This report presents a risk assessment of the BYOD policy in an organization, based on the threat agents, the consequences and the impact of the threats on the organization's information assets. It also sets out the information security strategies to be implemented to counter the BYOD policy threats.
RISK ASSESSMENT: BYOD POLICY

Table of Contents
Executive Summary
Introduction
Risk Assessment
  Threat Agents
  Vulnerabilities
  Consequences of BYOD Threats
  Impact
BYOD Protection Mechanisms for Information Security (Literature review)
  Safeguards
Conclusion
References
Executive Summary

This report presents a risk assessment of the BYOD policy in an organization, based on the threat agents, the consequences and the impact of the threats on the organization's information assets. The report analyzes different vulnerabilities and how they may affect the corporation's information system if they are exploited. It also sets out the information security strategies to be implemented to counter the BYOD policy threats. Bring Your Own Device (BYOD) policies allow employees to use their own electronic devices, such as laptop computers, tablet PCs and smartphones, to carry out their official duties and responsibilities. An organization can fully comprehend the BYOD policy threats and vulnerabilities by undertaking a risk assessment of its information systems.

Introduction

More and more corporations are implementing Bring Your Own Device policies, which allow employees to use their own electronic devices, such as laptop computers, tablet PCs and smartphones, to carry out their official duties and responsibilities. Employees therefore have private terminals from which to access the organization's information resources. However, implementing BYOD in an organization carries various risks, including information theft, data leakage, network availability problems, loss of application security and legal liability. Organizations therefore require a well-designed cyber security framework to protect their information system resources from these potential threats. Information is vital to an organization's operations, strategic objectives and brand, and is also of critical value to the clients and consumers who use the organization's products and services. The information can therefore be considered an organizational asset: it has a value, and it has vulnerabilities that threats can exploit to harm the asset and the organization as a whole.
An organization's information assets must be protected from these risks by implementing a range of security strategies. To understand the risks that BYOD policies and processes pose to the information assets of an organization, a risk assessment must be undertaken to identify the threats, the key threat agents, the vulnerabilities they exploit and their potential impact on the assets. The organization should develop a BYOD policy that contains the procedures and regulations to be followed when personal devices are used at the workplace. Other strategies include strongly encrypting the organization's data that is accessed through mobile devices and encrypting the data communication channel (Densham, 2015). The organization should regularly update the operating system and the system software, and the IT administrator should ensure that users with personal mobile devices keep their antivirus software and authentication measures up to date. Various tools and techniques should also be implemented, including application containerization software, which ensures that applications run in isolation and prevents other applications from accessing their data. Data Loss Prevention techniques allow network administrators to monitor employees' activities on the network, locate the source of any security breach and respond quickly to that threat (Martin, Martin, Hankin, Darzi, & Kinross, 2017).
Merits of BYOD

Adopting BYOD in an organization brings numerous benefits, including improved productivity, reduced costs, efficiency of work and convenience. Users face fewer complications with operating systems and applications because they are using their own devices and usually know their way around them. BYOD reduces IT infrastructure expenses because employees bring their own devices. Workplace efficiency is also attained because the policy allows employees to use their devices comfortably in the office. Operational costs such as those for device or software upgrades are avoided, since employees upgrade their own devices and the associated software, and the budget meant for IT operations can then be used for other projects. BYOD improves productivity and convenience because employees can work from anywhere at any time without difficulty. An organization should therefore not shy away from the use of personal devices in the workplace because of the threats that BYOD poses to its information assets; instead, it should develop and implement a strategy to prevent and mitigate the risks of BYOD policies and practices.

Risk Assessment

The essential benefits of undertaking a risk assessment of the organization's information system are outlined below:
i. Risk assessment helps identify the vulnerabilities that hackers could exploit to access the organization's information assets.
ii. Risk assessment leads to the adoption of more secure practices, solutions and policies, and guides the implementation of the information security strategy that best suits the organization.
iii. Risk assessment of an organization's information systems justifies security investments by presenting a fair analysis of the cost of information security measures against the cost of the potential losses from breaches of the information assets.

A key aspect of risk assessment is identifying the threats and determining their likelihood of occurrence. A threat is a physical or logical process that has the potential to negatively affect the operations, information and systems of an organization. In developing an information security strategy and undertaking a risk assessment, the first essential step is to identify and understand the information assets that require protection. The information assets of an organization affect integrity, confidentiality and availability, and support the institution's mission, vision and strategic objectives (Boranbayev, Mazhitov, & Kakhanov, 2015). The information system assets of an organization are:
Human resources: personal data of staff and reports.
Legal: contracts, internal documentation and confidential information on staff.
Finance and Economics: financial information and procurement documentation.
Information Technology: databases, logins and passwords, IT management information and copyright in IT developments.
Research: product test results and research in progress.

Risk identification

The role of this step in the risk assessment is to identify potential threats to the information system. Risks in an information system arise when flaws in the system or its surrounding environment are exploited by threat agents. The risk identification process consists of three core aspects:
i. Identification of the potential threats that could harm the information system
ii. Identification of vulnerabilities within the system's components that could be exploited by the threats
iii. Combination of the threats and the vulnerabilities to identify the risks to which the information system is exposed

Threat Agents

The threat agents facing an organization because of BYOD policies and practices are described below.

Malware
The most persistent and dangerous threat to a corporate information system is malware. The number of malware families has increased rapidly over the past few years (Beckett, 2014). Adopting BYOD means the IT department loses control over the mobile electronic devices employees use, so accidental malware infections go undetected. In a BYOD environment, malware exploits existing vulnerabilities in employees' mobile devices to steal the corporation's confidential data.

Insecure Wireless Networks
Under BYOD, employees can connect through public wireless networks and home networks. The configuration of these networks outside the office is unknown and outside the organization's information security scope, yet the organization's information assets are accessed through them. Through such insecure communication channels, interception can be used to steal or corrupt the organization's information assets.
Fake Certificate Authorities
Certificate-based authentication is widely used over the internet to authenticate computers; certificates are normally issued by certificate authorities (CAs) that are expected to be trustworthy. Electronic mobile devices usually come with factory-preloaded CA credentials but also allow the user to remove existing ones or add their own (Vignesh & Asha, 2015). In a BYOD context, an employee may be deceived into adding fake CA credentials or an impersonated trusted digital certificate to the mobile device, which the hacker then uses to steal sensitive corporate data.

Phishing
Phishing scams delivered by email are becoming more common in the cybercrime world, because they are supported by unsanctioned employee collaboration environments such as social networks and cloud services, where they spread with ease (Densham, 2015). A well-structured phishing email can be used by scammers to evade traditional network security frameworks and steal the company's information. Under BYOD, device protection is left to the employee, so hackers can use phishing scams to reach the company's sensitive and critical information assets without difficulty or detection.

Malicious Mobile Applications
In a BYOD context, employees can install unauthorized, non-corporate applications either for leisure or to aid their functions within the organization (Morrow, 2012). These applications can be used by hackers to steal or disclose private corporate information. On rooted mobile devices, such malicious applications can also be granted more privileges, which they use to disseminate spam and send sensitive data to outsiders without authorization.

Social Engineering
The broad adoption of electronic mobile devices under BYOD policies and practices has made it easy for scammers to spread malware through email spam and social networks (Tzoumas, 2013). Because of a lack of security awareness, employees may access social media or open scam emails during their leisure time, which then results in infection of the corporate information network.

Personal and Corporate Information Mixture
Employees use their own devices to conduct personal business and keep in contact with family and friends, while at the same time using them to access corporate databases, servers and networks to carry out their work duties and responsibilities.
Also, under BYOD, IT administrators cannot monitor illegal actions on the corporate data (Yang, Vlas, Yang, & Vlas, 2013). The mixture of personal and corporate information can affect the integrity of the corporate information because the two are difficult to separate.

Using Personal Cloud Services for Information Sharing
An employee who uses a mobile device for personal as well as corporate use ends up storing corporate information on private cloud storage. Personal cloud storage is used to increase availability and flexibility when accessing both personal and corporate information. Cloud services can be hacked, so sharing information through them may expose confidential corporate information to corruption and unauthorized disclosure (Romer, 2014). Employees can also modify or share corporate data, affecting the information's confidentiality and integrity.

Uncontrolled Introduction of Heterogeneous Devices
The variety of electronic mobile devices used by employees to access the information assets of an organization increases the threats to confidential information. The support given by the IT department may be ineffective because of incompatibility between the organization's configurations and applications and the fragmented operating systems and hardware of the devices (Chang, Ho, & Chang, 2014). Lack of proper IT control and monitoring of the mobile devices will therefore result in unauthorized access to sensitive corporate information.

Stolen and Lost Mobile Devices
If an employee's mobile device is lost or stolen while it is still logged on, or has the "remember password" feature enabled, corporate information can be accessed by outsiders. Some employees also keep corporate data after termination, and if the employee is vengeful this can result in the exposure of corporate information and in intellectual property violations (Beckett, 2014).

Vulnerabilities

1. Employee habits as a vulnerability
The primary vulnerability in a BYOD context is the user: intruders exploit employees' habits to lure them into accessing social networks, opening a phishing email during their leisure time or installing a particular application. Intruders then use these activities to gain unauthorized access to corporate information and steal, contaminate or disclose it, compromising the integrity, availability and confidentiality of the corporation's sensitive information.

2. Lack of privilege to stop an ongoing application installation
In some Android applications used on mobile devices, the user does not have the right to terminate an application installation once it has been initiated (Tarle, 2015). An intruder targeting the organization's information system can attach malware to an application and wait for the user to install it.
3. Dated software and non-updated security patches
Another vulnerability to BYOD threats is the use of dated software and security patches that have not been updated to current versions (Mishra, Mathur, Jain, & Rathore, 2013). This gives intruders easy access to steal or contaminate the organization's data.

4. Remember-passwords
Some employees use the "remember password" feature when logging into their corporate accounts on their mobile devices, and this becomes a vulnerability when the device is lost or stolen.

Consequences of BYOD Threats

In risk assessment, the consequences of information system threats can be expressed as loss of trust (integrity), loss of privacy (confidentiality), loss of service and loss of an asset. The consequences of BYOD threats to the information assets of an organization are discussed below.

a) Information Disclosure or Leakage (Loss of confidentiality)
The mixture of corporate and personal information on a mobile device exposes the organization's information to threats that can lead to disclosure, which compromises the information's confidentiality. Spoofing and tampering are also threat vectors. For example, spoofing of databases, cloud services and web applications can result in corporate information being diverted and stored in intruders' repositories. Tampering attacks such as XSS can capture database access credentials, which can then be used to gain unauthorized access to databases (Aphale, Borikar, Kardile, Vasekar, & Shital, 2015). Information traveling through an insecure channel can be stolen by an intruder through sniffing or interception attacks. Figure 1 shows the different threats that result in information disclosure in an organization.

Figure 1: BYOD threats' interactions that result in information disclosure

b) Information Contamination or Corruption (Loss of integrity)
The core consequence of BYOD attacks is information contamination, which compromises information integrity. Contamination arises from threats that exploit employees' habits when accessing corporate information. Corporate databases can be corrupted by means of tampering threats (Aphale, Borikar, Kardile, Vasekar, & Shital, 2015).
Figure 2: BYOD threats' interactions that result in information contamination

Impact

Once the information assets of the organization have been identified and the threats listed, the impact of each threat occurring must be assessed. The impact of a particular threat is evaluated on levels designated as less serious, serious and exceptionally grave.

Table 1: Impact assessment framework
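As an added example that is not part of the report, the Go program below carries the three risk identification steps (threats, vulnerabilities, and their combination) into a small risk register. Each risk is scored with the report's three impact levels and a three-step likelihood scale that is an assumption of this example, the register is ranked, and threat agents from the report that have not yet been paired with any vulnerability are flagged. The threat and vulnerability names are the report's; the pairings and ratings are constructed for illustration, not assessments the report makes.

```go
package main

import (
	"fmt"
	"sort"
)

// Impact levels as named in the report's impact assessment framework.
type Impact int

const (
	LessSerious Impact = iota + 1
	Serious
	ExceptionallyGrave
)

// Likelihood scale: an assumption of this example, the report does not fix one.
type Likelihood int

const (
	Rare Likelihood = iota + 1
	Possible
	Likely
)

// Consequence categories as the report expresses them.
const (
	LossOfConfidentiality = "loss of confidentiality (disclosure)"
	LossOfIntegrity       = "loss of integrity (contamination)"
	LossOfService         = "loss of service"
	LossOfAsset           = "loss of asset"
)

// Risk is one threat agent combined with one vulnerability it can exploit
// (risk identification step iii), with its consequence and assessed ratings.
type Risk struct {
	Threat        string
	Vulnerability string
	Consequence   string
	Likelihood    Likelihood
	Impact        Impact
}

// Score is a simple likelihood x impact rating (1..9), used only for ordering.
func (r Risk) Score() int { return int(r.Likelihood) * int(r.Impact) }

// Threats lists the threat agents the report identifies.
var Threats = []string{
	"Malware", "Insecure wireless networks", "Fake certificate authorities", "Phishing",
	"Malicious mobile applications", "Social engineering",
	"Personal and corporate information mixture", "Personal cloud services",
	"Uncontrolled heterogeneous devices", "Stolen and lost mobile devices",
}

// SampleRegister pairs some of those threats with the report's vulnerabilities. The
// pairings and the likelihood/impact ratings are constructed for illustration.
func SampleRegister() []Risk {
	return []Risk{
		{"Malware", "Dated software and non-updated security patches", LossOfIntegrity, Likely, ExceptionallyGrave},
		{"Phishing", "Employee habits", LossOfConfidentiality, Likely, Serious},
		{"Stolen and lost mobile devices", "Remember-passwords", LossOfConfidentiality, Possible, ExceptionallyGrave},
		{"Malicious mobile applications", "Lack of privilege to stop an ongoing installation", LossOfConfidentiality, Possible, Serious},
		{"Social engineering", "Employee habits", LossOfIntegrity, Possible, Serious},
	}
}

// Rank returns a copy of the register ordered by descending score, then by threat name.
func Rank(register []Risk) []Risk {
	out := append([]Risk(nil), register...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Score() != out[j].Score() {
			return out[i].Score() > out[j].Score()
		}
		return out[i].Threat < out[j].Threat
	})
	return out
}

// UnpairedThreats flags threat agents for which no vulnerability has been identified:
// the assessment is incomplete until every threat has been through step iii.
func UnpairedThreats(threats []string, register []Risk) []string {
	covered := map[string]bool{}
	for _, r := range register {
		covered[r.Threat] = true
	}
	var missing []string
	for _, t := range threats {
		if !covered[t] {
			missing = append(missing, t)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	for _, r := range Rank(SampleRegister()) {
		fmt.Printf("%d  %-32s via %-50s -> %s\n", r.Score(), r.Threat, r.Vulnerability, r.Consequence)
	}
	fmt.Println("threats still to be paired with a vulnerability:", UnpairedThreats(Threats, SampleRegister()))
}
```

The unpaired list is the useful output for an assessor: it shows which of the report's threat agents (for instance insecure wireless networks and fake certificate authorities) still need a vulnerability and an impact rating before the register can be called complete.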
Mitigation

The mitigation techniques to be implemented to alleviate BYOD risks are:
i. Train employees on the wide range of security threats arising from the adoption of BYOD, including the installation of applications and the use of public and home wireless networks.
ii. The IT department should provide continuous support to employees throughout the lifecycle of the mobile devices.
iii. Prevent data leaks through an acceptable use policy to be signed by employees.

BYOD Protection Mechanisms for Information Security (Literature review)

Device and User Authentication
Password-based authentication or other authentication techniques should be required when accessing the organization's information resources in a BYOD organization. The authentication process should allow a limited number of input retries before the device automatically locks out or, depending on the settings, before its storage is wiped (Pritchard, 2014). The IT administrator should be able to remotely reset the device when it has locked out automatically or when an employee forgets the password. If the device is idle for a set period, it should lock automatically, so that an unauthorized individual cannot snoop on corporate data left on the display.

Data Communication and Storage
Strongly encrypt the organization's data that is accessed through the mobile device and encrypt the data communication channel. Also strongly encrypt the organization's data stored on both the built-in storage and the removable storage. To mitigate offline attacks on removable storage media, the media can be bound to a specific device so that they can only be decrypted when attached to that device (Sadgrove, 2016). Implement the capability to remotely wipe the mobile device's storage when the device is stolen or lost. The device can also be configured to erase itself automatically after a certain number of failed authentication attempts.
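The two controls just described, a bounded number of unlock attempts that ends in a wipe and removable-media encryption keys bound to one device, as an added example in Go that is not from the report or from any vendor. It assumes a device secret held in plain memory (a real device keeps it in a secure element), models the wipe as a crypto-erase of that secret so every medium bound to the device becomes unreadable, and hashes the passcode with plain SHA-256 where a real implementation would use a slow KDF. The type and function names and the sample data are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models two controls from the report: bounded unlock retries (lock-out, then wipe)
// and a secret that binds removable-media keys to this one device (plain memory here; a
// real device keeps it in a secure element, an assumption of this example).
type Device struct {
	secret        []byte
	passcodeHash  []byte
	failed        int
	LockAfter     int // consecutive failures before the device locks out
	WipeAfter     int // consecutive failures before the device erases itself
	Locked, Wiped bool
}

func NewDevice(passcode string, lockAfter, wipeAfter int) (*Device, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(passcode)) // a real device uses a slow KDF; a plain hash keeps this short
	return &Device{secret: secret, passcodeHash: h[:], LockAfter: lockAfter, WipeAfter: wipeAfter}, nil
}

// TryUnlock applies one authentication attempt. Locked records that the lock-out threshold was
// reached (a real device also enforces a growing delay, omitted here); reaching WipeAfter
// failures is a crypto-erase: zeroing the secret makes every bound medium unreadable.
func (d *Device) TryUnlock(passcode string) bool {
	if d.Wiped {
		return false
	}
	h := sha256.Sum256([]byte(passcode))
	if hmac.Equal(h[:], d.passcodeHash) { // constant-time comparison
		d.failed, d.Locked = 0, false
		return true
	}
	d.failed++
	switch {
	case d.failed >= d.WipeAfter:
		for i := range d.secret { d.secret[i] = 0 }
		d.secret, d.Wiped, d.Locked = nil, true, true
	case d.failed >= d.LockAfter:
		d.Locked = true
	}
	return false
}

// MediaCipher derives the AES-256-GCM key for one removable medium from the device secret
// and the medium's salt, so the medium decrypts only on this device and only while unlocked.
func (d *Device) MediaCipher(mediaSalt []byte) (cipher.AEAD, error) {
	if d.Wiped || d.Locked {
		return nil, errors.New("device locked or wiped: media key unavailable")
	}
	mac := hmac.New(sha256.New, d.secret)
	mac.Write([]byte("byod-removable-media-v1")) // domain-separation label
	mac.Write(mediaSalt)
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record and prefixes the random nonce to the ciphertext.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; under another device's key the GCM tag check fails, so the holder
// of the medium gets an error rather than plaintext or silently corrupted data.
func Open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	dev, _ := NewDevice("correct horse", 3, 5)
	other, _ := NewDevice("correct horse", 3, 5) // same passcode, different device secret
	salt := []byte("constructed-media-salt")
	aead, _ := dev.MediaCipher(salt)
	sealed, _ := Seal(aead, []byte("procurement figures (constructed sample)"))
	otherAEAD, _ := other.MediaCipher(salt)
	_, err := Open(otherAEAD, sealed)
	fmt.Println("medium read on another device:", err)
	for i := 0; i < 5; i++ {
		dev.TryUnlock("guess")
	}
	fmt.Println("wiped after 5 failures:", dev.Wiped)
}
```

Two details carry the security argument. The key for a medium depends on the device secret, so the same medium attached to a second device (even one with the same passcode) fails GCM authentication instead of decrypting; and the wipe does not need to overwrite the removable medium at all, because destroying the device secret already makes it unreadable. A remote wipe issued by the IT administrator would destroy the same secret.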
Updating Operating Systems
The operating system and the system software should be updated regularly. The software and application updates and security patches that vendors release regularly should be installed (Herrera, Ron, & Rabadão, 2017). The corporation should ensure that users with personal mobile devices keep their antivirus software and authentication measures up to date. This is a good security measure for guaranteeing that corporate data stored on personal devices is safe from unauthorized access by third parties.

Applications
Synchronization services, including websites and remote and local device synchronization, should be restricted. Applications should be digitally signed and distributed through a mobile store to ensure that only applications from trusted entities are installed on the mobile devices (Tarle, 2015). Access to the organization's information resources through mobile devices should be controlled depending on the device's operating system version and on whether the device has been rooted.

Data Loss Prevention
Data Loss Prevention (DLP) techniques allow network administrators to monitor employees' activities on the network, locate the source of any security breach and respond quickly to that threat. They do this by tracking sensitive data as it moves through the network (Martin, Martin, Hankin, Darzi, & Kinross, 2017). DLP places a watermark on sensitive data and checks for any alteration of the data as it is transferred within the system.

Figure 3: DLP techniques for data loss prevention in a BYOD context

Security Software
An organization should implement the following software to curb the risks resulting from the adoption of BYOD practices.
Application containerization software ensures that applications run in isolation and prevents other applications from accessing their data; this is another technique for attaining information security in an organization. Containerization allows the organization to enforce a security policy without touching the data, or the data's functionality, in the confidential area of the mobile device (Yadav, Ganguly, & Suman, 2015).
Mobile Identity and Access Management: this software implements two-factor authentication and single sign-on across multiple devices, making logging in simple for employees.
Mobile Content Management: this allows an organization to determine how content is stored in the cloud and how its employees access it.

Safeguards

The organization should control third-party software by limiting or blocking its use in order to prevent data security breaches through such software (Herrera, Ron, & Rabadão, 2017).
An organization should deploy separate secure gateways equipped with data loss prevention tools and content filtering, so that employees are restricted to what they are meant to do. The organization should also perform regular mobile device audits and testing to verify the devices' security capability.
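The application control in the literature review above (sign applications and distribute them through a store so that only applications from trusted entities install) as an added example in Go, not from the report or from any mobile platform: an enterprise store keeps an allowlist of publisher verification keys and admits a package only if its Ed25519 signature verifies under the publisher it claims. The package structure, the names and the sample payloads are constructed for this example; real platforms use their own signing formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is the unit an enterprise app store distributes: the application bytes plus the
// publisher's signature over them. The field names are this example's own.
type Package struct {
	Name      string
	Publisher string
	Payload   []byte
	Signature []byte
}

var (
	ErrUnknownPublisher = errors.New("publisher not in the trusted set")
	ErrBadSignature     = errors.New("signature does not verify under the claimed publisher")
)

// Store is the organization's distribution point; it admits only packages signed by
// publishers whose public keys it holds.
type Store struct {
	trusted map[string]ed25519.PublicKey
}

func NewStore() *Store { return &Store{trusted: map[string]ed25519.PublicKey{}} }

// Trust registers a publisher's verification key (how the key is vetted is policy, not shown).
func (s *Store) Trust(publisher string, pub ed25519.PublicKey) { s.trusted[publisher] = pub }

// NewPublisherKey generates an Ed25519 key pair for a publisher.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source; nothing sensible to do
	}
	return pub, priv
}

// signingInput binds the package name and publisher into the signed message, so a valid
// signature cannot be moved onto a package with another name or claimed by another publisher.
func signingInput(name, publisher string, payload []byte) []byte {
	msg := []byte(name + "\x00" + publisher + "\x00")
	return append(msg, payload...)
}

// Sign is the publisher's step before submitting a package to the store.
func Sign(priv ed25519.PrivateKey, name, publisher string, payload []byte) Package {
	return Package{Name: name, Publisher: publisher, Payload: payload,
		Signature: ed25519.Sign(priv, signingInput(name, publisher, payload))}
}

// Admit decides whether a package may be installed on managed devices.
func (s *Store) Admit(p Package) error {
	pub, ok := s.trusted[p.Publisher]
	if !ok {
		return ErrUnknownPublisher
	}
	if !ed25519.Verify(pub, signingInput(p.Name, p.Publisher, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewPublisherKey()
	store := NewStore()
	store.Trust("example-vendor", pub) // constructed publisher name

	good := Sign(priv, "expense-app", "example-vendor", []byte("constructed app bytes"))
	fmt.Println("trusted vendor:   ", store.Admit(good))

	tampered := good
	tampered.Payload = []byte("constructed app bytes + injected code")
	fmt.Println("tampered payload: ", store.Admit(tampered))

	_, rogue := NewPublisherKey()
	fmt.Println("unknown publisher:", store.Admit(Sign(rogue, "expense-app", "unknown-dev", good.Payload)))
	fmt.Println("impersonation:    ", store.Admit(Sign(rogue, "expense-app", "example-vendor", good.Payload)))
}
```

Binding the package name and publisher into the signed message is what stops a valid signature from being reattached to a differently named package or presented under another publisher's name. The rooted-device check the text also mentions is a separate, device-side control and is not part of this example.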
Conclusion

BYOD significantly improves productivity in a corporation through the increased availability and flexibility of access to the organization's information. It is important for the organization to be aware of the security risks brought about by BYOD policies and practices. An organization can harness the benefits of BYOD by implementing an effective BYOD strategy that maximizes the benefits while minimizing the risks. Threat agents arising from BYOD implementation include malware, public wireless networks, the mixture of corporate and personal information, and stolen and lost devices. BYOD vulnerabilities include employees' habits and dated software and security patches. BYOD threats can have various consequences, including the disclosure of sensitive corporate information and the corruption of data, which compromise the confidentiality and integrity of the organization's data. The organization should develop a BYOD policy that contains the procedures and regulations to be followed when personal devices are used at the workplace. The policy will help control the behavior of users when accessing and managing the firm's network resources. It should stipulate regulatory measures including the types of devices allowed on the work premises, the applications and software compatible with the firm's network, and the web addresses that employees are restricted from visiting and the reasons why; the policy should also stipulate the consequences that follow if an employee violates its rules. The organization should regularly conduct a risk analysis of the company's network to make sure that all authentication procedures and other security measures are running as required. The organization should also implement application containerization software, which ensures that applications run in isolation and prevents other applications from accessing their data.

References
Aphale, M., Borikar, U., Kardile, B., Vasekar, V., & Shital, J. (2015). Forensics investigation for database tampering using audit logs. International Journal of Engineering Research and Technology, 4(3).
Beckett, P. (2014). BYOD: popular and problematic. Network Security, 2014(9), 7-9.
Boranbayev, A., Mazhitov, M., & Kakhanov, Z. (2015). Implementation of Security Systems for Prevention of Loss of Information at Organizations of Higher Education. 2015 12th International Conference on Information Technology - New Generations (pp. 802-804). Las Vegas, NV.
Chang, J., Ho, P., & Chang, T. (2014). Securing BYOD. IT Professional, 16(5), 9-11.
Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. Network Security, 2015, 5-8.
Herrera, A. V., Ron, M., & Rabadão, C. (2017). National cyber-security policies oriented to BYOD (bring your own device): Systematic review. 2017 12th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-4). IEEE.
Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare: how safe are we? BMJ.
Mishra, A., Mathur, R., Jain, S., & Rathore, J. S. (2013). Cloud computing security. International Journal on Recent and Innovation Trends in Computing and Communication, 1(1), 36-39.
Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5-8.
Pritchard, C. L. (2014). Risk management: concepts and guidance. Auerbach Publications.
Romer, H. (2014). Best practices for BYOD security. Computer Fraud & Security, 2014(1), 13-15.
Sadgrove, K. (2016). The complete guide to business risk management. Abingdon, U.K.: Routledge.
Tarle, P. (2015). Comparative Study of Smart Phone Security Techniques. International Journal of Emerging Technology and Advanced Engineering, 5(2).
Tzoumas, C. (2013). The BYOD World. BusinessWest, 30(2), 45.
Vignesh, U., & Asha, S. (2015). Modifying Security Policies Towards BYOD. Procedia Computer Science, 50, 511-516.
Yadav, S., Ganguly, U., & Suman, S. (2015). Threats and Vulnerabilities of BYOD and Android. International Journal of Research, 2(8), 997-1003.
Yang, T., Vlas, R., Yang, A., & Vlas, C. (2013). Risk Management in the Era of BYOD: The Quintet of Technology Adoption, Controls, Liabilities, User Perception, and User Behavior. 2013 International Conference on Social Computing (pp. 411-416). IEEE.