dc.description.abstract | Employees are increasingly bringing their personal devices into the work environment, and they often use these devices to access company data. This trend is commonly referred to as Bring Your Own Device (BYOD).

In this Master's thesis I have conducted a Systematic Literature Review (SLR) of research literature that identifies and discusses the benefits, threats and risks associated with BYOD. The literature was then analyzed to identify some of the most common risk mitigation methods, and to gain insight into how a policy governing the use of personal devices in a work environment can be designed, implemented and enforced.

The findings indicate that using personal devices for work-related tasks can lead to benefits such as increased productivity, flexibility, employee satisfaction, and in some cases reduced IT costs. Realizing these benefits is, however, contingent on risks and threats to the confidentiality and integrity of company data being properly identified and mitigated, and on employees being aware of the identified risks and the corresponding control measures.

The main risks were found to be information leakage and data loss, and the most prominent threats include malware, lost or stolen devices, use of open Wi-Fi networks, and non-technical attacks such as phishing and social engineering. Encryption of data at rest and in transit, isolation of company and private data, access control enforcement, anti-malware tools, enforcement of strong passwords, the ability to remotely lock devices and delete company data on a personal device, and having a well-defined BYOD policy were all found to be good risk mitigation methods.

The new privacy regulation for European Union countries, the General Data Protection Regulation (GDPR), will be in effect from May 2018. I have identified certain BYOD-relevant regulatory requirements in GDPR and highlighted some privacy-enhancing recommendations. It is very important to acquire written consent from the data subject if personal data are to be processed. It is also very important to document all information security procedures, and to ensure that any data processing partners also have sufficient information security procedures.

Finally, I have examined how employers can gain valuable insight into BYOD management from the ISO/IEC 27000 family of standards and the AXELOS frameworks ITIL and RESILIA. ISO/IEC 27001 and 27002 do not explicitly mention BYOD, even though some controls in ISO/IEC 27002 should be applicable to a BYOD program. From an ITIL/RESILIA standpoint it is important to understand which devices are being used within the corporate environment and how they are used, so that risks to the company's assets can be identified and mitigated. Several of the control objectives and processes in ITIL and RESILIA provide valuable insight into how to manage a BYOD program. | en |