Regulatory Developments

Last updated: 
3 months 2 weeks ago
Blog Manager
Log in to request membershipHide blog description
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Recent members:

ENISA Guide to Risk Mitigation for BYOD

Thursday, January 10, 2013 - 12:24

ENISA have published a useful set of controls and best practices for managing the risks in a Bring Your Own Device (BYOD) program. They identify three groups of controls

  • Governance
  • Legal, Regulatory and HR
  • Technical (Device, Application, User and Data)

Throughout, the focus is on the owners, not the devices, which seems right. If the owners don’t understand the need for behavioural and technical controls and aren’t provided with the skills and motivation to follow them, then with full control of the device they can ignore or override them anyway. For example it may be cheaper and more effective to support staff in appropriate use of social networking tools rather than to try to impose software on all their devices to prevent loss of business information. BYOD programs should therefore be voluntary, with owners making a positive choice to share their devices with their organisations, understanding and accepting the responsibilities that brings.

There are some interesting ideas on how to encourage participation in the programme, including provision of support, offer of additional services, or even financial benefits! It strikes me that at least the first two have beneficial side-effects for the organisation too. Making things work well for those who participate in the official scheme may bring into the fold those who would otherwise try to connect their devices unofficially (I remember universities achieving successful deployment of quality wifi by a similar technique). Providing or recommending services such as webmail and storage means that the organisation can direct users to options that satisfy the security requirements of both users and the organisation.

There are interesting ideas on keeping organisational and personal use separate, not just in technical terms but also in policy. An explicit policy that organisational support staff and management software will only look at organisational data and applications should help staff/owners trust that their privacy is being respected and encourage them to respect the organisation’s interests in return.

Finally there’s a recognition that this is a very rapidly changing area where new technologies and practices quickly move from brand new to completely routine. Organisations need to work with their staff to incorporate BYOD into their existing systems for managing information security to ensure this is done in a way that benefits both.

BYOD
Information Security
  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo