Solving the Byod Problem for the Enterprise Essay Example for Free

Solving the Byod Problem for the Enterprise Essay Introduction Enterprise computing, as we know it, is facing a dimensional shift with the widespread diffusion of the BYOD (Bring Your Own Device) phenomenon. BYOD is the latest trend hitting businesses where employees are bringing their own personal mobile devices. Some of these devices include smartphones and tablets which are brought into their place of work, and used on the corporate network for purposes such as accessing files, email servers, and databases. Over the past few years, employees in many organizations are bringing their own personal devices to the work environment to handle business needs. With employees using their own devices, CIOs and IT departments across the nation are frantically trying to keep up with their employees by ensuring their networks are safe and secure. There is no doubting mobile devices have taking over a big part of our lives. These devices travel with us wherever we go while always being within a short reach away. People are beginning to realize the usefulness of getting work done from their own mobile devices. With this trend enterprises are in need of a policy for employees bringing their own devices to work. Although a relaxed BYOD policy can offer an organization many benefits, it tends to be a double edged sword. A lax policy leaves sensitive data vulnerable; an overly strict one stifles employees trust relationship with their employer. A balance must be struck between offering employees a pleasant and enjoyable work environment and maintaining the security of enterprise data. As the expectations of workspace personnel evolve, organization leaders must find ways to adapt and overcome the challenges that arise when corporate culture has a conflict with social standards and consumer trends. Management must consider the potential detriment to the workforce morale and how this could ultimately result in productivity loss. This is evident in the current 90% of employers who have chosen to allow personal devices at work with little or no precautions (Miller, Voas, and Hurlburt, 2012). Most workers consider themselves, not the company, to be responsible for the personal devices they use for work purposes. This all begs the question, how should an organization go about implementing a BYOD policy? Which policy can best suit a particular type of business? Should organization leaders place priority on protecting its data assets, or must they protect the health of their workers? If the latter is chosen, what compromises must employees be expected to make to ensure a necessary, minimal level of security is in place? These are all the major questions IT departments are seeking answers for when providing a BYOD environment. This research paper will provide a working outline with the correct steps needed for the development process for a BYOD work environment. The paper will touch upon key subjects addressing the careful decisions that must be made in order to set up the proper policies. An organization’s main goal is making certain your business has both a safe and secure network while keeping the employees satisfied. II. Key Issues. The key issues for the implementation of BYOD involve five main areas. The main areas are people, planning, management of technology, assessment and execution. The first main area, people, involves how management must communicate with the enterprise’s employees, provide leadership and proper governance. The second area, planning, management must provide a plan to implement BYOD into the enterprise that aligns with the business,   communicates the IT strategy to the business and provides sound quality control. The third area, management of technology, IT management should provide a flexible and standard BYOD policy for employees. The fourth area, assessment, management should provide a way to measure risk, eliminate risk and provide a sufficient audit of the BYOD policy. Lastly, execution of the BYOD policy should provide an implementation that coincides with the needs of the other key issues. III. Models and Frameworks. Models and frameworks provide the ability to analyze, â€Å"a structured set of essential components of an object for which clear expressions is necessary and perhaps even mandatory for creating, operating, and changing the object† (Zachman, 2008). The object is the enterprise and the ability to implement any new business policy requires structure from models and frameworks. The models and frameworks that relate to providing structure in implementing BYOD are the Zachman Framework, Rogers’ Diffusion of Innovation Theory, Risk IT framework and Val IT Framework. The Zachman Framework is the foundation for architecture of any kind and enterprises that are growing in complexity can be represented with the Zachman Framework. With bring your own device the enterprise architecture of an organization will need to change to fit with the architecture change that BYOD brings. The two columns from the Zachman Framework that BYOD will affect is the Where and W ho columns. The Where column involves the network and how the system of an enterprise will change in regard to BYOD. The technology will need to be provided by or to employees that will change the architecture of an enterprise. The system will be with employees everywhere which means the business will be with employees everywhere they go. Leaving the business in a more vulnerable state that may create the loss of important data, which will increase the need for employees to be more responsible. The Who column needs to interact with the Where column that provides a distributed system that will require Responsibility from the organization’s employees. The business role of the employee’s device will need to have specifications, be defined and represented. The engineer perspective will need to define for the devices role for both the device and employee. The architect perspective will need to   define the potential locations for the system and where it can reach. With a clearly defined system role for the devices themselves the business management perspective should focus on how the devices are defined for the employees. To implement BYOD the enterprise will need to focus on those columns of the Zachman Framework. While the Zachman Framework provides the structure organizations will need the Rogers’ Diffusion of Innovation Theory provides aspects of innovation that will help mold business policies that should increase the ability of BYOD to be implemented. Rogers’ Diffusion of Innovation Theory provides four theory elements. The four theory elements are the innovation, communication, time and social system. â€Å"The innovation does not need to be new in terms of being recently developed, it only needs to be new to the person or organization that is adopting and implementing it† (Lundblad, 2003). The theory continues that there are five parts to the innovation that increase rate of implementation as each of these characteristics increase. The five characteristics of the innovation are â€Å"relative advantage, compatibility, complexity, trialability, and observability (Rogers, 1995)† (Lundblad, 2003). Relative advantage is a perceived improvement over the current status. To implement BYOD their needs to be a perceived improvement according to the employee’s view. Planning the implementation of BYOD will help make sure the improvement is seen and the employees will accept the innovation. The characteristic, Compatibility measures how well the innovation aligns with organization. Implementing the system in line with the organization with good understanding of the business will increase the compatibility and make the implementation possible. The next characteristic is complexity which is the measure of ease of use. Knowing the end users of the implementation and what they want in a BYOD implementation will help them have a positive user experience and increase the rate of adoption. Another characteristic is trialability. It is the measure of testing and more testing makes adoption faster. Providing good quality control when testing will make sure that the implementation will be in line with the implementation planning. The last characteristic is observability and it is the measure of visibility others have of the innovation and if more visible the faster the adoption. Providing end users with a positive visible experience will make employees more willing to go along with the innovation. â€Å"The second element of Rogers diffusion of innovation theory is communication, or the process by which people develop and share information with each other to achieve common understanding (Rogers, 1995)† (Lundblad, 2003). The need for IT managers to speak the business’s language is very important. So an emphasis will need to be on communication for the IT department to ensure all needs of the business are being met. â€Å"Realizing value from business change requires effective communication† (IT Governance Institute, 2008). Time and social system are the last two theory elements. Time involves the different adoption rates of innovation and social system involves members in group or organization with a common goal. â€Å"Opinion leaders, change agents, and champions are the people within a social system who have the ability to influence the diffusion of innovation within a social system (Rogers, 1995)† (Lundblad, 2003). Winning over the most influential employees of the business will help influence other employees and ensure the business wants the implementation of BYOD to succeed. The last two frameworks needed to be taken into account when implement BYOD is Risk IT framework and Val IT Framework. The Risk IT framework needs to be taken into account when implementing BYOD or any other system. There are six Risk IT principles that will help effectively assess risk. The Risk IT principles are connect to business objectives, align IT risk management with ERM, balance cost/benefit of IT risk, Promote fair and open communication, establish tone at the top and accountability and function as part of daily activities. (ISACA, 2009) Effective enterprise governance of IT risk should have the potential amount of risk the enterprise is ready to take clearly defined with business objectives (ISACA, 2009). â€Å"Effective enterprise governance of IT risk always connects to business objectives† (ISACA, 2009). Controls should also be implemented to address risk. â€Å"Controls are implemented to address a risk and based on a cost-benefit analysis. In other words, controls are not implemented for the sake of implementing controls† (ISACA, 2009). IT risk should always be taken into account. â€Å"Risk management practices are appropriately prioritized and embedded in enterprise decisionmaking process† (ISACA, 2009). Val IT is another framework that should be assessed when implementing BYOD to ensure the creation of value with the implementation. Val IT is used with CobIT, â€Å"Val IT both complements CobIT and is supported by it† (IT Governance Institute, 2008). â€Å"CobIT processes manage all IT-related activities within the enterprise† (ISACA, 2009). â€Å"Val IT and CobIT provide business and IT decision makers with a comprehensive framework for the creation of value from the delivery of high-quality IT-based services† (IT Governance Institute, 2008). Four questions can be asked to assess the enterprise and ensure value. (IT Governance Institute, 2008). All the frameworks of Risk IT, Val IT and CobIT can interconnect and provide an efficient management of IT. (ISACA, 2009)With both Val IT and CobIT, Risk IT can help enhance risk management and should be applied to an enterprise that is implementing a BYOD policy. IV. Plan of Action PLANNING Planning should be considered a crucial part when creating a BYOD policy. Depending on how a policy is created will determine the success it has going forward. A lackadaisical approach during the development can cost a company immediate complications (Pendleton, 2012). The planning stage is where management will cover the concerns and questions related to creating a standard policy for the organization to administer. It is imperative the planning stage not be taking lightly. Planning should never be rushed or thrown together in an â€Å"ad-hoc† like manner. Carelessness shown during planning can have devastating effects for the company’s future (McKendrick, 2012). PEOPLE Developing a successful policy should promote an open collaboration between both the employees and the organization (AbsoluteSoftware 2012). Important details to include are the specifics for the guidelines set for users on the network. These areas of policy can become very blurry for both organizations and their staff to deal with (Kaneshige, 2012). It is vital to outline details for what usages are allowed on the network, a user’s classification on the network, the user restrictions for specific classifications, and the disciplinary actions for abusing the use. Personal ownership must be directly associated to the users on the network. Violations to the end-user agreement develop for network usage must be outlined with explanations that are clear and concise. Management must set a good example by following the regulations put into place just as any employees are expected to do. Realizing value from business change requires effective communication- a critical requirement difficult to achieve without widespread acceptance of a consistent set of terminology† (IT Governance Institute, 2008). MANAGING TECHNOLOGY When initiating a policy into the business structure there are key subject matters to be addressed. It is important to designate the governance for the plan being implemented. So there will be an enterprise wide discipline for the policy. Each device that is allowed to have access to the network becomes a problem waiting to happen if lost or worse, stolen with malicious intent. There are key strategies to keep in mind when preparing a solution for defending against possible vulnerabilities on mobile devices. The components offering the most reliable solutions are focusing on access control and identity management (Chickowski, 2012). The capability to have both the control and visibility on events on the company’s network is key for management. Lately, there has been various mobile security providers stating the solution is to control the data, rather than the device itself (Corbin, 2012). Personal owners are still strongly encouraged in taking preventive actions to securing th eir device. Nevertheless, IT departments can only do so much [software-wise] when taking security precautions handling devices on the network. In the case of IT being the direct barrier of prevention, the use of devices and   software the directed focus is more information-centric (Corbin, 2012). IT staff must direct attention towards securing data itself by blending the right amount of features to check authorizations and authentications. This layered approach centered at the information will provide more control over security wherever it should move or stop. The protection of corporate data is of utmost importance for a business. Any data obtained through lost or stolen devices would be a nightmare for an organization; but, having data fall into the wrong hands could compromise a company’s integrity to other competitors can be disastrous. Therefore, it is crucial that preventive measures are put in place to ensure the integrity of an organization and its data. A beneficial solution to security is to include proper hardware and software that facilitates automatic provisioning that can be administered by the IT de partment. The Identity Services Engine (IES) by Cisco is one great example to the controllability needed for security. This software offers an efficient way for enterprises to manage network connections through an identity and access control policy platform. With access to vital information in real-time, enterprises can make proactive governance decisions about access (Cisco, 2012). This is the type of authority organizations need to ensure a safer network for users while securing valuable data. In connection with the security policies established there are legal issues bound to arise from the control organizations place over data being transferred and stored on employee devices. This topic of rights can leave both sides feeling uneasy. Nonetheless, businesses must protect their data that accessed by users on the network. The development process of the BYOD policies is where organizations will want to include details pertaining to ownership. Such discussion must include the liability for the information being used, how and when should a device-wipe be used, and exit strategies taken for employees leaving the business (Hassell, 2012). A great example of this problem would be defining the jurisdiction concerning who has authority and rights of the data located on an employee’s device if he or she should be terminated or leave the company. These are all big issues that must be addressed depending on the vulnerability of your corporate data; otherwise, this going unstated that lead to annoying litigation for management. EXECUTION/ASSESSMENT Finally, once the components of execution and governance have been covered it is necessary for the organization to assess its current transition. It is here management must audit the new BYOD strategy to determine their Return on Investment (ROI). When reviewing the results of a recently implemented strategy there are two sets of key questions to measure the success of its use. The governance-related questions based from a Val IT approach include: Are we doing the right things? (The strategic question) and Are we getting the benefits desired? (The value question). The last set of questions are COBIT focused taking on an IT view. These two are: Are we doing them the right way? (The architecture question) and Are we getting them done well? (The delivery question) (IT Governance Institute, 2012). The combination of both the Val IT and COBIT frameworks create a synergistic relationship that will ensure a highquality IT-based service is creating value across the enterprise. V. Critical Success Factors The critical success factors for successful management of the BYOD policy are to plan, manage, assess, execute and communicate. Planning must be done first using Rogers’ Diffusion of Innovation Theory and Zachman Framework as a basis to planning to ensure the BYOD policy is going to be accepted by the enterprise’s employees and align with the business. Communication needs to be an important part of planning to understand the business objectives. Planning must include how BYOD will be managed, executed, communicated and assessed. The management of the technology needs to ensure data safety using authentication and governance. The BYOD policy needs to be assessed before execution. â€Å"The risk that a large IT-enabled project will fail for lack of business change should be assessed by top management at the very conception of the project and by project management at key phases over the life of the project† (Gibson, 2004). Other frameworks to assess the BYOD policy are Risk IT, Val IT and CobIT. These are needed to understand the business risk associated with the BYOD policy, ensure value and assess the IT processes involved in the IT strategy switch. To execute, management needs to implement the policy with good quality control aligning it with the plan and technology management of the BYOD policy. Management needs to also communicate the governance and rules of the BYOD policy to ensure discipline. Explanation of consequences is also needed so employees understand the consequences of their actions using their own devices as a part of the enterprise. Lastly, the BYOD policy will need to be audited continuously to guarantee the safety and integrity of information while operating properly to attain the enterprise’s goals and objectives. Work Cited Aala Santhosh Reddy. (June 2012). Bring Your Own Device (BYOD) Making It Work For Your Organization. In Slideshare.com for Cognizant Research Center. Retrieved , from http://www.slideshare.net/cognizant/making-byod-work-for-your-organization 13450463. BYOD Policy Implementation Guide. London: Absolute Software, 2012. PDF. Cisco Systems, Inc.. (2012). Cisco Identity Services Engine Software 1.1.1 (aka 1.1MR). In Cisco. Retrieved , from http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_ 67-658591.html. Ericka Chickowski. (June 19, 2012). Visibility and Control Still an Issue With BYOD Policies. I Network Computing: For IT By IT. Retrieved , from http://www.networkcomputing.com/security/visibility-and-control-still-an-issue wi/240002308. Gibson, C. (2004). It-enabled business change: An approach to understanding and managing risk. Retrieved from http://papers.ssrn.com/sol3/papers.cfm? ISACA. (2009). The risk it framework. Retrieved from http://www.isaca.org/Knowledge Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx IT Governance Institute. (2008). Enterprise value: Governance of it investments. the val it framework 2.0. Retrieved from http://www.isaca.org/KnowledgeJoe McKendrick. (October 23, 2012). 10 steps for writing a secure BYOD policy. In ZDNet.com. Retrieved , from http://www.zdnet.com/10-steps-for-writing-a-secure-byod-policy 7000006170/ Jonathan Hassell. (May 17, 2012). 7 Tips for Establishing a Successful BYOD Policy. In CIO.com. Retrieved , from http://www.cio.com/article/706560/7_Tips_for_Establishing_a_Successful_BYOD_Poli y. Kaneshige, T . (March 06, 2012). BYOD: Making Sense of the Work-Personal Device Blur. In CIO.com. Retrieved , from http://www.cio.com/article/701545/BYOD_Making_Sense_of_the_Work_Personal_De ce_Blur. Kenneth Corbin. (August 23, 2012). BYOD Security Demands Mobile Data Protection Strategy. In CIO.com. Retrieved , from http://www.cio.com/article/714550/BYOD_Security_Demands_Mobile_Data_Protecti n_Strategy. Lundblad, J. (2003). A review and critique of rogers diffusion of innovation theory as it applies to organizations.Organization Development Journal, 21(4), 50-64. Retrieved from http://search.proquest.com/docview/197971687?accountid=7113 Miller, K., Voas, J., Hurlburt, G. (2012). BYOD: Security and Privacy Considerations. IT Professionals. 14 (5), 53-55. Retrieved from http://ieeexplore.ieee.org Mark Pendleton. (August 13, 2012). Top Concerns When Creating a BYOD Policy. In NEC Corporation of America . Retrieved , from http://info.necunified.com/bid/153070/Top Concerns-When-Creating-a-BYOD-Policy. Rob Humphrey. (March 07, 2012). Manage Risks Reap Rewards: BYOD. In Kensington Safe Zone with Rob Humphrey Blog