
Chapter 12 - 03 - Discuss Common Mobile Usage Policies in Enterprises - 01_ocred_fax_ocred.pdf



Certified Cybersecurity Technician Exam 212-82
Mobile Device Security

Module Flow

- Understand Various Mobile Device Connection Methods
- Discuss Mobile Device Management Concepts
- Discuss Common Mobile Usage Policies in Enterprises
- Discuss Security Risks and Guidelines Associated with Enterprises Mobile Usage Policies
- Discuss and Implement Enterprise-level Mobile Security Management Solutions
- Discuss and Implement General Security Guidelines and Best Practices on Mobile Platforms

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Discuss Common Mobile Usage Policies in Enterprises

An organization that enables its employees to work remotely using a smartphone or tablet must design a policy to secure these devices and protect the company data. This section introduces the various mobile usage policies that can be implemented by an organization based on its requirements.

Mobile Use Approaches in Enterprise

Organizations follow four types of approaches to grant permissions to employees to use mobile devices for business purposes.

An organization can implement any of the following policies based on their requirements as well as the role and responsibilities of its employees to enable them to use mobile devices for business purposes.
- BYOD (Bring Your Own Device)
- COPE (Company Owned, Personally Enabled)
- COBO (Company Owned, Business Only)
- CYOD (Choose Your Own Device)

The following questions can help an organization to determine which approach to follow:

- Device Specific
  o Device type (which device to use (smartphone/phablet/laptop)?)
  o Selection of device (who uses which devices?)
  o Who pays for the device?
  o Service providers for cellular connectivity and monthly plans
- Management and Support
  o Who manages the device?
  o Who is responsible for support?
- Integration and Application
  o Describe how closely the device is integrated and important for everyday workflow
  o Describe the installed/running applications
  o Should personal applications be restricted?

Bring Your Own Device (BYOD)

Bring your own device (BYOD) refers to a policy that allows employees to bring their personal devices such as laptops, smartphones, and tablets to the workplace and use them for accessing the organizational resources based on their access privileges. The BYOD policy allows employees to use the devices that they are comfortable with and that best fit their preferences and work purposes.

BYOD Benefits

- Increased productivity
- Work flexibility
- Employee satisfaction
- Lower costs

Bring Your Own Device (BYOD)/Bring Your Own Technology (BYOT)/Bring Your Own Phone (BYOP)/Bring Your Own PC (BYOPC) refers to a policy that allows employees to bring their devices such as laptops, smartphones, and tablets to the workplace and use them for accessing the organizational resources based on their access privileges.
The BYOD policy allows employees to use the devices they are comfortable with that best fit their preferences and work purposes. With the “work anywhere, anytime” strategy, the BYOD trend encounters challenges in securing the company data and satisfying compliance requirements.

BYOD Advantages

The adoption of BYOD is advantageous to the company as well as its employees. Its advantages include:

- Increased productivity and employee satisfaction
- Enhances work flexibility
- Lower IT costs
- Increased availability of resources

BYOD Disadvantages

- Difficult to maintain security access in organizational networks
- Increased compatibility issues
- Reduced scalability

BYOD Policy Implementation

For the implementation of the BYOD policy, the employee devices must be introduced to the corporate environment to minimize the risks associated with data security and privacy.

- Define the requirements

  Not all user requirements are similar. Thus, the employees must be grouped into segments considering the job criticality, time sensitivity, value derived from mobility, data access, and system access. Further, end user segments should be defined based on the location/type of worker (e.g., an employee working from home, full-time remote, day extender, part-time remote), and a technology portfolio should be assigned for each segment based on user needs.

  Privacy impact assessment (PIA) should also be performed at the beginning of each BYOD project in the presence of all relevant teams after assigning the responsibilities and collecting the requirements.
  It provides an organized procedure to document the facts, objectives, privacy risks, and risk mitigation approaches and decisions throughout the project lifecycle. It should be a central activity performed by the mobile governance committee (end users from each segment/line of business and IT management).

- Decide how to manage the employee devices and their data access

  Apart from the mobile device management (MDM) system that provides a minimum level of control, other options such as virtual desktops or on-device software can be used to improve the security and data privacy. Additionally, it should be ensured that the corporate environment supports WLAN device connectivity and management.

- Develop policies
  o A delegation of company resources should develop the policies, instead of just IT. It should include key participants such as HR, legal, security, and privacy.
  o Each device (smartphone, PC, laptop, tablet, or even smartwatch) and OS in the BYOD policy of a company should be listed; devices with a poor security record should not be permitted. This involves only permitting devices with specific OSes or manufacturers.
  o Establish a reasonable, binding policy regarding BYOD to secure businesses and employees.
  o The IT staff of an organization should be trained about the various platforms, devices, and OSes to familiarize them with the risks associated with wrong device handling or to avoid the security threats imposed by a BYOD work environment.
  o The BYOD policy should also ensure that the devices are appropriately backed up to prevent the loss of critical data under unforeseen circumstances.

- Security

  The mobile management technology is effective only when suitable policies are established, implemented, and supported.
  The organizations must ensure sufficient security in the mobile ecosystem to make the BYOD programs work. This requires a thorough assessment of the operating environment and the development of a solution that provides the following:
  o Asset and identity management
  o Local storage controls
  o Removable media controls
  o Network access levels
  o Network application controls
  o Corporate versus personal app controls
  o Web and messaging security
  o Device health management
  o Data loss prevention

- Support

  The inconsistent nature of BYOD users will increase the frequency of support calls. Therefore, organizations should establish suitable processes and capabilities in the early stages to ensure success. Mobile committees should frequently reassess the support levels and ensure the productivity of their mobile employees.

Choose Your Own Device (CYOD)

Choose Your Own Device (CYOD) refers to a policy that allows employees to select devices such as laptops, smartphones, and tablets from the list of devices approved by the company. The company purchases the selected device, and the employees use it for accessing the organizational resources according to their access privileges.

CYOD Benefits

- Devices compatible with the company security policy
- Streamline device options
- Employee satisfaction with company’s control
- Lower cost compared to COPE

Choose Your Own Device (CYOD) refers to a policy in which the employees select their device of choice from a preapproved set of devices (laptops, smartphones, and tablets) to access company data according to the access privileges of an organization.
For example, employees may be allowed to select an Apple device instead of Android devices. CYOD has recently garnered more attention than BYOD in the business world because securing BYOD systems can be difficult considering the various devices available in the market, and employees store personal and professional data irrespective of whether a device is personal or belongs to the employer.

CYOD Advantages

- Users are allowed to carry only one smartphone and one tablet.
- It reduces hardware costs compared to COPE.
- End users are still in control of their own technology.
- Procurement standards are stricter than those of BYOD.
- Its support standards are streamlined.
- Each security device is preinstalled with a security solution and predefined firewall and network settings of a dedicated administrator.
- Administration of a small number of different specifications makes record-keeping easy.
- Employees comply with data and information management requirements.

CYOD Disadvantages

- Some IT staff may not be happy with the choices.
- It involves a more complex procurement process than BYOD or COPE.
- End users face replacement and repair problems.
- It needs to be updated with the mobile technology/apps used by the organizations.
- It comprises a slower deployment timeframe.
