Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)
Published June 2013
Enterprise mobility enables employees to perform work in specified business-case scenarios using devices such as smartphones, tablets and laptops, while leveraging technologies that facilitate remote access to data. A well-designed enterprise mobility strategy can create opportunities for organisations to securely improve customer service delivery, business efficiency and productivity. Some of these opportunities might permit employees to use their personally owned devices, referred to as Bring Your Own Device (BYOD).
This document provides senior business representatives with a list of enterprise mobility considerations including business cases, regulatory obligations and legislation, available budget and personnel resources, as well as risk tolerance. Additionally, risk management controls are provided for cyber security practitioners.
This document aims to assist readers to understand and help mitigate the significant risks associated with using devices for work-related purposes that have the potential to expose sensitive data. Risks can be partially mitigated through a policy outlining the permitted use of devices, including the required behaviour expected from employees, which is complemented by technical risk management controls to enforce the policy and detect violations. Organisations must decide whether applying the chosen risk management controls would result in an acceptable level of residual risk.
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing firstname.lastname@example.org or calling 1300 CYBER1 (1300 292 371).