Saturday, November 21, 2015

BYOD - CJIS MOBILE APPENDIX - FBI

Bring Your Own (BYO) what?

Set aside the scenario of government and local authority involvement and consider private industry alone: an employer may have no enforceable right to control BYOD (bring your own device) smartphone usage, because the employees and out-sourced workers concerned are paying for company communications out of their own wages or salary merely so that a normal business cost can be reduced or removed. Reported patterns of abuse by BYOD employees are scarce, as, funnily enough, are reports of the cost savings made by companies and of who actually benefits from those savings. What is an employee's employment position if they refuse BYOD? And what about employees and staff on wages and salaries of, say, £40K down to the national minimum wage; are they protected?

This "Bring Your Own" approach in business is seemingly not limited to devices. There is at least one instance of an employer seeking to reduce vehicle fleet insurance costs by asking the employee to insure the company vehicle in their own name. So do we call this BYOI (bring your own insurance)? Significant problems could arise, though, if those company vehicles carry hazardous items not disclosed to the insurer. Moreover, would employees find themselves coerced in the workplace if they refuse to comply?

Given the vast increase in personal mobile devices in the workplace, the UK Parliament may need to consider preventative legislation to stop employer abuses in all cases of "Bring Your Own" (BYO), whether device orientated or not, without forcing the employee to pursue some form of equitable estoppel action (a doctrine preventing one party from taking unfair advantage of another, perhaps through false statements or conduct) where the employer tries to treat the employee as if they were somehow holding themselves out as acting in the course of a business (Unfair Contract Terms Act 1977, UCTA).

God forbid the next thing is BYOM (bring your own mortgage) to pay for the company office building.

BYOD - CJIS MOBILE APPENDIX - FBI

FBI analysis of BYOD. There are many references to BYOD in the CJIS Mobile Appendix, but two statements applicable to employees and out-sourced workers who use their own devices are noteworthy, at 1.7.3 and 1.10.2 below.

1.7.3  Bring Your Own Device (BYOD) employment
BYOD environments pose significant challenges to the management of secure device configurations. In many cases it may be impossible to apply effective security that is acceptable to the device owner or it may require extremely costly compensating controls to allow access to CJI on personally owned devices. While allowed by the CJIS Security Policy, agencies are advised to conduct a detailed cost analysis of the ancillary costs of compliance with CJIS Security Policy on personally owned devices when they are approved for use. In some cases, a BYOD user may agree to abide by the same device configurations and limitations as imposed on an agency owned device, but signed user agreements should still be in place to ensure the agency has a legal right to recover or clear the device of all data prior to device disposal or employee termination. In other cases, robust secure applications may provide acceptable levels of compliance in a BYOD environment for limited CJI access, but application design and architecture should assume the device itself is untrusted. If MDM/EMM software capable of detecting rooting or jailbreaking of the device is not installed, any CJIS or data access occurring from the device is at a substantially higher risk of compromise.

1.10.2  Malicious code protection/Restriction of installed applications and application permissions

The most common method of malicious code installation is enticing the user to manually install the malicious app which can be mitigated on organizational devices using an MDM or other application installation restrictions which prevent the user from installing unauthorized or unknown applications. Mitigation of this issue within BYOD environments may not be possible and will present a significantly enhanced risk to the device.

https://www.fbi.gov/about-us/cjis/CJIS%20Mobile%20Mobile%20Appendix%2020121214.pdf
Previous Discussions:

BYOD: Cyber Classification
http://trewmte.blogspot.co.uk/2015/08/byod-cyber-classification.html

Android Copy and Paste - what risks?
http://trewmte.blogspot.co.uk/2015/06/android-copy-and-paste-what-risks.html

BYOD risks and minefields
http://trewmte.blogspot.co.uk/2014/03/byod-risks-and-minefields.html

One hit, hits all
http://trewmte.blogspot.co.uk/2013/02/one-hit-hits-all.html

Smartphone BYOD
http://trewmte.blogspot.co.uk/2013/01/smartphone-byod.html