
Risk Management of Enterprise Mobility Including Bring Your Own Device

This document discusses the risks associated with the use of enterprise mobility within organisations, including the use of Bring Your Own Device (BYOD) scenarios, and provides guidance on mitigating these risks.

Published June 2013; Latest version April 2019

Executive summary

Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. In addition, employees gain increased flexibility to perform work regardless of their physical location.

This document provides senior business representatives with a list of enterprise mobility considerations. These include business cases, regulatory obligations and legislation, available budget and personnel resources, and risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.

This document aims to help readers understand and mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. The primary risks are the likelihood of devices storing unprotected sensitive data being lost or stolen, the use of corporately unapproved applications and cloud services to handle sensitive data, inadequate separation between work-related and personal use of a device, and the organisation having reduced assurance in the integrity and security posture of devices that are not corporately managed. Additional risks arise from legal liability, regulatory obligations and legislation requiring compliance, and the implications for the organisation’s budget and personnel resources.

Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations.

Business cases for enterprise mobility that involve accessing non-sensitive data might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).

Business cases for enterprise mobility that involve accessing and potentially storing sensitive data might permit employees to use devices that are listed on a corporately approved shortlist of devices. Such devices are partially or completely corporately managed to enforce policy and technical risk management controls. These controls can include preventing unapproved applications from running and accessing sensitive data, applying patches to applications and operating systems in a timely manner, and limiting the ability of employees to use devices that are ‘jailbroken’, ‘rooted’ or otherwise run with administrative privileges. Optionally, some organisations might provide devices to employees and permit a reasonable degree of personal use while retaining ownership of the devices for legal reasons: retained ownership makes it easier for the organisation to monitor devices, remotely wipe sensitive data, perform security and legal investigations, and retain ownership of intellectual property.

Before implementing enterprise mobility for a specific business case, organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.

Table of contents

  • Executive summary
  • Risk management of enterprise mobility
    • Potential benefits of enterprise mobility
    • Potential benefits of using personally owned devices
    • Develop an enterprise mobility strategy
    • Determine the extent of existing enterprise mobility
    • Develop business cases with suitable mobility approaches
    • Identify regulatory obligations and legislation
    • Allocate budget and personnel resources
    • Develop and communicate enterprise mobility policy
    • Monitor the implementation and report to management
    • Facilitate organisational transformation
    • Further information
    • Contact details
  • Appendix A: Arbitrary unmanaged devices for internet access
    • Corporately enforced risk management controls
    • User-reliant risk management controls
  • Appendix B: Arbitrary unmanaged devices for non-sensitive data
    • Corporately enforced risk management controls
  • Appendix C: Corporately approved and partially-managed devices for sensitive data
    • Corporately enforced risk management controls
    • User-reliant risk management controls
  • Appendix D: Corporately approved and managed devices for highly sensitive data
    • Corporately enforced risk management controls

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.

The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Date
April 30th, 2019