
In the Name of God the Mercy-giving the Merciful

Mobile Security:

A Systems Engineering Framework for Implementing Bring Your Own Device (BYOD) Security Through the Combination of Policy Management and Technology

By Nima Zahadat

B.S. in Theoretical and Applied Mathematics, August 1991, George Mason University

M.S. in Information Systems, August 2005, The George Washington University

A Dissertation submitted to

The Faculty of The School of Engineering and Applied Science

of the George Washington University in partial fulfillment of the requirements for the degree of Doctor of Philosophy

January 31, 2016

Dissertation directed by

Paul Blessner

Professorial Lecturer in Engineering Management and Systems Engineering

 


The School of Engineering and Applied Science of The George Washington University certifies that Nima Zahadat has passed the Final Examination for the degree of Doctor of Philosophy as of 25 September 2015. This is the final and approved form of the dissertation.

Mobile Security: A Systems Engineering Framework for Implementing Bring Your Own Device

(BYOD) Security Through the Combination of Policy Management and Technology

Nima Zahadat

Dissertation Research Committee:

Paul Blessner, Professorial Lecturer of Engineering Management and Systems Engineering, Dissertation Director

Shahram Sarkani, Professor of Engineering Management and Systems Engineering, Committee Member

Thomas Andrew Mazzuchi, Professor of Operations Research and of Engineering Management, Committee Member

James Wasek, Professorial Lecturer of Engineering Management and Systems Engineering, Committee Member

Lile Murphree, Jr., Professor of Engineering Management, Chair Person of the Examination Committee

 


© Copyright 2016 by Nima Zahadat All rights reserved

Pauca Sed Matura – Gauss

Few, but Ripe

 


Dedications

Dicata Deo Domino Universi

• To my wonderful mother, Tooran Khajehnoori, whose memory will always be with me

• To my dear father, Seyed M. Zahadat, who missed seeing me obtain my Ph.D. by just a few months

• To my delightful son, Joseph Aryo Zahadat (Joey), who is bright, fun, kind, patient, and whose mere presence brings a smile to daddy’s face

• To my brilliant sister, Dr. Nazdaneh Zahadat, DDS, the youngest and the first to get her doctorate degree but whose life was tragically short

• To my supportive brothers, Massih Zahadat and Mani Zahadat

• To my delightful nephew, Ian Arman Taylor, who is bright, fun, and kind

• To my great friend K. Shawn Azarmanesh, who has always been supportive and encouraged me to go after this degree more than anyone else

• To my little tiger Bamm Bamm, who was a blessing these past 18 years

• To my respectable cohort classmates, for their consistent support and in particular, Tariq Oun for being my 300-mile weekend driving partner for 3 years and for being supportive of me throughout this challenging process

• To Ron Ross, Ph.D., fellow at NIST, for inspiring me to do this research and his subsequent support throughout, including reviewing my entire dissertation

• To Carl Friedrich Gauss, whose life’s works, dedication, genius, and honor were an inspiration during my youth and thereafter

 


Abstract

Mobile Security: A Systems Engineering Framework for Implementing Bring Your Own Device

(BYOD) Security Through the Combination of Policy Management and Technology

With the rapid increase of smartphones and tablets, security concerns have also been on the rise. Traditionally, Information Technology (IT) departments set up devices, apply security, and monitor them. Such approaches do not apply to today’s mobile devices due to a phenomenon called Bring Your Own Device or BYOD. Employees find it desirable to use personal mobile devices for their work and make no distinction between using their carriers’ services versus their organizations’ Wi-Fi. BYOD is an extension of corporate networks and thus it is essential to secure BYODs to protect enterprise networks (Wang & Vangury, 2014).

To address the security concerns of BYOD, many vendors have introduced Mobile Device Management (MDM) systems. Such systems by themselves do not and cannot provide comprehensive solutions to BYOD precisely due to the nature of BYOD: the user and not the enterprise owns the device. BYOD necessitates a different paradigm, one in which the device is removed as the primary object of security and one in which the device, the user (employee), and management are all taken into consideration. Further, the approach to security would necessitate technology, policy management, and people integration instead of the traditional technology-alone approach.

In this dissertation, risks of allowing BYOD balanced by its benefits will be examined. The instrument for addressing BYOD security concerns will be presented as a BYOD Security Framework. The framework has three pillars: People, Policy Management, and Technology. It will be demonstrated that these three pillars are necessary in order to secure BYOD implementations in an enterprise.

To validate the framework, an empirical survey was conducted from a pool of 114 industry security practitioners. The resulting dataset was analyzed via nonparametric statistics for ordinal data to determine the association between the level of the BYOD Security Framework elements being de facto implemented in organizations and the frequency of security breaches associated with BYOD in those organizations, to identify and confirm key elements of the framework.

     

 


Table of Contents

Dedications .... iv
Abstract .... v
List of Figures .... xiii
List of Tables .... xiv
Glossary of Terms and Acronyms .... xv
1 Introduction .... 1
1.1 Overview .... 1
1.2 Purpose of the Research .... 2
1.3 Research Outline .... 3
1.4 Contribution to the Body of Knowledge .... 4
1.5 Summary of Dissertation Organization .... 4
2 Literature Review .... 6
2.1 Overview .... 6
2.2 Background .... 9
2.3 Why BYOD? .... 11
2.4 BYOD Adoption .... 12
2.5 Examples of BYOD .... 13
2.6 Benefits of BYOD .... 15
2.7 Top Failures in BYOD Security .... 17
2.7.1 Inconsistent Security Policies .... 17
2.7.2 Leakage in Shared Media .... 17
2.7.3 Minimal Management .... 18
2.7.4 Readable Data Remaining in Disposed Devices .... 18
2.7.5 Inter-application Data Leakage .... 18
2.8 Challenges and Risks of BYOD .... 18
2.9 BYOD Security Lifecycle .... 19
3 Research Problem and Hypotheses .... 23
3.1 Problem Statement .... 23
3.2 Research Hypotheses .... 23
4 BYOD Security Framework .... 26
4.1 Plan .... 27
4.1.1 Business Environment .... 27
4.1.2 BYOD Standards .... 29
4.1.3 Mobile Device Management (MDM) .... 32
4.1.4 Application Store .... 33
4.1.5 Asset Management .... 34
4.1.6 Network Environment .... 35
4.1.7 Governance .... 35
4.1.8 Risk Management Strategy .... 36
4.1.9 User Training .... 37
4.1.10 Legal Issues .... 38
4.1.11 Device Maintenance and Support .... 40
4.1.12 Is BYOD the Right Choice? .... 41
4.2 Identify .... 43
4.2.1 Register .... 43
4.2.2 User Training .... 43
4.2.3 Provision .... 44
4.3 Protect .... 45
4.3.1 Device Authentication .... 45
4.3.2 Wireless Protection .... 46
4.3.3 Network Architecture .... 49
4.3.4 Awareness and Training .... 50
4.3.5 Application Store .... 51
4.3.6 Application Whitelisting and Blacklisting .... 52
4.3.7 IPSec/VPN .... 53
4.3.8 Mobile Device Management .... 54
4.3.9 Location Awareness .... 55
4.3.10 Device Fingerprinting .... 56
4.3.11 Device Encryption .... 57
4.3.12 Sandboxing .... 57
4.3.13 Virtualization .... 58
4.3.14 Endpoint Protection .... 59
4.3.15 Mobile Operating System Patching .... 60
4.3.16 Application Patching .... 61
4.4 Detect .... 62
4.4.1 Vulnerability Detection .... 62
4.4.2 Malware Detection .... 63
4.4.3 Attack Detection .... 64
4.4.4 Lost Device .... 65
4.4.5 Data Loss Detection/Prevention .... 65
4.4.6 Device Monitoring .... 66
4.5 Respond .... 67
4.5.1 Vulnerability Remediation .... 67
4.5.2 Malware Removal .... 68
4.5.3 Incident Response .... 69
4.5.4 Device Account Deactivation .... 70
4.5.5 Remote Wipe .... 70
4.6 Recover .... 72
4.6.1 Corporate Backups .... 72
4.6.2 Employee Backup .... 73
4.6.3 Device Tracking .... 74
4.7 Assess and Monitor .... 76
4.7.1 Review and Evaluation of BYOD Program .... 76
4.7.2 Insider Threat .... 77
4.7.3 Penetration Testing .... 77
4.7.4 Periodic Review of Approved Devices .... 78
4.7.5 Approval of New Devices .... 78
4.7.6 Device De-provisioning .... 78
5 Key Controls as Part of BYOD .... 81
5.1 Overview .... 81
5.2 Incentives .... 83
5.3 Disincentives .... 83
5.4 Compliance Tactics .... 83
5.5 Ongoing Communication .... 84
6 How to Use the BYOD Framework .... 85
6.1 Establishing a BYOD Security Program .... 85
6.2 Identifying and Communicating with Stakeholders .... 88
6.3 Identifying Policy and Capability Gaps .... 88
6.4 Selecting a BYOD Solution .... 89
6.5 Implementing BYOD .... 89
6.6 Managing BYOD .... 90
7 Recommendations on BYOD Strategies and Policies .... 91
7.1 Overview .... 91
7.2 BYOD High-Level Strategies .... 91
7.3 Suggested Stages for Planning and Initiating a BYOD Policy .... 92
7.3.1 Clearing Up Misconceptions .... 93
7.3.2 Instituting a Baseline .... 95
7.3.3 Classifying and Prioritizing Use-Cases via Workforce Analysis .... 97
7.3.4 Diversity Analysis for Support .... 98
7.3.5 BYOD Technology Assessments .... 99
7.3.6 Sample Policy Symposium .... 100
7.3.7 BYOD Policy Structure .... 103
8 Research Approach and Methodology .... 105
8.1 Problem Statement .... 105
8.2 Survey Instrument .... 105
8.3 Data Capture Process .... 107
8.4 Demographics .... 108
8.5 Experts Panel .... 112
8.6 Experts Panel Interview Results .... 113
9 Research Hypotheses and Methodology .... 120
9.1 Overview .... 120
9.2 Research Question and Hypotheses .... 121
9.2.1 Hypothesis 1 (H1) .... 125
9.2.2 Hypothesis 2 (H2) .... 127
9.2.3 Hypothesis 3 (H3) .... 130
9.2.4 Hypothesis 4 (H4) .... 132
9.2.5 Hypothesis 5 (H5) .... 134
9.2.6 Hypothesis 6 (H6) .... 136
9.2.7 Hypothesis 7 (H7) .... 138
9.2.8 Hypothesis 8 (H8) .... 141
9.2.9 Hypothesis 9 (H9) .... 143
9.2.10 Hypothesis 10 (H10) .... 145
9.2.11 Hypothesis 11 (H11) .... 147
9.2.12 Hypothesis 12 (H12) .... 150
9.3 Additional Statistical Findings .... 152
9.4 Summary of Data Analysis .... 154
10 Conclusions and Recommendations .... 155
10.1 Overview .... 155
10.2 Summary of Key Research Parameters .... 155
10.3 Conclusions .... 160
10.4 Research Caveats and Recommendations .... 163
11 References .... 166
12 Appendix A – Checklist for Determining Enterprise Readiness for BYOD .... 179
13 Appendix B – MDM Standard Capabilities Starter Template .... 182
14 Appendix C – Survey Questionnaire .... 184
15 Appendix D – Semi-Structured Experts Panel Survey Questionnaire .... 200

List of Figures

Figure 1: Tablet BYOD Adoption by Industry, Source: (Gartner, 2013) ......................... 13

Figure 2: Smartphone BYOD Adoption by Industry, Source: (Gartner, 2013) ................ 13

Figure 3: Aspects of a BYOD Program ............................................................................ 19

Figure 4: BYOD Security Lifecycle ................................................................................. 20

Figure 5: BYOD Security Framework .............................................................................. 26

Figure 6: Network Environment ....................................................................................... 35

Figure 7: Risk Management Strategy ............................................................................... 36

Figure 8: Key De-provisioning Activities ........................................................................ 79

Figure 9: BYOD System Security Engineering Process ................................................... 86

Figure 10: BYOD Strategy Foundation Surrounded by Technologies ............................. 92

Figure 11: Sample Managed Diversity Framework (Girard, 2011) .................................. 99

Figure 12: Current Industries of Survey Participants ..................................................... 110

Figure 13: Current Job Titles of Survey Participants ...................................................... 110

Figure 14: Years of Experience in Information Security of the Participants .................. 111

Figure 15: Size of the Organization of the Survey Participants ...................................... 111

Figure 16: Educational Level of the Survey Participants ............................................... 112

 

 

 


List of Tables

Table 1: Possible Responses to the Framework Particulars ............................................ 107

Table 2: Possible Responses to Security Breaches ......................................................... 107

Table 3: Understanding Kendall tau-b (Τb) Values ......................................................... 121

Table 4: Summary of z-values, Τb values, and P-values ................................................. 125

Table 5: Hypothesis 1 Results ......................................................................................... 127

Table 6: Hypothesis 2 Results ......................................................................................... 129

Table 7: Hypothesis 3 Results ......................................................................................... 131

Table 8: Hypothesis 4 Results ......................................................................................... 133

Table 9: Hypothesis 5 Results ......................................................................................... 136

Table 10: Hypothesis 6 Results ...................................................................................... 138

Table 11: Hypothesis 7 Results ...................................................................................... 140

Table 12: Hypothesis 8 Results ...................................................................................... 142

Table 13: Hypothesis 9 Results ...................................................................................... 144

Table 14: Hypothesis 10 Results ..................................................................................... 147

Table 15: Hypothesis 11 Results ..................................................................................... 149

Table 16: Hypothesis 12 Results .................................................................................... 151

Table 17: Fisher’s z and calculated Τbz Values for H1 – H12 ........................................ 153

Table 18: Summary of Τb values and rejection of null/alternate hypotheses .................. 154

Table 19: BYOD Organizational Readiness Checklist ................................................... 181

Table 20: Mobile Device Management Standard Capabilities Starter Template ........... 183

   

 


Glossary of Terms and Acronyms

802.1x – An IEEE Standard for Port-Based Network Access Control (PNAC) that

provides authentication for devices connecting to a LAN or WLAN and is part of the

IEEE 802.1 group of networking protocols.

Bring-Your-Own-Device or BYOD – Refers to the business model of allowing

employees to utilize personally owned devices to conduct work activities, including

connection to and storage of sensitive corporate data.

Defense-in-Depth – An approach for establishing an adequate security posture in a

shared-risk environment that allows for shared mitigation through: the integration of

people, process, and technology; the layering of security solutions within and among IT

assets; and the selection of security controls and solutions based on their relative level of

robustness.

De-provision – The act of removing provisioned software, apps, settings, digital

certificates, and sensitive data from a device that will no longer participate in the BYOD

program.

Governance – The processes and management that ensure the efficient and effective use

of information technology that aligns with corporate vision, goals, and objectives.

Provision – The act of preparing a device for usage within an organization’s BYOD

program. It may include the installation of software, apps, settings, and/or digital

certificates.

AES Advanced Encryption Standard

BYOD Bring Your Own Device

CVSS Common Vulnerability Scoring System

 


DLP Data Loss Prevention

DMZ Demilitarized Zone

HIPAA Health Insurance Portability and Accountability Act

GPS Global Positioning System

IDS Intrusion Detection System

IPS Intrusion Prevention System

IRP Incident Response Plan

IT Information Technology

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

MAC Mandatory Access Control

MAC Media Access Control (Hardware address of interface cards)

MDM Mobile Device Management

MSB Minimum Security Baseline

NFC Near-Field Communications

OTA Over-the-Air

PIN Personal Identification Number

PKI Public Key Infrastructure

SDLC System Development Life Cycle

SIEM Security Incident and Event Management

SMS Short Message Service

SSID Service Set Identifier

SSL Secure Sockets Layer

 


TKIP Temporal Key Integrity Protocol

VPN Virtual Private Network

WEP Wired Equivalent Privacy

WPA Wi-Fi Protected Access

WPA2 Wi-Fi Protected Access II

 


1 Introduction

 "The methods that will most effectively minimize the ability of intruders to compromise

information security are comprehensive user training and education. Enacting policies

and procedures simply won't suffice. Even with oversight the policies and procedures

may not be effective: my access to Motorola, Nokia, AT&T, Sun depended upon the

willingness of people to bypass policies and procedures that were in place for years

before I compromised them successfully."

Kevin Mitnick, world famous most wanted hacker

1.1 Overview  

Bring Your Own Device or BYOD is a movement that has been around ever since

individuals began bringing their own USB flash drives, or installing a personally

preferred program or system, to accomplish the tasks assigned to them. In

such cases, throughout the years, the security of organizational resources and data has

been achieved through a variety of technological innovations. These include control

of the desktop environment by implementing different technologies; for instance, the use

of central software-based policy controls, restriction of the installation of applications,

disabling USB ports, and the monitoring of selected workstations to the degree

deemed necessary.

The current consumerization of IT has been a central point for several years and

analysts agree adoption of personal mobile devices will continue to flourish (Burt, 2011).

What is lacking is a comprehensive solution that allows for secure operation of BYOD

within the enterprise (Ron Ross, Ph.D. fellow at NIST, personal communication, May 3,

 


2013) (Greengard, 2014). The focus of this dissertation is addressing the security

concerns of BYOD by presenting a validated framework as the solution.

1.2 Purpose of the Research

In this dissertation, risks of allowing BYOD balanced by its benefits will be

examined. This dissertation has three overarching objectives. The first is to address the

security concerns of BYOD, which necessitate technology, policy management, and

people integration instead of the traditional technology alone approach. The second is to

propose a BYOD Security Framework as the solution to BYOD security concerns. The

framework has three pillars: People, Policy Management, and Technology. It will be

demonstrated that these three pillars are necessary in order to secure BYOD

implementations in an enterprise. The final objective is to validate the proposed

framework. This is done via an empirical survey conducted from a pool of 114 industry

security practitioners. The resulting dataset is analyzed via nonparametric statistics for

ordinal data to determine the association between the level of the BYOD Security

Framework elements being de facto implemented in organizations and the frequency of

security breaches associated with BYOD in those organizations to confirm key elements

of the framework.

The allure of this research lies in the integration of several areas of engineering

management and systems engineering. A framework is proposed and validated using

statistical analyses. The proposed framework addresses requirements analysis, functional

analysis, and controls (in particular security controls), which fall in the realm of systems

engineering. Further, policy management needs to be incorporated as part of the

framework in the form of planning, design, implementation, testing, monitoring, and

 


enforcement, all of which fall into the realm of engineering management. Organizational

stakeholders would be interested in the framework and the research findings since

embracing and properly implementing BYOD can improve a firm’s productivity and

performance leading to the firm’s competitive advantage (Caldwell, Zeltmann, & Griffin,

2012).

1.3 Research Outline

Extensive research using existing literature on information systems, mobile

security, BYOD security, and policy management was conducted. Additionally,

interviews with industry leaders and experts were conducted. A strategy agenda and

research methodology were developed. The research resolved to answer the

following overarching question: Can a balanced application of technology and policy

using a security framework significantly reduce security breaches in an enterprise

where Bring Your Own Device (BYOD) is allowed/implemented?

A framework was then developed as the solution to the BYOD security concerns

and named BYOD Security Framework. To assess the effectiveness of a de facto

implementation of the framework, a survey was created and distributed to systems

engineers, security practitioners, and project managers. The results of the survey were

analyzed using nonparametric statistical analyses. The results showed with reasonable

degree of confidence that a de facto implementation of the BYOD Security Framework

would reduce security breaches associated with BYOD in an enterprise.

 


1.4 Contribution to the Body of Knowledge

This research helps security practitioners, project managers, and systems

engineers in understanding the new paradigm of BYOD while providing them with a

solution in the form of a security framework, which can be used to secure their existing

organizational BYOD programs or in creating new ones. The framework is modular in

nature and thus scalable. Practitioners can choose to implement some or all parts of the

framework depending on their needs and risk appetite. Furthermore, the framework can

be used as a reference to determine security gaps in areas of existing BYOD

implementation within an organization. The results of this dissertation imply that

practitioners who implement a comprehensive BYOD program using the BYOD Security

Framework can expect significant improvement in productivity gains, reduced costs in

procurement, training, hardware, software, and support while successfully and efficiently

mitigating the associated risks inherent in BYOD.

1.5 Summary of Dissertation Organization

In this dissertation, risks of allowing BYOD balanced by its benefits will be

examined. It is helpful to give a synopsis of the dissertation’s organization to the reader.

The dissertation starts out by the study of literature and then dives into an analysis of

BYOD and some examples of its use. The research question and corresponding

hypotheses are presented next. The BYOD Security Framework is next presented

followed by some key policy controls. This presentation is in turn followed by

recommendations in policy management and usage scenarios. The research

methodology, data collection, results and analyses are presented next. Recommendations

for future research areas then follow along with the dissertation’s conclusions, which

 


wraps up the dissertation. The appendices present valuable tables for planning and

starting a BYOD program as well as the dissertation’s survey questionnaire.

 

 


2 Literature Review

 "Against the growing, unstoppable backdrop of consumerization and BYOD [bring your

own device], every mobile device is a risk to business."

Raimund Genes, Trend Micro CTO

2.1 Overview

Information security incidents have increased considerably during the past

decade, owing more and more to personal mobile devices (Siponen, 2014). So far,

mobile devices have not been anywhere near as big a target as have desktop machines,

however, they have not been spared either (Michael & Viega, 2010). It has been

estimated that over half of all information system security violations are directly or

indirectly caused by employee failure to comply with security procedures and personal

mobile devices have been a major contributor (Son, 2011). It is not surprising then, that a

critical concern for organizations is the extent to which employees comply with

information security policies, and in particular when using BYOD (Son, 2011) (Siponen,

2014).

Given the desire of employees to bring the devices they use at home into the

workplace, organizations need to adopt a “bring your own device” (BYOD) vision – that

is, securing the network and data regardless of how workers access information

(Thompson, 2012). Today's IT departments need to enable the chaos that comes from a

BYOD environment. This doesn't mean accepting high levels of risk, but it does mean the

security department cannot act as the barrier to business transformation, says Gordon

Thomson, Cisco Security EMEA (2012).

 


If it were not for the security and privacy concerns, BYOD would not worry

anyone (Mansfield-Devine, 2012). Organizations sometimes start out by saying “no” to

BYOD only to find out later they have been participants through email, text messages,

and document sharing. On the other hand, many organizations embrace it rapidly and

then are overwhelmed by the security and privacy implications. Since in a BYOD

environment, the organization does not own the desktop (devices are privately owned and

are portable), the solution to their security concerns seems to be to make the user part of

their security model; that is, a system of access control based on whom, what and maybe

even where. Users need to play an active role in the information security environment by

preventing unwanted incidents, protecting organizational material and immaterial assets,

and reacting to incidents (Vance, 2012). Examples might be locking their devices and

setting automatic locks, password etiquette, cautious use of email and the Internet on

their personal devices, cautious use of organizational assets and data when outside the

organization, and reporting information security breaches.

Certainly, it's possible to build a reasonably secure mobile device, just as it's

possible to build a reasonably secure desktop but this security comes at the expense of

functionality (Michael & Viega, 2010). This defeats the appeal that mobile devices have

for their owners. Jansen suggests User Interface plugins, encryption, and policy

incorporations (Jansen et al., 2004), but most of what is proposed applies to managed,

company-owned devices circa 2003 and does not apply to today’s post-Apple-iOS and

Google-Android BYOD that permeates all aspects of society.

In addition, high information security workloads create conflicts of interest

between functionality and information security especially in BYOD since users work

 


considerably with their easy to use apps to get their work done (Von Solms, 2004).

Simply documenting requirements of expected information security behavior and general

awareness campaigns have little effect by themselves on user behavior and awareness

(Von Solms, 2004). Approaches where user participation is embraced can be much more

effective for influencing user awareness and behavior.

Most organizations are totally dependent on their IT systems to capture, store,

process and distribute company information (Von Solms, 2006). This has grown rapidly

with the advent of mobile device BYOD. Information security is and has always been the

discipline to mitigate risks impacting the confidentiality, integrity, and availability of an

organization’s IT resources (Von Solms, 2006). This discipline has been forced to

expand with the advent of BYOD but not necessarily in a predictive and cohesive

manner. Many organizations are not even aware that BYOD is used on their networks; of

those who are, many have little to no technologies and/or policies in place to address

BYOD (Mansfield-Devine, 2014). BYOD thus, is a trend that requires studying as part

of the information security governance of an organization. To protect valuable

information, organizations must stop making a distinction between devices in the

corporate network and devices outside of it, argues Bill Morrow of Quarri Technologies

(2012).

Most organizations do not realize that security is corporate governance

responsibility (the buck stops at the top) and that information security is also a business

issue and not just a technical issue (Von Solms, 2004). Information security governance

is a complex issue and there is no off-the-shelf solution available for it. An information

 


security plan needs to be based on identifiable risks. It should be clear that a corporate

security policy and associated enforcement and monitoring are essential.

In addition, information security awareness amongst users is of core importance

(Von Solms, 2004). Further, information security administrators and managers must be

empowered with the tools, infrastructure, support mechanisms, and enforceable policies

to properly perform their duties. Information security should be a priority of executive

management, including the Board and CEO and should therefore commence as a

corporate governance responsibility needing to integrate information security into

corporate governance (Posthumus & Von Solms, 2004).

Corporate governance consists of the set of policies and internal controls by

which organizations, irrespective of size or form, are directed and managed. Information

security governance is a subset of the organization’s overall corporate governance

program (Von Solms, 2006). The proposed BYOD Security Framework needs to be

placed within the information security governance of the organization.

2.2 Background

BYOD is short for Bring Your Own Device, a play on the acronym BYOB (Bring

Your Own Beer). It is a trend that has been around ever since people first brought their

own USB flash drive, or installed their favorite browser or program, to get their job done.

In such cases, over the years, a variety of solutions have come into existence in order to

secure organizational resources and data. These included controlling of the desktop

environment using policies. These policies were both written policies as well as policies

applied via technology such as Microsoft’s Active Directory Group Policies. For

example, using central software-based policies, IT could lock down installation of

 


applications, disable USB ports, and even monitor a desired workstation to any degree

deemed necessary. They may or may not also put out a policy outline as to proper use of

the devices and software and restrictions in place.

Much like Coke, Xerox or Kleenex, whose names have become generic terms

(“Do you have Coke?”), BYOD has become such an eponym, referring almost exclusively

to smartphones, especially in the work environment, with tablets being a

distant second.

When Apple introduced its iOS devices (the iPhone followed quickly by its iPad),

the popularity and ease of use of these devices made them too enticing for employees not

to use them for their jobs on-site and off-site. Google entered the market shortly after

with its Android operating system along with an added twist: it used open licensing, so

vendors could modify the source code. Additionally, users could install whatever they

wished, to their hearts’ delight, a model not found on Apple’s iOS devices. Since these

devices are privately owned, IT faces the challenge of how to secure their organizations’

resources and data from being lost, stolen, or exploited. Consider the scenario in which a

legitimate employee copies confidential data into his smartphone, and then loses the

phone a couple of days later. Or perhaps a nurse takes a picture that includes a patient’s

private information, with the camera in her iPad, and then forgets about the picture. The

device may be lost or stolen and the image may be transmitted unwittingly (or

purposefully) to a third party, violating the patient’s privacy as well as the Health

Insurance Portability and Accountability Act (HIPAA) regulations. These are two quite

common scenarios that are not that difficult to imagine. While security software

companies hail loads of solutions to the problems of mobile security, usually in the form

 


of some Mobile Device Management (MDM) system, based on this research, none has

the technology to protect an organization’s resources against BYOD or to alleviate all

privacy concerns.

2.3 Why BYOD?

BYOD has many advantages, such as reducing companies' cost and increasing

users' productivity (Wang & Vangury, 2014) (Scarfo, 2012). Saving money in

procurement, hardware, software, licensing, service agreements, and insurance are

additional benefits of BYOD (Caldwell, Zeltmann, & Griffin, 2012). Increased mobility,

flexibility, productivity and employee satisfaction are considered as some of the key

reasons for the adoption of BYOD (Rivera et al., 2013). Additional considerations for

BYOD include:

• BYOD is portable, so employees can work from anywhere

• BYOD increases efficiency since employees are well versed in using their own

devices; this also means that the burden of training is lowered (Finneran, 2012)

• Employees tend to look after their own devices with more diligence than

company-provided ones (Ghosh, 2013)

• Services can be provided to rural areas; for instance, patient monitoring in remote

locations can be done using BYOD at very little cost

• Via apps such as GotoMeeting, virtual conferences are easy and quick to set up

from anywhere using mobile devices

• Services can be delivered in the field; for instance, an insurance agent can provide

proper services right at a customer’s location, report the results back to the

 


company, and finalize the transaction using his BYOD with custom company

apps installed

• Organizations such as Khan Academy (www.khanacademy.org) and

Harvard/MIT edX (www.edxonline.org) provide low cost, high quality online

education ideal for BYOD learning experiences (Miller, 2012)

• Communication and information sharing is instant and available from just about

anywhere, with or without Wi-Fi or LAN resource availability

2.4 BYOD Adoption

According to David A. Willis, while BYOD is occurring in companies and

governments of all sizes, BYOD is most prevalent in midsize and large organizations

($500 million to $5 billion in revenue, with 2,500 to 5,000 employees) (Willis, 2013).

BYOD allows small companies to go mobile without a large device and service

investment, and in some cases, the low-cost consumer apps can add significant value

without significant cost (Willis, 2013). Unlike tablets, over half the companies that allow

smartphone BYOD subsidize at least part of the expenses for their employees. Figures 1

and 2 show the adoption of BYOD by industry.

 


 

Figure 1: Tablet BYOD Adoption by Industry, Source: (Gartner, 2013)

 

 

Figure 2: Smartphone BYOD Adoption by Industry, Source: (Gartner, 2013)  

2.5 Examples of BYOD

Mobile devices are improving healthcare tremendously, especially for the poor

and those in rural areas, says West (2012). West contends that mobile data traffic will

increase eighteen-fold by 2016 and that mobile technology is poised to alter how

healthcare is delivered. Using BYOD, patients can be monitored in real time, even those

in rural areas, since 3G and 4G wireless services can be used to reach them. Mobile

 


devices can be used to access patient records, raise health awareness, perform

telemedicine such as reminding patients of their medication via texting, and even use text

messaging to determine emergency room wait times. West predicts that with real time

monitoring, $197 billion in overhead would be saved over 25 years, while an additional

$305 billion in productivity would be gained by 2022. Furthermore, physicians using

their BYOD respond more promptly to medical results, have fewer errors in medication

prescription, and show improved data management and record keeping practices (Willis,

2013). Since the devices are their own, physicians can use them at multiple locations, as

many doctors work at more than one hospital or medical facility. According to J.

Goedert, the benefits of BYOD and mobility are not just for doctors (Goedert, 2013);

patients, especially kids, love using the iPad and those devices help them not to think

about needles. iPads are especially sought after and doctors prefer them to RIM

Blackberries: the iPads have larger screens, are easy to take from patient to patient, are

easy to use, have no keyboards, and are thus easy to sanitize, a point specifically made by

many doctors refusing to use Blackberries (Mansfield-Devine, 2012). With so many

benefits, hospitals are learning that it is not possible to deny BYOD (Goedert, 2013).

BYOD is not a passing fad. It is here to stay, in the healthcare industry.

The main challenges of BYOD in healthcare are security and, as part of that,

patient privacy. Some additional areas of concern are: upgrades to network

infrastructures, having a strategy for lost BYOD since the devices are not owned by the

healthcare organization, providing a solution for the mixing of personal and professional

data on BYOD, providing for proper data sanitation of devices, and the distribution and

control of applications across these devices. These are enormous challenges and not

 


unique to the healthcare industry. As of 2013, there are over 12,000 healthcare apps for

Apple iOS devices and more than 30,000 for Android-based devices (Mansfield-Devine,

2012). To add to the complexity, unlike Apple devices, Android devices are spread out

in their operating system versions, capabilities, features, and base security, since Android

uses open licensing. What this means, in a nutshell, is that an app that can be securely

put on one Android-based device may not be able to be placed securely on another

Android-based device due to the operating system version. Another area of consideration

involves the policies to be implemented, in software, hardware, wireless, carrier based

services, as well as personnel and management (i.e. people-based policies for proper

clearance, conduct, and access).

2.6 Benefits of BYOD

There are clear benefits and business reasons that an organization may gain as a

result of a successful employment of a BYOD program. Typically, the benefits of BYOD

can be characterized in one of three ways: employee morale, increased productivity, and

cost benefits. Employees are far more comfortable and satisfied using devices that they

have chosen to invest in, which in turn may also lead to higher levels of efficiency and

productivity when compared to employees who are issued a device that they may not be

familiar with. BYOD also allows employees to carry one device for personal and work

functions rather than carrying multiple devices. A single device is less likely to be lost or

stolen than one of several devices an employee carries. BYOD may make an organization

more attractive to employees by making the company look flexible and in-touch with

today’s technology, which may increase recruiting and retention. Employees will

 


appreciate the convenience of carrying a singular device, of their choosing, to conduct

both their business and their personal activities upon.

The driving factors for some organizations to implement BYOD are the rise of

employee expectations with regard to mobile technology coupled with the rising costs of

the latest mobile devices. At the time of this writing, a new Apple iPhone 6 with 32

gigabytes of storage costs nearly $300 with the purchase of a two-year agreement from a

carrier. The cost to keep up with employee expectations can be immense and difficult to

overcome, particularly to smaller businesses and organizations. At the same time,

organizations may not realize return on investment by purchasing the latest and greatest

mobile technology through every evolution. Since its initial release in 2007, Apple has

released nine iPhone models. In the same timeframe, thirteen versions of the popular

Android operating system have been released, each with its own flagship device

highlighting new features and capabilities. The mobile technology market is evolving

more than once per year!

Organizations may realize cost savings from several vectors when properly

implementing a BYOD program. First and foremost, the organization is no longer

responsible for purchasing mobile devices. Given the prices of the latest devices, that

cost savings is significant. Employees using their own devices for work are more likely

to invest in new technology at their own pace, which saves the organization from the

costs of keeping up with the latest technology. Another advantage that results in cost

savings is that organizations are not required to maintain a telecommunications support

staff to administrate and manage carrier agreements. Maintenance and technical support

are handled between the employee and their carrier, abstracting organizations from

 


providing help desk or other support for the devices. Employees utilizing BYOD are far

more likely to be familiar with their chosen device, eliminating the need for any

additional training by the organization.

2.7 Top Failures in BYOD Security

Defining Top Failures can be a challenging task since each organization has

unique security requirements and challenges. However, certain failures are so common

that they deserve to be mentioned specifically. Clearly there are many concerns, but

this list serves as a good starting point. To have a more structured approach, a

checklist for BYOD readiness would be necessary (see appendix A). Such a checklist

would serve as a precursor to the application of a framework that would serve as

the resolution to the BYOD systems security concerns. Girard has identified a list of

the top BYOD security failures (Girard, 2013). Below is the list followed by a brief

description of each failure:

2.7.1 Inconsistent Security Policies

Policy gaps are the foundation of most security failures and BYOD security is no

exception. A typical instance is requiring complex passwords on desktops and laptops

but allowing a simple 4-digit passcode in BYOD devices.

2.7.2 Leakage in Shared Media

USB and flash devices such as SDs are common culprits here. Enterprises may

bypass inventorying removable media in favor of honor systems, where users are

encouraged to encrypt their devices, or perhaps enterprises ignore the problem

altogether. This allows for sensitive files to move between generic devices and invariably

causes leakage of sensitive data.

2.7.3 Minimal Management

The unrestricted and easy access that BYOD enjoys was rarely if ever tolerated

for laptops. BYOD devices are frequently allowed to connect to enterprise networks,

access email, access and manipulate data, and very often few controls if any are in place

to check such access.

2.7.4 Readable Data Remaining in Disposed Devices

Many recycled, traded, or sold smartphones and tablets contain sensitive data

even after they were presumably erased; this includes those devices that were “properly”

erased. Many users are not aware that when they “delete” their data, the operating

system simply marks the location as erasable and that the data can still be retrieved.

2.7.5 Inter-application Data Leakage

As smartphones and tablets can store gigabytes of data easily, including email

attachments, pictures, and documents, there is a good chance that their data gets shared

between applications and possibly copied to unapproved and/or unsecured locations

through sync tools, cloud tools, or automated backups.

2.8 Challenges and Risks of BYOD

BYOD, particularly as it relates to smart phones, presents a distinctive set of

challenges and risks to any organization. Throughout this dissertation and in particular in

the BYOD Security Framework, challenges, risks, and solutions as they relate to three

 


core aspects of a BYOD program, depicted in figure 3, will be addressed: People, Policy,

and Technology.

Figure 3: Aspects of a BYOD Program

Every aspect of BYOD can be categorized under one of these three groupings in order to

help readers understand the different components of BYOD and how each plays a critical

role in the overall process. Policy can help guide and shape user behavior and

Technology can be used to enforce policy. In the end, it is the People who stand to

benefit and represent the greatest risk to BYOD.

There are cultural challenges to groom a responsible and security-conscious user

base. Organizations must develop policies surrounding BYOD that align with the core

business mission and the risk tolerance of the organization. Technology must be selected

and implemented to enforce and manage BYOD policies. Risks to sensitive corporate

data must be managed in the face of a myriad of challenges. Finally, there are legal

issues upon which little guidance exists in the way of legislation or case law.

2.9 BYOD Security Lifecycle

The BYOD Security Lifecycle defines the stages of a mobile device during its

participation within a BYOD program. This BYOD Security Lifecycle is presented in

order to provide structure and context to the steps presented later in the BYOD Security

Framework. The BYOD Security Lifecycle is displayed in figure 4 below.

 


Figure 4: BYOD Security Lifecycle  

Register. The device is registered with the BYOD program. The device and mobile

operating system are examined to ensure they meet the minimum standards for inclusion

in the program.

Provision. The device is provisioned using Over-The-Air (OTA) or other enrollment

process. During provisioning, the device is installed with any configurations, settings,

software, and certificates necessary to prepare the device for BYOD.

Operate. The user is granted access to approved organization resources with the device.

The user continues to enjoy the benefits of BYOD while maintaining compliance with all

organizational requirements for participation in the BYOD program.

De-provision. The device will no longer participate in the BYOD program. All

organizational data are removed in accordance with organizational policies. Any

Register  

Provision  

Operate  

De-­‐provision  

 

21  

organizational configurations, settings, software, and certificates are removed. The

device is returned to the user and is no longer able to access organizational resources.

2.10 Current State of BYOD

The momentum gained by the popularity of BYOD seems unstoppable. A 2012 study conducted by Cisco showed that an astounding 95% of respondents from a pool of 600 U.S. IT and business leaders say their organization permits employee-owned devices in the workplace. According to a global survey of Chief Information Officers conducted by Gartner’s Executive Programs, more than 38 percent of companies expect to stop providing devices to workers by 2016 (Gartner, 2013).

BYOD remains largely uncharted territory with few real success stories. Worse, many organizations are currently participating in BYOD without knowing it. Employees who are able to connect their corporate email on their personal smart phone or tablet are participating in BYOD, whether the organization chooses to admit it or not. With no level of operational management regarding how corporate data are accessed, stored, processed, and transmitted on employee-owned devices, this course of action represents a great deal of risk. Organizations that profess to disallow BYOD but do not actively prevent it through preventative or detective security controls place themselves in a similarly risky situation. Other organizations have chosen to face BYOD head-on. These organizations have an advantage over their counterparts, but may have had little guidance to direct their early actions and implementations.

Technology to support BYOD is still largely an emerging market. Early adopters of BYOD were mostly limited to Mobile Device Management (MDM) standards. MDM will be explained in more detail in the framework (section 4). MDM is certainly better than nothing, but often lacks the innovative and sophisticated features needed to be effective as a singular solution. Another popular approach is the sandboxing method, by which company data are kept in a separate, encrypted container apart from personal data. The solution is fairly effective in design, but limits the primary functionality of the mobile device by only allowing access to business resources through the sandbox’s applications rather than native device applications. Other technology innovations are arriving by the day, and include GPS-based mobile device policy enforcement, virtualization, and data loss prevention.

Current BYOD policies are equally unproven and untested. The legalities of BYOD and the authorized actions of the business are very much in question. There is little in the way of legislation or case law on which to base BYOD policies. Compounding matters is a plethora of legal issues and challenges for which no clear answers are available. During the BYOD policy planning process, it is critical that the organization seek legal and human resources counsel to ensure policies meet existing human resources statutes and remain enforceable. A more detailed discussion of the legal challenges surrounding BYOD can be found in section 4.1.10 of the framework.

3 Research Problem and Hypotheses

"Spending hundreds of thousands of pounds, euros or dollars on a security system, plugging it in and switching it on — then presuming your company is secure — is a totally inadequate approach, because it usually results in relatively poor levels of protection for your organization as the threats from criminals are constantly changing."

Ray Bryant, CEO of idappcom

3.1 Problem Statement

Based on the literature review and wide-ranging interviews with security experts, no study was found that proposed a comprehensive solution or a framework to broadly address BYOD security concerns. The proposed framework of this dissertation is presented later in this document.

3.2 Research Hypotheses

This dissertation attempts to answer the following overarching question: Can a balanced application of technology and policy using a security framework significantly reduce security breaches in an enterprise where Bring Your Own Device (BYOD) is allowed/implemented? In order to answer this question, the following twelve research hypotheses were postulated:

H1: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related data security breaches.

H2: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-Fi) security breaches.

H3: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related cellular security breaches.

H4: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to rogue mobile device access.

H5: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of authentication related security breaches.

H6: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lost/stolen mobile devices.

H7: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to unauthorized mobile access.

H8: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of understanding of organizational security policies.

H9: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of training and education of organizational employees.

H10: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of awareness of organizational policies.

H11: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents).

H12: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to mobile application flaws.

It is worthwhile studying the framework prior to statistical analyses of the hypotheses. Section 4 below presents the BYOD Security Framework followed by recommended policy controls and policy recommendations. A recommended set of guidelines for applying the framework properly is presented afterwards. The statistical study and analyses to validate the framework are then undertaken.

4 BYOD Security Framework

The BYOD Security Framework is a modular architecture that can be easily integrated into a larger information security program. This framework provides a starting point around which organizations can structure their BYOD program. It can be used to create a new program or improve upon an existing one. The framework outlines a seven-step process that encompasses the entire BYOD lifecycle mentioned previously. The framework is iterative and assumes that organizations will revisit each step in the process on a periodic basis in order to provide continuous monitoring of the organization’s BYOD program and to continuously assess the effectiveness of the program. The BYOD Security Framework is illustrated in figure 5 below.

Figure 5: BYOD Security Framework (1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor)

4.1 Plan

The first step in undertaking any major endeavor is to plan properly. In this section, we will highlight some of the key concepts that are critical during the planning process of a mobile device BYOD security program.

The Plan phase requires close coordination across multiple disciplines and among all stakeholders. It is vital that the planning process is supported at the very highest levels of management to ensure that appropriate time and human resources are allocated.

There are several key concepts that will require decision points prior to moving on in the framework. Each concept will be explained along with its potential impact as well as an outline of the consequences of common decisions.

4.1.1 Business Environment

The first step in planning for a BYOD program is to understand how BYOD and mobile devices fit into the business landscape of the organization. Planners should identify who BYOD users are and what business resources BYOD users will be accessing. Organizations that only need to expose email to their BYOD users will require a significantly different security posture than an organization requiring file or internal web access. By identifying the typical use-cases for BYOD, planners will be better able to advise and guide the organization through key decision points in their BYOD planning process.

According to a recent SANS Institute survey on Mobility and BYOD Policies and Practices, 51% of respondents identified knowing what sensitive data devices can access as one of the most critical practices for BYOD. Organizations should determine which information systems, assets, data, and capabilities will be accessed by BYOD devices. The types and levels of access by BYOD will vary from organization to organization and even employee to employee. Planners should consider all the possible use-cases to help shape the protective, detective, and reactive security controls necessary to secure BYOD access. Some examples of internal information resources that might be accessed via BYOD are highlighted below.

• Electronic Mail
• Intranet websites
• Productivity applications
• Collaboration tools
• Social Media
• Internal databases
• Storage
• Cloud services
• Custom applications
• Network access
• Remote access

4.1.2 BYOD Standards

In order to ensure that BYOD devices are capable of supporting functional and security requirements, a set of hardware and operating system standards needs to be established, maintained, and published. Operating systems and their hardware platforms should have the capability to support the implementation of critical mobile security requirements. Planners should determine who will bear responsibility for establishing BYOD standards and requirements. Once determined, organizations need to publish a list of approved devices that users may consult to determine if their devices are eligible for inclusion in the BYOD program.

As critical as the establishment of standards is the ability of the organization to maintain and update them. New mobile technologies evolve every 6-9 months. Planners should understand that if the organization falls behind in its ability to respond to changes in technology, it would have a negative effect and possibly undo the positive effects of having a BYOD program in the first place.

A non-exhaustive list of BYOD requirements is included below. This list is meant to be a starting point for discussion only. Organizations should establish their own requirements that align with organizational missions, goals, and objectives. The Defense Information Systems Agency has published an exhaustive list of security requirements in the Mobile Operating System Security Requirements Guide, available for free download; key elements are listed below. Organizations should take into account any potential limitations of their chosen MDM solution, such as the hardware and operating systems supported, when publishing a list of approved devices. Key requirements should include:

• The device should be supported by the chosen MDM solution¹
• The device should integrate with the organization’s email system
• If required, the device should support certificate-based authentication, including query of organization certificate revocation status
• The mobile device should enforce a mandatory access control (MAC) policy
• The device should support periodic, forced password changes
• The device should enforce a lock function to prevent unauthorized users from gaining access, including automatic locking after a defined period of inactivity and user-directed locking
• Device lock should hide previously visible information from the screen
• The device should not automatically execute applications without user direction
• The device should support the creation and sending of organization-required auditing data, including accurate date and timestamps
• The device should support and meet organizational encryption requirements for data-at-rest and data-in-transit
• The device should support mutual authentication and encryption between the provisioning server and provisioned device during trusted over-the-air (OTA) provisioning
• The device should not permit users to remove organizationally-required applications
• The device should not permit a user to disable or modify security policies or enforcement mechanisms
• The device should prevent applications from accessing other applications and data stored on the device
• The device should support Internet Protocol Security (IPSec) with Advanced Encryption Standard-128 (AES-128) or better encryption for Virtual Private Network (VPN) tunnels
• The device should encrypt the Public Key Infrastructure (PKI) certificate store using AES-128 or better encryption
• The device should prohibit remote activation of collaborative computing functions, including microphones, cameras, and networked white boards, without user concurrence

¹ Not all MDM solutions are capable of supporting every device on the market. Check section 4.1.3 on MDM later in this dissertation as well as product literature to ensure approved devices are supported.

For organizations with more stringent security standards, these additional requirements are worthy of consideration:

• The device should support an organization legal/warning banner prior to device unlock
• The device should support alignment of device timestamps with organization network time to support forensic analysis and investigation of events that cross from mobile devices into the organization’s network
• The device should support organization PKI requirements, including verification of public keys and denial of untrusted certificates and certificate authorities
• The device should support enforcement of password complexity requirements
• The device should verify the integrity of software and applications before installation and execution
• The device should support disabling or securing Bluetooth and Near-Field Communications (NFC)
• The device Wi-Fi module should support WPA2 with EAP-TLS authentication and AES-CCMP encryption
• The device should authenticate tethered connections before granting access to the device
• The device should detect and report the presence of unauthorized software and applications
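As an added illustration of the baseline list above (this code is not from the dissertation), the following Python script evaluates a device's reported capabilities against the baseline requirements and reports which ones fail, the check an organization would run at registration. The field names, minimum values, MDM-supported model list and sample devices are constructed assumptions, since real MDM products expose these under their own names; the script also shows the version-string pitfall ("10.0" sorting before "9.3.1" as text) that such a check must avoid.

```python
"""Device eligibility check against the baseline requirements of section 4.1.2.
Added example, not part of the dissertation; field names, minimums, the MDM model
list and the sample devices are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed organizational minimums (placeholders, not from a real policy).
MDM_SUPPORTED_MODELS = {"PhoneA-9", "PhoneA-10", "TabletB-3"}
MIN_OS_VERSION = {"ios": (9, 0), "android": (5, 1)}
MAX_LOCK_TIMEOUT_SEC = 300      # automatic lock after a defined period of inactivity
MIN_AES_KEY_BITS = 128          # "AES-128 or better" for VPN tunnels and the PKI store
REQUIRED_APPS = {"org-mdm-agent", "org-email"}

# Yes/no requirements: (reported field, required value, failure message).
BOOLEAN_CHECKS = [
    ("enforces_mac_policy", True, "no mandatory access control (MAC) policy"),
    ("supports_forced_password_change", True, "no forced periodic password change"),
    ("hides_content_on_lock", True, "lock screen does not hide previously visible content"),
    ("autorun_apps", False, "executes applications without user direction"),
    ("supports_audit_export", True, "cannot create and send audit data"),
    ("data_at_rest_encrypted", True, "data at rest not encrypted"),
    ("user_can_remove_required_apps", False, "user can remove organizationally-required apps"),
    ("user_can_disable_policy", False, "user can disable or modify security policies"),
]

@dataclass
class Device:
    """Capabilities a device reports at registration (constructed field names)."""
    model: str
    os_name: str
    os_version: str                 # e.g. "9.3.1"
    supports_cert_auth: bool
    checks_revocation: bool
    enforces_mac_policy: bool
    supports_forced_password_change: bool
    lock_timeout_sec: int           # 0 means automatic locking is disabled
    hides_content_on_lock: bool
    autorun_apps: bool
    supports_audit_export: bool
    data_at_rest_encrypted: bool
    ipsec_aes_bits: int             # 0 means no IPSec VPN support
    pki_store_aes_bits: int
    user_can_remove_required_apps: bool
    user_can_disable_policy: bool
    installed_apps: set = field(default_factory=set)

def parse_version(text):
    """Turn '9.3.1' into (9, 3, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def evaluate(device):
    """Return the failed baseline requirements; an empty list means the device is eligible."""
    failures = []
    if device.model not in MDM_SUPPORTED_MODELS:
        failures.append("not supported by the chosen MDM solution")
    minimum = MIN_OS_VERSION.get(device.os_name.lower())
    if minimum is None:
        failures.append("operating system not on the approved list")
    elif parse_version(device.os_version) < minimum:
        failures.append("operating system below minimum version")
    if not (device.supports_cert_auth and device.checks_revocation):
        failures.append("no certificate-based authentication with revocation checking")
    if not 0 < device.lock_timeout_sec <= MAX_LOCK_TIMEOUT_SEC:
        failures.append("inactivity lock missing or longer than %d s" % MAX_LOCK_TIMEOUT_SEC)
    for attr, required, message in BOOLEAN_CHECKS:
        if getattr(device, attr) != required:
            failures.append(message)
    if device.ipsec_aes_bits < MIN_AES_KEY_BITS:
        failures.append("IPSec VPN weaker than AES-%d" % MIN_AES_KEY_BITS)
    if device.pki_store_aes_bits < MIN_AES_KEY_BITS:
        failures.append("PKI certificate store weaker than AES-%d" % MIN_AES_KEY_BITS)
    missing = REQUIRED_APPS - device.installed_apps
    if missing:
        failures.append("required applications not installed: " + ", ".join(sorted(missing)))
    return failures

def sample_device(**overrides):
    """Constructed compliant device; pass overrides to model a deficient one."""
    base = dict(model="PhoneA-10", os_name="iOS", os_version="9.3.1",
                supports_cert_auth=True, checks_revocation=True, enforces_mac_policy=True,
                supports_forced_password_change=True, lock_timeout_sec=120,
                hides_content_on_lock=True, autorun_apps=False, supports_audit_export=True,
                data_at_rest_encrypted=True, ipsec_aes_bits=256, pki_store_aes_bits=256,
                user_can_remove_required_apps=False, user_can_disable_policy=False,
                installed_apps={"org-mdm-agent", "org-email", "maps"})
    base.update(overrides)
    return Device(**base)

# Constructed sample devices: one that passes, one that fails several checks.
COMPLIANT = sample_device()
OUTDATED = sample_device(model="PhoneA-9", os_name="Android", os_version="4.4.2",
                         checks_revocation=False, lock_timeout_sec=0,
                         data_at_rest_encrypted=False, user_can_remove_required_apps=True,
                         installed_apps={"org-email"})
```

Running evaluate(OUTDATED) lists six failures (OS version, revocation checking, inactivity lock, data-at-rest encryption, removable required apps, missing MDM agent), which is the report a registration workflow would hand back to the user.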

4.1.3 Mobile Device Management (MDM)

Any technology solution for implementing a successful BYOD program starts with Mobile Device Management. MDM provides OTA control of data, applications, and configuration settings for mobile devices. Most MDM solutions consist of a server located either in the organization’s network or in the cloud that communicates with managed devices via the Open Mobile Alliance (OMA) Device Management (DM) protocol. OMA DM is an open standard that defines a common feature set, including device provisioning, software upgrades, and fault management. Most MDM vendors offer a fairly standard set of capabilities, which are included in Appendix B of this document.

Not all MDM solutions are created equal, and organizations should pay careful attention to each product’s capabilities. Many MDM solutions offer advanced features, but those features may only be available for a particular device model or operating system.

4.1.4 Application Store

The true power of the smartphone is not in the features of its operating system, but in the seemingly infinite possibilities of its applications. With great capability comes great risk. Organizations should plan for how BYOD devices will be permitted to download and install applications. Depending on the organizational mission, there are many different solutions and each may offer benefits and drawbacks to the success of the BYOD program.

Applications today are no longer being written exclusively by larger software companies that could presumably be trusted and held accountable. Anyone with the knowledge and proper tools can create an “app” and publish it for public download. Organizations cannot implicitly trust the integrity and quality of publicly available applications. Applications may contain unintended flaws that could expose organizational information or even allow attacks directly upon the enterprise network. Malicious developers may create entertaining and popular applications with a more sinister payload. Organizations should plan for how they will balance the user demand for openness with the need to protect organizational assets and data.

There are several possible solutions presented in sections 4.3.5 and 4.3.6 of this document. Some key questions that planners should ask include:

• Will the organization allow full and open access to any and all applications?
• Should the organization blacklist known-bad applications?
• Should the organization whitelist and only allow known-good applications? If so, what will be the inclusion process for applications?
• Will users be permitted to download applications from a public source (e.g. Apple App Store, Android Market, etc.)?
• Will the organization stand up its own application marketplace?

Full and open access may introduce unmanageable risks, while restrictions placed on applications may eliminate the appeal of a BYOD program in the first place. Decisions should be based on solid risk management planning.

4.1.5 Asset Management

Organizations must know what they are protecting before they can hope to protect it. Asset management encompasses the full range of processes and technology by which BYOD devices are registered and approved, configuration controlled, and managed. Organizations can expect that asset management will play a critical role in the overall risk management process of BYOD.

Asset management includes activities to formally approve users and devices into the BYOD program, register devices, install required software, configurations, and applications to meet organizational requirements, and manage the relationship between the organization, the user, and the device throughout the BYOD lifecycle.

During the planning process, organizations should determine who will be responsible for asset management, the tools used, and the reporting metrics required in order to maintain visibility of the BYOD program. MDM solutions may offer some degree of asset management, but care should be taken to ensure the capabilities meet the organization’s requirements.

4.1.6 Network Environment

The greatest single technical defense against attacks resulting from the exploitation of a mobile device is the architecture of the network. As important as what planners intend the device to access is what the device can actually access. A purpose-built network architecture will permit BYOD devices to access required organization information resources while retaining strategic network access and intersection points where protective, detective, and reactive security controls can be placed. There are a number of technological solutions that are capable of performing the required functions, including firewalls, access-control lists, virtual local area networks (VLANs), zoning, VPN, and application wrapping, among others. There are many methods and solutions to engineer a sound network architecture, but the best advice is to treat the BYOD interface as an untrusted, demilitarized zone (DMZ) and expose only those information resources specifically required. This is illustrated in figure 6 below.

Figure 6: Network Environment

4.1.7 Governance

Organizational planners will need to identify the policies, processes, and procedures used to operate and monitor the organization’s BYOD program. Governance should include statutory, regulatory, legal, security, environmental, and operational requirements at a minimum. It is critical to understand the limitations of mobile security technology in order to comprehend which aspects of the BYOD security program are technically enforceable and which rely solely on policy for enforcement. Some key planning items include:

• Identify existing organization information security policies
• Identify security roles and responsibilities
• Identify statutory, regulatory, and legal requirements

For instance, if an MDM solution is chosen that relies upon an installed application that the user can remove, then organizational policy must dictate that BYOD users are not permitted to remove the required application. In this manner, organizations can compensate for the limitations of their technology solution by shaping user behavior through policy. In this instance, the organization should ensure that users are briefed and trained on their responsibilities to participate in the BYOD program.

4.1.8 Risk Management Strategy

The Risk Management Strategy surrounding BYOD should be based upon the principles of Identify, Protect, Detect, and Respond, illustrated in figure 7.

Figure 7: Risk Management Strategy (Identify, Protect, Detect, Respond)

These four concepts encompass the four major activities that will drive risk management decisions surrounding BYOD. First, identify the information and assets that need to be protected. Second, protect information and assets using available technology to automate protection mechanisms and enforcement actions. Examples of protection may include device encryption, pass-phrases, and application white/black listing. Third, recognize that there will be gaps between protection mechanisms and the likely attacks used to gain access to information and assets. Deploy detective security controls to provide visibility and situational awareness in order to detect suspicious activity. Last, when suspicious activity is detected, the organization must respond accordingly. Response actions may include automated actions, such as automatic device wipe after a predetermined number of failed login attempts, or manual actions, like enabling GPS-locator services on a stolen device. In short, identify what needs to be protected, protect what can be protected, detect what cannot be protected, and respond accordingly.

The goal of the risk management strategy is to provide a modular security framework that can be easily integrated into a larger information security program (e.g. NIST SP800-37). Organizations should plan for who is responsible for identifying risks and how they will identify them. During the planning process, planners should discuss what tools and techniques might be used to identify risks. Also, planners should discuss whether periodic risk assessments will be utilized or if a more continuous monitoring solution is desired.
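The detect-and-respond half of the cycle described above, as an added example (not from the dissertation) run over a constructed MDM event feed: consecutive failed unlocks past a predetermined limit trigger the automated wipe, while a lost-device report queues the manual GPS-locator action. The event format, device identifiers, threshold and response names are constructed placeholders; a real MDM product exposes its own event feed and response API.

```python
"""Detect-and-respond logic over a constructed MDM event feed (section 4.1.8).
Added example, not part of the dissertation; the event format, device ids,
threshold and response names are constructed placeholders."""
from collections import defaultdict

FAILED_UNLOCK_LIMIT = 5   # predetermined number of failed attempts before automatic wipe

# Constructed sample feed, one event per line: "<timestamp> <device-id> <event> [detail]".
SAMPLE_LOG = """\
2015-09-01T08:00:01Z dev-1001 FAILED_UNLOCK
2015-09-01T08:00:09Z dev-1001 FAILED_UNLOCK
2015-09-01T08:00:20Z dev-1001 UNLOCK_OK
2015-09-01T08:05:00Z dev-2002 FAILED_UNLOCK
2015-09-01T08:05:04Z dev-2002 FAILED_UNLOCK
2015-09-01T08:05:09Z dev-2002 FAILED_UNLOCK
2015-09-01T08:05:15Z dev-2002 FAILED_UNLOCK
2015-09-01T08:05:22Z dev-2002 FAILED_UNLOCK
2015-09-01T08:05:30Z dev-2002 FAILED_UNLOCK
2015-09-01T09:10:00Z dev-3003 REPORTED_LOST
2015-09-01T09:30:00Z dev-1001 UNAUTHORIZED_APP com.example.sideloaded
2015-09-01T09:45:00Z dev-1001 POLICY_DISABLED
"""

def parse_event(line):
    """Split one feed line into (timestamp, device, event, detail); detail may be empty."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        raise ValueError("malformed event line: %r" % line)
    timestamp, device, event = parts[:3]
    detail = parts[3] if len(parts) == 4 else ""
    return timestamp, device, event, detail

def respond(feed):
    """Walk the feed once and return the ordered list of response actions.

    Each action is (timestamp, device, action, mode): 'automated' for responses
    the MDM executes on its own, 'manual' for analyst-driven follow-up such as
    enabling the GPS locator on a device reported lost.
    """
    failed = defaultdict(int)   # consecutive failed unlocks per device
    wiped = set()
    actions = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        timestamp, device, event, detail = parse_event(line)
        if device in wiped:
            continue                      # organizational data already removed
        if event == "UNLOCK_OK":
            failed[device] = 0            # a successful unlock resets the counter
        elif event == "FAILED_UNLOCK":
            failed[device] += 1
            if failed[device] >= FAILED_UNLOCK_LIMIT:
                actions.append((timestamp, device, "wipe_organizational_data", "automated"))
                wiped.add(device)
        elif event == "REPORTED_LOST":
            actions.append((timestamp, device, "lock_device", "automated"))
            actions.append((timestamp, device, "enable_gps_locator", "manual"))
        elif event == "UNAUTHORIZED_APP":
            actions.append((timestamp, device, "block_access_until_removed:" + detail, "automated"))
        elif event == "POLICY_DISABLED":
            # a device whose policy enforcement is off can no longer be trusted
            actions.append((timestamp, device, "revoke_access_and_notify_owner", "automated"))
        else:
            actions.append((timestamp, device, "review_unknown_event:" + event, "manual"))
    return actions

if __name__ == "__main__":
    for action in respond(SAMPLE_LOG):
        print(*action)
```

Note that dev-1001 is never wiped: its two failed unlocks are followed by a successful one, which is why the counter tracks consecutive failures rather than a lifetime total.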

4.1.9 User Training

The largest risk in any BYOD program lies in its users. Whether through negligence, malice, or pure bad luck, users have the ability to cause great harm to an organization. Never is this truer than in a BYOD scenario where users are empowered to do whatever they want because the device belongs to them. Therefore, it is absolutely critical that users are trained on the rules of behavior and their responsibilities as good corporate citizens in the effective use of BYOD.

Planners should identify the key training components of their BYOD program, including what will be presented during initial and refresher training, the frequency of mandatory training, and who will be responsible for developing and maintaining the training curriculum.

4.1.10 Legal Issues

There are a number of key legal issues that need to be discussed and planned for among all stakeholders in the BYOD program. Many of these issues and questions do not have definitive answers. Little exists in the way of legislation or case law to determine an organization’s rights and responsibilities in a BYOD program. Among these key legal issues are:

• Does the organization have the right to wipe the device, including personal data and applications, if the device is lost or stolen, in order to protect sensitive corporate data?
• Can the organization monitor access to personal email accounts? If not, how will corporate email be monitored? If so, what restrictions does the organization have regarding how this information can be used?
• What happens to corporate data when an employee is terminated, for whatever reason?
• What liability does an organization have when a device is encrypted and the key is lost, effectively rendering personal data and applications unusable?
• What responsibility does an employee have if he or she sells or transfers ownership of the device, such as gifting it to a child? What action will the organization take for failure to notify it of such a transfer of ownership?
• What are the organization’s requirements for data breach notification in relation to the data stored/processed on BYOD devices?
• Do organizations have a right to search and seize the device as they would corporate property? What about in the case of e-discovery?
• May the organization use GPS to track employee whereabouts? If not, how will this behavior be prevented?
• How will organizations prevent inadvertent exposure of personal information they are not legally allowed to see (e.g. ADA, Genetic Information Non-Discrimination Act, etc.)?
• Who owns the data on the device?
• What responsibility does the organization have for backing up the device and providing the employee access to those backups?
• How will the organization prevent the employee from backing up sensitive corporate data onto unprotected assets, such as carrier or manufacturer cloud backup services?

4.1.11 Device Maintenance and Support

Planners will need to inform Senior Leaders of available maintenance and support options for providing help desk-related support for hardware and mobile operating system issues that may arise.

The first option is for the vendor or carrier to provide all device maintenance and support. This option requires the lowest overhead from the organization to ensure that their users’ support needs are met. By utilizing vendors or carriers to provide help desk support, there is less risk that device warranties will be voided by potential help desk actions, which may increase the overall appeal of the BYOD program. Conversely, it leaves the organization little control over the level of service provided and introduces the risk that sensitive organizational data may be exposed to vendor or carrier help desk personnel. Organizations should consider adding safeguards and/or policies to remove or wipe sensitive data prior to a device being turned over to the vendor or carrier.

The second option for device maintenance and support is a hybrid plan. The hybrid option lets the organization provide support for critical user problems while deferring other issues to the vendor or carrier. The hybrid option requires additional resources in the form of a help desk and supporting assets from the organization. Planners will need to establish the scope and authority of organizational help desk personnel and clearly articulate when problems will require escalation to the vendor or carrier to preserve device warranties. Should a problem be escalated to the vendor or carrier, planners should consider adding safeguards and/or policies to remove or wipe sensitive data prior to a device being turned over to the vendor or carrier.

The final option for BYOD endpoint support is for the organization to provide full support. This allows for the greatest amount of organizational control over devices and the information resident on them; however, it also increases staffing and training costs for endpoint support personnel competent in all the technology platforms allowed under the BYOD policy. Providing full support for the devices may also cause any hardware repairs to void employees’ warranties on their devices. Potential legal implications aside, this can lead to a lower overall appeal and lower employee buy-in for the BYOD program.

4.1.12 Is BYOD the Right Choice?

While there will be more extensive discussion of the topic of this section later in the dissertation, a brief discussion is worthwhile here. Once an initial round of planning has occurred and the organization has a good measure of what it takes to successfully implement BYOD, the next planning item should determine if BYOD is right for the organization. A proper cost/benefit analysis should be conducted, consistent with existing organizational IT investment processes, to determine what the organization stands to gain by implementing BYOD.

For some organizations, the benefits may not outweigh the risks and/or costs. In that case, the organization needs to ask itself: What have we done to prevent BYOD? Many organizations are already implementing BYOD without their knowledge but have done nothing to control it. Today, many corporate email users can easily connect their corporate email account to their device because nothing actively prevents it. This is a nightmare scenario for security professionals, because they are left to defend an attack vector that they don’t know exists. This backdoor access may expose the organization to data leakage, loss of sensitive information if the device is lost or stolen, or a laundry list of other risks, all without the knowledge of the organization whose data have been exposed.

Part of this decision is selling security process improvements to upper management, which is not easy because security professionals have often focused on vague although troubling potential threats, and BYOD security is no exception. Security experts are often seen as alarmists in the boardroom. Selling security as a means to mitigate risk, notably privacy issues that could lead to legal action from affected customers and reliability issues that could lead to violation of service-level agreements and system downtime, is more plausible: such risks can be assigned monetary value by managers and thus offer a more effective approach (Howard & Lipner, 2009).

4.2 Identify

The Identify phase begins the BYOD Security Lifecycle. During the Identify phase, devices are registered for participation in the BYOD program, officially approved for use, and provisioned with required security settings in accordance with the established plan developed in Phase 1.

4.2.1 Register

In accordance with the BYOD Security Lifecycle, the first step in the Identify phase is to register the devices that will require protection. During the registration process, the user will present the device for inclusion into the organization’s BYOD program. The assigned department within the organization will evaluate the device to ensure it meets established hardware and operating system requirements for inclusion in the process. Using an automated or manual workflow system, official approval should be given by delegated organizational resources that the device meets established standards and is eligible for inclusion into the BYOD program. Some organizations may want to consider eligibility criteria for employees as well as devices. The additional check will ensure repeat violators of BYOD or other security policies are not placed in a position to cause additional harm.

4.2.2 User Training

Prior to granting the user any access to organizational resources or data, the user should be trained on the policies and procedures as well as their individual role and responsibilities in carrying out the security controls associated with the organization’s BYOD program. This initial training helps to clearly communicate the rules of behavior expected of BYOD users while establishing the corporate culture for BYOD. User training should be periodically reviewed for content updates, and users should be periodically retrained. Periodic training will reinforce security norms and build a culture of security responsibility and awareness surrounding BYOD. A workflow should only permit a user to progress when the initial BYOD security training has been acknowledged and the user is certified as having been successfully trained.

[Figure: BYOD Security Lifecycle diagram showing the phases 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor]

4.2.3 Provision

Next, the device should be provisioned in accordance with organizational policy. Provisioning is the act of implementing security configurations, settings, applications, device profiles, and software certificates necessary to fully realize all security controls established as part of the BYOD program. Provisioning may occur OTA or in person, as approved by the organization during the Plan phase. If groups are utilized to configure department-specific accesses or security controls, group membership should be assigned during the Provision step.

4.3 Protect

Once devices have been identified, and users have been enrolled in the BYOD program appropriately, the organization needs to ensure that the devices, and the information that resides on them, are appropriately protected throughout the BYOD lifecycle.

4.3.1 Device Authentication

Policy is required regarding credentials to unlock the device. There are several decisions involved in determining the level of protection required for smartphone access. Many mobile operating systems have the capability to enforce two-factor authentication. These can include token codes, common access cards, or biometrics. The use of two-factor authentication can lower the overall appeal of the devices due to the increased time involved in unlocking devices. Some two-factor implementations also carry increased overhead to the organization.

There also needs to be a mobile device passcode policy. Most mobile operating systems support utilization of a Personal Identification Number (PIN) for authentication. Although this is the easiest manner of unlocking devices, and may be most desirable by employees, it may be deemed inadequate to protect sensitive organizational data due to the relative ease of cracking a four or six digit PIN. This means that organizations may opt to require strong passwords.

[Figure: BYOD Security Lifecycle diagram showing the phases 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor]

No matter the organizational decisions regarding the credentials required to unlock the device, the policy needs to address the sharing of credentials. This includes sharing credentials with significant others, children or other family members, friends, and coworkers.

4.3.2 Wireless Protection

Many employee-owned devices, including both phones and tablets, are unable to connect to networks via wired Local Area Networks (LAN) when utilized at the workplace; they require a wireless architecture to be capable of connecting to a network. There are several key items to consider when building a wireless architecture to support employee-owned devices, including authentication, encryption, and consideration of who might be listening despite the best protections.

When considering authentication, organizations should decide whether to use one- or two-way authentication and whether to utilize individual or group authentication. One-way authentication refers to an architecture where the device or user authenticates itself to the network. Two-way authentication means the device or user authenticates itself to the network and the network authenticates itself to the device, offering a greater degree of protection from spoofed networks. An example of group authentication is a home wireless router that requires a single, shared password to grant access to the network. Individual authentication refers to a scheme where the device, user, or potentially both, authenticate themselves individually against an access control list. The measures of authentication protection should be commensurate with the sensitivity of the data and resources that may be accessed once authentication has occurred.

Many organizations use a single shared password associated with a service set identifier (SSID) to grant access to their wireless networks. The shared nature of that password all but guarantees its eventual compromise. Once compromised, the network segment is completely exposed unless other protective security controls are put in place. Given today’s technology, there are many other solutions that can be deployed with far greater protections for little more cost. The single, shared password for authentication may be adequate for some organizations, but most should look for more robust authentication protections.

One available option for increased authentication protection is to use an enterprise 802.1x authentication server for allowing the devices to connect to the network. 802.1x can be configured to rely on an existing Lightweight Directory Access Protocol (LDAP) server, such as Microsoft Active Directory, to provide individual authentication to the network. 802.1x has considerably more overhead than simply relying on the wireless routers for authentication with a single, shared password, but offers a much higher level of confidence in the authentication protection afforded. Some devices, however, will automatically retry connections to 802.1x authentication servers with the same credentials any time that their authentication fails, causing inadvertent denial of service attacks against users’ domain accounts by locking them out.
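As an added illustration (not part of the dissertation), the following Python detects the lockout pattern just described from authentication-server failure events, separating one device retrying stale credentials from failures spread across many devices. The log line format, account names, MAC addresses, and the lockout threshold of five failures within ten minutes are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication-server failure events. The layout is an
# assumption made for this example, not any vendor's real log format.
SAMPLE_LOG = """\
2015-09-01T08:00:01 auth-fail user=jdoe device=aa:bb:cc:11:22:33 nas=wlc-1
2015-09-01T08:00:04 auth-fail user=jdoe device=aa:bb:cc:11:22:33 nas=wlc-1
2015-09-01T08:00:07 auth-fail user=jdoe device=aa:bb:cc:11:22:33 nas=wlc-1
2015-09-01T08:00:10 auth-fail user=jdoe device=aa:bb:cc:11:22:33 nas=wlc-1
2015-09-01T08:00:13 auth-fail user=jdoe device=aa:bb:cc:11:22:33 nas=wlc-1
2015-09-01T08:15:00 auth-fail user=asmith device=de:ad:be:ef:00:01 nas=wlc-2
2015-09-01T08:16:00 auth-fail user=asmith device=de:ad:be:ef:00:02 nas=wlc-2
2015-09-01T08:17:00 auth-fail user=asmith device=de:ad:be:ef:00:03 nas=wlc-2
2015-09-01T08:18:00 auth-fail user=asmith device=de:ad:be:ef:00:04 nas=wlc-2
2015-09-01T08:19:00 auth-fail user=asmith device=de:ad:be:ef:00:05 nas=wlc-2
2015-09-01T09:00:00 auth-fail user=bwong device=00:11:22:33:44:55 nas=wlc-1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) device=(?P<dev>\S+) nas=(?P<nas>\S+)$"
)


def parse_failures(log_text):
    """Return (timestamp, user, device) tuples for every auth-fail line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["dev"]))
    return events


def lockout_risk(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts whose failures inside `window` reach the directory's
    lockout `threshold` (both values are assumed policy settings).

    Returns {user: {"count": n, "devices": [...], "pattern": str}} for flagged
    users only. One device failing repeatedly is the stale-credential auto-retry
    the text describes (fix: have the user update the stored password); many
    devices failing against one account is a different situation that needs
    its own response.
    """
    per_user = defaultdict(list)
    for ts, user, dev in parse_failures(log_text):
        per_user[user].append((ts, dev))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        # Sliding window over the sorted failure times.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                devices = sorted({d for _, d in events[start:end + 1]})
                pattern = ("single-device auto-retry" if len(devices) == 1
                           else "multi-device failures")
                flagged[user] = {"count": count, "devices": devices,
                                 "pattern": pattern}
                break
    return flagged


if __name__ == "__main__":
    for user, info in lockout_risk(SAMPLE_LOG).items():
        print(user, info)
```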

There are many other authentication solutions on the market today, with more emerging regularly. Organizations should use care in evaluating the full range of authentication solutions to choose the solution that best meets their functional and security requirements and aligns with the organization’s risk appetite.

Another key aspect of wireless protection is the encryption standards in use. As wireless attacks become more advanced, wireless protection standards have evolved to meet the threat. The majority of devices currently support Wi-Fi Protected Access II (WPA2) using the Advanced Encryption Standard (AES). It is recommended that the organization require WPA2 with AES when accessing sensitive data and resources, as opposed to Wired Equivalent Privacy (WEP), WPA, and WPA2 configurations that rely on weaker encryption standards and are considered insecure (NIST, 2007) (Von Solms & Von Solms, 2004).

Beyond the corporate network, it can be expected that employees will connect their devices to public or unsecured networks. To protect communications, there are many options available that the organization should explore. The easiest option is to utilize network restrictions on the device to permit connection to trusted networks only. While easy, it greatly limits the usability of the device and will not work in most BYOD situations. Another option is to take advantage of security solutions that utilize an “always-on” VPN solution that runs through the corporate network. The VPN solution protects the confidentiality and integrity of communications, but introduces latency associated with the VPN solution. Other, less secure options include denying access to unsecured wireless networks or preventing corporate connections over unsecured connections. In the end, the planners should select the solutions that best align with the overall business goals and are within the organization’s risk tolerance.

Based on the physical location of the device, there are also concerns regarding the path that data takes over cellular networks. If a device is transmitting unencrypted data over the cellular network, including voice and Short Message Service (SMS), it is possible that eavesdropping could occur. Therefore, the physical location of employees should be taken into account, especially for international companies. There have been cases of nation-states monitoring both incoming and outgoing traffic, which could compromise sensitive data in transit through cellular towers in the host country. Some wireless solutions are also applicable to cellular transmission, most notably an always-on VPN that goes through the organization’s corporate network, thus offering protection of in-transit data on the BYOD.

4.3.3 Network Architecture

Establishing a network boundary permitting access to employee-owned devices is critical to ensuring that the network is appropriately protected from the possible threats that they present to corporate resources. There are far too many possibilities to explore each option, but this section will outline some key concepts to consider when planning network architecture to support BYOD.

First, the entry point for mobile devices into the corporate network should be structured to allow for appropriate protective and detective security controls to control and monitor mobile device network traffic. Control could be established using VPN architecture, network monitoring tools (e.g. IDS/IPS, Next-Generation Firewall, etc.), separate VLANs, and/or separate address spaces.

Second, the path from the untrusted entry point to the internal corporate resources must provide layered protective and detective security controls to control and monitor network traffic passing between the untrusted and trusted zones. The intersection points can be used to deploy additional protections, such as data loss prevention (DLP).

Some mobile security solutions use the concept of an always-on VPN connection to provide data-in-transit protection for network-based communications to and from the managed device. In this scenario, the network architecture needs to grant access to internal resources when required while also allowing outbound Internet communication for non-corporate destinations. Again, the intersection point represents an appropriate place to layer protective and detective security controls.

4.3.4 Awareness and Training

Training should be conducted initially, prior to device registration in the BYOD program, and should repeat at least annually for all users, regardless of their participation in the program.

Training should include all aspects of the BYOD program that include a level of user responsibility. There are several areas of user responsibility within BYOD. Employees must understand the regulations protecting them, their data, and the security requirements for organizational data stored on or transmitted by their personal devices. Employees must also be briefed on the appropriate protocol for reporting security incidents, including a lost or stolen device, so that the organization can take appropriate actions to protect the data resident on it. Users should be trained on their other responsibilities in maintaining compliance with BYOD policies, such as ensuring that applications and software are kept up-to-date.

Training should occur for both non-privileged and privileged users, such as MDM administrators and security operations analysts. It is natural that personal and corporate data reside on the device in some combination and thus organizations may be subject to laws and restrictions that limit what information they can capture and utilize. Privileged users with potential access to restricted information need to understand their roles and responsibilities in carrying out their duties. Privileged users should fully understand where their authority begins and ends with regards to operation of the BYOD security apparatus.

4.3.5 Application Store

There are multiple options for an appropriate application store, each at different cost and allowing for different levels of organizational control over the employee-owned devices.

The first option is to allow unrestricted access to public application stores. This option is the most desirable to employees, as it allows them to download any applications they desire without restriction. This relies on trusting the vetting processes of the applications being allowed in their respective stores. Some application stores, such as the Android Market, have notoriously poor malware vetting processes, instead opting to leave the burden of protection on the users. This is not to say that other application stores are significantly better – there have also been instances of malicious developer-signed applications in Apple’s App Store. The malicious applications can trigger a variety of unwanted actions, including data theft and utilization of the device as a pivot to access restricted resources within the organization. Access to the contact list poses the threat of spam, targeted advertising, phishing, and spear-phishing; these threats are not only to the organization, but a compromise can also cause an organization’s clients to be exposed to these tactics.

There is also the option to utilize a Corporate Application Store and deny access to the commercial Application Stores. This is a more secure option, allowing organizations to publish only permitted applications to the Application Store. It is associated with both considerable overhead and a lessened overall appeal of the BYOD program.

4.3.6 Application Whitelisting and Blacklisting

If the decision is made to use the public application stores for applications resident on the device, there is the choice to either grant access to specific authorized applications, known as whitelisting, or to deny access to specific unauthorized applications, known as blacklisting. Restricting access to either known-good applications or blocking access from known-bad applications will reduce exposure to poorly formed or malicious software.

Blacklisting is a reactive method of keeping applications deemed insecure off the employee-owned devices. This means that an application must be discovered, and deemed to be a threat, before being added to the blacklist. As a result, new malicious applications may not yet be on the blacklist, allowing them access to the corporate network.

Whitelisting and blacklisting both require considerable overhead in the form of corporate resources assigned with maintaining and updating the lists, although services exist to outsource the listing functions. Whitelisting is a proactive security control that provides a greater level of assurance that applications are safe than blacklisting does, as it proactively denies all applications that have not been organizationally reviewed for security. This keeps new malicious applications from being added to the device before they can be evaluated. Whitelisting, however, is more likely to impede the employees from downloading the applications that they want, as those applications will need to be reviewed first, thus lowering the appeal of the BYOD program.

Either of these options allows the organization to restrict access to malicious applications and reduce the overall operational risk of a BYOD program. However, in either case, if users cannot access their desired applications, there may be less organizational buy-in to the BYOD program.

As with most processes in BYOD, user participation is required and a workflow is needed for users to request whitelisting of particular applications. If a user desires to use a particular app on his phone to get his job done, he should be able to request the vetting of the app via a form, preferably online, and be guaranteed an answer within a certain timeframe, perhaps two business days. The form will need to capture why the user needs such an app and include a disclaimer that in case the request is denied, the user may not use that app to do job related work. The vetting process needs to be quick for obvious reasons. This process can be enhanced if a suggestion form is available where users can suggest apps, even if they are not currently using them. This allows more time for the vetting process thereby lowering the risk of malicious apps.

4.3.7 IPSec/VPN

Virtual Private Networks, or VPNs, allow for the connection of employee-owned devices to access the organizational network as though they were within the network’s protections. This offers a level of protection against data being intercepted or stolen in transit.

Internet Protocol Security, or IPSec, is an open standard allowing for mutual authentication and encryption of communications over the network and between networks. This is one of the available methods for enabling VPNs. IPSec VPNs allow for access that is similar to being physically connected to the corporate network; however, connections can be limited to specific applications on the device to mitigate the risk of a compromised device accessing any network resources that it desires.

Secure Sockets Layer (SSL) VPNs provide a similar capability to IPSec VPNs; however, they can provide additional levels of control, including the restriction of access to specific users or groups on the network. This allows for a greater level of organizational control over remote access to resources than IPSec VPNs do.

Both IPSec and SSL can be used without VPNs, as well, to allow for authentication and encryption of traffic passed over the network.

4.3.8 Mobile Device Management

A critical aspect of protecting mobile devices as part of a BYOD program is an MDM. Before provisioning a mobile device with MDM software, an automated or manual process should inform MDM administrators that the user is authorized to participate, with the identified device, in the organization’s BYOD program.

MDM administrators should be carefully selected and the principle of least privilege taken into account. MDM administrators will have complete rights over nearly every aspect of every mobile device under the purview of the MDM solution. Organizations should ensure their MDM administrators are trusted and their activity monitored.

MDM is typically deployed through an enrollment or provisioning process. Devices can be provisioned from the MDM server using OTA or other methods. Some MDM solutions allow for integration with directory services, such as Microsoft Active Directory, to realize increased visibility across the organization. The provisioning process will install the necessary certificates, configurations, and software required to enforce BYOD security standards.

If users require different settings based upon a set of criteria (e.g. division, geographic location, etc.), most MDM solutions offer administrators the option to structure profiles around groups, to which BYOD users can be assigned. Groups simplify the management and deployment of MDM profiles when users require different settings.

A comprehensive list of MDM standard features can be found in Appendix B.

4.3.9 Location Awareness

Many mobile devices possess GPS location capabilities. Beyond telling a user the most direct route to their local drive-thru, they can also promote a level of device self-awareness that can be utilized in conjunction with an MDM solution to enact protective, detective, and reactive security controls based on the device’s location.

Some solutions are capable of disabling different components on managed endpoints. Examples include disabling cameras and microphones when carried into specific locations, such as meeting rooms used to discuss sensitive organizational topics. They may also restrict network access depending on the data being accessed (e.g. disallow access to corporate data when attached to an unknown or unsecured wireless network).

Location-aware solutions can ensure that specific physical locations of the building are protected from unauthorized recording and photography. These may be met with far less resistance than ensuring that each employee leaves their phone in a locker or on a shelf outside of a protected area, which could detract from the value of the BYOD program or the overall work environment.

4.3.10 Device Fingerprinting

Device fingerprinting allows devices to be identified, or fingerprinted, as an additional means of authentication. There are two methods of device fingerprinting, passive and active.

Fingerprinting allows for agentless identification of a device, and non-repudiation of data transmitted from that device. Generally, this is based on client configurations. In the case of BYOD, many devices may be configured exactly to meet the Minimum Security Baseline (MSB), while being of the same operating system and model. Traditional passive fingerprinting may therefore see many identical fingerprints, making it a model that may not stand up as well.

For the sake of BYOD, a more substantive fingerprinting model is recommended. Many MDM solutions offer application-layer fingerprints based on criteria unique to the device to ensure that there are no two devices with the same fingerprints, so that they can all be positively identified. This is considered more invasive, and may involve adding information such as Media Access Control (MAC) address and Serial Number to the fingerprint to ensure that it is unique. This also allows for the fingerprint to remain static – passive fingerprinting allows fingerprints to change as users modify the settings on their devices.

Having static, application-layer device fingerprints allows for a higher level of protection for network resources, as not only will a user’s authentication credentials need to be compromised, but also their device will need to be, as well.
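Added example, not from the dissertation: a Python sketch of the static versus passive fingerprint contrast described above, with an enrollment check that requires the presenting device to match a fingerprint recorded for the user. The attribute names, the sample devices, and the use of an HMAC keyed with an organization secret (so a fingerprint cannot be recomputed from a public serial number or MAC address alone) are assumptions made here.

```python
import hashlib
import hmac
import json

# Attributes the text treats as volatile (they change when the user edits
# settings) versus identifiers it names as unique to the hardware.
PASSIVE_FIELDS = ("os", "os_version", "user_agent", "locale", "timezone")
STATIC_FIELDS = ("model", "serial_number", "wifi_mac")

# Placeholder organization key (assumption); in practice it lives in the
# MDM server's key store, never on the device.
ORG_KEY = b"replace-with-organization-secret"


def _digest(attrs, fields):
    """HMAC-SHA256 over canonical JSON of the chosen fields, keyed so that a
    fingerprint cannot be derived from public identifiers alone. A record
    missing any field is rejected rather than silently fingerprinted."""
    missing = [f for f in fields if f not in attrs]
    if missing:
        raise ValueError(f"device record lacks {missing}")
    canon = json.dumps({f: attrs[f] for f in fields}, sort_keys=True)
    return hmac.new(ORG_KEY, canon.encode(), hashlib.sha256).hexdigest()


def passive_fingerprint(attrs):
    """Configuration-based fingerprint: identical for MSB-configured devices
    of one model, and changes whenever the user edits a setting."""
    return _digest(attrs, PASSIVE_FIELDS)


def static_fingerprint(attrs):
    """Hardware-identifier fingerprint: unique per device and stable."""
    return _digest(attrs, STATIC_FIELDS)


def enroll(registry, user, attrs):
    """Record the static fingerprint of a user's approved device."""
    registry.setdefault(user, set()).add(static_fingerprint(attrs))


def device_is_enrolled(registry, user, attrs):
    """Second check beside the user's credentials: the presenting device
    must match a fingerprint enrolled for that user."""
    return static_fingerprint(attrs) in registry.get(user, set())


# Constructed sample: two devices of the same model configured to the same
# Minimum Security Baseline, so their volatile settings are identical.
DEVICE_A = {"os": "iOS", "os_version": "8.4", "user_agent": "Mozilla/5.0 (iPhone)",
            "locale": "en_US", "timezone": "America/New_York",
            "model": "iPhone6,2", "serial_number": "SERIAL-A-0001",
            "wifi_mac": "aa:bb:cc:00:00:01"}
DEVICE_B = dict(DEVICE_A, serial_number="SERIAL-B-0002",
                wifi_mac="aa:bb:cc:00:00:02")


def demo():
    registry = {}
    enroll(registry, "jdoe", DEVICE_A)
    # The same user later changes a setting; the static fingerprint must survive.
    device_a_later = dict(DEVICE_A, timezone="Europe/London")
    return {
        "passive_collides": passive_fingerprint(DEVICE_A) == passive_fingerprint(DEVICE_B),
        "static_collides": static_fingerprint(DEVICE_A) == static_fingerprint(DEVICE_B),
        "passive_stable_after_change":
            passive_fingerprint(DEVICE_A) == passive_fingerprint(device_a_later),
        "static_stable_after_change": device_is_enrolled(registry, "jdoe", device_a_later),
        "other_device_same_user": device_is_enrolled(registry, "jdoe", DEVICE_B),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```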

4.3.11 Device Encryption

Encryption is a cornerstone of BYOD security. Encrypted VPNs, using IPSec or Secure Sockets Layer (SSL), provide for the confidentiality and integrity of data in transit, but this may leave data on the devices unencrypted once it has reached that destination.

There are several solutions to this, including some that may be resident on devices already. For example, the Apple iPhones have mandated full device hardware encryption utilizing AES-256 since the 3GS version, and this level of security cannot be disabled. Other popular devices, such as those based on Android and Windows Mobile, do not have this level of security mandated, though it is available through security settings.

An organization must ensure that the work effort involved in accessing information on a lost or compromised device is great enough to allow response actions to take place prior to the loss or theft of data resident on the device.

4.3.12 Sandboxing

Sandboxing allows for an application to run in a protected area on the device. This allows for corporate data to be contained and segregated from the employees’ personal data. This allows for targeted wipes and targeted backups of corporate data, ensuring that personal data are neither stored on corporate resources, nor deleted when a targeted wipe is performed to ensure that corporate data are not compromised.

This BYOD solution, however, only ensures that the application is protected. It is often at the discretion of the employees as to where data are stored, meaning there is still the possibility that corporate data exists outside the protected area designated for corporate data.

There are two methods of implementation for a sandboxed solution: zero-trust and one-way trust. Zero-trust solutions do not allow information to transfer either into or out of the sandbox, providing a virtual separation between organizational and personal apps and data. One-way trust solutions allow some data to be transferred into the sandbox. For example, records such as contacts can be moved from the untrusted area on the device into the sandboxed area; however they do not permit data to be moved back to the unprotected area of the device. Either of these solutions may be the best fit for an organization depending on the sensitivity of the data, the organizational mission, and the organization’s risk tolerance.

The major detractor of a sandboxed application solution is that the application uses its own interface as opposed to the standard interface of the device. Productivity and employee satisfaction may be reduced while using an unfamiliar interface that does not contain the features and benefits that led the user to purchase the device in the first place. In a one-way trust environment, employees may choose to use the native interface to perform potentially sensitive work in the untrusted area on the device, and then transfer the data into the protected area for further transmission. The scenario described circumvents the security controls put in place to protect organizational assets and data and should be mitigated through additional security controls, policy, and user training.

4.3.13 Virtualization

The option for a virtualization solution offers the greatest level of control over organizational data that is used by employees from their devices.

A virtualization-based BYOD solution allows for a device to access a thin client that stores, processes, and transmits all data from organizationally owned and operated hardware. This keeps organizational data from being stored on, processed, or transmitted by the employee-owned device. This solves several of the inherent problems with BYOD. To name a few, the loss of a device, or even a device being shipped to a vendor for repair, no longer requires it to be wiped. The risks associated with both corporate and employee backups are also removed.

This is not without major detractors, however. A virtualization-based solution comes with substantial overhead, in servers, storage, processing, and a network backbone capable of low latency while in use – not to mention administrators with the appropriate expertise in workforce mobility virtualization.

Among the primary benefits of BYOD are that employees are more productive due to working with interfaces that they are comfortable with and that they have chosen to use; a virtualization-based approach will often utilize one-size-fits-all thin clients, forcing employees to use the same interfaces that they embraced BYOD to be rid of. This may lower productivity and may also lower employee satisfaction, making the BYOD program less appealing.

4.3.14 Endpoint Protection

There are multiple options when deciding on appropriate endpoint protection. Most mobile operating systems have solutions allowing an agent to be installed on the device. This will cause resource utilization overhead on the employee-owned device, such as processor, memory, and network usage.

There are several solutions that allow for centralized management of security on endpoints to supplement the chosen MDM solution. These will have lower resource utilization overhead for employee-owned devices.

There are also locally managed solutions for endpoint protection. If a local solution is decided upon, the administrative control over this solution may be left in the employees’ hands, leading to potentially insecure configurations. If this approach is taken, a generic minimum-security baseline should be established for the local endpoint protection solution, and additional awareness training should be added to the employee BYOD training regarding the expectations for local endpoint protection.

4.3.15 Mobile Operating System Patching

To ensure a high level of protection for mobile devices, vendor operating system patches should be applied in a timely manner. Vendor patches regularly include mitigation and remediation of known security flaws on mobile operating systems.

Many operating system functional upgrades are released with additional features that contain insecure configurations and new security flaws waiting to be exploited by opportunistic threat actors. An organization must decide whether to allow its users to upgrade their own devices at will, or if it will need to be done as part of the organization’s configuration management process.

There is potentially high overhead involved with exploring the security implications of every upgrade to every organizationally-supported operating system, and the overall appeal of a BYOD program may be lessened if an employee cannot have the shiny new Android or Apple operating system the day it launches. Decisions should be driven based on the organization’s risk management strategy, risk appetite, and threat landscape.

Failing to install new operating system upgrades may have a negative effect and can lead to users having insecure or unstable operating systems on their devices. This can result in compromised data or a reduction in productivity.

4.3.16 Application Patching

The process for patching both corporate and non-corporate applications has potential security implications. The Security Officer will need to develop an appropriate vulnerability management policy regarding the patching of applications.

Corporate applications should closely follow the software development lifecycle (SDLC) to allow for a reasonable expectation of secure application releases.

Non-corporate applications can also have far reaching implications on the security of the device. Many applications are not designed with security in mind, and one cannot necessarily expect the newest version of “Words with Friends”, “Angry Birds”, or “Facebook for Windows Mobile” to be free of possible backdoors that an attacker could use to gain access to the device. Users will need to be responsible for ensuring that their personal applications are kept up to date. If application white- or blacklisting is in use, the organization should ensure the list encompasses each version release of listed applications.
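Added example, not from the dissertation, serving both the whitelisting and blacklisting discussion in section 4.3.6 and the per-version requirement just stated: a Python evaluator that treats each application version as a separately listed item, so a newly released version of an approved application is not silently allowed, and a version found malicious after approval is still blocked. The application identifiers, versions, and sample inventory are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    WHITELIST = "whitelist"   # default deny: only reviewed versions may run
    BLACKLIST = "blacklist"   # default allow: only known-bad versions blocked


def parse_version(v):
    """'4.10.1' -> (4, 10, 1), so that 4.10 sorts after 4.9."""
    return tuple(int(p) for p in v.split("."))


# Constructed sample lists keyed by application identifier. A whitelist entry
# holds the versions that passed review; a blacklist entry holds the versions
# found malicious, or None to block every version of that application.
WHITELIST = {
    "com.example.mail": {"4.1.0", "4.1.2"},
    "com.example.notes": {"1.0.0", "1.0.1"},
}
BLACKLIST = {
    "com.badco.flashlight": None,     # every version is known-bad
    "com.example.notes": {"1.0.1"},   # approved release later found malicious
}


@dataclass(frozen=True)
class Verdict:
    app_id: str
    version: str
    decision: str   # "allow", "block" or "review"
    reason: str


def evaluate(app_id, version, mode, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Decide one installed application version under the chosen mode.

    The blacklist is consulted first in both modes, so a version found to be
    malicious after it was approved is still blocked. Under whitelisting an
    unlisted application, or an unlisted version of a listed one, goes to
    "review": the vetting workflow decides, not the device.
    """
    bad = blacklist.get(app_id, set())
    if app_id in blacklist and (bad is None or version in bad):
        return Verdict(app_id, version, "block", "version is blacklisted")
    if mode is Mode.BLACKLIST:
        return Verdict(app_id, version, "allow", "not blacklisted")
    good = whitelist.get(app_id)
    if good is None:
        return Verdict(app_id, version, "review", "application never reviewed")
    if version in good:
        return Verdict(app_id, version, "allow", "reviewed version")
    newest = max(good, key=parse_version)
    if parse_version(version) > parse_version(newest):
        return Verdict(app_id, version, "review", f"newer than reviewed {newest}")
    return Verdict(app_id, version, "review", "unreviewed older version")


def evaluate_inventory(inventory, mode):
    """Apply evaluate() to a device's reported (app_id, version) inventory."""
    return [evaluate(app_id, version, mode) for app_id, version in inventory]


# Constructed inventory as reported by one enrolled device.
INVENTORY = [
    ("com.example.mail", "4.1.2"),
    ("com.example.mail", "4.2.0"),
    ("com.example.notes", "1.0.1"),
    ("com.badco.flashlight", "3.0"),
    ("com.game.birds", "9.9"),
]

if __name__ == "__main__":
    for mode in Mode:
        for v in evaluate_inventory(INVENTORY, mode):
            print(mode.value, v.app_id, v.version, v.decision, v.reason)
```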

4.4 Detect

Even when devices are adequately protected, changes in the technological landscape cause new attack vectors to arise regularly. Due to this, there are several different events that need to be identified so that an organization can proactively prevent, or respond to and recover from, intentional or unintentional threat events.

4.4.1 Vulnerability Detection

Software and configuration flaws can have unintended consequences, including

denials of service, unauthorized access to organizational resources, and the loss or

compromise of data. Detection of these vulnerabilities can be performed in several ways.

Many automated scanners use tactics similar to those a hacker would use in the reconnaissance stage of an attack: verifying that the device is alive, then probing it to find out what services are running and at what versions. There are several vulnerability scanners on the market with the capability to find software flaws on a variety of mobile operating systems.

There are several advantages of using automated vulnerability scanners.

Generally, there is only a low level of effort involved in finding known software and

configuration flaws that attackers could potentially exploit. Often, these flaws are also

identified with documented fixes readily available.

(Figure: BYOD Security Framework lifecycle: 1. Plan, 2. Identify, 3. Protect, 4. Detect, 5. Respond, 6. Recover, 7. Assess and Monitor.)

The possible disadvantages of these vulnerability scanners are that they generally increase network usage and that, as new technologies emerge and new vulnerabilities are found, the scanners must be kept up to date. As employee-owned devices are not always on the network, scanning has to happen while they are connected, which is also the time of day when the network is already under the most strain. Some scanning engines will not support all of the available mobile operating systems.

There is also the question of the legality of scanning employee-owned mobile devices and recording the weak points in their software and configuration. Because many documented bugs also have documented exploits, retaining this information on a network server is itself a risky decision: an attacker gaining access to that server would effectively have the reconnaissance phase of an attack completed for them. Scan results should therefore be access-controlled, encrypted at rest, and retained only as long as remediation requires.

The organization’s Security Officer will need to decide on the requirements for vulnerability scanning and detection while devices are on the network; the scans themselves will be carried out by the security operations team and overseen by the Director of Security Operations.

4.4.2 Malware Detection

Part of the risk that employee-owned devices pose is that users have administrative control of these devices, and that the devices are not always connected to networks with the same level of protection as organizational networks. That can lead to malicious software becoming resident on them, which an attacker can then use to control the device and reach whatever the device can reach. The two primary anti-malware approaches for BYOD are organizational (agentless) and client based, and the organization’s Security Officer will need to decide which of these is the most beneficial to obtain an acceptable level of risk.

Agentless anti-malware solutions can be run as an internal service for the organization. These solutions have the same downsides as vulnerability scanners: they require consistent signature updates to remain effective, they require the security operations team to manage them, and they increase network strain while scanning, because again this must be done during the working day while devices are connected. However, these solutions give the organization assurance that the anti-malware capability is kept up to date; it is not left in the employees’ hands.

If the solution is local (on-device) malware protection, it will require less network utilization and less operational overhead for the security operations team. It does, however, rely on employees to keep the anti-malware client and its signatures updated, which the organization should verify rather than assume.

4.4.3 Attack Detection

If vulnerabilities or malicious software are not detected, or if they are detected

and not remediated, attackers can exploit these to gain a network foothold. A foothold

within the network can be used as a pivot to gain access to areas of the network that are

otherwise restricted. Attacks need to be detected so that they can be responded to

appropriately.

When devices are connected to corporate networks, the Security Information and Event Management (SIEM) solution, Intrusion Detection/Prevention Systems (IDS/IPS), and/or Next-Generation Firewalls should be placed and configured to detect malicious activity targeting the endpoints within the protected area of the network that the devices are allowed to connect to, as well as malicious activity emanating from devices within that area. SIEM, IDS/IPS, and Next-Generation Firewall solutions should be deployed using a Defense-in-Depth strategy to maximize protection and visibility into mobile device traffic. Because a BYOD segment should have a well-defined set of permitted destinations, traffic from that segment toward anything else, and a single device touching many internal hosts in a short time, are useful detection signals.
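As an added example (not code from the original framework or from any SIEM or firewall product), the following detection logic runs over a few constructed firewall log lines and raises two kinds of alert: a BYOD source sweeping many internal targets within a short window, and a BYOD source that the firewall allowed into a restricted segment. The subnet layout, the key=value log format, and the thresholds are assumptions made for the example.

```python
"""Detecting pivot attempts from a BYOD network segment.

Added example; network layout, log format and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical network layout for the example.
BYOD_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
RESTRICTED_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24")]   # e.g. a server VLAN
SCAN_THRESHOLD = 5                  # distinct dst:port pairs from one source ...
SCAN_WINDOW = timedelta(minutes=5)  # ... inside this window counts as a sweep

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Parse one constructed key=value firewall line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def in_restricted(addr) -> bool:
    return any(addr in net for net in RESTRICTED_SEGMENTS)


def detect(lines):
    """Return a list of (rule, src, detail) alerts for BYOD-origin traffic."""
    alerts = []
    per_src = defaultdict(list)  # src -> [(ts, (dst, dport))] for sweep detection
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] not in BYOD_SEGMENT:
            continue  # only traffic emanating from the BYOD area is in scope here
        if in_restricted(ev["dst"]) and ev["action"] == "allow":
            # The segment should never reach the restricted zone; an allow here
            # is a firewall-policy failure, not merely suspicious device behaviour.
            alerts.append(("byod-to-restricted-allowed", str(ev["src"]),
                           f"{ev['dst']}:{ev['dport']}"))
        per_src[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))

    for src, events in per_src.items():
        events.sort()
        start, seen, fired = 0, defaultdict(int), False
        for ts, target in events:            # sliding window over time
            seen[target] += 1
            while events[start][0] < ts - SCAN_WINDOW:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= SCAN_THRESHOLD and not fired:
                alerts.append(("byod-host-sweep", str(src),
                               f"{len(seen)} targets within {SCAN_WINDOW}"))
                fired = True                 # one alert per source, not per packet
    return alerts


# Constructed sample log lines (key=value style, not from any real product).
SAMPLE_LOG = """\
2016-01-14T09:00:01Z src=10.50.1.23 dst=10.20.0.10 dport=443 action=allow
2016-01-14T09:00:05Z src=10.50.1.23 dst=10.20.0.11 dport=443 action=allow
2016-01-14T09:01:10Z src=10.50.1.40 dst=10.10.0.5 dport=445 action=deny
2016-01-14T09:01:11Z src=10.50.1.40 dst=10.10.0.6 dport=445 action=deny
2016-01-14T09:01:12Z src=10.50.1.40 dst=10.10.0.7 dport=445 action=deny
2016-01-14T09:01:13Z src=10.50.1.40 dst=10.10.0.8 dport=22 action=deny
2016-01-14T09:01:14Z src=10.50.1.40 dst=10.10.0.9 dport=3389 action=allow
2016-01-14T09:30:00Z src=10.50.1.23 dst=10.20.0.12 dport=443 action=allow
2016-01-14T10:00:00Z src=192.168.9.9 dst=10.10.0.5 dport=445 action=deny
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Denied connections are kept in the sweep count on purpose: a device probing the server VLAN and being blocked is exactly the pivot attempt the text describes, and the denies are the evidence. The device at 10.50.1.23 touches three hosts over half an hour and stays quiet; the host outside the BYOD segment is ignored because this rule is scoped to traffic emanating from that area.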

4.4.4 Lost Device

Even with all the safeguards, it must be assumed that at some point, an employee

will have a device lost or stolen. The BYOD training plan needs to cover the importance

of users reporting lost or stolen devices to the appropriate information owner. This will

allow for the information owner(s) of the data resident on the device to determine the best

course of action, and to initiate the appropriate recovery actions.

4.4.5 Data Loss Detection/Prevention

In order to detect security violations or potential exposure of sensitive data, a data

loss detection or prevention (DLP) system could be used. There are several different

ways to implement DLP. The solutions presented assume the reader has some familiarity

with DLP and the current industry offerings.

The first method assumes that all network traffic is routed through an “always-on” VPN connection. In this scenario, the DLP solution is deployed at a strategic network location that all BYOD traffic will eventually cross, so that violations can be detected and appropriate actions taken. This solution can be beneficial because it may not require additional hardware or software beyond existing enterprise capabilities (assuming the organization has already deployed a DLP solution). It only holds, however, if the VPN cannot be disabled by the user and split tunneling is not permitted; otherwise traffic to the internet can bypass the sensor.

The second method is to install a DLP client either on the device or, in the case of a sandbox BYOD solution, in the sandbox. A DLP client on the device can detect exfiltration that a network sensor would miss, such as data leaving over the cellular connection or through a local interface. However, such solutions are limited in both scope and effectiveness while the market continues to evolve. This method is also more expensive to deploy and operate, but offers potentially the best protection available, assuming a solution that works for all approved devices can be found.

The last option is to rely upon existing DLP solutions to protect against data loss. While a device is connected to a corporate network or using corporate email, these solutions may prove partially effective. The danger is that users may inadvertently or maliciously send data out through unmonitored interfaces, such as Wi-Fi, Bluetooth, cellular, personal email, web uploads, etc. Regardless of the chosen solution, organizations should examine the ability of users to transmit sensitive data over the cellular network, effectively bypassing network security controls.
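Whichever placement is chosen, the sensor's job is the same: inspect outbound content and decide what to do with it. The following is an added example of such inspection logic, not code from the original framework or from any DLP product. The classification markings, the approved destination domain, and the sample messages are constructed for illustration; the card numbers are the usual published test values rather than real accounts.

```python
"""Content inspection for a chokepoint or on-device DLP sensor.

Added example; markings, destinations and sample messages are constructed.
"""
import re
from dataclasses import dataclass

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape only; like the card check this is a shape test, not proof of sensitivity.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Classification markings the organization stamps on documents (hypothetical labels).
MARKINGS = ("ACME CONFIDENTIAL", "ACME INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most random runs of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    rule: str
    evidence: str   # masked, so the alert itself does not leak the value
    action: str


def inspect(message: str, destination: str,
            allowed_destinations=("corp.example",)) -> list:
    """Inspect one outbound message body bound for `destination`.

    Sensitive content going to an approved organizational destination is
    reported but allowed; the same content going anywhere else is blocked.
    """
    internal = destination.endswith(allowed_destinations)
    action = "alert" if internal else "block"
    findings = []
    for card in find_cards(message):
        findings.append(Finding("payment-card", f"{card[:6]}******{card[-4:]}", action))
    for m in SSN_RE.finditer(message):
        findings.append(Finding("ssn", "***-**-" + m.group(0)[-4:], action))
    for marking in MARKINGS:
        if marking in message.upper():
            findings.append(Finding("classification-marking", marking, action))
    return findings


# Constructed sample messages; the numbers are test values, not real accounts.
SAMPLES = [
    ("Invoice for card 4111 1111 1111 1111, please process.", "partner.example.com"),
    ("Ticket ref 1234567812345678 (random digits, fails Luhn)", "partner.example.com"),
    ("ACME CONFIDENTIAL: Q3 roadmap attached. Applicant SSN 123-45-6789", "mail.corp.example"),
    ("Lunch at noon?", "friend.example.net"),
]

if __name__ == "__main__":
    for body, dest in SAMPLES:
        for finding in inspect(body, dest):
            print(dest, finding)
```

The Luhn check is what keeps a ticket number or tracking ID from tripping the card rule, and the masked evidence field is there because a DLP alert that carries the full card number simply moves the sensitive value into the logging pipeline. The personal-versus-organizational question raised in the next section is visible here too: the sensor cannot tell from content alone whether an SSN belongs to a job applicant or to the employee's own family member.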

4.4.6 Device Monitoring

Employee-owned devices will need to be monitored for communications that may

contain potentially sensitive information. However, as the employee owns the device,

there are regulatory restrictions and legal implications of an employer monitoring

communications.

Many MDM solutions allow communications through managed applications to be tracked, though there will need to be criteria to establish the difference between personal and organizational data transfer. Monitoring an employee's communication with a personal contact could expose sensitive information, including data protected by law. The criteria for monitoring must be appropriately vetted to ensure due diligence and due care on the part of the organization in the case of personal information being discovered.

4.5 Respond

Once a threat event has taken place, the organization must respond. The response will be based on the nature of the risk or threat event that has presented itself to the organization.

4.5.1 Vulnerability Remediation

When periodic scans discover vulnerabilities in software, either due to code flaws or insecure configuration, the risk must be mitigated to an organizationally acceptable level. This requires that the level of risk be determined. Many vulnerabilities already have Common Vulnerability Scoring System (CVSS) scores (http://nvd.nist.gov/cvss.cfm) associated with them, providing a quick basis for the level of risk presented to the organizational computing environment. A CVSS base score measures the intrinsic severity of a flaw rather than its risk in a particular environment, so it should be read together with the exposure of the affected devices (for example, whether the vulnerable service is reachable from the network at all). Depending on the type of vulnerability and the level of risk presented, there are several choices available. The owner of the device should be made aware of what is happening, and why, at every point throughout this process.

In the case of an insecure configuration, scan findings should be reviewed to

determine whether the vulnerability is resident on a single device, a subset of related

devices, or all devices. Generally, if it is resident on a single device, this can be

remediated without utilizing the organization configuration management process. Some

device operating systems may not support configurations that are otherwise required as


part of the Minimum Security Baseline (MSB), leading to several related devices

showing the same insecure configuration vulnerability. This may be remediated through

compensating controls or through third party applications, or may need to be accepted as

a risk in allowing these devices to be part of the BYOD program. If all devices are

showing the same vulnerability, then the impacts of remediation should be researched

through the configuration management process, and the viability of adding controls to

mitigate the risk should be determined. If it is determined that the risk cannot be accepted as it is, and requires remediation, the organization should update its MSB.

In the case of software code vulnerability, the organizational vulnerability

management process should be followed. The decisions made should involve

communication with the device owner, or owners, if it is due to an insecure operating

system or application.

4.5.2 Malware Removal

There also have to be documented procedures for malware removal, whether the software is intentionally malicious or “accidentally” poses a threat. The IT Security Staff will need to make an informed decision as to the course of action to mitigate these potential threats, based on a set of predetermined criteria, so that the security operations team can take the appropriate mitigating action.

The safest route, as always, is to wipe the device. A factory reset removes malware residing in the user-data and application partitions, including most rootkits, and so provides the highest level of organizational assurance that the risk posed by the malware has been removed. It does not help against an implant in the device firmware or a compromised bootloader; a device suspected of that level of compromise should be treated as unrecoverable and retired from the program.

Some applications may pose an inadvertent threat, as previously discussed, and

the ideal way to address these may be to remove them from the device, and disallow them

via an application store whitelisting or blacklisting solution.

4.5.3 Incident Response

As suspicious activity is detected, organizational incident response personnel will

respond in accordance with the organizational Incident Response Plan (IRP). The

organizational IRP needs to be appropriately resourced to handle incidents related to

employee-owned devices. The additional challenges presented by a BYOD program,

including the lack of organizational device control, lack of remote access capability, and

the implications of taking physical possession of the device, must be adequately

identified and socialized through policy and user training. Business needs and scope

must be established prior to any incident response activity to ensure compliance with

organizational policy, and any applicable laws and regulations.

Response activities to potential attack or compromise of a device should be

published and accepted by both Senior Leaders and the users. While not a panacea to

legal battles over organizational responsibility of employee data, proper socialization will

help establish a corporate culture that supports business goals with regards to incident

response. Employees should be trained and should formally acknowledge IRP

procedures and the employee’s role in compliance with the IRP.

A significant risk in the area of incident response is the preservation of evidence on the device. The lack of organizational control of the device can lead to corruption of forensic findings due to actions, either accidental or purposeful, performed by an employee. The IRP and supporting employee training should identify these scenarios and provide clear guidance on the roles and responsibilities of both employees and incident response personnel.

As outlined in the legal issues section (4.1.10) of this framework, situations may arise where the most appropriate incident response action is to wipe the device. In those cases, the organization should ensure it is prepared technically, culturally, and legally to deal with any repercussions resulting from the loss of organizational and employee data. A wipe also destroys any evidence on the device, so the decision should be made consciously and recorded; where evidence matters, the device should first be isolated from the network (for example, in airplane mode or a shielded container) so that neither a remote wipe nor the attacker can reach it before it is examined.

4.5.4 Device Account Deactivation

Once a user has reported that a device has been lost or stolen, or the security operations team discovers that the device has been compromised, the IT operations team will need to deactivate the device account. This disallows the device from being used to access protected organizational resources in the event that a threat actor gains control of it. Deactivation should include revoking the certificates and tokens issued to the device, not only disabling the account, so that credentials cached on the device cannot be reused.

4.5.5 Remote Wipe

Once an employee reports that a device is lost or stolen, the organization will

need to take steps to protect data that may be resident on the device. This includes

wiping the device remotely so that if the device is stolen, no organizational data can be

compromised. There are several approaches to this, which will need to be discussed by

the Security Officer and the information owner(s). The security operations team will then be responsible for enacting one of two possible remote wipe capabilities, depending on organizational decisions.

The entire device can be wiped. This ensures that neither organizational data nor an employee’s personal data can be stolen: potentially sensitive data, though no longer recoverable from the device, will not fall into the hands of a threat actor. This also protects the employee’s personal data, which could be used for spear phishing and other social engineering attacks. There may be legal issues to explore with regard to wiping an employee’s personal data from an employee-owned device, and it could cause some level of discontent if an employee reports a device lost or stolen, only to find it, wiped, sitting on the dresser when they return home.

Targeted directories or specific sandboxed areas on the device where organizational data are to be stored can be wiped. This leaves all employee-owned data on the device, avoiding potential legal implications. However, some organizational data may remain resident on the device outside of those directories, for example in screenshots, notification caches, or attachments saved into personal applications.

4.6 Recover

Following the initial response to a threat event, the organization must be able to fully recover from the event.

4.6.1 Corporate Backups

In the case of a device that was wiped, whether due to loss, theft, or being shipped to a vendor for repair, the organization will need to be able to recover the data, or a subset of the data, that were stored on it. The same is true if the device suffers catastrophic failure. The most common means of ensuring that the data are recoverable is a corporate backup solution. There are several options in deciding what information to back up with a corporate backup solution.

The whole device can be backed up. If the device is lost, stolen, or suffers catastrophic failure, this will ensure that no organizational data are lost, as well as ensuring that employees’ data are not lost. This will, however, lead to increased organizational storage requirements, depending on the number of employees that are part of the BYOD program. There is also potential for employees to perceive misuse of their personal data stored on organizational servers. It is recommended that the organization seek legal counsel regarding the implications of backing up employees’ personal data on corporate infrastructure, as these data could include information covered under multiple laws.


Targeted directories or specific sandboxed environments can be backed up. This ensures that employees’ personal data will not be stored on organizationally-owned servers, alleviating potential legal qualms, and ensures that administrators do not have the capability to sift through employees’ personal data. It also ensures that file servers are not bloated with unnecessary personal data from employee-owned devices. However, not all organizational data may be stored within the targeted scope of the backup, leading to the possibility of permanent loss if the entire device is not backed up.

As always, there is the option to completely forego a corporate backup solution.

This will require no overhead, and will ensure that no employee data are stored on

organizational servers. However, if a device is lost, stolen, or suffers catastrophic failure,

all organizational data that is resident on the device may be permanently lost.

Information owners will need to determine, in consultation with the Security Officer, the scope of employee-owned device backups, based on the requirements for confidentiality, integrity, and availability of the information stored on them, weighed against the legal implications of potentially storing sensitive personal data on the organizational backup solution.

4.6.2 Employee Backup

If users are unable to access the corporate backup solution, or if it does not back up all of the data on their device, they may be inclined to perform personal backups. These backups may take place prior to a mobile operating system upgrade in case the upgrade is unsuccessful, or even prior to device de-provisioning to retain either the personal or sensitive corporate data that were otherwise sanitized from the device. This can include using either cloud-based backups or backups that are stored locally on employees’ other personal devices.

If employees do back up their devices to either cloud-based solutions or to other

devices that may or may not be a part of the organizational BYOD program, then there is

a high probability of sensitive organizational data being stored on assets entirely outside

of organizational control.

If employees cannot perform these backups, then they will have to rely on

corporate backups of their information, which can be out of date unless they are

performed on-demand. There will also be the risk that if employees are only able to

restore their device from the corporate backup solution, they may only be willing to

perform software updates while at work, lowering their overall efficiency. An employee

may also elect to forego operating system updates, which can lead to additional published

security flaws being resident on their devices, leading to an increased possibility of

compromise.

The Security Officer and the information owner(s) of data expected to be resident on the devices need to weigh the additional risk of data compromise from employee backups against the coverage the corporate backup solution provides, and decide on that basis whether users may back up their own devices.

4.6.3 Device Tracking

Whether or not devices are able to be tracked by the organization is another potentially contentious item. This will need to be discussed by all stakeholders, including user representatives, to ensure an appropriate decision is made.

If an organization tracks the devices, it may allow for the recovery of lost or

stolen devices. This can alleviate the potential for wiping a device that was reported as

lost or stolen, but appears to be in the residence of the employee.

However, the organizational BYOD program may have less appeal due to the potential for misuse. Along with the possible level of discomfort, as of this writing there is no case law regarding the tracking of employee-owned mobile devices; the legality of this has not been established. This may lead to supervisors tracking phones when an employee is supposed to be in attendance at an off-site meeting and seeing that they are on the fourth hole of a local golf course: what course of action can an employer take, if any?

There are also applications that allow employees to track their own devices (e.g.

“Find my iPhone”), which may be recommended or mandated by the organization in lieu

of an organizational capability to track employee device whereabouts. This can aid in the

ability for recovery of a device without the legal or moral implications of an organization

doing so.

If the Security Officer has made a determination allowing employee-owned device tracking within the organization, it is recommended that only the security operations team be capable of tracking devices, to maintain a level of checks and balances. If employees are mandated to have the capability of tracking their own device, the burden of tracking and discovering the location of the device lies with the user.

4.7 Assess and Monitor

After implementation, it is critical to assess and monitor the BYOD security program for effectiveness and efficiency. Threats, technology, and security solutions will continue to evolve. Organizations need to ensure a continuous monitoring and feedback loop is in place to meet the changing landscape. This section will outline some key facets of the Assess and Monitor phase of this BYOD Security Framework.

Throughout the BYOD lifecycle, there will be risks associated with the program.

These must be appropriately mitigated to ensure that the program maintains value to the

organization.

4.7.1 Review and Evaluation of BYOD Program

The BYOD program needs to be reviewed and evaluated for effectiveness on a

periodic basis to ensure that it remains relevant and effective to the organization. The

entire BYOD security program should be re-evaluated on at least an annual basis, using

this framework as a roadmap for conducting evaluation efforts. Security requirements

should remain applicable to the business mission. Policies and procedures should be

reviewed at least annually to ensure they continue to meet security requirements. Last,

the security controls should be assessed as part of a larger risk management program to

validate that controls are implemented and operating as designed.


4.7.2 Insider Threat

Despite the media attention that cyber attacks garner, the oldest and most effective way to damage, destroy, and exfiltrate sensitive information remains the trusted insider. Insiders are usually granted access to sensitive information as part of their normal duties. Privileged insiders may have knowledge of security controls and how to exploit them, as well as the locations of and access methods to sensitive information. Organizations should fold the insider threat concerns stemming from the use of BYOD into their existing mitigation schemes. Particular attention should be paid to the administrators of critical BYOD security functions such as MDM, since an MDM administrator can change device configurations, read device inventory, and wipe devices at scale.

4.7.3 Penetration Testing

Penetration testing can expose vulnerabilities that were not found through other

detective security controls. Organizations should carefully plan the scope of penetration

testing efforts in order to comply with any regulatory or legal requirements regarding

employer penetration testing conducted on employee devices. As of the time of this

writing, there is little in the way of laws or legal precedents regarding penetration testing

conducted on employee devices.

One approach is to use devices owned by the organization, configured as BYOD devices would be, and perform penetration testing (along with other needed testing) against the network from those devices. This way, many of the holes and security vulnerabilities of the network can be detected without touching employee property. The complementary test attempts to break into those organizationally owned devices in order to detect security vulnerabilities in the devices and their baseline configuration. The organization’s security team can then put the needed patches and policies in place while keeping users informed of the process.

4.7.4 Periodic Review of Approved Devices

As security requirements change and threats evolve, organizations will need to periodically review approved device lists. Changes to security requirements or the threat landscape may make devices or mobile operating systems obsolete. Organizations should plan for and train BYOD users on how the decision will be communicated, and develop a standard transition plan to allow users to migrate from obsolete devices to approved ones. Organizations should also be prepared to handle the cultural unpopularity of removing a device for security reasons. The constantly changing nature of mobile technology and employees’ desire to keep up may mitigate this risk, but organizations should be prepared regardless.

4.7.5 Approval of New Devices

In order to keep up with constantly evolving devices and mobile operating

systems, organizations should periodically evaluate new industry offerings for inclusion

into the BYOD program. In addition to organizationally-initiated reviews, employees

should have a means to submit new devices and mobile operating systems as candidates

for inclusion. Failure to maintain a relevant device and mobile operating system list will

surely detract from the success and appeal of the organization’s BYOD program. New

devices and mobile operating systems should be evaluated using criteria established

earlier in this framework to ensure the candidate is capable of meeting all security

requirements at an acceptable level.

4.7.6 Device de-provisioning

Employees will leave the company at some point, even in organizations with very high retention rates. This means that a course of action must be taken by the organization to protect potentially sensitive organizational data that are resident on their BYOD devices. All stakeholders in the de-provisioning process should be briefed on their roles and responsibilities in carrying out de-provisioning activities.

Figure 8: Key De-provisioning Activities: Remove Accesses; Wipe Sensitive Data; Remove Certs & Settings; Remove Security Software.

During the de-provisioning process, four key items must be addressed, outlined in

figure 8. Any device access to organizational information or assets must be removed.

Accesses may come in the form of email accounts, installed applications, or digital

certificates. Sensitive organizational data must be wiped using approved mechanisms to

prevent data retrieval. If the device is being removed from use completely, employees

should consider removing their own personal information on the device as well.

Remaining digital certificates and security settings must be removed in addition to any

security software installed by the organization (e.g. MDM). One solution to achieve this goal is to restore the device to its factory default settings, once data have been removed.

As part of the de-provisioning process, organizations should confirm de-provisioning

activities, including data wipes, and track associated security metrics.

The removal of sensitive data is critical in the de-provisioning process. Sensitive data may come in many forms depending on the nature of the organization and the employee’s role. It cannot be assumed that, because the device has been wiped, all sensitive data are free from disclosure risk. If allowed, employees may have backed up their device and its data on non-corporate media. In those situations, it may be beneficial to perform a de-provisioning interview with BYOD users to confirm deletion of sensitive data beyond the organization’s control.

5 Key Controls as Part of BYOD

"Just because a mobile site is meant to be viewed on a mobile browser with limited

functionality doesn't mean an attacker can't load it in a normal browser and have full use

of their powerful tools to bypass authentication, find vulnerabilities in non-standard

encryption and ultimately crack the site. … It's like having two doors to your bank vault.

Web applications of today are like the highly guarded front door fortified by mature

security practices and fully capable of stopping an intruder. Mobile APIs are like the

unguarded back door — offering far easier access to would-be attackers."

Pete Soderling, founder of Stratus Security

5.1 Overview

As has been mentioned, technology alone cannot guarantee the success of BYOD programs. A successful policy implementation and its management are also necessary. It is important to understand that such policies will have many parts that are non-technical and others that are technical. Part of such a policy implementation would be a set of process controls that encourage users to comply with enterprise policies. Planners of BYOD would benefit from using such controls in order to improve policy compliance wherever technology solutions may come up short. Process controls can be defined as a set of procedures and techniques used to influence compliance with policies. As BYOD implementations must comply with a variety of legal, financial, regulatory, HR, and service-level requirements, having such controls is crucial to success. Of course, enforcing policies is always a challenging matter.

The idea here is to implement technology policies, user-related policies, and process-related policies so that, once they are in place, supporting technologies such as MDMs can be configured so that BYOD is implemented successfully. Successful implementation means different things to different enterprises, but a good definition would be an implementation that operates at the risk level the enterprise requires. The goal of

process-side policy compliance is to address the users’ level of awareness and their

motivation to comply with the policies. Success begins with proper education. BYOD is

a shift in how enterprises, IT, and users think and relate to one another. In BYOD, all are

in far greater partnership than ever before in securing the enterprise’s resources and data.

While it is true that IT needs to adapt to this new phenomenon, users also need to adapt

and to realize the critical role they play. As with anything, education works best when

enforced and tested periodically. This fact highlights the important connection between

education and motivation. Motivation is where the controls come into play.

As part of the control process, an Acceptable Use Agreement should be mandated

for all employees, whether or not they are BYOD participants. Such agreements have

traditionally leaned heavily on disincentives, that is, what would happen if a user does not

follow the policies stated in the agreement. A common issue has been that such

agreements traditionally have not been read carefully, and even when they have been, they

may not have been well understood by users. While such an agreement may give IT a

sense of indemnification (“We told you so”), the fact is such a sense, real or imagined, is

not a solution to BYOD, especially during a breach. By failing to apply all the

motivational controls listed below, the success of the BYOD program can be severely

handicapped.

 

The control tools of motivation can be organized into four general control

processes:

5.2 Incentives

This type of control encourages the users to actively participate based on some

kind of reward. This does not need to be monetary in nature; in fact, monetary rewards

should be discouraged. As an example, the incentive for using a company-preferred

device or OS may be freer access to the enterprise’s resources such as data and apps. As

stated previously, users should be made active participants in the BYOD program. For

instance, users can be asked to rank themselves accurately based on a questionnaire

and then be considered for placement in various levels of BYOD participation.

5.3 Disincentives

By far the most common, this type of control discourages users from taking

particular actions based on negative implications. For example, if the user fails to report

a lost device that had been used to access the enterprise’s resources within 24 hours, the

user’s employment may be terminated. Disincentives are by far the most used control

process implemented by organizations to secure resources and typically form the

cornerstone of Acceptable Use Agreements. Used alone, however, without the additional

key controls explained here, they can lessen the appeal of BYOD and even create an

environment where BYOD is used in secret.

5.4 Compliance Tactics

This type of control uses a variety of compliance techniques. For example,

having a user sign an agreement/pledge to protect the enterprise’s intellectual property

 

reduces the likelihood that data leakage will occur. This is akin to someone signing an

agreement that they will recycle glass and plastic. The mere acceptance of such

responsibility increases the likelihood of compliance.

5.5 Ongoing Communication

This control focuses on the many methods for communicating and

re-communicating compliance requirements at the various points within the process. For

example, a short text message that pops up when a user makes a connection to the

enterprise network using BYOD, or a brief message that plays during a support call

reminding the user of a particular policy, can go a long way by providing positive and

non-intrusive reinforcement. This control is most effective when applied in context; users are more

likely to comply with a policy when that policy is stated in context. Using opportunities

at service points to communicate policies in a just-in-time manner is a good example.

 

6 How to Use the BYOD Framework

 

The purpose of the framework is to assist organizations with implementing

BYOD and integrating BYOD into their existing business operations. The framework

does not represent an all-inclusive list of potential risks and mitigation strategies which

would simply be impossible. Instead, the framework is meant to guide discussions by all

stakeholders within the organization to help them identify risks and solutions that are

applicable and appropriate to the organization. Given the wide variety of business

missions and potential BYOD implementations, organizations are advised to rely on their

own subject matter experts to analyze how the concepts presented in this framework

apply to their organization.

6.1 Establishing a BYOD Security Program

Organizations may use this framework to build a new BYOD program or to

improve on an existing solution. In either scenario, the organization’s risk management

process should be invoked to identify the current status of BYOD security and to analyze

security and policy capability gaps within the organization. The organization can then

make adjustments to their BYOD program to reflect changes in risk levels.

Using the concept of Information Systems Security Engineering, the following

example outlines the steps to implement a BYOD program, depicted in figure 9.

 

Figure 9: BYOD System Security Engineering Process

Step 1: Discover Information Protection Needs. During this first, critical step, the

organization clearly communicates the high-level goals of the BYOD program.

Communication should occur from the senior executive level and outline the business

objectives and risk tolerance levels of the organization to facilitate clear guidance to

BYOD planners and implementers. Planners will articulate the types of systems and

information to be accessed by BYOD users and identify any applicable security laws,

regulations, or policies.

Step 2: Define BYOD Security Requirements. Once information protection needs have

been identified, security requirements for the BYOD program should be defined.

Security requirements should identify the specific action items required to meet the

 

security objectives of the BYOD program. Requirements should be traced from their root

source (e.g. security laws, regulations, or policies) and clearly communicate the action,

threshold, and expected result of each security requirement. Requirements should align

with the high-level guidance provided by senior executives and the overall business

mission.

Step 3: Design BYOD Security Architecture. Security Architecture defines how the

BYOD program will align with existing security controls in order to meet security

requirements. Aligning the BYOD security architecture with existing organizational

security architecture ensures consistency among security control quality throughout the

organization.

Step 4: Develop Detailed BYOD Security Design. The detailed security design

incorporates technical and non-technical security controls into a cohesive solution that

meets security requirements. During this step, organizations outline specific use-cases

and conduct analysis of alternatives to identify technologies and policies that will

implement established security requirements at the defined threshold levels. The detailed

security design represents the final step in the planning process.

Step 5: Implement BYOD Security. The detailed security design is executed in

accordance with all planning guidance. Technologies are procured, configured, and

implemented. Policies and procedures are created and authorized in accordance with the

organization’s standard operating procedures. At the completion of this step, all security

controls are implemented and functioning as intended.

Step 6: Assess Security Effectiveness. The final, and arguably most important, step is

to assess the implemented solution against the security requirements to ensure all security

 

controls are working as intended at their defined threshold levels. Any gaps should be

identified and remediated in accordance with the organization’s risk management

process.

6.2 Identifying and Communicating with Stakeholders

A BYOD program should be implemented in accordance with existing

organizational project management techniques. As part of the project management

process, a communications plan should be identified to outline all BYOD stakeholders

and establish the frequency and content of communications. Because BYOD crosses

many traditional organizational boundaries, it is imperative that stakeholders are

informed, involved, and provide feedback at all stages of the BYOD lifecycle.

6.3 Identifying Policy and Capability Gaps

While technology in the BYOD arena continues to evolve on a daily basis, it is

nearly impossible for all security controls and requirements to be met with technology

alone. Organizations should pay careful attention to which security requirements can be

met with technology and identify where gaps exist between technology and security

requirements that must be filled with security policy. Policy can be an effective way of

meeting regulatory and compliance requirements, but may still offer significant risk if

there is no way to automate the enforcement of security policy. For example, an

organization may require that users do not access corporate resources from an unsecured

wireless network. However, if a technology solution does not exist to actively prevent

the user from connecting to an unsecured wireless network then the organization is

relying upon security policy to shape the user’s behavior. The gaps between policy and

 

technology may represent significant risk areas that organizations should pay careful

attention to.
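The requirement-tracing and effectiveness-assessment steps of section 6.1 (steps 2 and 6) and the technology-versus-policy gap analysis of this section can be captured in a small assessment script. The following Python example is added here for illustration; it is not part of the dissertation or of any framework it cites, and the requirement identifiers, sources, thresholds and measured values in it are constructed assumptions.

```python
"""BYOD requirements traceability and effectiveness assessment (added example).

Each requirement is traced to its root source (law, regulation or policy) and
carries an action, a threshold and an expected result, as step 2 of the process
asks.  assess() is the step 6 check of measured effectiveness against each
threshold, and policy_only_gaps() flags requirements that no technical control
enforces, the risk areas section 6.3 says deserve careful attention.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Requirement:
    req_id: str        # hypothetical identifier
    source: str        # root source the requirement is traced back to
    action: str        # what must be done
    threshold: float   # minimum acceptable measured level (0.0 .. 1.0)
    expected: str      # expected result in plain words
    enforcement: str   # "technology" (automated control) or "policy" (user behaviour only)


@dataclass(frozen=True)
class Finding:
    req_id: str
    kind: str          # "threshold_gap", "unmeasured" or "policy_only"
    detail: str


# Constructed sample requirements; ids, sources and wording are assumptions.
REQUIREMENTS: List[Requirement] = [
    Requirement("BYOD-01", "Data protection policy DP-3",
                "Encrypt organisational data at rest on enrolled devices",
                1.00, "all enrolled devices report encryption enabled", "technology"),
    Requirement("BYOD-02", "Acceptable Use Agreement",
                "Report a lost or stolen device within 24 hours",
                0.95, "95% of loss reports filed within 24 hours", "policy"),
    Requirement("BYOD-03", "Wireless security policy WS-1",
                "Do not access corporate resources from unsecured Wi-Fi",
                1.00, "no corporate sessions originate from open Wi-Fi", "policy"),
    Requirement("BYOD-04", "Authentication standard AS-2",
                "Enforce a device passcode before enrolment",
                1.00, "all enrolled devices have a passcode", "technology"),
]


def traceability(reqs: List[Requirement]) -> Dict[str, List[str]]:
    """Map each root source to the requirement ids derived from it."""
    out: Dict[str, List[str]] = {}
    for r in reqs:
        out.setdefault(r.source, []).append(r.req_id)
    return out


def assess(reqs: List[Requirement], measured: Dict[str, float]) -> List[Finding]:
    """Step 6: compare measured effectiveness with each requirement's threshold."""
    findings: List[Finding] = []
    for r in reqs:
        if r.req_id not in measured:
            findings.append(Finding(r.req_id, "unmeasured",
                                    f"no measurement for '{r.action}' ({r.source})"))
        elif measured[r.req_id] < r.threshold:
            findings.append(Finding(r.req_id, "threshold_gap",
                                    f"measured {measured[r.req_id]:.2f} below threshold "
                                    f"{r.threshold:.2f} for '{r.action}' ({r.source})"))
    return findings


def policy_only_gaps(reqs: List[Requirement]) -> List[Finding]:
    """Requirements that rely on policy alone: nothing automated shapes the behaviour."""
    return [Finding(r.req_id, "policy_only",
                    f"'{r.action}' has no automated enforcement; relies on user behaviour")
            for r in reqs if r.enforcement == "policy"]


if __name__ == "__main__":
    # Constructed measurements from a hypothetical MDM report; BYOD-03 has no data source,
    # which is itself a finding: a policy-only requirement nobody can measure.
    measured = {"BYOD-01": 0.92, "BYOD-02": 0.97, "BYOD-04": 1.00}
    for f in assess(REQUIREMENTS, measured) + policy_only_gaps(REQUIREMENTS):
        print(f"{f.req_id} [{f.kind}] {f.detail}")
```

The two outputs are deliberately separate: a threshold gap is something to remediate through the risk management process, while a policy-only finding is a standing risk area that stays on the list until a technical control can automate its enforcement.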

6.4 Selecting a BYOD Solution

A BYOD solution should represent a careful balance of technology and policy,

capability and security, and cost savings versus security risks. Proper planning that

adheres to this BYOD framework will assist organizations with selecting a BYOD

solution that meets the overall organization goals, complies with security requirements,

and balances competing interests.

A one-size-fits-all solution does not exist and would not be appropriate given the

wide variety of business missions, criticality of information, and BYOD implementations

that may exist from organization to organization. The best advice in selecting a BYOD

solution is to examine every aspect of the business and analyze how BYOD may affect

the cost, security, and risk of the organization. Proper planning will help identify

technology requirements, analyze capability gaps, implement effective policies, and

understand the business and security risks associated with BYOD.

6.5 Implementing BYOD

While proper planning cannot be stressed enough, it is also imperative to

implement the plan effectively. By following this framework and the BYOD lifecycle,

organizations should have the necessary planning tools to effectively implement BYOD.

Technology should be implemented in accordance with the requirements

established during the planning process. Initial and periodic testing should occur to

ensure all technology components are functioning as designed and continue to meet

functional and security requirements.

 

Policies should be written so they are clear, concise, and most importantly,

enforceable. Understand that policy may be the only security control in place to shape

user behavior in certain instances. Therefore, the effectiveness and enforceability of

BYOD policies remain critical to the overall success of the BYOD program.

6.6 Managing BYOD

Organizations must manage BYOD throughout the BYOD lifecycle to ensure that

risks are identified and understood by all stakeholders. Each stakeholder must

understand his role and responsibility in carrying out the overall BYOD program.

Executive-level commitment will make or break BYOD.

Mobile technology, and the risks associated with mobile technology, is evolving

constantly. As new requirements evolve, organizations should evaluate how their current

BYOD solution meets new and emerging requirements. Organizations should plan for at

least an annual review of their BYOD program to stay abreast of advances in technology

and legislation or case law that may affect the effectiveness and enforceability of BYOD

policies.

   

 

7 Recommendations on BYOD Strategies and Policies

"App stores and mobile apps are the greatest hostile code and malware delivery

mechanism ever created."

Winn Schwartau, chairman of MobileActiveDefense

7.1 Overview

Enterprises are becoming aware of the need to have a BYOD strategy and policy in

place; this simply cannot be ignored. The checklist included in Appendix A is a good

starting point prior to using the framework presented. Next, the framework is used to

integrate the BYOD security program in the overall system security of the organization.

In an effort to further assist the planners and architects of BYOD with the formation of

strategies and policies, a high-level overview of BYOD planning and operations,

followed by a recommended policy approach, is outlined below.

7.2 BYOD High-Level Strategies

What follows are strategy recommendations for BYOD planners and architects:

Demand. The demand strategy enables the understanding of business requirements, user

abilities, and the preferred outcomes of application mobilization.

Supply. The supply strategy focuses on how to deliver a desired result based on existing

partnerships and skill sets.

Governance. Part of the governance strategy is the understanding of how standards and

policies will be implemented and how they will evolve alongside other processes and parts of

the enterprise.

 

Risks and Issues. This strategy focuses on meeting security requirements, their growth

and change, and how they will mature.

The four parts of the high-level strategy for BYOD are diagrammed in figure 10

surrounded by mobile/BYOD security technologies and challenges. This is a modular

approach, and items from around the core can be removed or added as needed for the

organizational business processes.

 

Figure 10: BYOD Strategy Foundation Surrounded by Technologies  

7.3 Suggested Stages for Planning and Initiating a BYOD Policy

Business and technical priorities and requirements must be periodically reviewed

as described previously in the BYOD Security Framework. Historically, organizations

have had the tendency to take their mobile policies, which include BYOD policies, for

granted. This is partly due to an outdated mode of thinking and reasoning.

 

First, until a short while ago a phone was just a phone, and the mentality has not yet set

in fully for many organizations that smartphones, and BYOD devices in particular, are powerful

devices. Second, many organizations that allowed smartphones typically provided them

in the form of Blackberries, which were controlled and managed centrally. This gives the

wrong sense of security that any smartphone, including those that are BYOD, can be

managed the same way. Third, historically the only real application of choice for

smartphones was email, and email providers offered the needed controls (such as Microsoft

Exchange ActiveSync for Exchange mail from Microsoft). In today’s world, apps on

smartphones can do just about everything a desktop can do and in many instances do

them faster and easier. Lastly, organizations still have the tendency to think of personal

mobile devices as mere accessories instead of noteworthy and capable IT systems.

For these reasons, among others, the option of not bringing the organization’s mobile

policies, and in particular BYOD, up to date poses considerable risks to information

security. Assuming that an organization has reached the decision point that including

BYOD is part of, and a cost of, doing day-to-day operations, then in order to achieve

the superior operations and results sought after, a well-thought-out and superior BYOD policy

is also required.

7.3.1 Clearing Up Misconceptions

IT functions often come with preconceptions and biases regarding the

role that they must play in supporting new devices and updating them. Often,

the stakeholders become entangled over precedence. The end result of this stage, however,

will be the clarification of BYOD facts, myths, and realities for all the stakeholders. The

 

designers, managers, and architects must seize such an occasion to conduct an open

conversation regarding the impact of BYOD across all user and management levels.

The designers and architects of BYOD must take into account the following

foundational views:

Traditional desktop policy models do not apply to BYOD. Most organizations have

security and management policies that are out of date, especially with regards to BYOD.

Many of these organizational policies are spread across several teams including IT

operations, IT security, and telecommunications to mention a few. As such, no single

organizational unit is usually ready to accept responsibility for the BYOD policy life

cycle. This is exacerbated by the request of end users for access to mission-critical

applications and data and by the speed with which they require such access.

There is no one-size-fits-all policy template that fits every BYOD scenario. Analyses

of risks and issues along with their related obligations are specific to an organization’s

business and operation context. The architects, managers, and designers tasked with

BYOD policy creation and management need to evaluate external policy examples,

preferably from multiple sources, and in the end adopt their own by selecting proper

controls tailored to their organizational needs. They must next follow this with proper

justification of those controls.

Organizational support for BYOD is mandatory. As has been explained, BYOD is

riskier than traditional desktop models and presents uncharted territories in the IT

security system landscapes. Even organizations with rules against BYOD are eventually

forced to relent even if under special circumstances or for special personnel.

 

Mobile devices including BYOD are becoming the new liability. Organizations that

delay dealing with BYOD or ignore it entirely will be at the head of the next wave of

security breaches and public humiliations along with the associated legal and reparative

costs. BYOD mobile devices are typically consumer-grade devices and manufacturers of

these devices usually stress ease of use and user experience over enterprise requirements

such as security, privacy, and manageability. This is unlike RIM Blackberries, which are

typically secure because they are centrally managed, much like laptops.

7.3.2 Instituting a Baseline

It is paramount that before any new policies are written, as many previous policies

as possible be discovered, then evaluated to identify areas requiring change

as well as possible areas of commonality. Performing such a search may bring to light

the following and possibly more:

• Possible older mobile device policies in place

• Desktop policies that also reference mobile devices

• Policies unknown to IT operations and/or IT security

• HR policies that are not linked to any IT policies

• Partner and contractor policies

As part of such a search and review, the following attributes should be considered a part

of the planning for a new BYOD policy:

• The existing perception and attitude towards security, policies, and management

(supportive, hostile, apathetic)

• Historical precedence of departments that have been most involved in policy

planning and policy formation

 

• Controls that have been implemented in the past most commonly

• Common past security practices

• Existing instances of agreements, guidelines, and policies

• Other useful and relevant documents that should be cited for BYOD policy

Additionally, it is necessary to first know the initial landscape and existing user

expectations before the BYOD policy can be planned and developed. This requires

taking an inventory of the mobile devices that are in use. Girard recommends that the

following data be included (Girard, 2011):

• Number of devices by platform, operating systems, and versions of both devices

and their operating systems

• Number of mobile devices in use by employees and contractors

• A detailed assessment of existing data residing on and passing through the devices

• Apps in use by the devices as well as app ownership (personal, corporate)

• Security profiles, if any, on the devices

• Any mobile device (including BYOD) policies that are already in place

• Complete list of entry paths including VPN, Wi-Fi, cellular, shared media (such

as USB) used by devices gaining access to data and enterprise resources

Inventorying these devices and associated information is fairly difficult, especially if the

organizations do not have mobile device tools and reporting methods already in place. If

necessary, IT can announce a cutoff date for some types of access in a worst-case

scenario.

 

For this stage, the final output will be a detailed narrative of devices in use as well

as the user expectations. This allows the organization to perform some cost analysis as

well as obtain a solid understanding of how BYOD has contributed or detracted from the

business processes.
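Once an export of device records exists, the inventory dimensions listed above (devices by platform and OS version, by owner type, app ownership, entry paths, and security profiles) reduce to a few aggregations. The Python example below is added here to show that summary; it is not the dissertation’s or Girard’s code, the record layout and field names are assumptions about a hypothetical inventory tool, and the five records are constructed sample data.

```python
"""Summarise a BYOD device inventory along the dimensions of section 7.3.2 (added example)."""
from collections import Counter
from typing import Dict, List

# Constructed sample export from a hypothetical inventory tool; every record and
# field name here is an assumption made for the example.
INVENTORY: List[dict] = [
    {"id": "dev-001", "owner": "employee",   "platform": "iOS",     "os": "9.0.2",
     "profile": "corp-standard", "apps": {"Mail": "corporate", "Dropbox": "personal"},
     "paths": ["VPN", "Wi-Fi"],      "data": ["email", "customer-records"]},
    {"id": "dev-002", "owner": "employee",   "platform": "iOS",     "os": "8.4.1",
     "profile": None,            "apps": {"Mail": "corporate", "Evernote": "personal"},
     "paths": ["Wi-Fi"],             "data": ["email", "customer-records"]},
    {"id": "dev-003", "owner": "contractor", "platform": "Android", "os": "5.1",
     "profile": None,            "apps": {"Gmail": "personal"},
     "paths": ["cellular", "USB"],   "data": ["email"]},
    {"id": "dev-004", "owner": "employee",   "platform": "Android", "os": "5.1",
     "profile": "corp-standard", "apps": {"CRM": "corporate", "Dropbox": "personal"},
     "paths": ["VPN"],               "data": ["customer-records"]},
    {"id": "dev-005", "owner": "employee",   "platform": "Android", "os": "4.4",
     "profile": "corp-basic",    "apps": {"Mail": "corporate"},
     "paths": ["Wi-Fi", "cellular"], "data": ["email"]},
]

SENSITIVE = {"customer-records"}   # data classes treated as sensitive (assumption)


def count_by_platform_os(inv: List[dict]) -> Dict[str, Dict[str, int]]:
    """Number of devices by platform and by OS version within each platform."""
    out: Dict[str, Counter] = {}
    for d in inv:
        out.setdefault(d["platform"], Counter())[d["os"]] += 1
    return {platform: dict(c) for platform, c in out.items()}


def count_by_owner(inv: List[dict]) -> Dict[str, int]:
    """Devices in use by employees versus contractors."""
    return dict(Counter(d["owner"] for d in inv))


def app_ownership(inv: List[dict]) -> Dict[str, int]:
    """Installs of each app split by ownership, keyed like 'Dropbox (personal)'."""
    return dict(Counter(f"{app} ({kind})" for d in inv for app, kind in d["apps"].items()))


def entry_paths(inv: List[dict]) -> Dict[str, int]:
    """How many devices reach enterprise resources over each path (VPN, Wi-Fi, cellular, USB)."""
    return dict(Counter(p for d in inv for p in d["paths"]))


def unprofiled_with_sensitive_data(inv: List[dict]) -> List[str]:
    """Devices holding sensitive data with no security profile: first candidates for a cutoff date."""
    return sorted(d["id"] for d in inv if d["profile"] is None and SENSITIVE & set(d["data"]))


if __name__ == "__main__":
    print(count_by_platform_os(INVENTORY))
    print(count_by_owner(INVENTORY))
    print(app_ownership(INVENTORY))
    print(entry_paths(INVENTORY))
    print(unprofiled_with_sensitive_data(INVENTORY))
```

The last function is the one that turns the inventory into an action: a device with sensitive data and no security profile is exactly the access that IT would announce a cutoff date for if the inventory cannot otherwise be completed.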

7.3.3 Classifying and Prioritizing Use-Cases via Workforce Analysis

BYOD policies need to be context-oriented to balance the environmental

realities of the organization’s use-cases. Simply building on existing technological

foundations won’t be enough. BYOD policies may solve the wrong problems, if any

at all, in the absence of proper context analysis; with context, the planners and

architects will have the support and cooperation of the user base and senior

management (Girard, 2011). This means the architects need to discuss the BYOD

policy with users and senior management and to document their needs and wants,

whether actual or perceived. Some questions to consider include:

• Where are mobile devices used? This should include off-site use also

• In what context are mobile devices used and how?

• What constitutes necessary authentication?

• What constitutes mandatory authentication?

• Are users allowed to share devices? Are they sharing devices regardless?

• Will users use organization-related apps offline as well as online?

• Will users use personally downloaded apps to do company work?

• Which information will be accessible with the BYOD mobile devices?

• Will information be copied to the users’ devices or stay resident on the

organization’s network?

• Who are the owners of mobile devices? In BYOD, it is undoubtedly the users.

The next question to ask is, who owns the organizational data on those

devices?

• Exactly who will be held responsible for the security of mobile devices?

Responsibility needs to be defined to include such concerns from possession,

upgrades, and updates, to securing the device and the data on it

• What levels of support are users and senior management expecting?

• Are there any recommendations that are being offered from users regarding

loss or theft of the devices and possible risks associated with misuse?

The result of this stage will be a comprehensive account of the users’ wants and

needs. These use-cases are justifiable and will form a foundational part of the BYOD

policy. Furthermore, since users and senior management have played active roles,

the policies will be more likely to be understood and abided by.

7.3.4 Diversity Analysis for Support

As there are different mobile platforms for users to choose from, a managed

diversity analysis is needed. Such an analysis gives the BYOD architects a clear statement of the

assurance and provision that the organization will provide to end users,

based on mobile device type (platform, operating system, etc.) and job functions (Girard,

2011). Every commitment by the organization is subject to what is realistically

deliverable by IT and what they can guarantee, thus playing a major role in the mature

development of the BYOD policies. IT is responsible for communicating to end users that

decisions have advantages and possible penalties. If users breach certain boundaries, the

privileges can change and the BYOD policies may need to be adjusted to reflect those

 

changes. The output of this stage would be a diversity framework or a decision matrix

that displays which platforms, operating systems, and versions will be supported within

different job roles. Each decision point can be further developed, documented, and

detailed as needed. A table such as the one listed in figure 11 can be used to start the

processes for this stage.

                      IT Support Level

User Groups       Level 1                Level 2                  Level 3
                  Full Support by IT     Partial Support by IT    100% User Responsibility

Executives

Accounting

Sales

HR

Contractors

…so on

Figure 11: Sample Managed Diversity Framework (Girard, 2011)

7.3.5 BYOD Technology Assessments

As has been mentioned previously and will be discussed in more detail later in this

dissertation, MDMs are the primary technology tools available for mobile systems

including BYOD. Planners and architects of the BYOD policies are required to initially

decide how much they can trust a range of mobile devices based on the intrinsic

weaknesses in each platform prior to selecting an MDM solution (Girard, 2011). Some

imperative questions to consider are: (1) how much investment is enough; (2) how will

such spending extend to future platforms and future security threats; and (3) what must be

the minimum satisfactory BYOD policy?

The designers ought to also study the following three areas of mobile

management technologies:

• Software tools provided by MDM

• Device and user authentication tools (typically part of MDM)

• Enterprise app store application delivery

The choices made in this stage, along with associated decisions, define how policy

statements and essential processes will be designated in the next stage (7.3.6) (Gartner,

2011).

7.3.6 Sample Policy Symposium

The sample policy discussion points here are recommendations according to their

roles in the BYOD policy. Sample wording would not be appropriate and is not provided

as choice of wording is specific to the enterprise. The enterprise’s legal team, auditors,

and regulators must approve such wording. Keep in mind that the responsibilities listed

are recommendations and provided as guidelines. Also note that the entities listed may have

differing roles:

Level of Risk: HR and IT Responsibility

• Mobile device division (see figure 11)

• Allowable business functions

• Device and user authentication requirements

o Local to device

o Remote to organization’s portals

 

• Methods of application and data delivery

• App store controls for both public and in-house app stores

Boundary of Liability: HR and Legal Responsibility

• Compliance requirements for government, industrial, partners, etc.

• Acceptable Use Agreement signed by employees in exchange for access

• Allowable access levels for external media; encryption level requirements

BYOD Devices: IT, Developers, and Security Team Responsibility

• Acceptable device level including minimums and maximums for hardware,

firmware, device version, and operating system

• Password requirements such as complexity, retry and time-out rules

• PIN length requirements and whether simple PINs will be allowed

• “No Hacking” policy (implementing zero-tolerance)

• Cleanup for sensitive data

• Security certificate requirements for any access: email, apps, data, networks

• Application and device encryption

• Organization may decide to filter data at their discretion

• Loss/theft reporting accountabilities and escalations

• Employees must accept organization’s lock/wipe resolutions

• Approved encrypted containers needed for local data storage

• Organization can ask for verification that organizational data have been removed

Help Desk and Escalation (Support): IT Department Responsibility

• Self-help web sites audited by support (FAQs)

• Support limits on approved devices/models

 

• For VPN, email, and Wi-Fi, requisite installation of certificates

• Device locking, wiping, and restoration procedures

• Exceptions (perhaps for executives)

Administrative: IT Department Responsibility

• Device enrollments under the control of the organization for all devices

• Requirements for proper reporting of lost, stolen, modified, and discarded devices

• Management control for Wi-Fi, Bluetooth, and Cellular connections

• Logical and physical device disposal; logical refers to the soft removal of the

device from the organizational systems

Freelancers/Suppliers/Partners: IT, HR, Business Unit, and Legal Responsibility

• Participating in the company BYOD management may not be possible or

advisable for partners/contractors

• Strong authentication must be required to access sensitive data

• Encrypted containers for local business data storage

• Limit system access to server resources: secure web portals, VMware, Citrix

• Local apps need to be self-secured where possible

• Business partner contract clearly states the required code of conduct; monitor

violations

Usage with High Risk: Operations, Security Team, and Legal Responsibility

• May include travel to international locations deemed risky

• Require approved VPN use for access to sensitive systems

• Require strict email/data/device loss prevention policies

• When returning from trips to high risk locations, consider wipe and rebuild

 

Policy Administration/Updates: Operations, HR, and Legal Responsibility

• Departments and entities accountable for ownership, changes, and updates to

BYOD policies

• Implemented schedule for updates/revisions

• Notification methods to end users

Compliance: Operations, Security Team, HR, and Legal Responsibility

• BYOD policy reviews and monitoring

• Penalties for deliberate violation of agreement

• Remedies and methods of redress if violation was unintentional

This stage will produce a clear, understandable, and defensible statement of work, listing

and justifying the paramount points in the BYOD policy, based on accurate

understanding of the business rules and processes.
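The managed diversity matrix of stage 7.3.4 (figure 11) and the device-level points under "BYOD Devices" above (acceptable OS minimums and maximums, PIN length and simple-PIN rules, the zero-tolerance "No Hacking" clause, encryption, and certificate requirements) are the parts of the policy an MDM can actually evaluate mechanically at enrolment. The Python example below is added here to show such an evaluation; it is not the dissertation’s or Girard’s code, and the support levels, version limits, PIN rules and sample devices are constructed assumptions.

```python
"""Evaluate a BYOD enrolment request against a managed diversity matrix (figure 11)
and the device-level policy points of section 7.3.6 (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Managed diversity matrix: user group -> platform -> IT support level
# (1 = full support, 2 = partial support, 3 = 100% user responsibility).
# A platform missing from a group's row is not permitted for that group.  Constructed values.
DIVERSITY_MATRIX: Dict[str, Dict[str, int]] = {
    "Executives":  {"iOS": 1, "Android": 2},
    "Sales":       {"iOS": 2, "Android": 2},
    "Contractors": {"iOS": 3, "Android": 3},
}


@dataclass(frozen=True)
class DevicePolicy:
    min_os: Dict[str, str]      # per platform: oldest acceptable OS version
    max_os: Dict[str, str]      # per platform: newest version IT has validated
    min_pin_length: int
    allow_simple_pin: bool      # e.g. "1234" or repeated digits
    require_encryption: bool
    require_certificate: bool   # device certificate for email/VPN/Wi-Fi access


@dataclass(frozen=True)
class Device:
    user_group: str
    platform: str
    os_version: str
    pin_length: int
    pin_is_simple: bool
    encrypted: bool
    has_certificate: bool
    modified: bool              # rooted / jailbroken: the "No Hacking" clause


POLICY = DevicePolicy(          # constructed values for the example
    min_os={"iOS": "8.0", "Android": "5.0"},
    max_os={"iOS": "9.1", "Android": "6.0"},
    min_pin_length=6, allow_simple_pin=False,
    require_encryption=True, require_certificate=True,
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.0.2' -> (9, 0, 2) and '9.1' -> (9, 1, 0): numeric, zero-padded comparison."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def support_level(group: str, platform: str) -> Optional[int]:
    """Look the request up in the diversity matrix; None means not permitted."""
    return DIVERSITY_MATRIX.get(group, {}).get(platform)


def evaluate(dev: Device, pol: DevicePolicy = POLICY) -> List[str]:
    """Return the list of policy violations; an empty list means the device may enrol."""
    violations: List[str] = []
    if support_level(dev.user_group, dev.platform) is None:
        violations.append(f"platform {dev.platform} not permitted for {dev.user_group}")
    if dev.modified:
        violations.append("device is rooted/jailbroken (zero-tolerance No Hacking policy)")
    ver = parse_version(dev.os_version)
    if dev.platform in pol.min_os and ver < parse_version(pol.min_os[dev.platform]):
        violations.append(f"OS {dev.os_version} below minimum {pol.min_os[dev.platform]}")
    if dev.platform in pol.max_os and ver > parse_version(pol.max_os[dev.platform]):
        violations.append(f"OS {dev.os_version} newer than validated maximum {pol.max_os[dev.platform]}")
    if dev.pin_length < pol.min_pin_length:
        violations.append(f"PIN length {dev.pin_length} below minimum {pol.min_pin_length}")
    if dev.pin_is_simple and not pol.allow_simple_pin:
        violations.append("simple PIN not allowed")
    if pol.require_encryption and not dev.encrypted:
        violations.append("device encryption not enabled")
    if pol.require_certificate and not dev.has_certificate:
        violations.append("device certificate for email/VPN/Wi-Fi missing")
    return violations


if __name__ == "__main__":
    ok = Device("Executives", "iOS", "9.0.2", 6, False, True, True, False)
    bad = Device("Contractors", "Android", "4.4", 4, True, False, False, True)
    print("executive iPhone:", evaluate(ok) or "compliant")
    print("contractor Android:", evaluate(bad))
```

Returning every violation rather than stopping at the first one matters for the help-desk stage: the user gets one complete list of what to fix, and the escalation record shows whether the refusal was a support-matrix decision or a device-state problem.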

7.3.7 BYOD Policy Structure

This last stage provides guidance for the ordered outline of the information that

needs to be in the final BYOD policy documentation. The outline’s emphasis is on

clarity and readability, conveying relevance to the end reader immediately. A partial

suggested list of the content ordering in the final policy guide recommended by Girard

(Girard, 2011) is presented here:

• Definition of what is considered a mobile device, definition of mobile/BYOD

policy, affected individuals/departments, MDM

• The premise and scope of organizational control of BYOD devices

• Obligations of the organization and end users (employees, contractors, partners)

• The specific rules/controls to be implemented and tracked as proposed in 7.3.6

 

• Consequences of violating rules/controls

• Reference materials

This final stage of the BYOD policy will construct an easy-to-read and clear-cut policy

document using the discoveries in stage 7.3.6. Suggestions and objections raised will

have been acknowledged and documented trailing back to the users’ wants and needs

combined with assessments of the suitability of mobile platforms (Girard, 2011).

Furthermore, biases, preconceptions, assumptions, and other discovered barriers to

realization will have been predicted and responded to in the final BYOD security policy.

 

8 Research Approach and Methodology

 

8.1 Problem Statement

Initial findings attained through literature review and interviews suggested that

BYOD security is a sensitive area requiring thoughtful research. Literature review and

interviews also suggested that serious study for this field is earnestly lacking. The

premise of the research was that a BYOD Security Framework could be designed for an

enterprise which when implemented would reduce security breaches. The framework

would be comprised of a combination of technology management and policy

management. In a nutshell: use the BYOD Security Framework → reduce security

breaches associated with BYOD.

It was thus decided that the research’s objectives could not be achieved through

literature review alone. Therefore, a survey questionnaire was conducted as the

non-literature-based data gathering tool to collect empirical data required for suitable

statistical analysis to support the research question. Thus, the characteristics of the

activities performed throughout this dissertation most closely correspond to those of

quantitative methods as defined by (Creswell, 2013).

8.2 Survey Instrument

A series of 60 measurement survey questions were drawn from the review of literature to test the quantitative hypotheses among security practitioners and security engineers. In order to confirm the reliability and validity of the survey instrument, the measurement survey questions were expressed in a manner that avoids systematic bias and errors. As such, the survey instrument was reviewed by experts in academia and industry for content validity, then pilot tested to evaluate the survey's effectiveness with regard to its reliability when gathering the data required for statistical analysis (Alreck & Settle, 2003).

A series of 48 independent questions were asked, followed by 12 dependent questions corresponding to the 12 hypotheses (see Appendix C for the questionnaire). The questionnaire was divided into four main parts. Part I contained an information sheet about the research study, introduced the researcher, and provided the invited participant with the goals, objectives, and procedures of the research study, including a glossary of important terms. Participants were given clear directions as well as complete assurance of the confidentiality and anonymity of their responses. Part II consisted of five demographic questions used to represent the nature of the population sample (Alreck & Settle, 2003). Part III consisted of 48 survey questions used to measure the extent to which framework elements have been de facto implemented in a well-defined fashion and practiced by the participants' organizations, though without any mention of the framework; these 48 questions formed the independent variables of the survey instrument. Part IV consisted of 12 survey questions used to measure the extent of BYOD security related breaches, given the level of framework element implementation, again without any mention of the framework; these 12 questions formed the dependent variables of the survey instrument.

Through this approach, a meaningful correlation could be established between the level of framework element implementation and related security breaches. For example, if many subjects felt that most of the framework elements had been well-defined and implemented in their environment with regard to BYOD, and the frequency of breaches was minor or non-existent, the conclusion could be drawn that the hypotheses are validated and thus the framework is sound. To administer the questionnaire, the measurement survey was created using the online tool Qualtrics (qualtrics.com) and administered to security engineers, project managers, information systems professionals, and security practitioners. Throughout the survey, terms that required definitions were highlighted in blue, and a simple mouse hover presented the participant with a balloon containing the definition or explanation. In this manner, the survey was made manageable and easy to read, avoiding excessive wording.

8.3 Data Capture Process

The responses were measured using the Likert rating scale. Tables 1 and 2 below show the two types of Likert scale responses and their weighted values:

Response                      Weighted value
Strongly Agree                5
Agree                         4
Neither Agree Nor Disagree    3
Disagree                      2
Strongly Disagree             1
Don't Know                    0

Table 1: Possible Responses to the Framework Particulars

Response                                  Weighted value
No Breaches                               5
Some/Minor Breaches                       4
Moderate Degree of Breaches               3
Excessive Breaches                        2
Critical (Business Impactive) Breaches    1
Don't Know                                0

Table 2: Possible Responses to Security Breaches

 

An invitation to participate in the survey study was sent to 1,017 individuals who were selected from lists made available by the Project Management Institute, the Information Systems Security Association, the IEEE, and US military security engineers and practitioners. The survey was distributed using the online software service Qualtrics (qualtrics.com).

The data collection from the finished surveys was performed through the Qualtrics survey software. Microsoft Excel 2007 was then used for scrubbing, filtering, organizing, quality checking, and pre-testing the collected data. For the statistical analysis of the data, Minitab® 16 was used. The survey response rate was 138 out of 1,017 (13.57%). After eliminating incomplete surveys, 114 responses remained (11.21%).

8.4 Demographics

The survey participants spanned many industries, job titles, and levels of experience with security, and came from organizations of varying sizes. The demographics presented here help clarify the expertise, job description, and experience level of those surveyed. From these data, it is possible to draw reasonable inferences about the qualifications of those who participated in the survey. Given that the survey was technical in nature, it is a fair assumption that those who took it and completed it had an acceptable level of understanding of the terminology, the technologies, the policies, and the concerns related to mobile security and BYOD in particular.

60% of those surveyed indicated that they were engineers or in information systems and security. 74% were directly responsible for security related operations such as standards, auditing, compliance, or management. Interestingly, 50% (half) of the respondents had more than 11 years' experience in information security, with 69% having more than 6 years' experience. These facts are significant since 6 years prior to the survey date of 2014, mobile devices, and BYOD mobile devices in particular, were in their infancy, so many of these professionals have lived and worked through this changing paradigm. It is also noteworthy that 88% of the respondents indicated at least 1 year of experience in information security.

The size of the organizations that the survey participants work for is also of interest. 50% indicated working for larger organizations, those having more than 1,000 employees, while in total 75% work for organizations having more than 500 employees. Smaller organizations were represented as well, but it is notable that most participants worked for larger enterprises, where BYOD security concerns are typically the highest. The majority of the participants had at least a bachelor's degree (87%), with 49% possessing at least a master's degree. The demographic information is presented in figures 12 through 16. A final point on demographics: of those in "other" industries (17%), 56% were involved with defense and/or federal government security.

 

Figure 12: Current Industries of Survey Participants (pie chart; slice labels as extracted: 1%, 6%, 3%, 2%, 13%, 47%, 11%, 17%; legend: Healthcare/Biotechnology, Education, Manufacturing, Finance/Accounting, Engineering/Security Engineering, Information Systems/Information Security, Telecommunication, Other)

Figure 13: Current Job Titles of Survey Participants (pie chart; slice labels as extracted: 4%, 36%, 17%, 7%, 10%, 26%; legend: CSO/CISO, Project Manager/IT Manager/Director/CIO, Security Administrator/Security Manager, Security Analyst/Compliance Officer/Auditor, Security Architect/Security Engineer, Other)

Figure 14: Years of Experience in Information Security of the Participants (pie chart; slice labels as extracted: 12%, 19%, 21%, 29%, 19%; legend: None, 1-5 years, 6-10 years, 11-15 years, More than 15 years)

Figure 15: Size of the Organization of the Survey Participants (pie chart; slice labels as extracted: 7%, 11%, 7%, 25%, 50%; legend: 50 or less, 51-250, 251-500, 501-1000, 1001 or more)

Figure 16: Educational Level of the Survey Participants (pie chart; slice labels as extracted: 10%, 3%, 38%, 46%, 3%; legend: High School, Associate, Bachelor, Master, Doctorate)

8.5 Experts Panel

In order to confirm that the 12 hypotheses are complete and that no other factors are missing from the analysis, a panel of experts was sought, and an additional semi-structured survey and interviews were conducted based on recommendations from Bernard (1988). In all, 20 experts were surveyed and interviewed. The purpose of this survey and these interviews was to ask the question "what else, if anything, could be missing from BYOD security"; in other words, are there other areas of mobile security breach that are not addressed via the 12 hypotheses? Section 8.6 below presents the result of the interview with each expert along with their title and area of expertise. The semi-structured survey and interview questions used with the panel of experts are in Appendix D. All the respondents had at least a bachelor's degree, with the great majority having master's or doctorate degrees.


8.6 Experts Panel Interview Results

In order to make the results readable, each interview is listed separately along with the expert's title, education, years of experience, and qualifications.

Expert 1

• Title: Fellow at National Institute of Standards and Technology (NIST)

• Education: PhD

• Years Experience: 15+

• Qualifications: Information security, risk management, security

architecture/engineering, systems resiliency, risk management frameworks,

international outreach programs for cybersecurity and critical infrastructure

protection

• Comments: The 12 hypotheses are very comprehensive and they hold together

very well. The hypotheses really outline and compartmentalize the BYOD

security breaches

Expert 2

• Title: Assistant Vice President

• Education: Master

• Years Experience: 11-15

• Qualifications: Information security, project management, security systems

• Comments: Agree that the hypotheses are fairly complete. Secondary forms of

authentication (e.g. RSA token) should also be considered along with BYOD

Expert 3

• Title: Forensics Analyst and Professor

 


• Education: PhD

• Years Experience: 11-15

• Qualifications: Security expert, forensics expert, mobile forensics

• Comments: The hypotheses are quite complete in that they address both the

technology as well as the policy areas of mobile security

Expert 4

• Title: Management of Information Systems Professor

• Education: PhD

• Years Experience: 15+

• Qualifications: Former Department of Defense security and cybersecurity

analyst, project management

• Comments: I believe the above mentioned factors completely address the security

concerns of mobile device BYOD

Expert 5

• Title: Security Analyst

• Education: PhD

• Years Experience: 1-5

• Qualifications: CISSP, CISM, CIPP (US Government and Private Sector),

CAHIMS, and HCISPP certified

• Comments: Agree that the 12 factors are applicable; items 1, 5, and 8-12 are also

applicable to stationary devices

Expert 6

• Title: Security Manager

 


• Education: Master

• Years Experience: 11-15

• Qualifications: Intrusion detection, Snort, malware analysis, incident response;

CISSP, CCNP Security, and CHFI certified

• Comments: Strongly agree that the 12 factors are complete

Expert 7

• Title: Chief Information Officer

• Education: Master

• Years Experience: 11-15

• Qualifications: Analytical skills

• Comments: Strongly agree that the list looks complete

Expert 8

• Title: Security Architecture and Engineer

• Education: Bachelor

• Years Experience: 6-10

• Qualifications: Experienced IT security auditor, developer, ISSO certified

• Comments: Agree that the 12 factors form a complete list

Expert 9

• Title: Security Analyst

• Education: Bachelor

• Years Experience: 15+

• Qualifications: NSA-IAM, CAP, and CFCP certified

• Comments: Strongly agree that the 12 factors are complete

 


Expert 10

• Title: Chief Information Security Officer

• Education: Master

• Years Experience: 15+

• Qualifications: CISSP, CISA, CSSLP, CISM, ISSAP, ISSMP, IEM, IAM

certified

• Comments: More time would be needed to discuss if these 12 factors are

complete but they are a great start. Application security should be the most

important one though since that is what is going to really connect into the

organizational data

Expert 11

• Title: Cyber Security Researcher and Developer

• Education: PhD

• Years Experience: 11-15

• Qualifications: CISSP and Security+ certified

• Comments: Agree that the factors are complete. Would add prevention of

security breaches due to malicious applications/malware being downloaded onto

mobile devices (author note: this has been addressed in the framework and the

questions)

Expert 12

• Title: Security Analyst

• Education: PhD

• Years Experience: 15+

 


• Qualifications: CISSP certified

• Comments: Agree that the 12 factors are complete

Expert 13

• Title: Chief Information Officer

• Education: PhD

• Years Experience: 6-10

• Qualifications: Software engineer, web developer, simulation modeling and

analysis

• Comments: Strongly agree that the 12 factors are complete

Expert 14

• Title: Security Analyst/Compliance Officer

• Education: PhD

• Years Experience: 1-5

• Qualifications: Project management and supply chain management expertise

• Comments: Strongly agree and trust that the 12 factors are complete

Expert 15

• Title: Security Consultant

• Education: Master

• Years Experience: 15+

• Qualifications: CISSP certified

• Comments: Agree that the 12 factors are pretty complete

Expert 16

• Title: Director of Security

 


• Education: Master

• Years Experience: 15+

• Qualifications: Security analyst, architect, consultant and engineer

• Comments: Strongly agree that the 12 factors listed are very complete. Thought

long and hard about additional areas and could not come up with anything else.

This is a well thought out list

Expert 17

• Title: Compliance Officer

• Education: Master

• Years Experience: 15+

• Qualifications: CISSP and PMP certified

• Comments: Disagree that the 12 factors are complete. The 12 factors focus only

on prevention. Although clearly important, an employee will unintentionally or

intentionally BYOD and connect to a workstation/server. As such detection and

correction cannot be ignored (author note: detection and correction are addressed

in the framework and in the questions; the author disagrees with this expert’s

opinion)

Expert 18

• Title: Chief Information Officer

• Education: Bachelor

• Years Experience: 6-10

• Qualifications: CISA

• Comments: Strongly agree that the 12 factors are complete

 


Expert 19

• Title: Project Manager

• Education: Master

• Years Experience: 11-15

• Qualifications: 14 years of project management expertise including management

of security projects

• Comments: Strongly agree that the 12 factors are complete

Expert 20

• Title: Consultant

• Education: Master

• Years Experience: 15+

• Qualifications: Security+, CEH, CHFI, CISSP and 10+ years consulting the

government, military, and private organizations on various projects with many

being security related

• Comments: Strongly agree that the 12 factors form a complete list

 


9 Research Hypotheses and Methodology

 

9.1 Overview

In order to test the research hypotheses, nonparametric statistics were applied, as the data collected were ordinal in nature. Each research hypothesis was tested in order to discover the corresponding measures of association and concordance between a de facto implementation of the BYOD Security Framework elements and possible BYOD related security breaches. In order to determine the association and concordance between a single framework element's implementation (an independent variable) and a possible security breach (a dependent variable), the corresponding questions' response data were selected and the Cross Tabulation and Chi-Square statistics tool in Minitab was run against that selection. The resulting Kendall tau-b (Τb) and P-value were observed.

The Kendall Τb correlation coefficient was used to measure the association between responses to the survey measurement questions: on a scale of -1.0 (negative association) to 1.0 (positive association), it gives the degree and the nature of the relationship between a de facto implementation of BYOD Security Framework elements (independent variables) and the possible BYOD security breaches (dependent variables). A positive Τb value indicates that the ranking of the dependent variable increases as the ranking of the independent variable increases, whereas a negative Τb value indicates that the ranking of the dependent variable decreases as the ranking of the independent variable increases, and vice versa (Siegel, 1956). The P-value was calculated in order to evaluate the probability of concordance versus the probability of discordance for the survey question responses. If the observed P-value was lower than 0.05, a statistically significant correlation existed between the selected independent and dependent variables. According to Yates et al. (1993), the Kendall Τb correlation guidelines listed in table 3 can be assumed.

Kendall Τb Coefficient Meaning

Less than +/- 0.10 Very weak association

+/-0.10 to +/-0.19 Weak association

+/-0.20 to +/-0.29 Moderate association

+/-0.30 to +/-0.39 Moderately strong association

+/-0.40 and above Strong association

Table 3: Understanding Kendall tau-b (Τb) Values  

9.2 Research Question and Hypotheses

While the research question and hypotheses were mentioned previously as a stepping-stone to the BYOD Security Framework, it is worth revisiting them here as the dissertation moves into the statistical analysis of each hypothesis and then the validation of the research question.

This dissertation attempts to answer the following overarching question: Can a balanced application of technology and policy using a security framework significantly reduce security breaches in an enterprise where Bring Your Own Device (BYOD) is allowed/implemented? In order to answer this question, the following twelve research hypotheses were postulated:

H1: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related data security breaches.

H2: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-Fi) security breaches.

H3: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related cellular security breaches.

H4: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to rogue mobile device access.

H5: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of authentication related security breaches.

H6: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lost/stolen mobile devices.

H7: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to unauthorized mobile access.

H8: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of understanding of organizational security policies.

H9: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of training and education of organizational employees.

H10: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to lack of awareness of organizational policies.

H11: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents).

H12: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of security breaches related to mobile application flaws.

According to Yates et al. (1993), a Τb of 0.4 or higher would indicate a strong correlation between a de facto implementation of BYOD Security Framework elements and a corresponding reduction in security breaches. In order to calculate the P-values, the Τb approximation to the normal distribution was used, since the sample size is greater than 40 (Siegel, 1988; Zaiontz, 2015):

 

$$z = 3\tau\sqrt{\frac{C(n,2)}{2n+5}}$$

where τ is the Τb value and C(n,2) is the number of combinations of the sample size n taken 2 at a time. In order to use the one-tailed normal distribution approximation, the Τb values were normalized to the [0,1] range and then the z-values were calculated from those normalized values. Next, the corresponding P-values were calculated. The normalization was done using the following routine equation:

$$z_i = \frac{x_i - \min(x)}{\max(x) - \min(x)}$$

For the data collected via the survey, the sample size n is 114. Using our calculated Τb values in the formula, we obtain the z-values and corresponding P-values listed in table 4.
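The two formulas above can be carried through in code. The following Python example is added here and is not part of the dissertation; it implements the normal approximation z = 3τ·sqrt(C(n,2)/(2n+5)) and the min-max normalization of the Τb values exactly as the text states them, takes n = 114 and the twelve Τb values from table 4 as input, and recomputes the table's raw z, normalized Τb, normalized z, and one-tailed P columns. The function and variable names are the example's own.

```python
"""z-approximation and one-tailed P-values for Kendall tau-b (Section 9.2).

Added example, not part of the dissertation. It reproduces the columns of
table 4 from the two formulas stated in the text:
    z   = 3 * tau * sqrt(C(n, 2) / (2n + 5))      (normal approximation)
    z_i = (x_i - min(x)) / (max(x) - min(x))      (min-max normalization)
"""
from math import comb, erf, sqrt

N = 114  # sample size after incomplete surveys were removed (Section 8.3)

# Kendall tau-b values for H1..H12, in the order they appear in table 4
TAU_B = [0.427, 0.467, 0.342, 0.431, 0.510, 0.416,
         0.456, 0.492, 0.512, 0.512, 0.452, 0.439]


def z_from_tau(tau, n):
    """Normal approximation to the distribution of Kendall tau for n > 40.
    C(n, 2) = n(n-1)/2 is the number of respondent pairs."""
    return 3 * tau * sqrt(comb(n, 2) / (2 * n + 5))


def min_max_normalize(values):
    """Rescale a list to [0, 1]: the smallest value maps to 0, the largest to 1."""
    lo, hi = min(values), max(values)
    return [(v - lo) / (hi - lo) for v in values]


def one_tailed_p(z):
    """Upper-tail probability P(Z > z) of the standard normal distribution,
    expressed through the error function so no SciPy dependency is needed."""
    return 0.5 * (1.0 - erf(z / sqrt(2.0)))


def table4(tau_values, n=N, alpha=0.05):
    """Recompute every row of table 4. Both the raw z (from tau itself) and
    the normalized z (from the min-max rescaled tau, which is what the text
    uses for the P-value) are returned so the two can be compared."""
    rows = []
    for tau, tau_norm in zip(tau_values, min_max_normalize(tau_values)):
        z_norm = z_from_tau(tau_norm, n)
        p = one_tailed_p(z_norm)
        rows.append({
            "tau_b": tau,
            "z": z_from_tau(tau, n),
            "tau_norm": tau_norm,
            "z_norm": z_norm,
            "p": p,
            "significant": p < alpha,
        })
    return rows


if __name__ == "__main__":
    print(f"{'tau_b':>6} {'z':>8} {'tau_norm':>9} {'z_norm':>8}  P < 0.05?")
    for r in table4(TAU_B):
        print(f"{r['tau_b']:6.3f} {r['z']:8.5f} {r['tau_norm']:9.5f} "
              f"{r['z_norm']:8.4f}  {'Yes' if r['significant'] else 'No'} "
              f"(P = {r['p']:.2g})")
```

Running the block prints the twelve rows; the raw z column matches table 4 (6.73516 for Τb = 0.427, 15.7732 for Τb = 0.512). Because the smallest Τb (0.342, the H3 row) normalizes to exactly 0, its normalized z is 0 and the one-tailed P-value is 0.5, which is how that row comes out as not significant while its raw z of 5.39 is also returned for comparison.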

 

Kendall Τb   z-value   Normalized Τb   Normalized z-value   Significant? (P < 0.05)
0.427        6.73516   0.50000         7.88660              Yes (P < 0.00001)
0.467        7.36609   0.73529         11.5979              Yes (P < 0.00001)
0.342        5.39444   0.00000         0.00000              No (P = 0.5)
0.431        6.79825   0.52353         8.25774              Yes (P < 0.00001)
0.510        8.04433   0.98824         15.5876              Yes (P < 0.00001)
0.416        6.56165   0.43529         6.86598              Yes (P < 0.00001)
0.456        7.19258   0.67059         10.5773              Yes (P < 0.00001)
0.492        7.76042   0.88235         13.9175              Yes (P < 0.00001)
0.512        8.07588   1.00000         15.7732              Yes (P < 0.00001)
0.512        8.07588   1.00000         15.7732              Yes (P < 0.00001)
0.452        7.09794   0.63529         10.0206              Yes (P < 0.00001)
0.439        6.92444   0.57059         9.00001              Yes (P < 0.00001)

Table 4: Summary of z-values, Τb values, and P-values

9.2.1 Hypothesis 1 (H1)

The first main research hypothesis attempts to shed light on the following sub-question: Can the BYOD Security Framework implementation for an enterprise reduce mobile related data security breaches? To achieve a strong degree of statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and minimally significant correlation coefficient value, based on the recommendation of Yates et al. (1993) (see table 3), which would necessarily imply a strong correlation between a de facto implementation of the BYOD Security Framework and a significant reduction of corresponding security breaches. Based on this assumption, the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H1₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related data security breaches.

H1a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related data security breaches.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. In order to aggregate the independent (x) values, the median of the x values was taken. While the mean and median can sometimes be the same or at least very close, they differ greatly if the data values are clustered toward one end of their range and/or if there are a few extreme values. This is referred to as skewness in statistical terms. In such cases, the mean can be considerably influenced by the few extreme values and fail to represent the majority of the values in the data set. Under these circumstances, the median gives a better representation of central tendency than the average (Frederick & Brian, 1979).

The median value of the independent (x) questions was calculated and then statistically compared against the dependent question (y) values using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) against the possible security breaches (the y question). The resulting Kendall Τb and P-values for the relationship between the BYOD Security Framework de facto implementation and hypothesis 1 (Q1y) are listed in table 5.

 

Measure of Association                                        Corresponding Survey Questions                                                                   Τb      P < 0.05?
Protection of resources and assets (independent variables)    Questions Q4.1x_1 – Q4.7x_6 (see Appendix C)                                                     0.427   0.00001 (Yes)
Possible security breach (dependent variable)                 Q1y: How often has your organization had data security breaches during the past year? This can be loss of data, stolen data, or unauthorized data alteration.

Table 5: Hypothesis 1 Results

The positive value for Kendall Τb of 0.427 suggests a strong and positive association between a well-defined implementation of the BYOD Security Framework and a reduction of data security breaches. The test of reliability and significance was confirmed, assuming a confidence level of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD data security breaches, so we reject the null hypothesis H1₀.
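The per-hypothesis procedure described in Section 9.1 and in this subsection (take the median of each respondent's independent x answers, then measure the association between that median and the respondent's dependent y answer with Kendall Τb) can be illustrated without Minitab. The Python example below is added here and is not part of the dissertation; it does not use the survey data. The eight respondents, the four x questions they stand for, and the short response codes are constructed; the weighted values are those of tables 1 and 2. The block implements Τb with the tie correction that ordinal Likert data needs, which is also why the text uses tau-b rather than plain tau.

```python
"""Kendall tau-b on Likert-coded survey responses.

Added example, not from the dissertation. It reproduces the analysis step the
text describes for one hypothesis: aggregate each respondent's independent
(x) answers by their median, then measure the association between that
median and the respondent's dependent (y) answer with Kendall tau-b.
All respondent data below are constructed.
"""
from itertools import combinations
from math import sqrt
from statistics import median

# Weighted values from table 1 (framework particulars) and table 2
# (breaches), keyed by short constructed response codes.
AGREEMENT = {"SA": 5, "A": 4, "N": 3, "D": 2, "SD": 1, "DK": 0}
BREACHES = {"none": 5, "minor": 4, "moderate": 3,
            "excessive": 2, "critical": 1, "DK": 0}

# Constructed respondents: four x answers (is a framework element in place?)
# and one y answer (breaches over the past year).
RESPONDENTS = [
    {"x": ["SA", "SA", "A", "SA"], "y": "none"},
    {"x": ["A", "A", "SA", "A"], "y": "minor"},
    {"x": ["N", "D", "N", "N"], "y": "moderate"},
    {"x": ["D", "D", "SD", "D"], "y": "excessive"},
    {"x": ["SA", "A", "SA", "SA"], "y": "minor"},
    {"x": ["A", "N", "A", "DK"], "y": "none"},
    {"x": ["SD", "D", "D", "SD"], "y": "critical"},
    {"x": ["N", "N", "A", "N"], "y": "excessive"},
]


def aggregate_x(codes):
    """Median of a respondent's coded x answers. Don't Know (weight 0) is
    left out so it does not pull the median toward the bottom of the scale."""
    known = [AGREEMENT[c] for c in codes if AGREEMENT[c] != 0]
    return median(known) if known else None


def kendall_tau_b(xs, ys):
    """tau-b = (C - D) / sqrt((n0 - n1)(n0 - n2)).
    C, D: concordant and discordant pairs; n1, n2: pairs tied on x and on y;
    n0: all pairs. The tie terms matter for Likert data, where many
    respondents share the same value on a 5-point scale."""
    concordant = discordant = tied_x = tied_y = 0
    for (x1, y1), (x2, y2) in combinations(zip(xs, ys), 2):
        dx = (x1 > x2) - (x1 < x2)  # sign of the x difference: -1, 0 or 1
        dy = (y1 > y2) - (y1 < y2)
        if dx == 0:
            tied_x += 1
        if dy == 0:
            tied_y += 1
        if dx and dy:
            if dx == dy:
                concordant += 1
            else:
                discordant += 1
    n0 = len(xs) * (len(xs) - 1) // 2
    denom = sqrt((n0 - tied_x) * (n0 - tied_y))
    return (concordant - discordant) / denom if denom else 0.0


def framework_association(respondents):
    """tau-b between the aggregated x medians and the y answers. Respondents
    whose y answer is Don't Know, or who answered no x question, are skipped
    rather than coded as 0, since 0 carries no ordinal meaning."""
    xs, ys = [], []
    for r in respondents:
        x = aggregate_x(r["x"])
        y = BREACHES[r["y"]]
        if x is None or y == 0:
            continue
        xs.append(x)
        ys.append(y)
    return kendall_tau_b(xs, ys)


if __name__ == "__main__":
    print(f"Kendall tau-b = {framework_association(RESPONDENTS):.3f}")
```

On the constructed respondents the block returns Τb = 0.8: of the 28 respondent pairs, 21 are concordant, 1 is discordant, 3 are tied on the x median and 3 on y, so (21 − 1) / sqrt(25 · 25) = 0.8, which table 3 would class as a strong association. Swapping the y answers of two respondents and re-running shows how quickly the coefficient moves with so few respondents, which is the reason the text computes it over 114.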

9.2.2 Hypothesis 2 (H2)

The second main research hypothesis attempts to shed light on the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce mobile related wireless (Wi-Fi) security breaches? To achieve a strong degree of statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and minimally significant correlation coefficient value, based on the recommendation of Yates et al. (1993) (see table 3), which would necessarily imply a strong correlation between a de facto implementation of the BYOD Security Framework and a significant reduction of corresponding security breaches. Based on this assumption, the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H2₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-Fi) security breaches.

H2a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related wireless (Wi-Fi) security breaches.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. In order to aggregate the independent (x) values, the median of the x values was taken. While the mean and median can sometimes be the same or at least very close, they differ greatly if the data values are clustered toward one end of their range and/or if there are a few extreme values. This is referred to as skewness in statistical terms. In such cases, the mean can be considerably influenced by the few extreme values and fail to represent the majority of the values in the data set. Under these circumstances, the median gives a better representation of central tendency than the average (Frederick & Brian, 1979).

 

The median value of the independent (x) questions was calculated and then statistically compared against the dependent question (y) values using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) against the possible security breaches (the y question). The resulting Kendall Τb and P-values for the relationship between the BYOD Security Framework de facto implementation and hypothesis 2 (Q2y) are listed in table 6.

 

Measure of Association                                        Corresponding Survey Questions                                                                   Τb      P < 0.05?
Protection of resources and assets (independent variables)    Questions Q4.1x_1 – Q4.7x_6 (see Appendix C)                                                     0.467   0.00001 (Yes)
Possible security breach (dependent variable)                 Q2y: How often have wireless sessions to your organizational resources (network, data, applications) resulted in security breaches over the past year?

Table 6: Hypothesis 2 Results

The positive value for Kendall Τb of 0.467 suggests a strong and positive association between a well-defined implementation of the BYOD Security Framework and a reduction of wireless (Wi-Fi) security breaches. The test of reliability and significance was confirmed, assuming a confidence level of 95% (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence suggesting that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD wireless (Wi-Fi) security breaches, so we reject the null hypothesis H2₀.

 


 

9.2.3 Hypothesis 3 (H3)

The third main research hypothesis attempts to shed light on the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce mobile related cellular security breaches? To achieve a strong degree of statistical significance it will be supposed that Τb = 0.4 is the minimally acceptable and minimally significant correlation coefficient value, based on the recommendation of Yates et al. (1993) (see table 3), which would necessarily imply a strong correlation between a de facto implementation of the BYOD Security Framework and a significant reduction of corresponding security breaches. Based on this assumption, the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H3₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related cellular security breaches.

H3a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and corresponding reduction of mobile related cellular security breaches.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. In order to aggregate the independent (x) values, the median of the x values was taken. While the mean and median can sometimes be the same or at least very close, they differ greatly if the data values are clustered toward one end of their range and/or if there are a few extreme values. This is referred to as skewness in statistical terms. In such cases, the mean can be considerably influenced by the few extreme values and fail to represent the majority of the values in the data set. Under these circumstances, the median gives a better representation of central tendency than the average (Frederick & Brian, 1979).

The median value of the independent (x) questions was calculated and then statistically compared against the dependent question (y) values using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) against the possible security breaches (the y question). The resulting Kendall Τb and P-values for the relationship between the BYOD Security Framework de facto implementation and hypothesis 3 (Q3y) are listed in table 7.

 Measure of Association Corresponding Survey Questions Τb P < 0.05?

Protection of resources and assets (independent variables)

Questions Q4.1x_1 – Q4.7x_6 (see Appendix C)

0.342 0.5 (No)

Possible security breach (dependent variable)

Q3y How often cellular sessions to your organizational resources (network, data, applications) resulted in security breaches over the past year? Table 7: Hypothesis 3 Results

 The positive value for Kendall Τb of 0.342 suggests a moderately strong and

positive association between a well-defined implementation of the BYOD Security

Framework and reduction of security breaches related to cellular breaches. This value,

however, is less than the sought after Τb of 0.4 which would have indicated a very

strong reduction of breaches or a significant reduction; it shows a moderately strong

reduction instead. The test of reliability and significance was not confirmed, assuming a

 

132  

confidence interval of 95% (alpha-level = 0.05), with a P-value = 0.5 (Salkind, 2012). It

cannot be concluded that there is enough evidence suggesting that a well-defined

implementation of the BYOD Security Framework significantly reduces mobile and

BYOD wireless (Wi-Fi) security breaches significantly so we reject the alternate

hypothesis H3a. It should be noted that the values still support a reduction in security

breaches though they point to a moderate reduction.
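The procedure just described, aggregating each respondent's x items by their median and then testing the association with the y item through Kendall Τb and its P-value, is the one applied unchanged to H4 through H12 below. The following Python is an added worked example, not part of the dissertation or of its Minitab output: it computes the tie-corrected Kendall τb and its large-sample two-sided P-value from constructed survey responses and then applies the chapter's two separate criteria, the Τb ≥ 0.4 effect-size threshold and the alpha = 0.05 significance test. The item responses, the coding of the dependent item (higher value = fewer breaches, so that a positive τb reads as a reduction, as the chapter's tables do), the 0.3 cut point for "moderate", and the function names are assumptions made for the example; table 3 of the dissertation is not reproduced here.

```python
"""Added example (not the dissertation's code or data): tie-corrected Kendall
tau-b with a normal-approximation P-value, applied to constructed ordinal survey
responses shaped like this chapter's x (framework) and y (breach) items."""
from collections import Counter
from itertools import combinations
from math import erf, sqrt
from statistics import median

# Constructed responses: 8 respondents, each answering 5 framework items
# (1 = not implemented ... 5 = fully implemented). Respondent 1 is deliberately
# skewed (four 1s and one 5): the mean, 1.8, overstates what the median, 1, reports.
RAW_ITEMS = [
    [1, 1, 1, 1, 5],
    [2, 2, 1, 2, 5],
    [2, 2, 2, 3, 2],
    [3, 3, 2, 3, 4],
    [4, 4, 4, 3, 5],
    [5, 5, 4, 5, 5],
    [3, 3, 3, 1, 1],
    [4, 5, 4, 1, 4],
]
# Constructed dependent item, coded so that a HIGHER value means FEWER breaches
# (5 = never ... 1 = very often). With this coding a positive tau-b reads as
# "more implementation, fewer breaches"; with the opposite coding the sign flips.
BREACH_SCORE = [1, 2, 3, 2, 4, 5, 3, 3]


def aggregate_by_median(item_responses):
    """One x value per respondent: the median of that respondent's item answers."""
    return [median(items) for items in item_responses]


def kendall_tau_b(x, y):
    """Return (tau_b, z, p) for paired ordinal samples x and y.

    tau_b uses the tie-corrected denominator. The two-sided P-value is the
    large-sample normal approximation with the tie-corrected variance of
    S = concordant - discordant pairs (no continuity correction).
    """
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need at least three paired observations")
    s = 0
    for i, j in combinations(range(n), 2):
        dx = (x[i] > x[j]) - (x[i] < x[j])
        dy = (y[i] > y[j]) - (y[i] < y[j])
        s += dx * dy  # +1 concordant, -1 discordant, 0 if tied on either variable
    n0 = n * (n - 1) // 2
    tx = list(Counter(x).values())  # tie-group sizes in x
    ty = list(Counter(y).values())  # tie-group sizes in y
    n1 = sum(t * (t - 1) // 2 for t in tx)  # pairs tied on x
    n2 = sum(u * (u - 1) // 2 for u in ty)  # pairs tied on y
    denom = sqrt((n0 - n1) * (n0 - n2))
    tau_b = s / denom if denom else 0.0
    # Variance of S under H0 with ties (the standard tie-corrected formula)
    v0 = n * (n - 1) * (2 * n + 5)
    vt = sum(t * (t - 1) * (2 * t + 5) for t in tx)
    vu = sum(u * (u - 1) * (2 * u + 5) for u in ty)
    v1 = sum(t * (t - 1) for t in tx) * sum(u * (u - 1) for u in ty) / (2 * n * (n - 1))
    v2 = (sum(t * (t - 1) * (t - 2) for t in tx)
          * sum(u * (u - 1) * (u - 2) for u in ty) / (9 * n * (n - 1) * (n - 2)))
    var_s = (v0 - vt - vu) / 18 + v1 + v2
    z = s / sqrt(var_s) if var_s > 0 else 0.0
    p = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return tau_b, z, p


def interpret(tau_b, p, alpha=0.05, strong=0.4):
    """The chapter's two separate criteria: an effect-size label and a significance decision."""
    mag = abs(tau_b)
    if mag >= strong:
        strength = "strong"
    elif mag >= 0.3:  # assumed cut point for "moderate"; the dissertation's table 3 is not reproduced
        strength = "moderate"
    else:
        strength = "weak"
    return {"strength": strength, "reject_h0": p < alpha}


def run_example():
    """Median-aggregate the constructed x items, test them against y, and interpret."""
    x = aggregate_by_median(RAW_ITEMS)
    tau_b, z, p = kendall_tau_b(x, BREACH_SCORE)
    return {"x": x, "tau_b": tau_b, "z": z, "p": p, **interpret(tau_b, p)}


if __name__ == "__main__":
    r = run_example()
    print(f"x medians = {r['x']}")
    print(f"tau_b = {r['tau_b']:.3f}  z = {r['z']:.2f}  p = {r['p']:.4f}  "
          f"-> {r['strength']}, reject H0: {r['reject_h0']}")
```

Running the block reports Τb ≈ 0.78 with P ≈ 0.013 for the constructed data (strong and significant), while interpret(0.342, 0.5) reproduces the H3 outcome (moderate, H0 not rejected) and interpret(0.431, 0.00001) the H4 outcome. Two checks worth making on real data: confirm the direction in which the y item is coded before reading the sign of Τb, and treat the 0.4 threshold and the P-value as independent questions, since a small sample can yield a large but non-significant Τb and a large sample a tiny but significant one.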

9.2.4 Hypothesis 4 (H4)

The fourth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to rogue mobile device access? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H4₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to rogue mobile device access.

H4a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to rogue mobile device access.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q4y are listed in table 8.

Table 8: Hypothesis 4 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q4y, "How often mobile related security breaches, do you believe, may have resulted from rogue mobile devices during the past year?"
  Kendall Τb = 0.431; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.431 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to rogue mobile device access. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces security breaches related to rogue mobile device access, so the null hypothesis H4₀ is rejected.

 

9.2.5 Hypothesis 5 (H5)

The fifth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce authentication related security breaches? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H5₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of authentication related security breaches.

H5a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of authentication related security breaches.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q5y are listed in table 9.

Table 9: Hypothesis 5 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q5y, "How often has your organization had authentication breaches, during the past year?"
  Kendall Τb = 0.510; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.510 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of authentication related security breaches. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD authentication security breaches, so the null hypothesis H5₀ is rejected.

9.2.6 Hypothesis 6 (H6)

The sixth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to lost/stolen mobile devices? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H6₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lost/stolen mobile devices.

H6a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lost/stolen mobile devices.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q6y are listed in table 10.

Table 10: Hypothesis 6 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q6y, "How often security breaches from lost or stolen mobile devices affected your organization, during the past year?"
  Kendall Τb = 0.416; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.416 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to lost or stolen mobile devices. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD security breaches related to lost or stolen devices, so the null hypothesis H6₀ is rejected.

9.2.7 Hypothesis 7 (H7)

The seventh main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to unauthorized mobile access? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H7₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to unauthorized mobile access.

H7a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to unauthorized mobile access.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q7y are listed in table 11.

Table 11: Hypothesis 7 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q7y, "How often security breaches from unauthorized mobile devices accessing your organizational resources occurred, during the past year?"
  Kendall Τb = 0.456; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.456 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to unauthorized mobile device access. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces security breaches related to unauthorized mobile and BYOD access, so the null hypothesis H7₀ is rejected.

 


9.2.8 Hypothesis 8 (H8)

The eighth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to lack of understanding of organizational security policies? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H8₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of understanding of organizational security policies.

H8a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of understanding of organizational security policies.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q8y are listed in table 12.

Table 12: Hypothesis 8 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q8y, "How often has your organization had mobile device security breaches as a result of employees' lack of understanding of security policies, during the past year?"
  Kendall Τb = 0.492; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.492 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to lack of understanding of security policies. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces security breaches related to lack of understanding of organizational security policies for mobile and BYOD security, so the null hypothesis H8₀ is rejected.

9.2.9 Hypothesis 9 (H9)

The ninth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to lack of training and education of organizational employees? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H9₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of training and education of organizational employees.

H9a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of training and education of organizational employees.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q9y are listed in table 13.

Table 13: Hypothesis 9 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q9y, "How often has your organization had mobile device security breaches as a result of lack of education and/or mandatory security training for employees, during the past year?"
  Kendall Τb = 0.512; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.512 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to lack of education and/or mandatory security training. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD security breaches related to lack of employee education and training, so the null hypothesis H9₀ is rejected.

9.2.10 Hypothesis 10 (H10)

The tenth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to lack of awareness of organizational policies? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H10₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of awareness of organizational policies.

H10a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to lack of awareness of organizational policies.

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q10y are listed in table 14.

Table 14: Hypothesis 10 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q10y, "How often has your organization had mobile related security breaches by employees who later claimed they were unaware of organizational policies, during the past year?"
  Kendall Τb = 0.512; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.512 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of security breaches related to employees' lack of awareness of organizational policies. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces mobile and BYOD security breaches related to lack of employee awareness of organizational policies, so the null hypothesis H10₀ is rejected.

9.2.11 Hypothesis 11 (H11)

The eleventh main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents)? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H11₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents).

H11a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of document related security breaches (e.g. improper document sharing, saving, copying, emailing, printing, and scanning of documents).

The corresponding independent (x) questions and the dependent (y) question are listed in Appendix C. As before, the independent (x) values were aggregated by taking their median rather than their mean, since the median, unlike the mean, is not pulled away from the bulk of the data by skewness or by a few extreme values (Frederick & Brian, 1979). The median of the independent (x) questions was then statistically compared against the dependent (y) question using the Minitab Cross Tabulation and Chi-Square analysis; in other words, a de facto implementation of the BYOD Security Framework (the x questions) was compared against the reported security breaches (the y question). The resulting Kendall Τb and P-value for the relationship between the de facto implementation of the BYOD Security Framework and the dependent question Q11y are listed in table 15.

Table 15: Hypothesis 11 Results
  Independent variables (protection of resources and assets): questions Q4.1x_1 – Q4.7x_6 (see Appendix C)
  Dependent variable (possible security breach): Q11y, "How often document related security breaches related to mobile devices occurred, during the past year, as a result of improper, non-existent, or unclear policies in place? (Breaches can be improper sharing, improper saving to the cloud or portable media, improper emailing, and improper printing and scanning among other things.)"
  Kendall Τb = 0.450; P-value = 0.00001 (P < 0.05? Yes)

The positive Kendall Τb of 0.450 suggests a strong positive association between a well-defined implementation of the BYOD Security Framework and a reduction of document related security breaches. The test of significance was confirmed at the 95% confidence level (alpha-level = 0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is enough evidence that a well-defined implementation of the BYOD Security Framework significantly reduces document related mobile and BYOD security breaches, so the null hypothesis H11₀ is rejected.

 


9.2.12 Hypothesis 12 (H12)

The twelfth main research hypothesis addresses the following sub-question: Can a BYOD Security Framework implementation for an enterprise reduce security breaches related to mobile application flaws? As for the preceding hypotheses, Τb = 0.4 is taken as the minimally acceptable coefficient for a strong association, following the Yates et al. (1993) recommendation (see table 3), with statistical significance assessed separately at the 0.05 level. On this basis the corresponding null and alternate hypotheses were developed from the conceptual BYOD Security Framework:

H12₀: There is no significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to mobile application flaws.

H12a: There is a significant correlation between implementation of the BYOD Security Framework for an enterprise and a corresponding reduction of security breaches related to mobile application flaws.

The corresponding independent (x) questions and the dependent (y) question are

listed in Appendix C. In order to aggregate the independent (x) values, the median value

of the values was taken. While the mean and median values can sometimes be the same

or at least very close, they differ greatly if data values are clustered toward one end of

their range and/or if there are a few extreme values. This is referred to as skewness in

statistical terms. In such cases, the mean can be considerably influenced by the few

 


extreme values, and not be representative of the majority of the values in the data

set. Under these circumstances, median gives a better representation of central tendency

than average (Frederick & Brian, 1979).

The median value of the independent (x) questions was calculated and then

statistically compared against the dependent question (y) values using the Minitab Cross

Tabulation and Chi-Square analysis; in other words, a de facto implementation of the

BYOD Security Framework (the x questions) against the possible security breaches (the

y question). The resulting Kendall Τb and P-values for the relationship between the

BYOD Security Framework de facto implementation and hypothesis (Q12y) are

listed in table 16.
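The analysis step just described (median-aggregate the x questions, then correlate the aggregate with the y question using Kendall's Τb), worked through in Python as an added example; this is not the dissertation's Minitab procedure or its survey data. The eight respondents, the 1 to 5 answer scales, and the function names are constructed for the illustration; the interpretation cut-offs are the Yates et al. (1993) thresholds the text cites.

```python
"""Kendall's tau-b on ordinal survey data after median aggregation of the
independent (x) questions. Added example; the respondents, scales and
function names below are constructed for illustration, not study data."""
import math
from statistics import median
from typing import List, Sequence, Tuple


def kendall_tau_b(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Tie-corrected Kendall tau-b for two equally long ordinal sequences.

    Every unordered pair of respondents (i, j) falls into one bucket:
      concordant   x and y move in the same direction
      discordant   x and y move in opposite directions
      tied_x_only  equal x, different y
      tied_y_only  equal y, different x
      pairs tied on both are dropped from every count
    tau_b = (C - D) / sqrt((C + D + Ty) * (C + D + Tx))
    """
    if len(xs) != len(ys):
        raise ValueError("x and y must cover the same respondents")
    concordant = discordant = tied_x_only = tied_y_only = 0
    n = len(xs)
    for i in range(n):
        for j in range(i + 1, n):
            dx = (xs[i] > xs[j]) - (xs[i] < xs[j])  # sign of the x difference
            dy = (ys[i] > ys[j]) - (ys[i] < ys[j])  # sign of the y difference
            if dx == 0 and dy == 0:
                continue
            if dx == 0:
                tied_x_only += 1
            elif dy == 0:
                tied_y_only += 1
            elif dx == dy:
                concordant += 1
            else:
                discordant += 1
    denom = math.sqrt((concordant + discordant + tied_y_only)
                      * (concordant + discordant + tied_x_only))
    if denom == 0:
        raise ValueError("tau-b is undefined when one variable is constant")
    return (concordant - discordant) / denom


def aggregate_by_median(responses: Sequence[Sequence[float]]) -> List[float]:
    """Collapse each respondent's answers to the x questions into one median
    score, the aggregation the text prefers because the median resists skew."""
    return [median(answers) for answers in responses]


def strength_label(tau: float) -> str:
    """Interpretation cut-offs as the text cites them from Yates et al. (1993)."""
    if tau > 0.4:
        return "strong"
    if tau >= 0.3:
        return "moderately strong"
    return "weak"


# Constructed sample (not the study's data): eight respondents, three x
# questions scored 1 (element not implemented) .. 5 (fully implemented), and
# one y question scored 1 (breaches very often) .. 5 (no breaches), so that a
# positive tau-b reads as "more implementation, fewer breaches".
X_RESPONSES = [
    [5, 5, 4], [4, 5, 4], [4, 4, 3], [3, 3, 4],
    [2, 3, 3], [2, 2, 1], [1, 2, 2], [1, 1, 2],
]
Y_RESPONSES = [5, 4, 5, 3, 4, 2, 3, 1]


def run_hypothesis_test() -> Tuple[float, str]:
    """Median-aggregate the x questions, then correlate the result with y."""
    x_scores = aggregate_by_median(X_RESPONSES)
    tau = kendall_tau_b(x_scores, Y_RESPONSES)
    return tau, strength_label(tau)


if __name__ == "__main__":
    tau, label = run_hypothesis_test()
    print(f"Kendall tau-b = {tau:.3f} ({label})")
```

On the constructed sample the aggregation leaves three tied pairs on each side; tau-b keeps those pairs in the denominator (unlike tau-a), which is why it is the appropriate statistic for coarse 1 to 5 survey scales where ties are unavoidable.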

 

Measure of Association | Corresponding Survey Questions

Protection of resources and assets (independent variables) | Questions Q4.1x_1 – Q4.7x_6 (see Appendix C)

Possible security breach (dependent variable) | Q12y How often security breaches resulted from mobile application security flaws during the past year?

Τb = 0.439 | P < 0.05? 0.00001 (Yes)

Table 16: Hypothesis 12 Results  

The positive value for Kendall Τb of 0.439 suggests a strong and positive

association between a well-defined implementation of the BYOD Security Framework

and reduction of security breaches related to mobile application flaws. The test of reliability

and significance was confirmed, assuming a confidence interval of 95% (alpha-level =

0.05), with a P-value < 0.00001 (Salkind, 2012). Thus, it can be concluded that there is

enough evidence suggesting that a well-defined implementation of the BYOD Security

 


Framework significantly reduces mobile and BYOD security breaches related to mobile

application flaws so we reject the null hypothesis H120.

 

9.3 Additional Statistical Findings

In order to take into account all-encompassing views of the collected data, three

further statistical operations were performed. First, the P-values for all associations were

combined using the Fisher method (Fisher, 1934) for a combined P-value result of 0.000.

Second, the overall median value of the independent (x) values was compared to the

median value of the dependent (y) values using the Minitab Cross Tabulation and Chi-

Square analysis; this in fact means if all the elements of the Framework are implemented,

then what is the impact on security breaches? The Τb value obtained was most

interesting: 0.534. This not only indicates a very strong correlation between the

implementation of the Framework elements and resulting reduction in security breaches

related to BYOD, but it is also larger than any of the Τb values obtained previously

when individual breaches were studied (See Tables 1 – 12). This can be interpreted to

mean that with a complete de facto implementation of the BYOD Security Framework,

the overall security breaches related to BYOD are significantly reduced as a whole, more

than just its individual parts.

Finally, a roll-up operation was performed to display the results of the study

analyses for the initial 12 high-level research hypotheses. The roll-up operation entailed

performing Fisher’s z transformation, an alternate method of averaging correlation

coefficients described by Corey et al. (1998) and studied by Fieller et al. (1957), to

average the Kendall Τb values and to provide a comprehensive overview of how

 


applying an enterprise-wide BYOD Security Framework approach significantly reduces

BYOD related security breaches. Each correlation coefficient Τb can be converted into a

Fisher’s z using equation (i) (Corey et al., 1998):

z = 0.5*ln((1 + Τb)/(1 - Τb)) (i)

The Fisher z transformation results can then be averaged and the outcome back-converted

to correlation coefficient denoted as (Τbz) using equation (ii) (Corey et al., 1998):

Τbz = (e^(2z) - 1)/(e^(2z) + 1) (ii)

For each of the 12 high-level hypotheses, this same rollup operation was performed and

the results analyzed. These results are displayed in table 17.

Hypothesis  H1     H2     H3     H4     H5     H6

Fisher’s z  0.382  0.413  0.293  0.366  0.448  0.367

Τbz         0.364  0.391  0.285  0.351  0.420  0.351

Hypothesis  H7     H8     H9     H10    H11    H12

Fisher’s z  0.376  0.433  0.453  0.436  0.387  0.393

Τbz         0.359  0.408  0.424  0.410  0.369  0.374

Table 17: Fisher’s z and calculated Τbz Values for H1 – H12
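The roll-up of equations (i) and (ii) and the Fisher-method combination of P-values from the start of section 9.3, carried through in Python as an added example (not the author's own computation). The Table 17 numbers are copied from the page only to check that equation (ii) reproduces the printed Τbz values to within three-decimal rounding; the P-value combination treats each "P < 0.00001" entry of Table 18 as the bound 0.00001 and uses H3's P = 0.5, so its result is an upper bound on the combined P-value. The function names are this example's own.

```python
"""Roll-up of Kendall tau-b values through Fisher's z (equations (i) and (ii))
and combination of P-values by Fisher's method, as used in section 9.3.
Added example; TABLE_17 and the Table 18 P-values are copied from the page
for the checks, everything else is this example's own."""
import math
from typing import Dict, Sequence, Tuple


def fisher_z(tau: float) -> float:
    """Equation (i): z = 0.5 * ln((1 + tau) / (1 - tau)), i.e. atanh(tau)."""
    if not -1.0 < tau < 1.0:
        raise ValueError("a correlation must lie strictly inside (-1, 1)")
    return 0.5 * math.log((1.0 + tau) / (1.0 - tau))


def z_to_tau(z: float) -> float:
    """Equation (ii): tau_bz = (e^(2z) - 1) / (e^(2z) + 1), i.e. tanh(z)."""
    e2z = math.exp(2.0 * z)
    return (e2z - 1.0) / (e2z + 1.0)


def average_tau(taus: Sequence[float]) -> float:
    """Average correlations in z space and back-convert (the Corey et al., 1998
    procedure the text follows). Because atanh is convex on (0, 1), the result
    is never below the plain arithmetic mean of positive correlations."""
    mean_z = sum(fisher_z(t) for t in taus) / len(taus)
    return z_to_tau(mean_z)


def combine_pvalues_fisher(pvalues: Sequence[float]) -> float:
    """Fisher's method: X = -2 * sum(ln p_i) follows a chi-square distribution
    with 2k degrees of freedom under the null. For even degrees of freedom the
    chi-square survival function is exp(-X/2) * sum_{i<k} (X/2)^i / i!, so the
    combined P-value needs no statistics library."""
    if not pvalues or any(not 0.0 < p <= 1.0 for p in pvalues):
        raise ValueError("P-values must lie in (0, 1]")
    k = len(pvalues)
    x_half = -sum(math.log(p) for p in pvalues)  # this is X / 2
    term, total = 1.0, 0.0
    for i in range(k):  # accumulate (X/2)^i / i! for i = 0 .. k-1
        total += term
        term *= x_half / (i + 1)
    return math.exp(-x_half) * total


# Fisher's z and Tbz exactly as printed in Table 17 (both rounded to 3 dp).
TABLE_17: Dict[str, Tuple[float, float]] = {
    "H1": (0.382, 0.364), "H2": (0.413, 0.391), "H3": (0.293, 0.285),
    "H4": (0.366, 0.351), "H5": (0.448, 0.420), "H6": (0.367, 0.351),
    "H7": (0.376, 0.359), "H8": (0.433, 0.408), "H9": (0.453, 0.424),
    "H10": (0.436, 0.410), "H11": (0.387, 0.369), "H12": (0.393, 0.374),
}


def max_table17_discrepancy() -> float:
    """Largest |tanh(z) - printed Tbz| over Table 17. Since z is itself rounded
    to three decimals, gaps up to about 0.001 are rounding, not an error."""
    return max(abs(z_to_tau(z) - tbz) for z, tbz in TABLE_17.values())


def combined_pvalue_table18() -> float:
    """Fisher-method combination of the twelve Table 18 P-values. The eleven
    '< 0.00001' entries are replaced by the bound 0.00001 and H3 contributes
    its P = 0.5, so the result is an upper bound on the study's combined P."""
    return combine_pvalues_fisher([0.00001] * 11 + [0.5])


if __name__ == "__main__":
    print("worked check, H5: z = 0.448 ->", round(z_to_tau(0.448), 3))
    print("max Table 17 discrepancy:", round(max_table17_discrepancy(), 5))
    print("combined P (upper bound):", combined_pvalue_table18())
```

Running the check over Table 17 gives a largest gap of about 0.0005 (for H4, where tanh(0.366) is 0.3505 against the printed 0.351), which is what rounding both columns to three decimals produces; the combined P-value bound comes out far below any conventional alpha, matching the "0.000" the text reports.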

As an example, consider hypothesis H5: BYOD Security Framework implementation for

an enterprise reduces authentication related security breaches. The Τbz value of 0.420 suggests a

strong and positive association between implementation of all the BYOD Security

Framework elements and the corresponding reduction of authentication related security

breaches as stated in hypothesis H5. Overall, the Τbz values indicate moderately strong to

strong positive associations between a well-defined implementation of the BYOD

Security Framework elements and the overall reduction of BYOD related security

breaches. Furthermore, the overall calculated P-value of 0.000 using the Fisher method

discussed previously indicates that a statistically significant relationship exists between a

 


well-defined implementation of the framework elements and reduction of BYOD related

breaches. Based on these analyses and the previously discussed Τb associations, we

conclude that the BYOD Security Framework is valid and its implementation in the

enterprise would significantly reduce BYOD related security breaches.

9.4 Summary of Data Analysis

The following table summarizes the hypotheses and the resulting data analysis. If a Τb

was greater than 0.4, then according to Yates et al. (1993), the correlation is a strong

one; values between 0.3 and 0.4 indicate a moderately strong correlation.

Hypothesis: Significant Reduction in | Kendall Τb | Significant? (P < 0.05) | Null/Alternate

H1: Data breach | 0.427 | Yes (P < 0.00001) | Reject null

H2: Wireless breach | 0.467 | Yes (P < 0.00001) | Reject null

H3: Cellular breach | 0.342 | Yes (P = 0.5) | Reject alternate

H4: Rogue device breach | 0.472 | Yes (P < 0.00001) | Reject null

H5: Authentication breach | 0.510 | Yes (P < 0.00001) | Reject null

H6: Lost/Stolen device breach | 0.416 | Yes (P < 0.00001) | Reject null

H7: Unauthorized access breach | 0.456 | Yes (P < 0.00001) | Reject null

H8: Confusion over policy breach | 0.492 | Yes (P < 0.00001) | Reject null

H9: Lack of training breach | 0.512 | Yes (P < 0.00001) | Reject null

H10: Lack of awareness breach | 0.512 | Yes (P < 0.00001) | Reject null

H11: Document related breach | 0.450 | Yes (P < 0.00001) | Reject null

H12: Application (app) flaw breach | 0.439 | Yes (P < 0.00001) | Reject null

Table 18: Summary of Τb values and rejection of null/alternate hypotheses

 


10 Conclusions and Recommendations

10.1 Overview

This dissertation fills a gap in the academic literature and contributes to the

security engineering and engineering management body of knowledge by providing a

practical framework for secure implementation of personal mobile devices or BYOD.

The strategies, policy management, and technology integration processes presented in the

BYOD Security Framework form an enhanced security management system for

deployment of BYOD. The analyses of the twelve research hypotheses demonstrate that

a BYOD strategy is achievable via the use of the BYOD Security Framework resulting in

sustained productivity improvement at the enterprise.

10.2 Summary of Key Research Parameters

The first research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of authentication related security breaches” is supported with the

results of the Kendall Tau analysis. The results showed that given a de facto

implementation of the BYOD Security Framework, the resulting mobile related data

security breaches are reduced significantly (tau = 0.427). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

The second research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of mobile related wireless (Wi-Fi) security breaches” is

 


supported with the results of the Kendall Tau analysis. The results showed that given a

de facto implementation of the BYOD Security Framework, the resulting Wi-Fi related

data security breaches are reduced significantly (tau = 0.467). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

The third research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of mobile related cellular security breaches” is not supported

with the results of the Kendall Tau analysis. The results showed that given a de facto

implementation of the BYOD Security Framework, the resulting cellular related data

security breaches are reduced moderately strongly (tau = 0.342), but not significantly (i.e.

very strongly). The P value of 0.5 further confirms this conclusion.

The fourth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to rogue mobile devices access” is

supported with the results of the Kendall Tau analysis. The results showed that given a

de facto implementation of the BYOD Security Framework, the resulting rogue mobile

access related data security breaches are reduced significantly (tau = 0.431). The results

indicate a very strong correlation between the implementation of the framework elements

and significant reduction of data breaches as related to personal mobile devices. The P

value of less than 0.00001 further confirms this conclusion.

 


The fifth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of authentication related security breaches” is supported with the

results of the Kendall Tau analysis. The results showed that given a de facto

implementation of the BYOD Security Framework, the resulting authentication related

data security breaches are reduced significantly (tau = 0.510). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

The sixth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to lost/stolen mobile devices” is

supported with the results of the Kendall Tau analysis. The results showed that given a

de facto implementation of the BYOD Security Framework, the resulting lost/stolen

related data security breaches are reduced significantly (tau = 0.416). The results indicate

a very strong correlation between the implementation of the framework elements and

significant reduction of data breaches as related to personal mobile devices. The P value

of less than 0.00001 further confirms this conclusion.

The seventh research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to unauthorized mobile access” is

supported with the results of the Kendall Tau analysis. The results showed that given a

de facto implementation of the BYOD Security Framework, the resulting unauthorized

 


mobile access related data security breaches are reduced significantly (tau = 0.456). The

results indicate a very strong correlation between the implementation of the framework

elements and significant reduction of data breaches as related to personal mobile devices.

The P value of less than 0.00001 further confirms this conclusion.

The eighth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to lack of understanding of

organizational security policies” is supported with the results of the Kendall Tau analysis.

The results showed that given a de facto implementation of the BYOD Security

Framework, the resulting lack of understanding of organizational security policies related

data security breaches are reduced significantly (tau = 0.492). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

The ninth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to lack of training and education of

organizational employees” is supported with the results of the Kendall Tau analysis. The

results showed that given a de facto implementation of the BYOD Security Framework,

the resulting lack of training of employees related data security breaches are reduced

significantly (tau = 0.512). The results indicate a very strong correlation between the

implementation of the framework elements and significant reduction of data breaches as

 


related to personal mobile devices. The P value of less than 0.00001 further confirms this

conclusion.

The tenth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to lack of awareness of

organizational policies” is supported with the results of the Kendall Tau analysis. The

results showed that given a de facto implementation of the BYOD Security Framework,

the resulting lack of awareness of employees of organizational policies related data

security breaches are reduced significantly (tau = 0.512). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

The eleventh research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of document related security breaches (e.g. improper document

sharing, saving, copying, emailing, printing, and scanning of documents)” is supported

with the results of the Kendall Tau analysis. The results showed that given a de facto

implementation of the BYOD Security Framework, the resulting document related data

security breaches are reduced significantly (tau = 0.450). The results indicate a very

strong correlation between the implementation of the framework elements and significant

reduction of data breaches as related to personal mobile devices. The P value of less than

0.00001 further confirms this conclusion.

 


The twelfth research hypothesis’ claim that “There is a significant correlation

between implementation of the BYOD Security Framework for an enterprise and

corresponding reduction of security breaches related to mobile application flaws” is

supported with the results of the Kendall Tau analysis. The results showed that given a

de facto implementation of the BYOD Security Framework, the resulting mobile

application flaws related data security breaches are reduced significantly (tau = 0.439).

The results indicate a very strong correlation between the implementation of the

framework elements and significant reduction of data breaches as related to personal

mobile devices. The P value of less than 0.00001 further confirms this conclusion.

10.3 Conclusions

The main inspiration behind this research was the author’s experience in the

world of security and security management and his curiosity about the lack of any kind of

comprehensive solution to the security of personal mobile devices in the workplace.

Upon further research through the literature along with personal interviews with industry

experts, CIOs, and academia, it became clear that comprehensive solutions are not

available for securing personal mobile devices on enterprise networks. Interestingly,

the literature offers a good deal of expertise on the problems, issues, and concerns

regarding mobile security and BYOD while failing to provide a comprehensive solution.

Certainly, it is possible to build a reasonably secure mobile device, just as it is possible to

build a reasonably secure desktop but this security comes at the expense of functionality

(Michael & Viega, 2010). This defeats the appeal that mobile devices have for their

owners. Jansen suggests User Interface plugins, encryption, and policy incorporations

(Jansen et al., 2004), but most of what is proposed applies to managed, company-owned

 


devices circa 2003 and do not apply to today’s post Apple iOS and Google Android

based BYOD that permeate all aspects of society.

The purpose of this research was to address the security concerns that arise from

allowing and/or implementing BYOD in an organization and to contribute to the body of

knowledge by proposing a solution in the form of a validated framework. The BYOD

Security Framework was presented as having seven necessary stages encompassing the

BYOD Security Lifecycle’s four mandatory stages. These stages are Plan, Identify,

Protect, Detect, Respond, Recover, and Assess/Monitor. The quantitative research

following the framework included a survey questionnaire to collect qualitative insights into

factors that determine a secure implementation of a BYOD program as outlined in the

BYOD Security Framework. More specifically, the statistical results showed with a

reasonable degree of confidence that an organization having de facto implemented the

BYOD Security Framework would significantly reduce associated BYOD security

breaches. This framework was developed and statistically validated as a proposed solution

to securely implementing a BYOD program in the enterprise. A security team can use

the framework’s seven stages and the BYOD Security Lifecycle in their organizational

BYOD program to achieve their objectives while mitigating risk in a clear and well-

defined manner. In the often-chaotic world of BYOD, this framework serves as an

exceptional and well-defined tool to be used by security teams and practitioners.

The twelve main hypotheses in this dissertation address the basic research

question that implementation of the BYOD Security Framework significantly reduces

breaches related to personal mobile devices. A not so unexpected benefit of

implementing the BYOD Security Framework and thus having a mobile program in the

 


enterprise is increased productivity. While this is a side benefit of the framework, it is

worthy of mention. Consider Intel Corporation, which started its BYOD program in 2008;

by the end of 2012, more than 23,000 employees had been enrolled in its program.

Intel’s IT department created a cloud which provided access to company services and

resources. Employees recounted they each saved 57 minutes daily on average in 2012,

corresponding to a productivity gain of five million hours for 2012 (Intel, 2014). The

elements of the BYOD Security Framework that are in Intel’s BYOD program are:

• Device registration

• Employee training and usage agreement

• Data protection via policies and encryption

• Security enforcement policies such as monitoring devices and mandatory wipes

• Expected device support levels from Intel

• Compliance with Intel’s policies and code of conduct

• Software application restriction on devices

• Application approval process

While these elements are only a portion of the presented framework, the productivity

impact that just this subset of the framework brings, combined with an apparent level of

security, should be clear, as Intel has not reported any major security breaches related to its

BYOD program.

BYOD can provide an exceptional landscape to be explored and can be especially

worthy for an organization’s bottom line (Caldwell, Zeltmann, & Griffin, 2012). The

research concludes that a well-defined and well-managed BYOD approach based on a

balanced combination of technology and policy management, as laid out in the BYOD

 


Security Framework, allows for preservation of a desired level of security while offering

many benefits of BYOD to an organization.

10.4 Research Caveats and Recommendations

Mobile security and in particular BYOD have become such an integral part of

everyday life that a new term has been coined to describe the phenomenon:

consumerization, a word that is not yet in any dictionary or for that matter the Microsoft

Word spell checker. From apps that are designed to help handicapped people, to those

helping doctors and engineers, to those for teachers and education, those used by banks

and financial institutions, those for hospitality, entertainment, games for all ages, and

even apps for measuring our heart rates and sleep patterns, the personal smartphone is

everywhere and used by all. It should be clear that a single security process or guideline

is not sufficient for every organization or even a single type of organization. Each

enterprise has its own business needs, policies, and risk level, and each needs to

customize its own security framework. The BYOD Security Framework serves as an

excellent foundation and starting point for further research and improvement of security

for a particular area. Further research into each specific area of interest can build on the

BYOD Security Framework. For example, interested security researchers in the health

industry can start their research with the BYOD Security Framework, fine-tune and

extend its principles with an eye towards practical and secure implementation of personal

mobile devices in the healthcare industry. The same can be said for architectural

organizations, colleges and universities, schools, manufacturing, software developers,

and any other area of need. Researchers focusing on one particular area can become

more granular in their approaches to presenting more specific solutions to the use of

 


BYOD within the confines of their particular area. More specifically, the study

conducted for this dissertation offers the following areas of opportunities for future

systems engineering and engineering management research:

1. Custom secure app development and operating system extensions for unifying

existing legacy system interfaces on personal mobile devices

2. BYOD secure packaged application developments for small to mid-size

businesses that are easily integrated. These can be decentralized and thus not

require the overhead of having central servers yet providing security for data in

transit and data in place

3. Specific policy development based on the BYOD Framework for various industry

sectors such as healthcare, education, IT, etc. that provide out of the box policy

solutions for BYOD

4. General and industry-specific training modules and processes focused on

educating users in a BYOD environment

5. Further research in the areas that build on BYOD, namely Bring Your Own

Service (BYOS) and Bring Your Own Apps (BYOA) and how they should be

integrated with the BYOD Security Framework. BYOS consists of employees

using their own devices (BYOD) to do company work but also using their own

choice of services such as VPN and cloud services. BYOA consists of

employees using their BYOD to do company work using custom apps developed

by themselves or else developed by a third party which the user contracted to

develop the custom app

 


There are many other research avenues of course, but these are some practical ones to start.

The last research area on this list, namely BYOS and BYOA, presents excellent research

opportunities for making BYOD a truly enterprise and productive paradigm for the near

and distant futures.

 


11 References

[1] Absalom, R. (2012). International Data Privacy Legislation Review: A Guide for

BYOD Policies.

[2] Ackerman, E. (2013). The bring-your-own-device dilemma [Resources At Work].

Spectrum, IEEE, 50(8).

[3] Alberts, C. J., & Dorofee, A. J. (2010). Risk Management Framework: DTIC

Document.

[4] Albrechtsen, E. (2007). A qualitative study of users' view on information security.

Computers & Security, 26(4), 276-289. doi:

http://dx.doi.org/10.1016/j.cose.2006.11.004

[5] Albrechtsen, E., & Hovden, J. (2009). The information security digital divide

between information security managers and users. Computers & Security, 28(6), 476-

490. doi: http://dx.doi.org/10.1016/j.cose.2009.01.003

[6] Alreck, P. L., & Settle, R. B. (1985). The survey research handbook (p. 146).

Homewood, IL: Irwin.

[7] Anderson, E. E., & Choobineh, J. (2008). Enterprise information security strategies.

Computers & Security, 27(1–2), 22-29. doi:

http://dx.doi.org/10.1016/j.cose.2008.03.002

[8] Arbaugh, W. A. (2003). Wireless security is different. Computer, 36(8), 99-101.

[9] Armerding, T. (2013). The Department of Homeland Security and its obsolete

Android OS problem, 2013, from http://www.csoonline.com/article/742371/the-

 

167  

department-of-homeland-security-and-its-obsolete-android-os-

problem?source=CSONLE_nlt_update_2013-11-03

[10] Ballenstedt, B. (2013). Study Predicts BYOD Boom by 2016 Retrieved May 23,

2013, from http://www.nextgov.com/cio-briefing/wired-workplace/2013/05/study-

predicts-byod-boom-2016/62990/

[11] Banuri, H., Alam, M., Khan, S., Manzoor, J., Ali, B., Khan, Y., . . . Zhang, X. (2012).

An Android runtime security policy enforcement framework. Personal and

Ubiquitous Computing, 16(6), 631-641. doi: 10.1007/s00779-011-0437-6

[12] Baskerville, R. (1993). Information systems security design methods: implications for

information systems development. ACM Computing Surveys, 25(4), 375-414. doi:

10.1145/162124.162127

[13] Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., & Wolf, C.

(2011). Mobile security catching up? revealing the nuts and bolts of the security of

mobile devices. Paper presented at the Security and Privacy (SP), 2011 IEEE

Symposium on.

[14] Benefits of Enabling Personal Handheld Devices in the Enterprise. (n.d.). Retrieved

21 July 2015, from http://www.intel.co.uk/content/www/uk/en/it-leadership/intel-it-it-

leadership-benefits-of-enabling-personal-handheld-devices-in-the-enterprise-

practices.html

[15] Bernard, H. R. (1988). Research methods in cultural anthropology (p. 117). Newbury

Park, CA: Sage.

 

168  

[16] Bishop, M. (2003). What is computer security? Security & Privacy, IEEE, 1(1), 67-

69.

[17] Burt, J. (2011). BYOD trend pressures corporate networks. eweek, 28(14), 30-31.

[18] Caldwell, C., Zeltmann, S., & Griffin, K. (2012, July). BYOD (bring your own

device). In Competition Forum (Vol. 10, No. 2, p. 117). American Society for

Competitiveness.

[19] Choo, K.-K. R. (2011). The cyber threat landscape: Challenges and future research

directions. Computers & Security, 30(8), 719-731. doi:

http://dx.doi.org/10.1016/j.cose.2011.08.004

[20] Choras, M. (2013). Comprehensive approach to information sharing for increased

network security and survivability. Cybernetics and Systems, 44(6-7), 550-568. doi:

10.1080/01969722.2013.818433

[21] Coles-Kemp, L. (2009). Information security management: An entangled research

challenge. Information Security Technical Report, 14(4), 181-185.

[22] Corey, D. M., Dunlap, W. P., & Burke, M. J. (1998). Averaging correlations:

Expected values and bias in combined Pearson rs and Fisher's z transformations. The

Journal of general psychology, 125(3), 245-261.

[23] Creswell, J. W., & Clark, V. L. P. (2007). Designing and conducting mixed methods

research.

[24] Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle, B. S. (2014). Understanding

Compliance with BYOD (Bring Your Own Device) Policies Utilizing Protection

 

169  

Motivation Theory: Bridging the Intention-Behavior Gap. Journal of Information

Systems.

[25] Dodd, C. (2013). Pros and Cons of Bring Your Own Device Retrieved May 25,

2013, 2013, from http://turbinehq.com/2013/bring-your-own-device/

[26] Fayad, M., & Schmidt, D. C. (1997). Object-oriented application frameworks.

Communications of the ACM, 40(10), 32-38.

[27] Fieller, E. C., & Pearson, E. S. (1961). Tests for rank correlation coefficients: II.

Biometrika, 29-40.

[28] Finn M. Halvorsen, O. H., Martin Eian, Stig F. Mjolsnes. An Improved Attack on

TKIP. Trondheim, Norway: Norwegian University of Science and Technology.

[29] Finneran, M. (2012). Mobile Security Gaps Abound. Informationweek, 26-29.

[30] Fisher, R. A. (1934). Statistical methods for research workers.

[31] Forcht, K. A., & Ayers, W. C. (2000). Developing a computer security policy for

organizational use and implementation. Journal of Computer Information Systems,

41(2), 52-57.

[32] Frederick, H. and E. D. Brian (1979). Exploratory Data Analysis, Sage.

[33] Rowsell-Jones, A., Jones, N. (2012). Checklist for Determining Enterprise Readiness

to Support Employee-Owned Devices [Research]. Gartner (G00234127)

[34] Ghosh, A., Gajar, P. K., & Rai, S. (2013). Bring your own device (BYOD): Security

risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4),

62-70. Siponen, M., & Willison, R. (2009). Information security management

standards: Problems and solutions. Information & Management, 46(5), 267-270.

 

170  

[35] Girard, J. (2013). Top Seven Failures in Mobile Device Security [Research]. Gartner

(G00246862)

[36] Girard, J. (2011). Seven Steps to Planning and Developing a Superior Mobile Device

Policy [Research]. Gartner (G00225405)

[37] Godlove, T. (2012). Examination of the factors that influence teleworkers' willingness

to comply with information security guidelines. Information Security Journal, 21(4),

216-229. doi: 10.1080/19393555.2012.668747

[38] Goedert, J. (2013). Mobile device management software: the answer to BYOD?

Health data management, 21(2), 32, 34, 36 passim.

[39] Greengard, S. (2014, July 7). Missing in Action: BYOD Security. Retrieved July 30,

2014, from http://www.cioinsight.com/blogs/missing-in-action-byod-security.html

[40] Halpert, B. (2004). Mobile device security. Paper presented at the Proceedings of the

1st annual conference on Information security curriculum development, Kennesaw,

Georgia.

[41] Hayes, J. (2012). The device divide. Engineering & Technology, 7(9), 76-78.

[42] Hays, W. L. (1960). A note on average tau as a measure of concordance. Journal of

the American Statistical Association, 55(290), 331-341.

[43] Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for

information security management. The Journal of Strategic Information Systems,

20(4), 373-384. doi: http://dx.doi.org/10.1016/j.jsis.2011.06.001

[44] Howard, M., & Lipner, S. (2009). The security development lifecycle. O'Reilly Media.

[45] Ifinedo, P. (2012). Understanding information systems security policy compliance:

An integration of the theory of planned behavior and the protection motivation

theory. Computers & Security, 31(1), 83-95. doi:

http://dx.doi.org/10.1016/j.cose.2011.10.007

[46] Intel. (2013). Accelerating Business Growth through IT. Retrieved from

http://www.intel.com/content/dam/www/public/us/en/documents/reports/2012-2013-

intel-it-performance-report.pdf

[47] Rivera, J., & van der Meulen, R. (2013). Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes [Press release]. Stamford, CT: Gartner.

[48] Jansen, W. A., Gavrila, S. I., Korolev, V., Heute, T., & Séveillac, C. (2004, June). A

Unified Framework for Mobile Device Security. In Security and Management (pp. 9-

14).

[49] Jaramillo, D., Katz, N., Bodin, B., Tworek, W., Smart, R., & Cook, T. (2013).

Cooperative solutions for bring your own device (BYOD). IBM Journal of Research

and Development, 57(6), 5-1.

[50] Jarvelainen, J. (2013). IT incidents and business impacts: Validating a framework for

continuity management in information systems. doi: 10.1016/j.ijinfomgt.2013.03.001

[51] Jones, J. (2012, August 2). BYOD: Organizations Question Risk vs. Benefit. Retrieved from http://blogs.technet.com/b/security/archive/2012/08/02/byod-organizations-question-risk-vs-benefit.aspx

[52] Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. IT Professional, 14(5), 53-55. doi: 10.1109/MITP.2012.93

[53] Knapp, K. J., Franklin Morris Jr, R., Marshall, T. E., & Byrd, T. A. (2009).

Information security policy: An organizational-level process model. Computers &

Security, 28(7), 493-508. doi: http://dx.doi.org/10.1016/j.cose.2009.07.001

[54] Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in

computer and information security: Pathways to vulnerabilities. Computers &

Security, 28(7), 509-520. doi: http://dx.doi.org/10.1016/j.cose.2009.04.006

[55] Loucks, J., Medcalf, R., Buckalew, L., & Faria, F. (2013). The Financial Impact of

BYOD. Retrieved from http://www.cisco.com/web/about/ac79/docs/re/byod/BYOD-

Economics_Econ_Analysis.pdf.

[56] Lu, W. P., & Sundareshan, M. K. (1990). A model for multilevel security in computer

networks. IEEE Transactions on Software Engineering, 16(6), 647-659. doi:

10.1109/32.55093

[57] Malin, A. (2007). Designing networks that enforce information security policies.

Information Systems Security, 16(1), 47-53. doi: 10.1080/10658980601051490

[58] Manley, M. E., McEntee, C. A., Molet, A. M., & Park, J. S. (2005). Wireless security

policy development for sensitive organizations. Paper presented at the 6th Annual

IEEE System, Man and Cybernetics Information Assurance Workshop, SMC 2005,

June 15, 2005 - June 17, 2005, West Point, NY, United states.

[59] Mansfield-Devine, S. (2012). Interview: BYOD and the enterprise network. Computer Fraud & Security, 2012(4), 14-17.

[60] Mansfield-Devine, S. (2014). Majority of Organizations Have No BYOD Policies. Retrieved October 14, 2014, from http://www.tripwire.com/state-of-security/top-security-stories/majority-of-organizations-have-no-byod-policies-2/

[61] Marsa-Maestre, I., De La Hoz, E., Gimenez-Guzman, J. M., & Lopez-Carmona, M.

A. (2013). Design and evaluation of a learning environment to effectively provide

network security skills. Computers and Education, 69, 225-236. doi:

10.1016/j.compedu.2013.07.022

[62] Martinez-Moyano, I. J., Conrad, S. H., & Andersen, D. F. (2011). Modeling

behavioral considerations related to information security. Computers & Security,

30(6–7), 397-409. doi: http://dx.doi.org/10.1016/j.cose.2011.03.001

[63] McGee, A. R., Coutiere, M., & Palamara, M. E. (2012). Public safety network

security considerations. Bell Labs Technical Journal, 17(3), 79-86. doi:

10.1002/bltj.21559

[64] Michael, B., & Viega, J. (2010). Mobile device security. IEEE Security & Privacy, 8(2), 11-12.

[65] Michael, K. (2012). Security Risk Management: Building an Information Security

Risk Management Program from the Ground Up. Computers & Security, 31(2), 249-

250. doi: http://dx.doi.org/10.1016/j.cose.2011.12.011

[66] Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and privacy considerations. IT Professional, 14(5), 53-55.

[67] Morrow, B. (2012). BYOD security challenges: control and protect your most sensitive data. Network Security, 2012(12), 5-8.

[68] Moyer, J. E. (2013). Managing Mobile Devices in Hospitals: A Literature Review of

BYOD Policies and Usage. Journal of Hospital Librarianship, 13(3), 197-208.

[69] Parker, D. B. (1976). Crime by computer. New York: Scribner.

[70] Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security. doi: http://dx.doi.org/10.1016/j.cose.2013.12.003

[71] Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the

abusive insider: An examination of insiders’ causal reasoning following internal

security changes. Computers & Security, 30(6–7), 486-497. doi:

http://dx.doi.org/10.1016/j.cose.2011.05.002

[72] Posthumus, S., & Von Solms, R. (2004). A framework for the governance of

information security. Com

[73] Pros and cons of ‘Bring Your Own Device’ (BYOD). (2013, March 19). Retrieved 21

August 2015, from http://turbinehq.com/2013/bring-your-own-device/

[74] Rhee, H.-S., Ryu, Y. U., & Kim, C.-T. (2012). Unrealistic optimism on information

security management. Computers and Security, 31(2), 221-232. doi:

10.1016/j.cose.2011.12.001

[75] Rivera, D., George, G., Peter, P., Muralidharan, S., & Khanum, S. (2013). Analysis of

Security Controls for BYOD (Bring your own Device).

[76] Roberts, P. (2013). If iOS is Less Secure, Why Does Android Get Attacked? All Things Security. Retrieved May 23, 2013, from http://www.veracode.com/blog/2013/04/if-ios-is-less-secure-why-does-android-get-attacked/

[77] Rouse, M. (2013). Mobile Device Management Systems Retrieved July 14, 2013,

from http://searchmobilecomputing.techtarget.com/definition/mobile-device-

management

[78] Ryan, J. J. C. H., Mazzuchi, T. A., Ryan, D. J., Lopez de la Cruz, J., & Cooke, R.

(2012). Quantifying information security risks using expert judgment elicitation.

Computers & Operations Research, 39(4), 774-784. doi:

http://dx.doi.org/10.1016/j.cor.2010.11.013

[79] Salkind, N. J. (2012). Statistics for People who (think They) Hate Statistics: Excel

2010 Edition. Sage.

[80] Scarfo, A. (2012, November). New security perspectives around BYOD. In

Proceedings of the 2012 Seventh International Conference on Broadband, Wireless

Computing, Communication and Applications (pp. 446-451). IEEE Computer

Society.

[81] Schreuders, Z. C., McGill, T., & Payne, C. (2013). The state of the art of application restrictions and sandboxes: A survey of application-oriented access controls and their shortfalls. Computers & Security, 32, 219-241. doi: http://dx.doi.org/10.1016/j.cose.2012.09.007

[82] Security, S. (2013). Mobile Device Security Implementation Plan Statistics.

[83] Siegel, S. (1956, 1988). Nonparametric statistics for the behavioral sciences.

[84] Singh, N. (2012). BYOD Genie Is Out Of the Bottle–“Devil Or Angel”. Journal of

Business Management & Social Sciences Research, 1(3), 1-12.

[85] Siponen, M., & Willison, R. (2009). Information security management standards:

Problems and solutions. Information & Management, 46(5), 267-270. doi:

http://dx.doi.org/10.1016/j.im.2008.12.007

[86] Siponen, M., Adam Mahmood, M., & Pahnila, S. (2014). Employees’ adherence to

information security policies: An exploratory field study. Information &

Management, 51(2), 217-224. doi: http://dx.doi.org/10.1016/j.im.2013.08.006

[87] Son, J. Y. (2011). Out of fear or desire? Toward a better understanding of employees’

motivation to follow IS security policies. Information & Management, 48(7), 296-

302.

[88] Stricklen, M., McHale, T., Caminetsky, M., & Reddy, V. (2007). Mobile device management [Patent]. Google Patents.

[89] Stytz, M. R. (2004). Considering defense in depth for software applications. Security

& Privacy, IEEE, 2(1), 72-75.

[90] Tang, W. K. (2003). The Effect of WLAN Security Evolution on Home, Enterprise

and Hotspots Market. SANS Institute Retrieved from

http://www.giac.org/paper/gsec/3606/effect-wlan-security-evolution-home-enterprise-

hotspots-market/105865.

[91] Thayer, R. (1998). Network security: Locking in to policy. Data Communications International, 27(4), 77-80.

[92] Thomson, G. (2012). BYOD: enabling the chaos. Network Security, 2012(2), 5-8.

doi: http://dx.doi.org/10.1016/S1353-4858(12)70013-2

[93] Tokuyoshi, B. (2013). The security implications of BYOD. Network Security,

2013(4), 12-13.

[94] United States. National Institute of Standards and Technology. (June 20, 2007).

National Vulnerability Database Common Vulnerability Scoring System Support v2.

Retrieved December 30, 2013, from http://nvd.nist.gov/cvss.cfm.

[95] US DoD. (2013). Mobile Operating System Security Requirements Guide Retrieved

December 30, 2013, from

http://iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html

[96] Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance:

Insights from Habit and Protection Motivation Theory. Information & Management,

49(3–4), 190-198. doi: http://dx.doi.org/10.1016/j.im.2012.04.002

[97] Von Solms, B. (2000). Information Security — The Third Wave? Computers &

Security, 19(7), 615-620. doi: http://dx.doi.org/10.1016/S0167-4048(00)07021-8

[98] Von Solms, B. (2006). Information Security – The Fourth Wave. Computers &

Security, 25(3), 165-168. doi: http://dx.doi.org/10.1016/j.cose.2006.03.004

[99] Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security

management. Computers & Security, 23(5), 371-376. doi:

http://dx.doi.org/10.1016/j.cose.2004.05.002

[100] Von Solms, S. (2005). Information security governance: compliance management vs operational management. Computers & Security, 24(6), 443-447.

[101] Wang, Y., Wei, J., & Vangury, K. (2014, January). Bring your own device

security issues and challenges. In Consumer Communications and Networking

Conference (CCNC), 2014 IEEE 11th (pp. 80-85). IEEE.

[102] West, D. (2012). How mobile devices are transforming healthcare. Issues in

Technology Innovation, 18, 1-14.

[103] Whiteside, T. (1978). Computer capers: Tales of electronic thievery, embezzlement, and fraud. Crowell.

[104] Willis, D. A. (2013). Bring Your Own Device: The Facts and the Future.

[Research]. Gartner (G2422315), 1-15.

[105] Wong, S. (2003). The evolution of wireless security in 802.11 networks: WEP, WPA and 802.11 standards. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/wireless/evolution-wireless-security-80211-networks-wep-wpa-80211-standards-1109.

[106] Yates, P. M., Beadle, G., Clavarino, A., Najman, J. M., Thomson, D., Williams,

G., ... & Schlect, D. (1993). Patients with terminal cancer who use alternative

therapies: Their beliefs and practices. Sociology of Health & Illness, 15(2), 199-216.

[107] Young, K. (2010). Policies and procedures to manage employee Internet abuse.

Computers in Human Behavior, 26(6), 1467-1471. doi: 10.1016/j.chb.2010.04.025

[108] Young, M. (2002). Policy-based network management: finally? Business

Communications Review, 32(8), 48-51.

[109] Zaiontz, C. (n.d.). Real Statistics Using Excel. Retrieved October 6, 2015, from http://www.real-statistics.com

12 Appendix A – Checklist for Determining Enterprise Readiness for BYOD

The following table is a high-level checklist for implementing BYOD. It can be used alongside the BYOD Security Framework (Rowsell-Jones & Jones, 2012).

Step | Activity | Key Deliverable
1 | Deciding on BYOD strategy | Determination of which approach to adopt to BYOD
1.1 | Perform a high-level BYOD problem analysis to scan for showstoppers | 
1.2 | Validate the program and define the goals | Evidence and goals for supporter and stakeholders
1.3 | Describe the scope and identify the supporter | Commission the BYOD program, definition of goals, and identity of supporters
1.4 | Identify stakeholders and solicit input | List of stakeholders and the issues/concerns that impact them
2 | Grouping employees and outlining support and access for each | Segmentation of employees into multiple groups and a package of policies and technologies for each
2.1 | Define employee groups | Employee roles/needs matrix and a list of applications/services to be supported on BYOD devices
2.2 | Assess employee information sensitivity for each group | Roles/needs matrix annotated with the sensitivity of information handled by employee roles
2.3 | Ascertain the provision and security options for apps and services for each group | List of preferences to deliver each key app or service onto a BYOD device along with management and security instruments
2.4 | Create scenarios for device/user/application management rules for each group | Potential packages of policies and technologies to tackle the needs of particular employee roles
2.5 | Choose a scenario for operation for each group | Detailed proposition for the preferred principal scenario
3 | Execution planning | Range of tools, network services, funding models
3.1 | Pick the tools and technologies | Catalog of tools for application provisioning, device administration, virtual desktop, and security
3.2 | Define the networking and connectivity strategy | List of network services and providers, and a technical and financial policy for each supported network type
3.3 | Delineate the application management and licensing policy | Recommendations and policies for application licensing, management, sourcing, and finance
3.4 | Define and refine the economic aspects and create a cost model | Proposed compensation plans, expected costs, and a total cost of ownership model
3.5 | Determine the user education and training requirements | Education and training material for proper use of BYOD over the organizational assets
3.6 | Identify qualified users | List of users participating in the BYOD program and management approval for their participation
3.7 | Conduct risk analysis | Justification alongside business process, social, data security, and financial risks
4 | Program setup | Staged endorsement for BYOD program
4.1 | Design a comprehensive program application for stakeholder sign-off | Detailed program descriptions for stakeholder approval
4.2 | Coach stakeholders and ensure their sign-off | Approval from stakeholders and supporters
4.3 | Create policies and procedures | Internal policy documents, processes, user BYOD contracts and agreements
4.4 | Define support procedures and processes | Supported principles, processes, and budgets
4.5 | Attain external stakeholder deliverables | External policy documents (e.g. legal language for contracts, finance policies)
4.6 | Develop instructional material | Teaching and training material on proper use of BYOD, appropriate connection to resources, and policy adherence
4.7 | Select users and obtain agreements | Catalog of participants and signed user agreements
4.8 | Roll out user training | Rollout of training material on proper use of BYOD, appropriate connection to resources, and policy adherence
5 | Proof of concept | Successful pilot
5.1 | Pilot the BYOD program | Updated program deliverables addressing concerns identified in the pilot
6 | Implementation | BYOD program rollout
6.1 | Roll out the program | Educated users, support staff, managers, and new and updated devices
7 | Program renewal | Periodic BYOD health check
7.1 | Monitor and evolve the BYOD program | 12-month review of BYOD user satisfaction, risk, value, and all needed corrective actions

Table 19: BYOD Organizational Readiness Checklist

13 Appendix B – MDM Standard Capabilities Starter Template

The following table is a non-exhaustive Mobile Device Management (MDM) Standard Capabilities Starter Template. Organizations should carefully consider adding capabilities to this list as they are warranted, with an eye towards risk and added value.

Feature Area | Feature
Application Management | List authorized applications based upon user groups
 | Install and remove applications
 | Enable and disable applications
 | Remove managed applications
 | Update applications
 | Install certificates
 | Enable/prevent user from uninstalling applications
 | Check to ensure required applications are installed
 | Check if an application is currently running
 | Add/remove applications from whitelist/blacklist
 | Wipe application data
Configuration Management | Enable/disable camera and microphone
 | Allow automatic synchronization while roaming
 | Disable push while roaming
 | Remove managed Exchange account and data
 | Enable/disable Wi-Fi
 | Control access points
 | Enable/disable Bluetooth
 | Start/stop Bluetooth discovery
Exchange Server | Configure ActiveSync
 | Create new Exchange account
 | Set Exchange account display name
 | Set Exchange account sync interval
 | Set Exchange account protocol version
 | Set Exchange account sender name
 | Set Exchange account sender signature
Password Policy | Allow simple passwords
 | Require alphanumeric values for password
 | Enforce minimum password length
 | Enforce maximum password age
 | Enforce minimum password complexity
 | Enforce password history
 | Get device password
 | Set device password
 | Set maximum number of failed login attempts before device wipe
Security Management | Remote lock and unlock
 | Remote wipe
 | Remote reset
 | Remove configuration data
 | Lock management functions on device
 | Lock device after specified inactivity period
 | Full device encryption
 | Wipe encrypted data
 | SD card encryption
 | Add/remove whitelist/blacklist from device

Table 20: Mobile Device Management Standard Capabilities Starter Template
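The template lists capabilities but does not show how an organization turns them into a check that a given device actually satisfies its policy. The following is an added example, not code from the dissertation or from any MDM product: it assembles a policy from the application management, password policy and security management areas above and evaluates a device inventory report against it, mapping each violation back to the template capability that remediates it. The field names, package names, policy values and the sample report are constructed for illustration; a real MDM exposes the same facts through its own API.

```python
"""Added example, not part of the dissertation or of any MDM product.

Evaluates a device's inventory report against an MDM policy assembled from
the capability areas of the starter template (application management,
password policy, security management). Field names, policy values and the
sample report are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class MdmPolicy:
    required_apps: Set[str]
    blacklisted_apps: Set[str]
    whitelisted_apps: Set[str] = field(default_factory=set)  # empty: no whitelist mode
    min_password_length: int = 8
    require_alphanumeric: bool = True
    max_password_age_days: int = 90            # device value 0 means "never expires"
    min_password_history: int = 5
    max_failed_attempts_before_wipe: int = 10  # device value 0 means "never wipe"
    max_inactivity_minutes: int = 5            # device value 0 means "never locks"
    require_full_device_encryption: bool = True
    require_sd_card_encryption: bool = True


@dataclass
class Finding:
    check: str    # violated control
    detail: str   # what the device reported
    action: str   # template capability that remediates it


def _limit_violated(reported: int, limit: int) -> bool:
    """True when a device-side maximum is disabled (0) or looser than the policy."""
    return reported == 0 or reported > limit


def evaluate(policy: MdmPolicy, report: Dict) -> List[Finding]:
    found: List[Finding] = []
    installed = set(report["installed_apps"])
    running = set(report.get("running_apps", ()))

    # Application management: required, blacklisted and (optionally) whitelisted apps.
    for app in sorted(policy.required_apps - installed):
        found.append(Finding("required-app-missing", app, "Install application"))
    for app in sorted(installed & policy.blacklisted_apps):
        action = "Remove managed application"
        if app in running:  # a running blacklisted app may hold organizational data
            action += "; wipe application data"
        found.append(Finding("blacklisted-app-installed", app, action))
    if policy.whitelisted_apps:
        for app in sorted(installed - policy.whitelisted_apps - policy.required_apps):
            found.append(Finding("app-not-whitelisted", app, "Remove managed application"))

    # Password policy as configured on the device.
    pw = report["password"]
    if pw["min_length"] < policy.min_password_length:
        found.append(Finding("password-min-length", str(pw["min_length"]),
                             "Enforce minimum password length"))
    if policy.require_alphanumeric and not pw["alphanumeric"]:
        found.append(Finding("password-alphanumeric", "simple password allowed",
                             "Require alphanumeric values for password"))
    if _limit_violated(pw["max_age_days"], policy.max_password_age_days):
        found.append(Finding("password-max-age", f"{pw['max_age_days']} days",
                             "Enforce maximum password age"))
    if pw["history"] < policy.min_password_history:
        found.append(Finding("password-history", str(pw["history"]),
                             "Enforce password history"))

    # Security management: wipe threshold, inactivity lock, encryption.
    attempts = report["max_failed_attempts_before_wipe"]
    if _limit_violated(attempts, policy.max_failed_attempts_before_wipe):
        found.append(Finding("failed-attempts-wipe", str(attempts),
                             "Set maximum number of failed login attempts before device wipe"))
    if _limit_violated(report["inactivity_lock_minutes"], policy.max_inactivity_minutes):
        found.append(Finding("inactivity-lock", f"{report['inactivity_lock_minutes']} min",
                             "Lock device after specified inactivity period"))
    if policy.require_full_device_encryption and not report["full_device_encryption"]:
        found.append(Finding("full-device-encryption", "disabled", "Full device encryption"))
    if policy.require_sd_card_encryption and not report["sd_card_encryption"]:
        found.append(Finding("sd-card-encryption", "disabled", "SD card encryption"))
    return found


def is_compliant(policy: MdmPolicy, report: Dict) -> bool:
    return not evaluate(policy, report)


# Constructed sample data (hypothetical package names and values).
SAMPLE_POLICY = MdmPolicy(
    required_apps={"com.example.mail", "com.example.vpn"},
    blacklisted_apps={"com.example.cloudsync"},
)
SAMPLE_REPORT = {
    "device_id": "dev-0001",
    "installed_apps": {"com.example.mail", "com.example.cloudsync"},
    "running_apps": {"com.example.cloudsync"},
    "password": {"min_length": 4, "alphanumeric": False, "max_age_days": 0, "history": 0},
    "max_failed_attempts_before_wipe": 0,
    "inactivity_lock_minutes": 60,
    "full_device_encryption": True,
    "sd_card_encryption": False,
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_POLICY, SAMPLE_REPORT):
        print(f"{SAMPLE_REPORT['device_id']} {finding.check}: {finding.detail} -> {finding.action}")
```

The value 0 is treated as "limit disabled" for the maximum-age, failed-attempts and inactivity settings because that is how such settings commonly read on a device; a policy check that only compared magnitudes would pass a device whose wipe threshold is switched off entirely.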

14 Appendix C – Survey Questionnaire

Welcome

Introduction: You are invited to participate in a study about the security aspects of personal mobile devices (smartphones and tablets) used in organizations. This phenomenon is popularly known as Bring Your Own Device (BYOD) and is very prevalent in today's business world. You are being asked to participate in this survey because of your subject matter expertise in the areas of security systems engineering, project management, and policy management. Participation is voluntary; however, if you accept, we ask that you complete the survey accurately. Your employment status will not be affected in any way should you choose not to take part or to withdraw at any time.

Research: This questionnaire is part of a research study conducted by the author under the direction of Dr. Thomas Mazzuchi, supervised by HRC advisers Dr. Timothy Blackburn P.E., Dr. Paul Blessner, and Dr. William Olson, all from the George Washington University. We thank you in advance for your time.

Confidentiality: This questionnaire is anonymous and confidential, and all responses will be kept in a secure location in encrypted form. There is a small chance that someone not on our research team could find out that you took part in the study or somehow connect your name with the information we collect about you. However, the following steps are being taken to reduce this risk: all responses are anonymous, and no personal information, including name, email, and IP address, will be recorded or stored anywhere in any capacity. Should you have any questions about this study, please contact Dr. Thomas Mazzuchi at 202-994-7541. If you have any questions about your rights as related to this study, please feel free to contact the George Washington Office of Human Research at 202-994-2715.

Benefits: Taking this survey may not benefit you directly; however, the benefits to society will include improved and more secure implementations of BYOD, with additional services becoming available to users of BYOD and their respective organizations.

Time: The survey may take 20-25 minutes to complete. The author sincerely thanks you for your support and time.

Instructions and Definitions

Instructions: The survey is web based. Please read each question carefully, think about the scenario, and then choose the proper selection. Throughout the survey, some words including the ones below appear in blue. When you hover over them, helpful balloons appear with definitions.

Definitions: The following operational definitions are provided to help you while taking the survey; again, they are highlighted in blue throughout the survey and with a simple hover over the words, you will see the definitions:

• Multi-factor authentication: authentication that requires two or more independent factors (something the user knows, has, or is) before access is granted. For example, after a username and password are entered, a second factor such as a retina scan or a smart card may be required before authentication is accepted.

• Two-way authentication: also called mutual authentication; the mobile device is authenticated by the server and the server is authenticated by the device, so that each side knows the other is legitimate.

• Security breach: any incident that results in loss of data or information, disrupts the normal flow of day-to-day operations, or grants unauthorized access to systems or data.

• Unauthorized access: any access that has not been specifically and officially (via a written policy) authorized; it also includes promoting such activity.

• PKI: short for Public Key Infrastructure, a comprehensive set of technologies and policies for creating digital certificates, issuing them to users or devices, verifying and identifying those entities as needed, monitoring and controlling the use of certificates, expiring and renewing them, revoking compromised certificates, and providing the appropriate personnel and systems with the information they need about the use and status of the certificates. PKI can be implemented by an organization for its own internal use, much like a business issuing IDs to its employees, or it can be outsourced to external certificate authorities such as VeriSign and Entrust.

• Mobile devices: for the purpose of this survey, mobile devices are smartphones or tablets (such as iPhones, iPads, Galaxies, other Android-based devices, BlackBerries, and Windows Phones) that are personally owned and used to access organizational resources, whether locally or remotely (Bring Your Own Device or BYOD).

• Rogue devices: devices that are not approved by the organization but that have been used to access organizational resources. These can be devices belonging to an unauthorized third party, devices that were once approved but have since been disallowed, or any device that has not been through a registration, vetting, and provisioning process before being allowed to access organizational resources.

• Whitelisting/Blacklisting: whitelisting refers to an application going through a vetting process that determines it has no known security flaws and that its use does not present a risk to the organization. Blacklisting is the opposite, where the application is flagged as a risk if used.

Demographics Section

Q0.1 What is the current industry of your organization?
Information Technology/Information Systems; Healthcare/Biotechnology; Education; Manufacturing; Telecommunication; Finance/Accounting; Engineering; Other (please specify)

Q0.2 What is your job title where you work?
CSO/CISO; Project Manager/IT Manager/Director/CIO; Security Administrator/Security Manager; Security Analyst/Compliance Officer/Auditor; Security Architect/Security Engineer; Other (please specify)

Q0.3 How many years of work experience do you have in information systems security?
None; 1-5 years; 6-10 years; 11-15 years; More than 15 years

Q0.4 What is the highest educational degree you have earned?
High School; Associate Degree; Bachelor Degree; Master Degree; Doctorate Degree

Q0.5 What is the size of your organization?
50 or less; 51-250; 251-500; 501-1000; 1001 or more

Independent Questions (Xs)

Existing Mobile Security Implementations: Questions in this section refer to your organization.

Q4.1x, Q4.2x, Q4.3x, Q4.4x, Q4.5x, Q4.6x, Q4.7x (the question text appeared as images in the original and is not reproduced here)

Dependent Questions (Ys)

Technology Breaches: Questions in this section refer to your organization.

Q1y through Q12y (the question text appeared as images in the original and is not reproduced here)

15 Appendix D – Semi-Structured Experts Panel Survey Questionnaire

Welcome

Introduction: You are invited to participate in a study about the security aspects of personal mobile devices (smartphones and tablets) used in organizations. This phenomenon is popularly known as Bring Your Own Device (BYOD) and is very prevalent in today's business world. You are being asked to participate in this survey because of your subject matter expertise in the areas of security systems engineering, project management, and policy management. Participation is voluntary; however, if you accept, we ask that you complete the survey accurately. Your employment status will not be affected in any way should you choose not to take part or to withdraw at any time.

Research: This questionnaire is part of a research study conducted by the author under the direction of Dr. Thomas Mazzuchi, supervised by HRC advisers Dr. Timothy Blackburn P.E., Dr. Paul Blessner, and Dr. William Olson, all from the George Washington University. We thank you in advance for your time.

Confidentiality: This questionnaire is anonymous and confidential, and all responses will be kept in a secure location. There is a small chance that someone not on our research team could find out that you took part in the study or somehow connect your name with the information we collect about you. However, the following steps are being taken to reduce this risk: all responses are anonymous, and no personal information, including name, email, and IP address, will be recorded or stored anywhere in any capacity. Should you have any questions about this study, please contact Dr. Thomas Mazzuchi at 202-994-7541. If you have any questions about your rights as related to this study, please feel free to contact the George Washington Office of Human Research at 202-994-2715.

Benefits: Taking this survey may not benefit you directly; however, the benefits to society will include improved and more secure implementations of BYOD, with additional services becoming available to users of BYOD and their respective organizations.

Time: The survey may take 20-25 minutes to complete. The author sincerely thanks you for your support and time.

Demographics Section

Q1 What is your job title where you work?
CSO/CISO; Project Manager/IT Manager/Director/CIO; Security Administrator/Security Manager; Security Analyst/Compliance Officer/Auditor; Security Architect/Security Engineer; Other (please specify)

Q2 How many years of work experience do you have in information systems security?
None; 1-5 years; 6-10 years; 11-15 years; More than 15 years

Q3 What is the highest educational degree you have earned?
High School; Associate Degree; Bachelor Degree; Master Degree; Doctorate Degree

Q4 What is the size of your organization?
50 or less; 51-250; 251-500; 501-1000; 1001 or more

Q5 Please list your strongest qualifications.

Questions

The following factors were identified as required for mobile security and Bring Your Own Device (BYOD) mobile security. How completely do you believe these factors address the security concerns of mobile device BYOD? If you believe other factors are needed that are not listed, please list them and explain why you feel these additional factors are necessary and why they are not covered by one of the 12 factors listed below.

1. Prevention of data security breaches. This includes data loss, stolen data, or unauthorized data alteration.

2. Prevention of wireless (Wi-Fi) security breaches.

3. Prevention of cellular security breaches.

4. Prevention of rogue mobile device access to corporate data, network, and applications.

5. Prevention of mobile authentication related security breaches. This includes device and user authentication breaches.

6. Prevention of mobile security breaches related to lost or stolen mobile devices.

7. Prevention of unauthorized mobile device access. This differs from rogue device prevention in that the device may be approved but in the wrong hands, or may be an approved device with an approved user who is accessing data and resources they should not have access rights to.

8. Prevention of mobile security breaches related to employees' lack of understanding of security policies.

9. Prevention of mobile security breaches related to lack of education and/or mandatory security training for employees.

10. Prevention of mobile security breaches related to employees' claims of being unaware of organizational policies.

11. Prevention of document related security breaches via mobile devices. Breaches can be improper sharing, improper saving to cloud or portable media, improper emailing, improper printing, improper scanning, and improper photographing.

12. Prevention of mobile security breaches related to application (app) security flaws.

Q The above 12 factors are complete in that they encompass the necessary areas of security concern related to mobile device operation in an enterprise, including Bring Your Own Device (BYOD) operation.
Strongly Agree; Agree; Neither Agree nor Disagree; Disagree; Strongly Disagree

Your notes and comments: