3.3.10 Bring Your Own Device (BYOD)

No: 381000091275 Date(g): 24/5/2017 | Date(h): 28/8/1438 Status: In-Force

Principle

When the Member Organization allows the use of personal devices (e.g., smartphones, tablets, laptops) for business purposes, the use should be supported by a defined, approved and implemented cyber security standard, additional staff agreements and a cyber security awareness training.

Objective

To ensure that business and sensitive information of the Member Organization is securely handled by staff and protected during transmission and storage, when using personal devices.

Control considerations

1. The BYOD cyber security standard should be defined, approved and implemented.

2. The compliance with the BYOD cyber security standard should be monitored.

3. The effectiveness of the BYOD cyber security controls should be measured and periodically evaluated.

4. The BYOD standard should include:

 a. responsibilities of the user (including awareness training);

 b. information regarding the restrictions and consequences for staff when the Member Organization implements cyber security controls on their personal devices; for example, when using modified devices (jailbreaking), when employment is terminated, or in case of loss or theft of the personal device;

 c. the isolation of business information from personal information (e.g., containerization);

 d. the regulation of corporate mobile applications or approved “public” mobile applications;

 e. the use of mobile device management (MDM); applying access controls to the device and business container and encryption mechanisms on the personal device (to ensure secure transmission and storage).