The Key Methods to Establish PCI Compliant Risk Management for BYOD Initiatives
It is clear that successful BYOD implementations are tied to a larger business push with the goal of achieving productivity gains. However, too many BYOD initiatives fail to properly prioritize and establish a risk management strategy. This is especially important in PCI compliant industries, such as banking or financial institutions. Risk management of BYOD deployments must not only meet business goals, but also align to an organization’s security policies in order to achieve success. It is therefore of utmost importance that the financial industry enhance MDM capabilities to ensure that appropriate PCI compliant risk management is in place for BYOD initiatives.
While the methods behind securing BYOD are many and far reaching, there are some key methods that I hone in on when working with financial houses. These methods ensure PCI compliance while maintaining a high degree of usability for an organization’s BYOD user base.
Know The Who’s, The What’s, The Why’s, Etc.
I like to start with knowing the who’s, the where’s, and the what’s behind network and data access. When implementing BYOD initiatives, a financial organization must know what data can be accessed by whom and through what network connectivity route said access is traveling. While this seems obvious, it brings up internal questions:
- What email accounts are affected by BYOD?
- What about VPN connectivity or cloud-based applications?
- Are any BYOD accounts showing suspicious activity or an elevated level of failed authentication attempts?
- Do any business applications have open authentication that can be accessed by BYOD users?
Having the ability to monitor BYOD users and devices is required to carefully guard data access.
BYOD Device Configuration
This should be a given, but the number of financial organizations I have seen that have multiple—and in some cases, personal—BYOD configurations is just outright baffling. Since most BYOD policies revolve around mobile devices, and mobile devices are highly susceptible to physical loss, the level of risk management in guarding from data loss also is high.
The best line of defense is to make sure that any BYOD policy includes a hardened security policy that leverages security intelligence that is easily reproducible from device to device. Financial organizations need to have a default, one size fits all, BYOD security policy that goes into effect during device provisioning. And while in some industries having the user provision the device themselves is adequate, financial institutions cannot take the risk of running afoul of a PCI requirement, and should plan their BYOD security policy accordingly.
Have a Data Breach Plan
Even the best security intelligence may not be enough to thwart a data breach and it would be largely impossible to prevent data breaches altogether, which is why I always stress that the best approach to preventing a data breach is to reduce the risk. This means organizations need to be prepared for what to do when a breach does occur.
Think about who needs to be notified, what a root cause analysis needs to include, what configuration changes are needed, and most importantly, remediating the immediate threat. While getting this setup may be time consuming, it will pay dividends when the proverbial you know what hits the fan, and will keep the situation from becoming overwhelming to the business.
Something I like to recommend is to have both a digital and print copy of a data breach plan runbook. In the event of a DDoS, the ability to access any online systems, internal or cloud, will be severely inhibited. It is best to have a physical copy so an organization can spring into action without pause.
Initiate Regular Internal Audits
Instead of waiting for an auditor to tell your organization what is wrong, conduct regular and equally (if not more) stringent audits on your BYOD environment. This aids financial organizations in keeping BYOD risk management processes up-to-date with the business needs and regulatory changes.
Use an All-In-One BYOD Management Tool
The best way to go about implementing all the above steps is to find a great all-in-one tool that eliminates the user factor for the most part while maintaining a secure and standardized BYOD environment. I always go reach with IBM’s BigFix as my MDM tool of choice. It is an all encompassing, security and management heavyweight that is configured right out of the gate with PCI compliance in mind. BigFix provides a single, scalable solution that provides constant real-time monitoring of not only your BYOD devices, but any asset in the organization. The easy to configure baselines can provision BYOD devices with an organization’s security compliant policy, and remediate devices on the fly as needed.
When I put these abilities into play during a BYOD initiative has always resulted in huge gains and increased ROI for the organization. The ability to manage, report and remediate devices in real-time is a must for a financial organization with PCI concerns.
The Key To Success
Experienced and proven solutions are a must when it comes to establishing a risk management policy for BYOD devices. Champion is a great partner in maintaining BYOD usability for device users while meeting a financial institution’s stringent regulatory and PCI requirements through the use of an advanced MDM system like BigFix.