Approaching the BYOD trend securely
Master thesis
Permanent link: http://hdl.handle.net/11250/2616166
Publication date: 2017
Abstract
Employees are increasingly bringing their personal devices into the work environment, and they often use these devices to access company data. This trend is commonly referred to as Bring Your Own Device (BYOD).
In this Master's thesis I have conducted a Systematic Literature Review (SLR) of research literature that identifies and discusses the benefits, threats and risks associated with BYOD. The literature was then analyzed to identify some of the most common risk mitigation methods, and to gain insight into how a policy governing the use of personal devices in a work environment can be designed, implemented and enforced.
The findings indicate that using personal devices for work-related tasks can lead to benefits such as increased productivity, flexibility and employee satisfaction, and in some cases reduced IT costs. Realizing these benefits, however, depends on the risks and threats to the confidentiality and integrity of company data being properly identified and mitigated, and on employees being aware of the identified risks and the corresponding control measures.
The main risks were found to be information leakage and data loss, and the most prominent threats include malware, lost or stolen devices, use of open Wi-Fi networks, and non-technical attacks such as phishing and social engineering. Encryption of data at rest and in transit, isolation of company and private data, access control enforcement, anti-malware tools, enforcement of strong passwords, the ability to remotely lock devices and delete company data from a personal device, and having a well-defined BYOD policy were all found to be good risk mitigation methods.
The new privacy regulation for European Union countries, the General Data Protection Regulation (GDPR), will be in effect from May 2018. I have identified certain BYOD-relevant regulatory requirements in GDPR and highlighted some privacy-enhancing recommendations. It is very important to acquire written consent from the data subject if personal data are to be processed. It is also very important to document all information security procedures, and to ensure that any data processing partners also have sufficient information security procedures.
Finally, I have examined how employers can gain valuable insight into BYOD management from the ISO/IEC 27000 family of standards and the AXELOS frameworks ITIL and RESILIA.
ISO/IEC 27001 and 27002 do not explicitly mention BYOD, even though some controls in ISO/IEC 27002 should be applicable to a BYOD program. From an ITIL/RESILIA standpoint it is important to understand which devices are being used within the corporate environment and how they are used, so that risks to the company's assets can be identified and mitigated. Several of the control objectives and processes in ITIL and RESILIA provide valuable insight into how to manage a BYOD program.