Risk Assessment Report: AztekIT's BYOD Policy for Personal Devices

Added on  2020/03/23

AI Summary
This report provides a comprehensive risk assessment of AztekIT's Bring Your Own Device (BYOD) policy, focusing on the security implications of allowing employees to use personal devices to access organizational resources. It examines the challenges associated with BYOD, including reduced system security, the difficulty in differentiating between personal and work-related device use, the risk of unsecured sensitive information, and the potential for device loss or theft. The report outlines the need for AztekIT to enforce policies and technical controls to mitigate these risks, such as device approvals, application restrictions, and system patching. It also explores the benefits of BYOD, including business continuity, work-life balance, and cost savings. The assessment covers existing BYOD frameworks, relevant legislations, and the importance of clear communication and technical support. It analyzes potential risks related to device selection, malicious programs, user engagement, unauthorized access, sensitive data exposure, informational integrity, and data flow security. The report concludes by emphasizing the need for AztekIT to develop a robust BYOD strategy to manage risks and leverage the benefits of technological advancements.
Running head: RISK ASSESSMENT
AztekIT Risk Assessment - Personal Devices
Name
Institutional Affiliation
Date
Executive Summary
One of the major challenges facing ICT management teams in today's technological age
relates to Bring-Your-Own-Device (BYOD) policies. BYOD refers to policies that stipulate the
rules and regulations governing employees' access to an organization's IT resources using their
own devices such as laptops, smartphones, or tablets (Miller, Voas & Hurlburt, 2012). The BYOD
challenge is a consequence of the consumerization of IT, whereby information technologies
emerge in the consumer market well before organizations or even governments adopt them
(Thompson, 2012). The result is a workforce with newer and better technology than their
organization's technology framework (Scarfo, 2012). Furthermore, most employees tend to work
during their free time and attend to personal matters during working hours.
Several risks may arise from allowing personal devices in Aztek's work environment.
These risks include reduced system security assurance by Aztek management, difficulty in
distinguishing between personal and work-related use of these devices, the risk of unsecured use
of sensitive information, and the likelihood of these devices being lost or stolen along with the
organization's sensitive information (Morrow, 2012). Adopting a BYOD policy will also have
implications for Aztek's personnel resources budget, its legal liability, and compliance
regulations. To mitigate these risks, Aztek must enforce policies outlining terms of use and the
regulatory grounds for device permits.
In addition to outlining the employees' IT interaction behavior, Aztek should enforce
technical risk controls to identify any policy violations. Only devices shortlisted and approved by
Aztek management will be permitted to access or store the organization's sensitive information.
These devices will be monitored using the technical risk controls. These controls include flagging
and preventing unapproved applications from executing and accessing sensitive data, limiting
employees' ability to use modified devices that grant them administrative privilege, and the
prompt patching of systems (Zahadat et al., 2015). Alternatively, the management of Aztek may
provide their employees with approved personal devices while retaining legal ownership of them.
These measures aim to mitigate the various risks that Aztek faces from the adoption of a BYOD
policy. However, the management team must determine the effectiveness of these controls in
managing the risks.
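The technical controls listed above (an approved-device list, blocking unapproved applications, rejecting modified devices that grant administrative privilege, and prompt patching) can be expressed as a posture check over device inventory records. The Python below is an added example, not code from the report or from Aztek; the policy thresholds, device records, owner names and application names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Policy values are assumptions for illustration, not from the report.
APPROVED_PLATFORMS = {("iOS", "Apple"), ("Android", "Samsung")}
MIN_OS_VERSION = {"iOS": (15, 0), "Android": (12, 0)}
APPROVED_APPS = {"aztek-mail", "aztek-vault", "authenticator"}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for "prompt patching"

@dataclass
class Device:
    """One device posture record, as an MDM agent might report it."""
    device_id: str
    owner: str
    platform: str
    manufacturer: str
    os_version: str          # dotted string such as "16.2"
    rooted: bool             # jailbroken/rooted = administrative privilege
    installed_apps: list
    last_patch: date
    holds_sensitive_data: bool

def parse_version(text):
    """'16.2' -> (16, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def evaluate(device, today):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if (device.platform, device.manufacturer) not in APPROVED_PLATFORMS:
        violations.append("device not on the approved list")
    if device.rooted:
        violations.append("modified device grants administrative privilege")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum and parse_version(device.os_version) < minimum:
        violations.append("operating system below minimum version")
    if (today - device.last_patch).days > MAX_PATCH_AGE_DAYS:
        violations.append("patching overdue")
    unapproved = sorted(set(device.installed_apps) - APPROVED_APPS)
    if unapproved:
        # Unapproved apps are blocked from executing; note whether the
        # device also holds sensitive data, which raises the severity.
        scope = "on device holding sensitive data" if device.holds_sensitive_data else "present"
        violations.append("unapproved apps %s: %s" % (scope, ", ".join(unapproved)))
    return violations

def access_decision(device, today):
    """Only compliant, approved devices may access or store sensitive data."""
    return "allow" if not evaluate(device, today) else "deny"

def compliance_report(devices, today):
    """Map each device id to (decision, violations) for the ICT team."""
    return {d.device_id: (access_decision(d, today), evaluate(d, today)) for d in devices}

# Constructed sample inventory; owners, apps and dates are made up.
ASSESSMENT_DATE = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("dev-001", "alice", "iOS", "Apple", "16.2", False,
           ["aztek-mail", "authenticator"], date(2024, 5, 20), True),
    Device("dev-002", "bob", "Android", "Samsung", "11.0", True,
           ["aztek-mail", "free-vpn-pro"], date(2024, 3, 1), True),
    Device("dev-003", "carol", "Android", "Acme", "13.0", False,
           ["aztek-vault"], date(2024, 5, 25), False),
]
```

Running `compliance_report(SAMPLE_DEVICES, ASSESSMENT_DATE)` denies the rooted, unpatched device and the unlisted manufacturer while allowing the compliant one, which is the per-device decision the monitoring controls above are meant to produce.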
Pillay et al. (2013) note that aside from the risks involved, a BYOD policy presents a
wide range of benefits to both the organization and its employees. The policy allows business
activities to continue outside the office in the event of a power outage, natural calamities, or
even transport complications. With the flexibility facilitated by a BYOD policy, employees of
Aztek can achieve a work-life balance between their professional and personal activities
(Mitrovic et al., 2014). Furthermore, skilled employees who cannot relocate to Aztek facilities
can still be recruited and perform their respective duties. Employees will be satisfied with their
jobs, hence improving retention and recruitment of staff. Implementation of the policy will also
benefit the environment in terms of transportation and use of paper. With the advent of
consumerization, emerging technologies will enable employees of Aztek to innovate and find
better and more efficient ways to carry out their daily work activities. Aztek will benefit
financially as a result of reduced technological hardware costs. This policy will ultimately
improve the general productivity, efficiency, and service delivery of Aztek. This risk assessment
report aims to analyze the risks emerging from adopting a BYOD policy in Aztek, the relevant
control measures, and potential benefits. The purpose of this assessment is to assist management
and stakeholders in their decision-making process on the implications of a Bring Your Own
Device policy for Aztek and how it supports the business structure of the organization.
Table of Contents
Executive Summary 2
Project Review 5
  Develop a BYOD strategy 6
  Existing BYOD framework 6
  Legislations and Regulations 7
  Communicating the Organization's Policy 7
  Technical Support 8
  Financial Support 8
Impact of the BYOD Project on Security 8
Risk Assessment 10
  Devices selected 11
  Malicious Programs 11
  User Engagement 11
  Unauthorized Access 12
  Sensitive Data Exposure 12
  Loss of Devices 12
  Informational Integrity 13
Data Flow and Security 13
References 14
Project Review
Before implementing a BYOD policy, Aztek must carefully scrutinize both the business
and security implications of the project. This policy is regulated by various legislative measures
and controls described in the Freedom of Information Act 1982, the Archives Act 1983, and the
Privacy Act 1988. These regulations govern the BYOD implementation criteria in an
organization and the relevant legal control measures to oversee the policy. These legislative
regulations were necessary due to the liability risks emerging from adopting a BYOD policy in
an organization. To ensure the success of the BYOD project, the ICT management team of Aztek
must develop a BYOD strategy, determine the implications of the project for any existing BYOD
framework, identify related legislation and regulations, communicate the organization's BYOD
policies, and put in place the relevant financial and technical support measures.
Develop a BYOD strategy
In order to successfully implement a BYOD strategy that complements the business
structure of Aztek, it is crucial to carefully formulate a strategy that is tailored to the needs and
activities of Aztek. A strategy is important so as to clearly analyze the risks involved and the
appropriate measures (Ghosh, Gajar & Rai, 2013). The absence of a strategy might create a
situation whereby BYOD policies are employee driven.
To develop a BYOD strategy for Aztek, the ICT team, under the guidance of management,
will conduct a pilot trial with a few employees in a low-risk section of Aztek. A review of the
pilot trial using clearly defined success measures will provide Aztek management with an
overview of the project's security implications, its cost-benefit relevance, and the impact on
Aztek's business activities.
Existing BYOD framework
In today's technological culture, it is likely that an authorized or unauthorized BYOD
framework already exists in any organization. Aztek must first determine any existing BYOD use
prior to the implementation of the strategy. This information can be obtained from Aztek's
employees and other relevant stakeholders. A review of the organization's assigned devices can
also help in mapping out the existing framework and implementing the new strategy in a
complementary manner.
Legislations and Regulations
According to the Information Security Manual (ISM) by the Australian government, it is
important for any organization to seek legal advice before allowing employees to access the
organization’s systems using their personal devices so as to carefully understand the legal issues
and liabilities imposed by a BYOD strategy.
Communicating the Organization's Policy
Aztek must carefully determine how to implement the policy in a manner that will
facilitate employees' compliance and support. Among the most effective ways to ensure user
compliance is involving all relevant stakeholders in developing and implementing the BYOD
policies (Lebek, Degirmenci & Breitner, 2013). This will ensure a policy that is complementary
to the business and workforce structure of Aztek, employee motivation, and that the needs of all
affected parties are met. The management of Aztek can alternatively offer BYOD as an optional
strategy rather than a mandatory one. In order to ensure full awareness, the policy must be
communicated to all departments, employees, and stakeholders. The policy must clearly
highlight the authorized devices, the organizational data that they are permitted to access,
authorized applications and software, storage and distribution regulations, non-compliance
repercussions, and the controls that management is obligated to enforce to ensure the success
of the BYOD strategy. To ensure the compliance of all employees and to prevent legal liabilities,
the employees of Aztek will be required to sign an Acceptable Use Policy that stipulates their
authorized behavior and the consequent repercussions of any violations of the policy.
Technical Support
In developing a BYOD strategy, it is necessary for Aztek to determine the technical
support implications of the strategy. A BYOD strategy would result in a wide variety of personal
devices with different operating systems, manufacturers, configuration settings, and electrical
layouts. It would, therefore, be ineffective to assign Aztek's IT support desk the responsibility
of managing the devices. Possible solutions for Aztek include issuing a list of approved devices
or providing basic technical training to the employees.
Financial Support
The main organizational goal of Aztek is to ensure shareholders' wealth maximization and
to make profits. It is therefore important to consider the financial implications of a BYOD
strategy before its implementation (Seigneur et al., 2013). This includes concerns about
expenses for internet and connectivity while at Aztek or outside the office, personal devices
provided by Aztek, and the relevance of these expenses in helping accomplish Aztek's
organizational goal. All this will depend on Aztek's budget, financial resources, and the
necessity of the BYOD strategy to the organization.
Impact of the BYOD Project on Security
In today's modern environment, it is challenging for any organization to adapt. This
challenge is especially crucial for financial service organizations such as Aztek. Financial service
institutions face high data security risk and management obligations. The situation is worsened
by the increased level of competition among financial service organizations (Gustav & Kabanda,
2016). These institutions manage the sensitive financial information of their many clients.
Implementing a BYOD strategy, therefore, imposes a huge risk on Aztek and other financial
service institutions. The security of customers' sensitive financial information is put at risk of
loss or even malicious manipulation when employees are authorized to access this information
from their personal devices. The management of financial institutions is often faced with a
dilemma between improving customers' security and meeting auditors' requirements on the one
hand, and increasing organizational efficiency and customer relations on the other
(Vijayan & Hardy, 2015).
To mitigate the security risks resulting from a BYOD strategy, Aztek can specifically
assign authorized devices to a regulated number of reliable employees. By controlling the specific
business functions and employees involved, Aztek can ensure the security and efficiency of its
financial services. With the continuously growing number of mobile devices, it is important for
financial institutions to implement BYOD policies that are complementary to their organizations.
This is particularly crucial for financial institutions in the modern age. A survey by IDC revealed
that a huge number of financial institutions are exposed to risk related to employees' personal
devices (Burt, 2014). These institutions do not have relevant strategies and policies to govern the
use of mobile devices, applications, and mobile security concerns for their employees.
In order to address the security concern, Aztek must first evaluate the impact of a BYOD
strategy on the organizational goal of wealth maximization. The organization should then
formulate efficient methods to govern employees' personal device use, authorized data and
content, application compliance, privacy, and general security. In addition to enforcing these
policies, Aztek may consider seeking the professional services of solution providers such as
AT&T and the like. These solution providers specialize in providing BYOD solutions,
formulation of policies, risk assessment, and control measures to assist in the management of the
policies.
It is important to realize that technological evolution is inevitable (Guan, 2012). Aztek
should, therefore, strive to leverage the advances in technology to its own benefit. This can be
achieved by carefully planning a BYOD strategy in light of current and future advances in
devices, mobile networking, and application management. The need for the management team to
implement a robust BYOD strategy is further emphasized by the financial data risks faced by
Aztek.
Although BYOD presents many opportunities and benefits to Aztek, it also exposes the
organization to various security threats and risks as outlined above. Studies have shown that
most breaches of organizations' security frameworks are a direct result of using personal
devices to access the organizations' sensitive data (Keyes, 2013). Therefore, Aztek must enforce
appropriate measures to maintain integrity and confidentiality, ensure compliance by the
employees, manage the security risk, and preserve the availability of sensitive data in a secure
manner. Some information, when placed in the wrong hands, may cause substantial damage to
the organization's or client's image, operational complications, and even financial loss.
Risk Assessment
Aztek faces various vulnerabilities, threats, and consequences of a BYOD strategy. This
report will analyze the risks based on the devices selected for the BYOD strategy, potential
malicious programs or applications, insecure user engagement, unauthorized access, sensitive
data exposure, loss of BYOD devices, and the loss of informational integrity.
Devices selected
The first thing for Aztek to consider in the risk assessment is the set of personal devices
that the organization will authorize to access Aztek's sensitive information (Suby, 2013). This
assessment will include the device manufacturers, operating system platforms, and security
features of the respective devices. Aztek's assessment team must also determine the security
threats posed by each of these devices. Information on the merits and demerits of all authorized
devices should be made available to the employees along with strategies to cope with any
security issues that may arise as a result of the devices (Watkins, 2014).
Malicious Programs
There is a wide variety of malicious applications designed to steal, modify, or sniff
sensitive information. As users interact with their devices, they often tend to customize the
devices or access the internet for work-related and personal use. This exposes their devices to
attack by malicious programs that may access the sensitive organizational information on those
devices (Chin et al., 2011). A risk assessment is, therefore, necessary to determine possible
infection avenues and ways of tackling the risk. Aztek may consider limiting application
downloads to only trusted and authorized markets, ensuring the installation of malware
prevention programs, and sensitizing the users to the security threats, mitigation procedures, and
ways to avoid infection (Felt et al., 2011).
User Engagement
Risk arises from the operational behavior of employees as they interact with their
personal devices (Mansfield-Devine, 2012). Insecure behavior may expose the devices to
malware attacks or inadvertent leakage of sensitive information (Ballagas et al., 2004). Aztek is
especially vulnerable due to the sensitivity of the financial services it offers. This risk assessment
aims to determine the employees' level of competency in handling sensitive organizational data
from their personal devices.
Unauthorized Access
BYOD poses a major threat to Aztek's information as a result of unauthorized access.
Unlike organizational devices, which are safely protected and managed by Aztek's security team,
the security of personal devices, especially outside the office, is solely up to the user (Keyes,
2013). This poses the risk that an unauthorized third party may obtain access to the devices and
Aztek's sensitive data. Employees must be sensitized to security measures to prevent
unauthorized access.
Sensitive Data Exposure
Under a BYOD strategy, employees can access and distribute Aztek's information from
multiple points and in different locations. This exposes the information of this financial
institution to manipulation and unauthorized use. The variety of devices also complicates the process of