How to Manage Bring Your Own Devices (BYOD) During an Audit
In this article we'll walk you through some best practices to handle a BYOD program during your audits for SOC 2, PCI, ISO 27001, and more.
What do I do when all our employees bring their own devices?
We get asked this question quite often and it’s a tough situation from a compliance standpoint. Since you don’t own the device, you can’t enforce configurations like hard drive encryption, screensaver lock, and other workstation controls. And even when these settings are enabled on those devices, getting evidence from them can be difficult.
Additionally, users may not want to enroll in mobile device management (MDM) software or provide a screenshot from their personal device. So how do you handle these situations when you’re going for your audit? We’ll walk you through this, below.
Establish a BYOD Program
The very first step should be to formally authorize your employees to use BYOD workstations or devices. This is done by explaining within a policy that your organization is authorizing employees/contractors to use their own devices.
Some organizations create an entirely separate BYOD policy, which is fine. However, most organizations add these details to an existing policy such as the acceptable use, asset management, or information security policy.
Any of those three policies would work for this, it’s really up to you and where you think it fits best.
Updating an Existing Policy
If you opt to add these statements to an existing policy, it could say something like:
“[Company Name] has authorized employees and contractors to use a Bring Your Own Device (BYOD) machine of their choosing as a workstation. [Company Name] does not own these devices, but encourages employees/contractors to enable the following settings on their devices:
Hard drive encryption
Anti-virus/anti-malware
[Additional Controls/Requirements]
The above settings are only required for workstations such as laptops and desktops. For mobile devices such as smartphones and tablets, [Company Name] encourages setting a screen timeout of one minute or less and enabling a password, PIN, or biometrics to be entered before the device will be unlocked. [Company Name] also discourages the use of “jailbroken” or “rooted” devices.
Additionally, employees/contractors are required to support [Company Name]’s efforts to demonstrate compliance with select security controls. This will entail enrolling in [Company Name]’s MDM solution or provide screenshots showing that these settings have been enabled.”
Restrictions
You should also consider listing any restrictions on the types of devices that employees can use. For example, if due to the nature of your business, all BYOD devices have to be a Windows machine, you should list those types of items here as well.
Reservation of Rights Clause
Finally, we recommend adding a statement to employee and contractor agreements which states something like:
“[Company Name] reserves the right to request and verify deletion of any company data downloaded to personal devices upon termination of employment at [Company Name].”
We recommend that you require this where possible. However, depending on the locality of the employee/contractor, this may not always be possible due to legal and privacy laws and regulations in specific jurisdictions.
So before you require the above, you should speak with your HR team and legal counsel to make sure that you are legally allowed to do so.
How BYOD Devices Affect an Audit
Regardless of who owns the device—the company or an individual employee/contractor—compliance frameworks like SOC 2 and ISO 27001 do contain controls around securing workstations, and BYOD does not remove these requirements in all cases.
The majority of companies are still required to prove that the devices being used to conduct business are configured securely. This will require you to collect evidence demonstrating this, such as enrolling those devices in an MDM or submitting screenshots from their workstations. However, if this isn’t possible, alternative controls can be implemented. Whether these controls are accepted or not is up to your auditor.
For instance, if you can’t show that workstation hard drives are encrypted, you may have to implement a control such as more stringent data loss protection (DLP) controls to show that data cannot be exported from systems like Google Drive, your cloud environment, etc.
If data cannot be saved locally on workstations due to DLP controls on these systems, hard drive encryption is less important.
Smartphones and Tablets
There is a second class of BYOD devices that come up are smartphones and tablets. How you handle these devices mostly depends on what the devices are being used for and what framework you are working towards.
One option is to establish a policy or technical control that prevents accessing customer data or regulated data, like protected health information (PHI) or cardholder data (CHD), from BYOD smartphones and tablets.
If these devices do store or access sensitive data, then these devices will likely be in-scope for the audit, but which controls need to be implemented will depend on the auditor. In this case, we suggest using a containerized MDM solution and having your employees/contractors load this solution on their device so you can demonstrate that the data is being protected.
To automate evidence collection to prove that your BYOD program is in compliance with SOC 2, HIPAA, and ISO 27001 be sure to book a demo with our team today.
