hostile Environment-Threats
 Jailbrake/ Rooted Devices
People tend to crave for power and control.
One thing they do first with mobile devices is
jailbrake or root it. This open a new window of
threats. Access of rogue applications (and
users!) to the root account could be
dangerous to the company’s data.

10. Security Enhancement
 Management
 A plethora of mobile devices exist with different models, OS’s, that a possible
chaos could erupt at any moment.
 List of all devices allowed access to the company and prepare a periodical
reports.
 Look for unauthorized devices on you network
 Mobile Device Management
 Mobile expense control (downloads, roaming and international costs)
 Remotely locate, lock and wipe lost devices
 Security control checks
 Anti-virus
 Lock mechanism
 Apps
 Jailbreak/root
 Automatically wipe company data

11. Security Enhancement
 OS Update
 Look for solutions that include different os.
 Notification to users
 SMS before wiping, exceeding data or service plan limit
 Personal data segregation
 Photos, email, calendar, call logs, voicemail, texts
 Protect entryways to Corporation
 Firewall rules checked and double checked!
 Secure wireless access points
 Single recurrent error
 VPN
 Quarantine unauthorized devices

12.  Enrollment
 Bulk enrollment or single enrollment
 Authentication with Active Directory
 Policy
 Reason for authorization
 Devises allowed on company infrastructure
 Data services or personal plan (Stipend)
 Security
 Applications Authorized
Security Enhancement

13.  Cont. Policy
 Services Provided
 What data the employee can access with the device
 Help desk services to personal device
 Agreement between employee and company
 Personal data
 Education of employees of the risk associated with BYOD
 Training of encryption application and communication
 Not every “C” level employees knows about encryptions and
safe communications
Security Enhancement

14. Legal Matters
 First thing first- I'm NOT a Lawyer
 Legal issues may arise
 If the employee Is a suspect in an internal
investigation, can I take possession of the mobile
device for analysis?
 The employee may be accountable for any access
from the mobile device if he/she lost it?
 Privacy?

15. Final Thoughts
 BYOD is here to stay
 Prepare an analysis of the pros and cons of the
implementation of BYOD in your company
 Regulate the use of BYOD
Policies anyone?
Training programs for employees

16. Questions?
Ángel L. Trinidad
787-461-8111
atrinidad.mct@outlook.com