Review of The "Bring Your Own Device" Model

BYOD is trendy, cost-effective and employee-friendly. Intel on the other hand is the largest chip manufacturer in the world, a pioneer in the technology industry. Adopting the BYOD model is a great move for Intel, as the employees are happy and more accountable for their devices. This will also improve employee’s productivity. Like any other model, BYOD came with its own set of risks. As mentioned in many of our Information Security classes, no matter how strong the security is, it’s never 100%. Not only did it have technical challenges, but security and privacy were also the primary BYOD risks.

One of the main concerns for Harkins is the security of data. As suggested in the case, Intel Corp.-Bring Your Own Devices (pg.1) employees are bringing their own devices and using them during office hours because of which, the distinction between corporate data and private data was blurring. Further, use of personal devices can also lead to a loss of productivity among the employees as mentioned in the case Intel Corp.-Bring Your Own Device (pg.2).

Another vulnerability in the security of corporate data is the use of unsecured public networks. It is very likely for an employee to connect their personal devices to public networks like in a cafeteria and or in the hotel. As much as these networks are alluring to the users, they also gain the attention of hackers, since it is easy to enter these networks with a small software and get access of any information being shared.

As per the article Guide to IPsec VPNs (pg.2-4), in order to avoid security risk to corporate data, Intel should configure symmetric cryptography VPN to encrypt corporate data. Keeping note of the vulnerabilities in each encryption method, using the WPA2 method for encryption would be the best solution. Six Keys to Improving Wireless Security (pg.394). This will help mitigate the risk of corporate data shared inadvertently from personal devices. As mentioned in Intel Corp.-Bring Your Own Device (pg.2), Harkins saw certain law that said, “Information wants to be free”. This compromises security and the CIOs cannot enforce rules of their own. We advise Harkins to add certain authentication methods during connection to the company network. As mentioned in the article Digital Identity Guidelines: Authentication and Lifecycle Management (pg.13) while connecting to the company network the user is needed to provide a memorized secret verifier. In this way, an unknown device/user trying to connect to the company network is unsuccessful.

The access to the data on an employee’s personal device can be challenging, as it can lead to violation of privacy of the employee. And the increased use of smartphones on the company network will lead to breach of security and increased risks. As per the article Six Keys to Improving Wireless Connection (Key 2: Require Strong Authentication pg.3), Intel can employ a strong multifactor authentication system to authorize user access to sensitive data. Also, applying the COBIT DSS05.03 Manage endpoint security protocol will secure network and protect the system integrity.

Changes in the FRCP rules and the recent lawsuit as mentioned in the article Intel Corp- Bring Your Own Device (pg.10) raise an alarm to set controls over archiving data such as emails and instant messages of all the employees COBIT DSS06.05. These controls however should be limited only for the accounts related to the Intel and not the employee’s personal data thereby ruling out any issues of their privacy. We also recommend to have the employees sign a service agreement regarding the legal safeguards, ensuring that the employee is aware of legal requirement and implications of breach of the agreement.

In Vlachos” article User Threats Vs. User Privacy: Striking the Perfect Balance he asked the questions, “Should companies watch everything their employees are doing? Or should they blindly trust them to safeguard company data? The answer is: Neither”. Monitoring your employees on their personal devices does assure that Intel is complying with PCI, NCE, HIPAA, and many other regulations. Logging of employee data is also the most important requirement for a strong security system. By using the COBIT DSS06.05 Ensure traceability of information events and accountabilities practice can prevent the loss of data after any breach of security or departure of any employee. According to the article User Threats Vs. User Privacy: Striking the Perfect Balance (pg.2), it also assures that Intel adheres to the mandates of E-Discovery guidelines. This also allows a company to assure that its own internal security policies are being adhered to. Furthermore, it creates a “safer” system for the company.

As commonly said “If it isn’t written down, it doesn’t exist”. For the above-mentioned controls to be effective, it is ideal to have appropriate policies set across the organization. The policies should clearly state the consequences of policy violations Six Keys to Improving Wireless Security (pg 398). We suggest Intel to have an initial registration for all the devices that are being used under the BYOD model. During the registration, the device should be checked for the firewalls and other security layers in place to safeguard the corporate data. Although the firm cannot force any updates regarding firewalls and patchworks to the employee’s personal device, it can, however, deny the use of such devices under BYOD.

Additionally, we suggest a policy regarding the use of wireless network. Installation of wireless access points should only be restricted to the IT staff who are skilled in information security. Installation should be followed by frequent audits to identify any “rogue” access points that will make the network vulnerable for hackers violations Six Keys to Improving Wireless Security (pg 398).Also, Intel needs to have explicit policies for what is acceptable use of a devices while at work as suggested in Key five of the article Six Keys to Improving Wireless Connection. For example, the policies can include discouraging the use of social media (unless position requires), forbidding the use of device or Intel networks to view pornographic materials. Many employees will have significant issues if Intel continually monitors their personal devices and how information is used.

According to the case Intel Corp- Bring Your Own Device (pg.3), though a majority of employees were open to training about safety and understood the need for security, at least 70% were not inclined to allow Intel to monitor their devices. Intel also needs to train their employees and users about the security risks involved in order to find the right balance according to the article User Threats Vs. User Privacy: Striking the Perfect Balance (pg.2).

Lastly, we recommend that Harkins considers Intel managed devices for employees who work on confidential data. Apart from the Intel Corp- Bring Your Own Device Risk Management Model (Exhibit 2), we suggest that Harkins provides the research team and HR team Intel owned devices in order to prevent loss of classified information related to product or person. This will help Intel avoid situations similar to the AMD case Intel Corp- Bring Your Own Device (pg.9). We also recommend that Intel use point six and seven “Filter all input” and “Filter on the server side” from Protecting Your Web Apps Two Big Mistakes and 12 Practical Tips to Avoid Them to cover all bases and protect functionality of the system from attackers.