BYOD
BYOD PROJECT
Revised Jan 8, 2014
IMPORTANT NOTE: This is a Project, IT IS NOT UAS POLICY
This is an Open Project that anyone may contribute to.
General Description
Build a model for implementing BYOD (Bring Your Own Devices) Policies and Procedures in a Production Workplace Environment. In this case, it will be a hybrid BYOD environment where the following apply:
- BYOD usage is permitted - e.g. A visitor or employee acceptably uses their own cell phone with their own 3G service, not connected to the Company's Intranet.
- Authorized BYOD is permitted - e.g. The President wants to access Company resources with her laptop when in the office or on the road.
- Unauthorized BYOD is prohibited - e.g. An employee brings their own wireless router in and connects it to the Company Intranet so he can have a wireless access point to surf the Internet.
PART 1 - DESCRIPTION, DEFINITIONS, AND SCOPE
BYOD = Bring Your Own Devices
Employee owned network devices are becoming more prevalent in the workplace. This document defines what BYOD devices are and what Policy is regarding their use.
Many employees are now the proud owners of BYOD devices – and some people may not even realize it! Every “Smart Phone” capable of transmitting and receiving data (text, photos, music, videos, etc.) is a BYOD capable of connecting to the Production Network and potentially affecting its performance, reliability, privacy, and security. The Policy and Procedures described in this document are intended to be implemented to protect the Production Network from Unauthorized or Intruding devices.
The activities not applicable to this document are the acceptable uses of BYOD devices not connected to the Production Network by employees in the shop. For example: Cell Phone voice calls and employees using their own personal 3G/4G Internet services on their devices.
BYOD Criteria
The Production Network in this document is the Company's Internal (LAN Intranet) Network accessed from within the facility itself or from the Internet using Remote Control software or VPN. A BYOD is a device that meets any of the following criteria:
- A device that attempts to connect to the Production Network and the device is not owned or maintained by the Company.
- The device’s significance, usage, or functions are not related to Company Production.
- The device is attached to another network outside of the Production Network for significant periods of time.
Typical BYOD Devices
Typical BYOD Devices are Hardware Devices that include, but are not limited to the following:
- Personal Computers, Laptops, Tablets, and Hand Held PC network devices.
- Cellphones with WiFi capabilities
- Personal WiFi Access Points and Routers
- Network Printers and Multi-Function Devices
- Network Games and Media Players
BYOD Status in the Production Network
UNAUTHORIZED
DEFAULT
- New unidentified Device that is trying to connect to the Production Network
Example: Employee’s cell phone with WiFi capability turned on while working in the shop.
INTRUDER
- Unauthorized Device that successfully connected to the Production Network.
Example: Unknown cell phone connecting to the Production Network without Admin Authorization.
AUTHORIZED
GUEST
- Authorized Device that connected to the Production Network
Example: Consultant brings in a laptop and wants to access the Internet.
AUTHENTICATED
- Authorized Device that is connected to the Production Network and the user has authenticated a login to one or more Production Network Resources.
Example: Consultant brings in a laptop and wants to access the printers or ERP system.
PART 2 - BYOD POLICY – APPLIES TO EVERYONE AT THE COMPANY
BYOD Device Authorization
- Each BYOD device must be uniquely identifiable when connected to the network
- Each BYOD device must be reviewed by the System Administrator
- Each BYOD device will be reviewed for compatibility and security to determine its eligibility for Authorization.
- Authorized device and owner information will be cataloged in the ISOE database.
- The usage of BYOD devices may be recorded, logged, or monitored in real time by the System Administrator or delegate.
Unauthorized BYOD Devices are Prohibited
- Any Unauthorized BYOD device whose capabilities may impact the performance or reliability of the Production Network is prohibited.
Examples of Prohibited Unauthorized Devices
- Routers, VLAN Switches, any devices capable of running network routing and discovery protocols
- Wireless Access Points
- Cell Phones with Access Point Feature Enabled
- ANY device potentially acting as a DHCP or BOOTP Server!
- Device Servers
- Routers, Network Game Servers
- Laptop with ICS [internet connection sharing] enabled
- NAT enabled devices with more than 1 network port.
- Network Recording Devices (personal web cams, network radios, network audio, keyboard loggers)
- Laptops, PCs, Tablets, Servers, Embedded Servers, and Virtual Machines on those.
BYOD Detection and Enforcement
- The Systems Administrator may use any means of detection to determine the presence of BYOD devices on the Production Network.
Definition: An Unauthorized BYOD Device that succeeds in connecting to the Production Network is considered an INTRUDER and considered a high risk security threat.
- The Systems Administrator may use any means of penetration testing to determine the identity and functional features of any INTRUDER (Unauthorized and Connected).
- The Systems Administrator may aggressively use any security measures or tools to protect the Production Network from Unauthorized Devices attempting to connect or INTRUDERS.
- The Systems Administrator is not responsible for problems that an Unauthorized BYOD device may experience as the result of penetration testing or security measures.
Penalties for Unauthorized Use and BYOD Intrusion
- The Systems Administrator may revoke or refuse authorization and force disconnection or change of status to INTRUDER for BYOD devices without providing a reason to the device owner or user. Reasons for such action are often technical in nature and beyond the immediate scope of the offense (i.e. post mortem forensics may be required).
- INTRUDER BYOD devices may be immediately confiscated by the Systems Administrator. Return of a confiscated BYOD device will be done after mediation between the INTRUDER BYOD Device Owner, Company Management, and the Human Resources Management.
Making BYOD Devices Safe Near the Production Network
- Employees should configure their Unauthorized BYOD devices to not connect to the Production Network and to disable shared Wireless Access Point mode. Using the following device configurations will prevent the BYOD from being tagged as an INTRUDER.
  - Turn Off WiFi Autoconnect feature in all Unauthorized BYOD devices
  - Turn Off Access Point (shared wireless router) feature in all Unauthorized BYOD devices
  - Do not attempt to physically connect any Unauthorized BYOD device to the network.
PART 3 - IMPLEMENTING BYOD INTRUSION DETECTION
Detection Requirements
- Detect and Uniquely Identify BYODs attempting to connect to the LAN
- Log BYOD connection attempts and successes
Action Requirements
- Determine if a BYOD connection is Authorized or Unauthorized
- Transmit an email/text notification to the Sys Admin alerting to unauthorized connections
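As an added illustration (not part of the project's own material), the Detection and Action requirements above can be expressed as a log classifier that applies the statuses defined in Part 1. It assumes devices are identified by MAC address, a hypothetical three-field event log (ATTEMPT / CONNECT / LOGIN), and an in-memory dictionary standing in for the catalogue of Authorized devices; all sample values are constructed.

```python
import re

# Constructed stand-in for the catalogue of Authorized devices (MAC -> note).
AUTHORIZED = {"02:00:00:aa:bb:01": "consultant laptop"}
EVENTS = {"ATTEMPT", "CONNECT", "LOGIN"}  # hypothetical event names

# Constructed sample events: timestamp, event, device MAC in mixed notations.
SAMPLE_LOG = """\
2014-01-08T09:00:00 ATTEMPT 02-00-00-CC-DD-02
2014-01-08T09:05:00 CONNECT 02:00:00:AA:BB:01
2014-01-08T09:06:00 LOGIN 02:00:00:aa:bb:01
2014-01-08T09:10:00 CONNECT 0200.00ee.ff03
2014-01-08T09:11:00 CONNECT not-a-mac
"""

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if malformed."""
    s = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", s):
        return None
    return ":".join(s[i:i + 2] for i in range(0, 12, 2))

def classify(mac, event):
    """Map one event to a status name from Part 1 of the page."""
    if mac not in AUTHORIZED:
        return "INTRUDER" if event in ("CONNECT", "LOGIN") else "DEFAULT"
    # Assumption: "AUTHORIZED" for a catalogued device that has not connected yet.
    return {"CONNECT": "GUEST", "LOGIN": "AUTHENTICATED"}.get(event, "AUTHORIZED")

def process(log_text):
    """Return (log records, alert messages for the Sys Admin)."""
    records, alerts = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, event, raw = parts
        mac = normalize_mac(raw)
        if mac is None or event not in EVENTS:
            records.append((ts, raw, "UNPARSED"))  # cannot be uniquely identified
            continue
        status = classify(mac, event)
        records.append((ts, mac, status))
        if status == "INTRUDER":
            alerts.append(f"{ts} INTRUDER {mac} connected without authorization")
    return records, alerts

if __name__ == "__main__":
    print(*process(SAMPLE_LOG), sep="\n")
```

MAC addresses can be changed by the device owner, so a deployment would pair this identifier with a stronger one, such as a per-device certificate or login credential.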
Detection Software Candidates Required Features / Product Matrix (To Do)
- PADS
- Security Onion
- ...(To Do)
PART 4 - SECURITY IMPLEMENTATION - PRODUCTION NETWORK
- (To Do)
PART 5 - SECURITY IMPLEMENTATION - GUEST NETWORK
Physical Separation of Guest and Production Network Zones
- (To Do)
Guest >< Production Zone Routing Policies Similar to Internet Firewall
- (To Do)