Expert Advice Community

Controls for BYOD

Guest user   Created: Oct 08, 2019   Last commented: Oct 08, 2019

The issue is that not all employees have been granted a company-sanctioned device for accessing our office’s network. Policy-wise, we have restricted them to only using RDP, and they must have anti-virus software on the machine they’re using to access our network; however, I feel this is not enough. I do not have as much experience in this area as others may have, so I’d like to know how other companies deal with such a thing. Can we force our employees using their own devices to install MDM software provided by the company so that we have some control over what’s connecting to our network? Is that the best route, or will backlash/pushback from the employees being forced to install something they may deem intrusive actually work against us in this process? What about employees accessing our email system (Office 365) on their personal phones – should we extend MDM and controls to those devices as well? Can/should we define a list of acceptable phones/operating systems to be used in our BYOD policy?

Any insight you could provide here would be greatly appreciated. In a perfect world, I would issue each employee a company-owned laptop/phone to deal with this situation, however, we just do not have the budget to go that route.


Expert: Rhand Leal   Oct 08, 2019

First, it is important to note that ISO 27001 does not make any controls or technologies mandatory. You can apply those you consider will resolve particular risks.

Considering that, both RDP (Remote Desktop Protocol) and MDM (Mobile Device Management) are good and commonly applied solutions to help protect the organization's information on employees' personal devices.

Now, considering that you are referring to personal devices, the main topics to support this decision are the legal requirements regarding privacy and labor relations that your organization has to follow. Our suggestion is for you to seek expert legal advice on these matters to understand the risks related to the application of these controls, and to see whether, by implementing them, you would be incurring risks higher than the ones you are trying to mitigate regarding your own information.

This article will provide you with further explanation about BYOD:
- How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
