
Chapter 12 - 03 - Discuss Common Mobile Usage Policies in Enterprises - 01_ocred.pdf


Full Transcript

Certified Cybersecurity Technician - Mobile Device Security - Exam 212-82 (Module 12)
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Flow

- Discuss Security Risks and Guidelines Associated with Enterprises Mobile Usage Policies
- Understand Various Mobile Device Connection Methods
- Discuss and Implement Enterprise-level Mobile Security Management Solutions
- Discuss Mobile Device S
- Discuss Common Mobile Usage Policies in Enterprises
- Discuss and Implement General Security Guidelines and Best Practices on Mobile Platforms

Discuss Common Mobile Usage Policies in Enterprises

An organization that enables its employees to work remotely using a smartphone or tablet must design a policy to secure these devices and protect the company data. This section introduces the various mobile usage policies that can be implemented by an organization based on its requirements.

Mobile Use Approaches in Enterprise

Organizations follow four types of approaches to grant permissions to employees to use mobile devices for business purposes. An organization can implement any of the following policies based on its requirements as well as the role and responsibilities of its employees to enable them to use mobile devices for business purposes.

- BYOD (Bring Your Own Device)
- COPE (Company Owned, Personally Enabled)
- COBO (Company Owned, Business Only)
- CYOD (Choose Your Own Device)

The following questions can help an organization to determine which approach to follow:

- Device Specific
  o Device type (which device to use (smartphone/phablet/laptop)?)
  o Selection of device (who uses which devices?)
  o Who pays for the device?
  o Service providers for cellular connectivity and monthly plans
- Management and Support
  o Who manages the device?
  o Who is responsible for support?
- Integration and Application
  o Describe how closely the device is integrated and important for everyday workflow
  o Describe the installed/running applications
  o Should personal applications be restricted?

Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD)/Bring Your Own Technology (BYOT)/Bring Your Own Phone (BYOP)/Bring Your Own PC (BYOPC) refers to a policy that allows employees to bring their personal devices such as laptops, smartphones, and tablets to the workplace and use them for accessing the organizational resources based on their access privileges. The BYOD policy allows employees to use the devices they are comfortable with that best fit their preferences and work purposes. With the “work anywhere, anytime” strategy, the BYOD trend encounters challenges in securing the company data and satisfying compliance requirements.

BYOD Advantages

The adoption of BYOD is advantageous to the company as well as its employees.
Its advantages include:

- Increased productivity and employee satisfaction
- Enhances work flexibility
- Lower IT costs
- Increased availability of resources

BYOD Disadvantages

- Difficult to maintain security access in organizational networks
- Increased compatibility issues
- Reduced scalability

BYOD Policy Implementation

For the implementation of the BYOD policy, the employee devices must be introduced to the corporate environment to minimize the risks associated with data security and privacy.

- Define the requirements
  Not all user requirements are similar. Thus, the employees must be grouped into segments considering the job criticality, time sensitivity, value derived from mobility, data access, and system access. Further, end user segments should be defined based on the location/type of worker (e.g., an employee working from home, full-time remote, day extender, part-time remote), and a technology portfolio should be assigned for each segment based on user needs.
  Privacy impact assessment (PIA) should also be performed at the beginning of each BYOD project in the presence of all relevant teams after assigning the responsibilities and collecting the requirements. It provides an organized procedure to document the facts, objectives, privacy risks, and risk mitigation approaches and decisions throughout the project lifecycle. It should be a central activity performed by the mobile governance committee (end users from each segment/line of business and IT management).
- Decide how to manage the employee devices and their data access
  Apart from the mobile device management (MDM) system that provides a minimum level of control, other options such as virtual desktops or on-device software can be used to improve the security and data privacy. Additionally, it should be ensured that the corporate environment supports WLAN device connectivity and management.
- Develop policies
  o A delegation of company resources should develop the policies, instead of just IT. It should include key participants such as HR, legal, security, and privacy.
  o Each device (smartphone, PC, laptop, tablet, or even smartwatch) and OS in the BYOD policy of a company should be listed; devices with a poor security record should not be permitted. This involves only permitting devices with specific OSes or manufacturers.
  o Establish a policy to determine a reasonable, binding policy regarding BYOD to secure businesses and employees.
  o The IT staff of an organization should be trained about the various platforms, devices, and OSes to familiarize them with the risks associated with wrong device handling or to avoid the security threats imposed by a BYOD work environment.
  o The BYOD policy should also ensure that the devices are appropriately backed up to prevent the loss of critical data under unforeseen circumstances.
- Security
  The mobile management technology is effective only when suitable policies are established, implemented, and supported. The organizations must ensure sufficient security in the mobile ecosystem to make the BYOD programs work. This requires a thorough assessment of the operating environment and the development of a solution that provides the following.
  o Asset and identity management
  o Local storage controls
  o Removable media controls
  o Network access levels
  o Network application controls
  o Corporate versus personal app controls
  o Web and messaging security
  o Device health management
  o Data loss prevention
- Support
  The inconsistent nature of BYOD users will increase the frequency of support calls. Therefore, organizations should establish suitable processes and capabilities in the early stages to ensure success. Mobile committees should frequently reassess the support levels and ensure the productivity of their mobile employees.

Choose Your Own Device (CYOD)

Choose Your Own Device (CYOD) refers to a policy that allows employees to select devices such as laptops, smartphones, and tablets from the list of devices approved by the company. The company purchases the selected device, and the employees use it for accessing the organizational resources according to their access privileges.

CYOD Benefits

- Streamline device options
- Devices compatible with the company security policy
- Employee satisfaction with company’s control
- Lower cost compared to COPE

Choose Your Own Device (CYOD) refers to a policy in which the employees select their device of choice from a preapproved set of devices (laptops, smartphones, and tablets) to access company data according to the access privileges of an organization. For example, allowing employees to select an Apple device instead of Android devices.
CYOD has recently garnered more attention than BYOD in the business world because securing BYOD systems can be difficult considering the various devices available in the market, and employees store personal and professional data irrespective of whether a device is personal or belongs to the employer.

CYOD Advantages

- Users are allowed to carry only one smartphone and one tablet.
- It reduces hardware costs compared to COPE.
- End users are still in control of their own technology.
- Procurement standards are stricter than those of BYOD.
- Its support standards are streamlined.
- Each security device is preinstalled with a security solution and predefined firewall and network settings of a dedicated administrator.
- Administration of a small number of different specifications makes record-keeping easy.
- Employees comply with data and information management requirements.

CYOD Disadvantages

- Some IT staff may not be happy with the choices.
- It involves a more complex procurement process than BYOD or COPE.
- End users face replacement and repair problems.
- It needs to be updated with the mobile technology / apps used by the organizations.
- It comprises a slower deployment timeframe.
