Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)
CSOC Protect Notice: Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD), June 2013 (available as PDF and HTML)
Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. Some of these opportunities might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).
This document provides senior business representatives with a list of enterprise mobility considerations including business cases, regulatory obligations and legislation, available budget and personnel resources, as well as risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.
This document aims to help readers understand and mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks can be partially mitigated through a policy outlining the permitted use of devices, including the behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations. Organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.
This document complements advice in the Australian Government Information Security Manual, ASD Protect publication BYOD Considerations for Executives and ASD device-specific hardening guides.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.