Discuss the Implementation of a BYOD System in Aztek.
The project involves the implementation of a BYOD system at Aztek, a financial organization in Australia. The company is facing financial challenges and wants to save IT costs by allowing new employees to use their personal devices for business purposes. Aztek has therefore decided to adopt a BYOD scheme, but this approach is likely to change the security posture of the organization. To remain protected against cybersecurity risks, the company would need to strengthen its security systems to suit the security needs that arise after BYOD adoption. The project would involve the development and implementation of the BYOD scheme (ACHS, 2013).
With the implementation of the BYOD scheme, certain regulatory policies and procedures have to be followed. The Australian Capital Territory is one of the main jurisdictions in which such regulatory policies are defined. At the organizational level, policy-based surveillance can track employee communication so that management knows how employees are using their systems and whether their usage patterns are secure for Aztek (Gilbert, 2014).
There are also laws at the state, federal and territory levels that have to be followed with regard to employment in the organization. At the organizational level, Aztek can install access control systems on the devices used by employees so that employee communication can be tracked and monitored. This would help Aztek ensure that confidential company data is not shared by employees outside the company. Covert surveillance of a suspected employee can be launched, which would allow the company to track that employee after 14 days' notice has been given (APM Group Ltd, 2017).
The NSW Act is one such act, created to govern employee management practices. Under this act, employee activities, including the sending and receiving of files or messages, can be tracked, but only on official accounts. Personal accounts and the resources used by employees may not be tracked (Afaq, et al., 2014).
Another relevant act is the Telecommunications (Interception and Access) Act 1979. This act deals with interception by a company of communication between two employees that is carried out without the knowledge of either employee. The act allows employers to see the content being exchanged but not the related personal information such as email addresses, communication times and metadata. The way this interception may be carried out is set out in section 5F of the act. This provides protection to employers, but only to some extent (Berg, 2010).
A usage policy can be created for IT assets in the BYOD scheme, formulated according to the rules defined in the regulatory acts and covering the types of surveillance, the methods of tracking and the span of interception. The Privacy Act (APP 5) suggests that the following statements can be included in such a policy (Alali & Yeh, 2012):
With the introduction of BYOD devices into the Aztek IT network, the security posture of the company would change, as the private devices of users would now be connected to the critical infrastructure of the organization. The addition of BYOD would bring added risks that alter this posture. The company therefore needs to take these risks into account when defining security management strategies for its IT systems (Avdoshin & Pesotskaya, 2011).
The finance industry poses some barriers to the implementation of BYOD, as security risks are higher in such cases. To manage these risks, industries and regulatory bodies in various countries have identified certain security procedures, and Aztek needs to follow them for enhanced protection. However, regulatory bodies also have certain mandates that would make it difficult for Aztek to keep a high level of control over the mobile devices used by its employees, especially when they are used outside the corporate network. Companies in the finance industry use protection measures for BYOD devices such as the following (Oracle, 2009):
Securing Mobile Devices: Earlier, the company issued mobile phones to its employees, and these devices were procured from the same manufacturer and so had the same make and features. This made it easy for Aztek to create a unified interface for controlling all the devices remotely and to establish a standard usage procedure. With BYOD devices in the company's IT infrastructure, device configurations, makes and features would no longer be the same but would vary significantly, so a single unified system cannot be used to control or secure these devices (ACHS, 2013). The company would need to take the changed device portfolio into account when defining security strategies for mobile systems, which would be more challenging. The system Aztek used earlier for security would no longer be able to support multiple devices belonging to different users, each of whom could have different settings and applications installed. The current device management system of Aztek would not be sufficient, as it would not be able to manage the resulting vulnerabilities, and so a new measure is needed (Bodicha, 2005).
Aztek could lock the mobile devices against personal use so that employees could not misuse them in ways that threaten the security of the company's infrastructure. However, this would discourage employees from using their devices if they did not have freedom in the use of their own device. A new approach that is acceptable to both employer and employees therefore has to be found (Bhatta, 2008).
Some risks arise predominantly when BYOD devices are used as part of the IT infrastructure of Aztek, such as lost or stolen devices, physical access gained by a person outside the company, and a lack of awareness of security implications leading to misuse of devices by employees. If a device is lost or stolen, anyone who obtains it can use it to connect to the company network through the VPN, which would also make it possible for that person to gain access to the confidential information of the organization, which could be dangerous for the company. In such cases, security can be enhanced with password-based encryption, but even that can be cracked at some stage (APM Group Ltd, 2017). The company therefore needs a system in place that allows the device to be wiped remotely and disconnected from the company network, so that the holder cannot connect to organizational applications remotely. This would reduce the chance of damage from a stolen device (Rule Works, 2017).
There could also be instances in which attackers get hold of a device inside or outside the office premises, in which case the risk would be even greater. If the device used is old, the security threat rises further. As the device has been chosen for office use by the employee, the company would have no control over the device's age, specifications or configuration settings unless a BYOD policy defines a minimum configuration that a device must meet before employees may use it for official purposes (CDC, 2006).
When employees use their own personal devices, they want more control over them than the company has, which is why they may change the settings recommended by the company in order to enjoy freedom of use. This can result in essential security features being disabled, thereby increasing the risk to the employer. An employer may not be aware of the change and can fall prey to security problems because of the reduced level of protection (Campbell, 2005).
Some key measures can help the company enhance its security posture when BYOD devices are used, such as:
Managing Application-related Risks: If malicious software applications get installed on mobile devices through a mistake by an employee or by others having access to the device, the security posture of the company is put at risk, as the attacker can launch an attack on the critical infrastructure of the company by connecting through the VPN using the device. Every device configured on the corporate network must be protected with anti-virus and anti-malware software, and the company can make their installation mandatory in company policy (Alali & Yeh, 2012). Moreover, it is essential that devices are managed well by their users, failing which the company would face larger risks. Compartmentalization of company data on the devices can reduce risks further (HP Enterprise, 2015).
Managing the Mobile Environment: Mobile devices must be updated and patched regularly by their users. However, users may not be very particular about such needs, so the company needs to take responsibility by sending notifications, updates and reminders to employees using BYOD devices for regular updates. This would make the environment safer for the company, as the updates would patch new vulnerabilities as the threat scenarios evolve (Curtis & Carey, 2012).
A supportive usage policy may be defined by Aztek for the use of mobile devices by employees for official purposes, defining patching as a mandatory procedure to be completed within a certain time. Moreover, self-service solutions that let employees apply patches or obtain support from the technical staff of the organization can help further (Avdoshin & Pesotskaya, 2011).
The framework used for managing security in cyberspace defines certain practices that are cost-effective, reusable and performance-based. These practices have been identified by a team of security experts and industry professionals working on security systems (Paschke, 2014). The framework presents a mechanism that can be used for defining the security posture of Aztek, exploring the target state of the company network, prioritizing improvement opportunities, assessing security systems and communicating security risks to company stakeholders (Delhi Government, 2014).
Aztek managers can create a checklist based on security categories, functions and industry references for managing the security posture of the company. Some examples of security functions are asset protection, intrusion detection, data recovery, risk identification and risk response planning. Certain security categories can be identified for inclusion in security policies, such as access control, asset management and intrusion detection (Berg, 2010). There can also be sub-categories within these, such as threat notification under intrusion detection and data protection under access control. If all these security themes are addressed in the security measures, the security posture of Aztek can be enhanced (E&Y, 2013).
The security framework defines tiers of security that correspond to different protection levels:
Tier 1: At this level, the company would have only partial protection. Each device would be covered, but risk-based programs would not be integrated into company processes and the processes would not be formalized (Bhatta, 2008).
Tier 2: Risk management processes are formalized at this stage, and activities are prioritized based on security needs and impacts (Paschke, 2014).
Tier 3: The risk management processes and procedures are all formalized, and repeatable security measures that the company can take are defined. The methods defined would be consistent with this level and would help strengthen the security posture of the company by providing better protection (Health and Safety Authority, 2006).
Tier 4: At this stage the company adapts to required changes in its security systems according to the changed security posture and the levels of threat to which it is exposed. Security processes are integrated, and security practices become part of the organizational culture (Elky, 2006).
The framework can be used by Aztek for other purposes as well, such as reviewing the security practices and policies already used in the company so that the scope for improvement can be defined. The framework would also serve as a guide for communicating risks to stakeholders and for enforcement of the policies (Bodicha, 2005).
Security Profile Review: The security posture of the company would be reviewed in order to understand the practices the company uses for detecting threats, protecting its IT systems, responding to risks and recovering from security incidents (Rule Works, 2017). The current structure of the company follows its traditional system, in which all connected devices were owned by the company. However, the company now needs to alter its security management structure to adapt to the needs of BYOD devices and to enhance its level of protection (John Snow, Inc., 2010).
| Risk Category | Stakeholders | Requirements |
| --- | --- | --- |
| Identity theft | Employees, Users | Personal information of users and employees needs to be protected from being stolen or leaked (European Commission, 2010) |
| Records alteration | Management, Employees, Users | Customer and user data has to be managed securely, without allowing any user or third party to make modifications without the proper approval of the customer and company officials (Gilbert, 2014) |
| Unauthorized access | Customers, Management | Customer credentials should be kept safe so that they do not get leaked and misused by a hacker or unauthorized user (HP Enterprise, 2015) |
| Financial fraud | General consumers, Finance companies, Investors | Fraud patterns can be identified and analyzed to understand how the industry is being affected by security threats, and joint steps must be taken to identify the best protection measures, which must be shared and used to increase the security posture of all companies in the finance industry (Health and Safety Authority, 2006) |
Opportunity Identification: Company staff can explore the practices used by other companies in the industry to secure their IT systems, including those using BYOD schemes. Through this exploration, security best practices that have worked well with BYOD schemes can be identified and used to enhance the protection of Aztek. Some of the best practices used in the finance industry include (Infrascale, 2014):
One major risk the finance industry faces is the loss of the data of the organization and its customers. With proper policies defined for managing different types of access, such as remote or wireless access, privacy settings, codes of conduct, social media access and incident response plans (MYOB, 2016), the risk of losing data can be reduced. Devices can be secured directly or indirectly against these threats using measures such as encryption, remote wiping, authorization, sandboxing and inventory securing. Employees must be given sufficient training so that they can identify vulnerabilities and take steps to secure their devices (Paschke, 2014).
Another risk in a BYOD environment is increased exposure of data through the endpoint devices connected to the system. Endpoint protection measures have to be used with BYOD devices, and these need different protection techniques from those used with traditional systems. Two major risks faced by the finance industry are data leakage and reduced productivity because of the use of BYOD (Microsoft Asia News Center, 2016). Aztek therefore needs a mechanism that allows activity at the endpoint to be tracked and that provides authorization systems for remote data access. If an endpoint device is exposed to a threat, such as after being stolen, a remote wiping feature can be used to disconnect the device from the system so that its holder can no longer connect to company systems. This would prevent an unauthorized user from gaining access to the confidential data of Aztek (NCSU, 2017).
The methods people use to access data and applications on BYOD devices can also affect security, so the company must have a way to check the access methods and define data protection strategies to overcome these challenges, such as (National Treasury, 2011):
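One way to operationalize the minimum-configuration, patching and remote-wipe measures discussed above (lost or stolen devices, the minimum device configuration a BYOD policy should define, patch reminders, and disconnecting a stolen endpoint), written here as an added example that is not part of the original essay or of any Aztek system. The policy thresholds, device fields and inventory records are all constructed for illustration; the code maps each device record to the action the policy would prescribe.

```python
from dataclasses import dataclass, field
from datetime import date

# Minimum configuration for a personal device (constructed policy values, not Aztek's).
POLICY = {
    "min_os": {"ios": (15, 0), "android": (12, 0)},
    "patch_deadline_days": 30,   # updates must be applied within this window
    "max_checkin_days": 7,       # a silent device is treated as possibly lost
}

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple
    last_patch: date
    last_checkin: date
    encrypted: bool
    antimalware: bool
    reported_lost: bool = False

@dataclass
class Verdict:
    device_id: str
    action: str                   # "allow", "remind", "quarantine" or "wipe"
    reasons: list = field(default_factory=list)

def evaluate(dev, today):
    """Map one device record to the access decision the policy prescribes."""
    # A device reported lost or stolen loses corporate data and VPN access first.
    if dev.reported_lost:
        return Verdict(dev.device_id, "wipe", ["reported lost or stolen"])
    reasons = []
    # A device that stops checking in may be lost without the owner noticing.
    if (today - dev.last_checkin).days > POLICY["max_checkin_days"]:
        reasons.append("no check-in for over %d days" % POLICY["max_checkin_days"])
    min_os = POLICY["min_os"].get(dev.platform)
    if min_os is None or dev.os_version < min_os:
        reasons.append("OS below minimum configuration")
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if not dev.antimalware:
        reasons.append("anti-malware not installed")
    if reasons:
        # Hard failures cut corporate access until the owner remediates.
        return Verdict(dev.device_id, "quarantine", reasons)
    overdue = (today - dev.last_patch).days - POLICY["patch_deadline_days"]
    if overdue > 0:
        # Patch lag is handled with a reminder, not a lockout.
        return Verdict(dev.device_id, "remind", ["patching overdue by %d days" % overdue])
    return Verdict(dev.device_id, "allow")

def triage(devices, today):
    """Group the fleet by required action so the help desk can work the queues."""
    queues = {"allow": [], "remind": [], "quarantine": [], "wipe": []}
    for dev in devices:
        v = evaluate(dev, today)
        queues[v.action].append((v.device_id, v.reasons))
    return queues

# Constructed inventory sample; not real Aztek data.
TODAY = date(2017, 9, 14)
SAMPLE = [
    Device("d1", "ios", (15, 6), date(2017, 9, 1), date(2017, 9, 13), True, True),
    Device("d2", "android", (11, 0), date(2017, 8, 30), date(2017, 9, 12), True, True),
    Device("d3", "ios", (16, 0), date(2017, 7, 20), date(2017, 9, 14), True, True),
    Device("d4", "android", (13, 0), date(2017, 9, 5), date(2017, 9, 10), False, True, True),
    Device("d5", "android", (13, 0), date(2017, 9, 5), date(2017, 8, 20), True, True),
]
```

Calling `triage(SAMPLE, TODAY)` returns the four queues; in the sample, d1 is allowed, d3 gets a patch reminder, d2 and d5 are quarantined, and d4 is wiped.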
Conclusions
The aim of this paper was to explore the case of Aztek, a financial organization, in order to identify changes in its security posture and to find measures the company can use to enhance protection. It was found that the company uses a security structure better suited to an IT infrastructure wholly owned by the company, so new strategies are required with the addition of endpoint devices as the company plans to implement a BYOD scheme. The study of the security posture suggests that the risk of data leakage, loss of control over devices and unauthorized access by attackers would be the major concerns for the company under a BYOD scheme. A cybersecurity framework can be used to develop security management strategies suited to endpoint protection. These would include security management methods such as surveillance, device management, policy enforcement and employee awareness, giving employees responsibility for the protection of their devices.
References
ACHS. (2013). Risk Management & Quality Improvement Handbook. EQuIPNational.
Afaq, S., Qadri, S., Ahmad, S., Siddique, A. B., Baloch, M. P., & Ayoub, A. (2014). Software Risk Management in Virtual Team Environment. International Journal of Scientific & Technology Research, 3(12), 270-274.
Alali, F., & Yeh, C.-L. (2012). Cloud Computing: Overview and Risk Analysis. Journal of Information Systems, 26(2), 13-33.
APM Group Ltd. (2017). Defining Risk: The Risk Management Cycle. Retrieved September 14, 2017, from https://ppp-certification.com/ppp-certification-guide/52-defining-risk-risk-management-cycle36
Avdoshin, S. M., & Pesotskaya, E. Y. (2011). Software Risk Management: Using the Automated Tools. Russian Federation.
Berg, H.-P. (2010). Risk Management: Procedures, Methods and Practices. Salzgitter, Germany: Bundesamt für Strahlenschutz.
Bhatta, G. (2008). Public Sector Governance and Risks: A Proposed Methodology to do Risk Assessments at the Program Level. Asian Development Bank.
Bodicha, H. H. (2005). How to Measure the Effect of Project Risk Management Process on the Success of Construction Projects: A Critical Literature Review. The International Journal of Business & Management, 3(12), 99-112.
Campbell, D. (2005). Risk management guide for small business. Global Risk Allianz.
CDC. (2006). CDC Unified Processes Practice Guidance for Risk Management. CDC.
Chan, A., Lam, P., Chan, D., & Cheung, E. (2008). Risk-Sharing Mechanism for PPP Projects: the Case Study of the Sydney Cross City Tunnel. Surveying and Built Environment, 67-80.
Curtis, P., & Carey, M. (2012). Risk Assessment in Practice. COSO.
Delhi Government. (2014). Hazard, Risk and Vulnerability Analysis. New Delhi: Delhi Government.
E&Y. (2013). Bring your own device: Security and risk considerations for your mobile device program. E&Y.
Elky, S. (2006). An Introduction to Information System Risk Management. SANS Institute.
Engine Yard, Inc. (2014). Security, Risk, and Compliance. Engine Yard.
European Commission. (2010). Risk management in the procurement of innovation. European Commission.
Gilbert, P. L. (2014). Surveillance of workplace communications: What are the rules? TOBIN.
Health and Safety Authority. (2006). Guidelines on Risk Assessments and Safety Statements. Dublin: Health and Safety Authority.
HP Enterprise. (2015). Cybersecurity Challenges, Risks, Trends, and Impacts: Survey Findings. MIT.
IBM Global Technology Services. (2011). Security and high availability in cloud computing environments. IBM Corporation.
Infrascale. (2014). BYOD Program Best Practices for Data Protection & Security. Infrascale.
John Snow, Inc. (2010). Developing a Risk Management Plan. USAID.
La Trobe University. (2017). Video 4: Project Risks. Retrieved September 14, 2017, from https://lms.latrobe.edu.au/mod/book/view.php?id=2493632&chapterid=201714
Microsoft Asia News Center. (2016, June 7). Malware Infection Index 2016 highlights key threats undermining cybersecurity in Asia Pacific: Microsoft Report. Retrieved from Microsoft News: https://news.microsoft.com/apac/2016/06/07/malware-infection-index-2016-highlights-key-threats-undermining-cybersecurity-in-asia-pacific-microsoft-report/
MYOB. (2016, September 13). Protecting your confidential information. Retrieved from MYOB: https://myob.com.au/myob/australia/myob-security-recommendations-1257829253909
National Treasury. (2011). Public Sector Risk Management Framework. Republic of South Africa.
NCSU. (2017). Risk Management. Retrieved September 14, 2017, from https://agile.csc.ncsu.edu/SEMaterials/RiskManagement.pdf
NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
OECD. (2008). Malicious Software (Malware): A Security Threat to Internet Economy. OECD.
Office of the Privacy Commissioner of Canada. (2015). Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?: Privacy and Security Risks of a BYOD Program. Office of the Privacy Commissioner of Canada.
Oracle. (2009). Managing Risk with Project Portfolio Management in the Oil and Gas Industry During an Economic Downturn. Oracle.
Paschke, C. (2014). Bring Your Own Device Security and Privacy Legal Risks. Information Law Group.
Rule Works. (2017). The risk management cycle. Retrieved September 14, 2017, from The risk management cycle
Security Awareness Program Special Interest Group. (2014). Best Practices for Implementing a Security Awareness Program. PCI.
Veracode. (2017). Application Security Software. Retrieved May 19, 2017, from https://www.veracode.com/products
WatchGuard. (2013). BYOD: Bring Your Own Device, or Bring Your Own Danger? WatchGuard.