
ITAudit

BY LANCE SEMER EDITED BY STEVE MAR

AUDITING THE BYOD PROGRAM


The growing business use of personal smartphones and other devices raises new security risks.

Many organizations are taking advantage of "bring your own device" (BYOD) practices that allow employees to use their own personal portable devices to access the company's email and internal network. Among other benefits, businesses can save significant resources when employees are able to use their own smartphones, laptops, and tablets to do their work (see the "BYOD Advantages" sidebar). However, BYOD programs can introduce data security, compliance, and privacy risks, such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. To mitigate these concerns, organizations need to have an effective BYOD policy in place, including a mobile device management (MDM) solution. For their part, internal auditors should evaluate compliance with the policy and assess the MDM's ability to provide multilayered security, policy enforcement, and control across a variety of devices.

Unsecured Devices

Many of today's personal devices are prone to vulnerabilities. For example, a September 2012 article by mobile security firm Duo Security reports that more than half of Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them. In addition, unsecured portable devices may be vulnerable to exploits such as unauthorized carrier billing charges incurred by cybercriminals; illicit sign-up for costly premium text messaging services; and installation of spyware that can steal sensitive data, including credit card numbers, email account logon credentials, online banking credentials, and contact list information. Some hackers have found ways to wipe data stored on a device by sending a text message. Another concern for organizations is e-discovery litigation associated with storing company email and data outside their control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.
Managing Devices Remotely

An MDM solution is a best practice that can enable organizations to manage employee-owned portable devices and enforce security policies remotely, once employees have installed the software on their devices and agreed to the organization's terms and conditions. Ideally, an MDM solution should strike a balance between providing enterprise security and preserving the employee's user experience, convenience, and privacy. Indeed, some products can configure portable devices to have two separate logical "containers" that segregate business from personal data. This method permits the employee's personal data to remain private while enabling the organization to control only the business container where the organization's apps, data, and email reside. Once installed, an MDM solution can enforce numerous security policies. Auditors should verify that the following policies are in place:

- Anti-malware and firewall policy. Mandates installation of security software to protect the device's apps, content, and operating system.
- App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
- App-vetting policy. Ensures that only trustworthy "whitelisted" apps can be installed, and blocks "blacklisted" apps that could contain malicious code.
- Encryption policy. Ensures that the contents of the device's business container are encrypted and secured.
- PIN policy. Sets up PIN complexity rules and expiration periods, and prevents reuse of old PINs.
- Inactive-device lockout policy. Locks the device after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
- Jailbreak policy. Prohibits jailbreaking or rooting, that is, unauthorized alteration of the operating system restrictions configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
- Remote wipe policy. Erases the device's business container contents should the device be lost or stolen.
- Revoke access policy. Disconnects the employee's device from the organization's network when the MDM's remote monitoring feature determines that it is no longer in compliance.

INTERNAL AUDITOR, FEBRUARY 2013

BYOD ADVANTAGES

Implementing a BYOD program can have benefits for both employees and their organization.

ORGANIZATION
- Eases overhead by eliminating the need to manage a service provider.
- Eliminates overhead needed to monitor usage and cost overruns exceeding contractual limits.
- Eliminates the need to manage and pay for service plans, individually managed calls, and data usage.
- Increases employees' productivity by enabling them to work when traveling or away from the office.
- Eliminates or reduces IT infrastructure resources and associated costs.
- Provides a recruiting incentive for prospective employees who want to use their own devices.

EMPLOYEES
- Employees are free to choose the device they want.
- Employees avoid the burden of carrying an additional company-issued device.
- Morale may be higher because employees are not forced to use devices they don't like.
- The ability to telecommute using their own devices can enhance employees' quality of work and personal life.
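As an added illustration of how the policy list above translates into an auditable check, the following Python script is not code from the article or from any MDM vendor. It applies the PIN, lockout, update, app-vetting, encryption, jailbreak and anti-malware policies to a constructed device inventory export and decides, per device, whether the remote wipe or revoke-access policy applies. Every field name, threshold, app identifier, and inventory record is an assumption made for this example; real MDM exports use vendor-specific schemas, and an auditor would take the thresholds from the organization's written BYOD policy.

```python
"""Added example (not from the article or any MDM vendor): apply the BYOD
policies above to a device inventory export and decide, per device, what the
remote wipe and revoke-access policies require.

Field names, thresholds, app identifiers and sample records are assumptions
made for this example; real MDM exports use vendor-specific schemas."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    """Thresholds an auditor would take from the written BYOD policy (assumed values)."""
    min_pin_length: int = 6
    max_pin_age_days: int = 90          # PIN expiration period
    max_inactivity_minutes: int = 5     # inactive-device lockout
    max_patch_age_days: int = 30        # app/OS update policy
    blacklisted_apps: frozenset = frozenset({"com.example.cracked-store"})
    whitelisted_apps: frozenset = frozenset()   # empty means no whitelist is enforced


@dataclass(frozen=True)
class Device:
    """One row of a (constructed) MDM inventory export."""
    device_id: str
    user: str
    status: str                  # "active" or "lost" (reported by the user or help desk)
    jailbroken: bool
    container_encrypted: bool
    antimalware_installed: bool
    auto_update_enabled: bool
    os_patch_date: date
    pin_length: int
    pin_set_on: date
    pin_reused: bool             # MDM flags a PIN that matches its history
    lock_after_minutes: int      # 0 means auto-lock is disabled
    installed_apps: tuple


def findings(dev: Device, pol: Policy, as_of: date) -> list[str]:
    """Return the names of the policies the device violates (empty = compliant)."""
    out: list[str] = []
    if not dev.antimalware_installed:
        out.append("anti-malware/firewall")
    if not dev.auto_update_enabled or (as_of - dev.os_patch_date).days > pol.max_patch_age_days:
        out.append("app/OS update")
    apps = set(dev.installed_apps)
    bad = apps & pol.blacklisted_apps
    if pol.whitelisted_apps:            # whitelist mode: anything not approved is a finding
        bad |= apps - pol.whitelisted_apps
    if bad:
        out.append("app-vetting: " + ", ".join(sorted(bad)))
    if not dev.container_encrypted:
        out.append("encryption")
    if (dev.pin_length < pol.min_pin_length or dev.pin_reused
            or (as_of - dev.pin_set_on).days > pol.max_pin_age_days):
        out.append("PIN")
    if dev.lock_after_minutes <= 0 or dev.lock_after_minutes > pol.max_inactivity_minutes:
        out.append("inactive-device lockout")
    if dev.jailbroken:
        out.append("jailbreak")
    return out


def action(dev: Device, pol: Policy, as_of: date) -> tuple[str, list[str]]:
    """Remote wipe for lost/stolen devices, revoke access for non-compliant ones."""
    if dev.status == "lost":
        return ("wipe-business-container", [])
    f = findings(dev, pol, as_of)
    return ("revoke-access", f) if f else ("allow", [])


# Constructed inventory; dates are relative to the assumed audit date below.
AS_OF = date(2013, 2, 1)
DEFAULT_POLICY = Policy()
SAMPLE_INVENTORY = [
    Device("D-1001", "alice", "active", False, True, True, True, date(2013, 1, 20),
           6, date(2012, 12, 15), False, 5, ("com.example.mail", "com.example.docs")),
    Device("D-1002", "bob", "active", True, True, True, True, date(2012, 11, 1),
           4, date(2013, 1, 10), False, 30, ("com.example.mail", "com.example.cracked-store")),
    Device("D-1003", "carol", "lost", False, True, True, True, date(2013, 1, 25),
           6, date(2013, 1, 5), False, 5, ("com.example.mail",)),
    Device("D-1004", "dave", "active", False, True, True, True, date(2013, 1, 28),
           6, date(2013, 1, 30), True, 5, ("com.example.mail",)),
]


def audit_report(inventory=SAMPLE_INVENTORY, policy=DEFAULT_POLICY, as_of=AS_OF) -> dict:
    """Map device_id -> (action, findings) for every device in the export."""
    return {d.device_id: action(d, policy, as_of) for d in inventory}


if __name__ == "__main__":
    for dev_id, (act, why) in audit_report().items():
        print(f"{dev_id}: {act}" + (f" ({'; '.join(why)})" if why else ""))
```

Run against a real export, the report is the evidence an auditor wants for the revoke-access policy: every device flagged "revoke-access" should also appear as disconnected in the MDM console, and any that does not is a control gap. The whitelist branch shows why app vetting needs an explicit mode: with no whitelist configured, a device carrying an unvetted app passes unless the app happens to be blacklisted.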

The Low-end Approach

Organizations that do not yet have an MDM solution in place can still provide guidance for those employees who use their mobile devices to access company data and email. As an interim measure, management can have employees read and sign an acceptable-use document stipulating that they agree to take proactive measures to secure their portable devices and that they give the organization's IT or information security department the right to inspect devices for policy compliance. Devices that fail inspection should be disconnected from the organization's network, and business content should be wiped until the device is brought back into compliance. Internal auditors should evaluate inspection practices to ensure that they are in place and operating as designed. As much as practical, employees should conform to the same security policies that MDM solutions enforce. Moreover, organizations should consider a variety of additional measures, including:

- Setting the Bluetooth feature to nondiscoverable mode, or disabling it altogether if it is not needed. This protects against connections from other devices that could upload malware.
- Using a virtual private network or a secured (HTTPS) website connection when accessing company email and data through a public Wi-Fi hotspot.
- Not forwarding company email messages to noncompany computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.
- Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner's manual or seek assistance from their service provider if they are unsure how to configure their personal devices.

Reimbursement Strategy

An equitable BYOD reimbursement policy should be considered to compensate employees for work-related use of their devices when the organization mandates it. Employees are accountable for paying their monthly bill to their service provider because the contractual relationship exists between them and the provider, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, auditors should evaluate reimbursement practices to ensure controls are in place to prevent abuse, as well as assess compliance with compensation policies.

Assessing Risks and Policies

Based on growth projections for BYOD and its potential risks, internal auditors should get involved in assessing their organization's BYOD risks and evaluating MDM and other policy solutions to determine their adequacy to protect the organization's proprietary and sensitive information. Moreover, they should ensure that the organization's BYOD practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.
LANCE J. SEMER, CIA, CISA, CISSP, is the information security officer for Washington Federal based in Seattle.


Copyright of Internal Auditor is the property of Internal Auditor and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
