BYOD security question

Currently have a client who are looking to encourage Bring Your Own Device for their students and some potential staff. All access would be via a web facing portal or access to remote desktop farm via https website. The wireless networks in place are segregated in a way that you cannot access the corporate network. So this would essentially be an internet connection which would connect in as if working from home.

I am trying to investigate whether there is enough security here or if they should be implementing a network access control system and mobile device management systems for better management and security.

Does anyone have any thoughts on this? As my security knowledge is very high level.

Thanks

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • I also should have mentioned that they would only be accessing from the wireless network.

    One thing I never thought of when I was looking at data leakage was snipping data, locking the screen as a resolution which Bernd mentioned, I will now be adding this into that test.

    Cheers!
     
    Ricky Meechan said:

    Thank you very much for all of your replies.

    The students are only their own work, The staff (which has not yet been encouraged) would be accessing more sensitive data (student records, health care data etc.)

    I raised a high recommendation regarding data leakage prevention which included areas such as allowing uploading to uncontrolled cloud storage, allowing copy of data from the remote desktop session to uncontrolled machines, enforcing data/hardware encryption on sensitive data leaving the site and controlling attachments etc being downloaded from webmail solutions amongst others.

    I also raised as a separate recommendation that they request a security penetration test on their wireless network as well as the external penetration test they had plans to purchase.

    The security in place around the network and remote working solution was adequate. I think with these steps in place they can trial it and see how they get one.

    The whole idea for them to go down the BYOD route was to save money, I don't like the idea personally and think it is more hassle than it is worth and probably not that cheaper if done correctly. But each to their own!

  • Thank you very much for all of your replies.

    The students are only their own work, The staff (which has not yet been encouraged) would be accessing more sensitive data (student records, health care data etc.)

    I raised a high recommendation regarding data leakage prevention which included areas such as allowing uploading to uncontrolled cloud storage, allowing copy of data from the remote desktop session to uncontrolled machines, enforcing data/hardware encryption on sensitive data leaving the site and controlling attachments etc being downloaded from webmail solutions amongst others.

    I also raised as a separate recommendation that they request a security penetration test on their wireless network as well as the external penetration test they had plans to purchase.

    The security in place around the network and remote working solution was adequate. I think with these steps in place they can trial it and see how they get one.

    The whole idea for them to go down the BYOD route was to save money, I don't like the idea personally and think it is more hassle than it is worth and probably not that cheaper if done correctly. But each to their own!

  • Ricky, there are a lot good suggestions here. Since I am based in Germany it may be that German law would be different then where you reside.

    Anyhow, besides what especially Betsy pointed out I would make sure that all people who want/need to connect have to sign an NDA. Make sure that strict enforcements are included in a very clear and straight forward written Policy. As a matter of fact you will reduce internal offenders/inside hackers by 60 to 80% making that point up front.

    2nd thing I would implement is certainly a very well defined firewall keeping the users from doing illegal things from out of the internal W-LAN-system. Make sure to have a policy in place here, too. Just imagine some guy starts to share child pornography, making up an online shop for drugs, trades Music or Videos online or whatever illegal thing (get my point?) and the Feds are coming in… here you could not be sure which equipment would be confiscated (which would lead to unclear and maybe unmanageable downtime). Maybe even Internet Access is while working on the Net prohibited as a solution similar to VPN allowing only one tunnel to be opened at a time??

    3rd thing I would check – especially if the data accessed is critical or secret: is it possible to lock the screen with e.g. code from being copied/snipped? On the other hand: if people are allowed to print you would need a solution here, too.

    4th – Check, if data is vital to your customer, if an Endpoint Protection Solution is increasing the security level to the desired state.

    And – certainly all the other security measures you would apply to an online shop will apply also to your final solution.

  • Completely agree with Betsy :)

  • I would recommend you do this on a trial basis with one to three people. If nothing untoward - like someone attempting to hack the system - happens, then expand the number of users with their own devices. Again, test and continue repeating this cycle until everyone has access who has requested it. Also, I would say anyone who violates the trust or hacks the system is expelled immediately and let the whole group know this will put all at risk, too.

  • Depends on the risk, I would start by asking the following:

    What type of data are the students and staff accessing? Is there potential for it to be sensitive? E.g health care data or personally identifiable information?

    Are there any concerns of sensitive data being removed from the network resources and downloaded onto a personal device?

    What does the wireless network have to do with this? is the only way the staff and students would be able to access this resource?Is there anything in place to stop someone from directly connecting a personal device to the internal network via a network jack?

    If there are no serious concerns about the type of data that is being accessed, that the network resource they are accessing has been segregated appropriately and that there's monitoring in place for anomalous activity- all i'd recommend is that they implement 2factor authentication and remind end users to install anti-virus software and keep their software up to date.

  • Hi,

    In fact the web base access is sufficient security and no harm to the company network since the people can access anywhere they want with user log in and password. When you don't want someone to log in into the system, you only need to deactivate the user name and password. 

    The access control you only need to do is to monitor the access right of granted users and make sure they can't log in when they are no longer eligible to access into the system.

    Hope this helps

  • In my view there is never enough security. Be sure and implement a network access control system and mobile device management system. Why not?

  • We may allow cloud sharing with secure passwords.

  • A complex situation. My observation is that the individuals bringing their own devices will do their darndest to bypass the security. So the security has to expect hacking. Companies can find it hard to believe their own staff would do such a thing but they do. The benefits may be worth it but my advice is proceed with caution and expect the worst. 

This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1137

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 244

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 177

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 381

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 114

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead