Bring Your Own Device (BYOD) Policies and Practices

January 21, 2018
Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD): an organization allowing employees to use their own personal devices, such as smartphones and tablets, to conduct organization business.

The SANS Reading Room article, SANS Survey on Mobility/BYOD Security Policies and Practices, found that 61% of organizations allowed personal devices to connect to protected company systems, but only 9% of organizations were truly aware of which particular devices were connecting to protected systems and what resources they were accessing. Of all the organizations polled, 60% responded that they have a risk program in place, but 50% of those did not have BYOD Acceptable Use Policies in place, even though 95% of those surveyed stated they understood the importance of having a robust policy in place.

The SANS survey specifically noted that respondents listed the following as the most critical practices to implement: data protection and encryption, secure access to corporate resources, knowing what sensitive data personal devices can access, and requiring endpoint protection such as anti-malware, mandatory updates and patches, data loss prevention, and secure web browsing. Other practices not commonly mentioned in the survey included mandatory user education, application whitelisting and blacklisting, secure distribution of applications (for example, a corporate app store), keeping an inventory of installed apps, and mandatory "sandboxing".

In addition to standard endpoint controls, organizations should also practice secure network control, for example Virtual Private Networks (VPN), authentication before data can be accessed, and encryption of data in motion and at rest.
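The two paragraphs above name the controls the survey respondents rated most critical: knowing which devices connect and what they reach, and refusing devices that lack encryption, current patches, anti-malware, or that carry apps outside an allowlist. The following is an added illustration, not code from the post or from the SANS survey, of how those checks fit together as a single compliance gate. The device records, the inventory, the allowlist, and the 30-day patch threshold are all constructed sample values, and the field names are assumptions rather than any MDM product's API.

```python
"""Compliance gate for BYOD connection attempts (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

MAX_PATCH_AGE_DAYS = 30                            # policy threshold: assumed value
APP_ALLOWLIST = {"mail", "vpn-client", "docs"}     # constructed allowlist
RESTRICTED_RESOURCES = {"hr-db", "finance-share"}  # constructed sensitive resources

# Constructed inventory: device id -> registered owner. The survey found only 9%
# of organizations actually knew which devices were connecting; this is that list.
INVENTORY = {"dev-001": "alice", "dev-002": "bob"}


@dataclass
class Device:
    """One connection attempt as an MDM agent might report it (fields are assumed)."""
    device_id: str
    owner: str
    disk_encrypted: bool
    last_patch: date
    anti_malware: bool
    installed_apps: Set[str] = field(default_factory=set)
    requested_resource: str = ""


def check_device(dev: Device, today: date) -> List[str]:
    """Return every policy violation for a connection attempt; empty list means allowed."""
    violations = []
    # Inventory: unknown devices and devices presented by someone other than
    # their registered owner are both refused.
    if dev.device_id not in INVENTORY:
        violations.append("unregistered device")
    elif INVENTORY[dev.device_id] != dev.owner:
        violations.append("owner mismatch")
    # Endpoint protection requirements from the survey: encryption at rest,
    # mandatory patching, anti-malware.
    if not dev.disk_encrypted:
        violations.append("disk not encrypted")
    if (today - dev.last_patch).days > MAX_PATCH_AGE_DAYS:
        violations.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not dev.anti_malware:
        violations.append("no anti-malware")
    # Application allowlisting: any installed app outside the list is a finding.
    disallowed = dev.installed_apps - APP_ALLOWLIST
    if disallowed:
        violations.append("apps outside allowlist: " + ", ".join(sorted(disallowed)))
    return violations


def evaluate_connections(devices: List[Device], today: date) -> Dict[str, dict]:
    """Build the access record most surveyed organizations lacked: which device,
    owned by whom, was allowed or refused which resource, and why."""
    report = {}
    for dev in devices:
        violations = check_device(dev, today)
        report[dev.device_id] = {
            "owner": dev.owner,
            "resource": dev.requested_resource,
            "sensitive": dev.requested_resource in RESTRICTED_RESOURCES,
            "allowed": not violations,
            "violations": violations,
        }
    return report


# Constructed connection attempts for a review on 21 January 2018.
SAMPLE_DEVICES = [
    Device("dev-001", "alice", True, date(2018, 1, 10), True, {"mail", "vpn-client"}, "finance-share"),
    Device("dev-002", "bob", False, date(2017, 10, 1), True, {"mail", "game"}, "hr-db"),
    Device("dev-999", "mallory", True, date(2018, 1, 15), False, {"mail"}, "hr-db"),
]

if __name__ == "__main__":
    for dev_id, row in evaluate_connections(SAMPLE_DEVICES, date(2018, 1, 21)).items():
        print(dev_id, row)
```

Run as-is, the report shows one compliant device reaching a sensitive share, one registered device refused on three separate findings, and one unknown device refused before its other attributes matter. In practice each finding maps back to a sentence in an acceptable-use policy, which is what makes the policy enforceable rather than advisory.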

In conclusion, research shows that most organizations currently rely on traditional, tried-and-true security controls when dealing with BYOD connections to protected systems. Of note, control over access is often inconsistent and decentralized, and the fallback control is frequently a policy that does not specifically address BYOD. Organizations often lack an organized, centralized way to secure BYOD access. Fortunately, many organizations are starting to respond to BYOD security concerns by implementing stronger policies and mobile-focused controls.


Johnson, K., DeLaGrange, T., & Filkins, B. (2012, October). SANS Survey on Mobility/BYOD Security Policies and Practices. Retrieved September 3, 2017, from

Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
