Using ISO 27001 to make Endpoint Management Secure, Safe, and Scalable
2020 was a transformative year for Endpoint Management...
The pandemic changed the modern workspace. For some industries, Work from Home (WFH) suddenly became the only way to continue their operations. The sudden shift left some IT teams scrambling to make sure each member still had access to their work in the new environment, whether that meant issuing corporate-owned devices that could be taken home, or asking employees to use their own personal devices.
A study from Palo Alto Networks, conducted by ONR, showed that while 60% of companies expanded their BYOD policies to accommodate the sudden shift to WFH, the expansion often came at the cost of security.
Thankfully, now that the quick-fire logistical challenges and decisions are behind us, teams have the time to take a step back, breathe, and create a plan for the future of BYOD ("Bring Your Own Device").
A BYOD-centric company strategy is not a new concept, but it appears to have become the new norm for IT deployment. The rapid shift to remote work brought on by the pandemic necessitated major overhauls and drastic changes to many IT infrastructures, and it also introduced new workplace issues.
Without the right asset management policies and endpoint management tools in place, BYOD can create significant security vulnerabilities. To ensure policies and tools are aligned, we tell clients to follow what we call the Three Ss of Endpoint Management: Secure, Safe, and Scalable.
Secure
Exactly what you think it means. Unless access has been pre-approved by authorized personnel, the information on a managed device stays protected against outside actors.
Safe
If a device somehow falls into the wrong hands, with the correct preventative controls in place, such as device encryption, proper MFA, and policies that enforce them, your organization can rest easy knowing that despite the theft, your proprietary information or data remains encrypted and out of reach. Don't forget to require PIN codes and enable remote wipe!
Scalable
As with any quickly growing organization, there must be an established way to make sure your asset count keeps up with your staff count. This includes making sure that staff members who have changed access levels or have left the organization are documented, accounted for, and match company records. Quarterly (at minimum) auditing and review of the source of truth in your endpoint management tool should be benchmarked against HR registers and asset inventory lists.
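The quarterly reconciliation described above can be scripted. The following is an added example, not code from the original article or from ARORA Solutions: it takes three CSV exports (HR register, asset inventory, MDM device list), cross-checks them, and returns the discrepancies an auditor would chase. The column names, the 30-day stale check-in threshold and the sample rows are constructed assumptions; map them onto whatever your HRIS, asset tool and MDM actually export.

```python
"""Reconcile an MDM device export against the HR register and asset inventory.

Added example, not part of the original article. CSV layouts, column names,
thresholds and the sample rows are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

STALE_DAYS = 30  # assumption: a device silent for 30 days is flagged

# Constructed sample exports (not real data).
HR_CSV = """email,role,status
alice@example.com,admin,active
bob@example.com,user,active
carol@example.com,user,terminated
dave@example.com,user,active
"""
ASSETS_CSV = """serial,model
SN001,Laptop-13
SN002,Laptop-13
SN003,Laptop-15
SN005,Tablet-10
"""
MDM_CSV = """serial,owner,role,last_checkin
SN001,alice@example.com,admin,2024-03-30
SN002,bob@example.com,admin,2024-03-28
SN003,carol@example.com,user,2024-01-05
SN004,erin@example.com,user,2024-03-25
"""


@dataclass
class Findings:
    orphaned_devices: list = field(default_factory=list)    # owner not active in HR
    unknown_devices: list = field(default_factory=list)     # in MDM, not in asset list
    unenrolled_assets: list = field(default_factory=list)   # in asset list, not in MDM
    role_mismatches: list = field(default_factory=list)     # MDM role differs from HR role
    stale_devices: list = field(default_factory=list)       # no check-in within STALE_DAYS
    staff_without_device: list = field(default_factory=list)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def reconcile(hr_csv, assets_csv, mdm_csv, as_of):
    """Cross-check the three sources and return every discrepancy found."""
    hr = {r["email"]: r for r in _rows(hr_csv)}
    assets = {r["serial"] for r in _rows(assets_csv)}
    mdm = {r["serial"]: r for r in _rows(mdm_csv)}
    f = Findings()
    staff_with_device = set()

    for serial, dev in mdm.items():
        owner = hr.get(dev["owner"])
        if owner is None or owner["status"] != "active":
            # Leaver or unknown person still holding an enrolled device.
            f.orphaned_devices.append(serial)
        else:
            staff_with_device.add(dev["owner"])
            if dev["role"] != owner["role"]:
                f.role_mismatches.append((serial, dev["role"], owner["role"]))
        if serial not in assets:
            f.unknown_devices.append(serial)
        last = date.fromisoformat(dev["last_checkin"])
        if (as_of - last).days > STALE_DAYS:
            f.stale_devices.append(serial)

    f.unenrolled_assets = sorted(assets - set(mdm))
    f.staff_without_device = sorted(
        e for e, p in hr.items() if p["status"] == "active" and e not in staff_with_device
    )
    return f


if __name__ == "__main__":
    for name, items in vars(reconcile(HR_CSV, ASSETS_CSV, MDM_CSV, date(2024, 4, 1))).items():
        print(f"{name}: {items}")
```

Every finding class maps back to a Scalable-pillar failure: an orphaned or stale device is a leaver or lost asset the tool still trusts, a role mismatch is an access level that was changed in HR but not in the endpoint tool, and an unenrolled asset is hardware with no management at all.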
ISO 27001/27002 contain multiple clauses and controls that can guide your organization in making endpoint management safe, secure, and scalable, and that also provide guidance on implementing an Information Security Management System (ISMS).
Furthermore, the 2022 revision of this ISMS guidance takes into account the new challenges associated with BYOD in a "post-pandemic" work environment. While not exhaustive, the following ISO 27001:2022 controls can lay the groundwork for any organization looking to gain some insight into maintaining its assets.
We have pulled out the most relevant guidance for BYOD policy and endpoint management here. For the full guidance, please refer to ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls:
6.7 – Remote Working
Make sure that team members are aware of the rules and security mechanisms expected to be in place should BYOD be adopted by the organization
5.10 – Acceptable Use
Expected and unacceptable behaviour when using IT and information assets
Permitted and prohibited use of information and associated assets
Monitoring activities being performed by the organization
8.22 – Segregation of Networks
Criteria of segregation should be based on an assessment of each domain’s security requirements
5.18, 8.2, 8.3 – Data Access
Should include segregation of duties/roles, time-limited access for temporary workers, modification of access rights for people who have changed roles or jobs, etc.
8.5 – Authentication and user sessions
Password management systems
Logging of sign in/out attempts
Termination of inactive sessions and lockout after repeated unsuccessful log-ins
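The 8.5 items above are easy to list and easy to get subtly wrong. The following is an added example, not code from the original article or from ARORA Solutions, showing the three mechanisms together in a small in-memory authentication service: a lockout after repeated failures, termination of idle sessions, and an audit log of every sign-in/sign-out event. The thresholds, the PBKDF2 parameters, the `now` argument (injected so the logic is testable without sleeping) and the sample credentials are all constructed assumptions.

```python
"""Authentication and session controls in the spirit of ISO/IEC 27002:2022 8.5.

Added example, not from the original article. Thresholds, stores and the
sample account are assumptions; a real deployment would persist them.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5              # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60     # assumption: 15-minute lockout
IDLE_TIMEOUT_SECONDS = 10 * 60  # assumption: terminate after 10 idle minutes


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}   # token -> [user, last_activity]
        self.audit = []      # (time, event, user)
        self._dummy_salt = os.urandom(16)  # used so unknown users cost the same

    def _log(self, now, event, user):
        self.audit.append((now, event, user))

    def register(self, user, password):
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user, password, now):
        """Return a session token on success, None on any failure (all logged)."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._dummy_salt)  # keep timing uniform
            self._log(now, "login_failure", user)
            return None
        if now < acct.locked_until:
            self._log(now, "login_rejected_locked", user)
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                self._log(now, "account_locked", user)
            else:
                self._log(now, "login_failure", user)
            return None
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [user, now]
        self._log(now, "login_success", user)
        return token

    def touch(self, token, now):
        """Validate a session on each request; terminate it if idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user, last = sess
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._log(now, "session_terminated_idle", user)
            return None
        sess[1] = now
        return user

    def logout(self, token, now):
        sess = self.sessions.pop(token, None)
        if sess is not None:
            self._log(now, "logout", sess[0])
```

Two details matter for the control: the lockout is checked before the password so a locked account cannot be probed, and the idle check happens on every request rather than relying on the client to sign out, which is what "termination of inactive sessions" means in practice on a BYOD device you do not fully control.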
Mobile Application Management (MAM) or Mobile Device Management (MDM) – Multiple Annex A controls could apply to ensure proper implementation of a MAM or MDM solution
A.5.34 – Privacy and protection of PII
A.8.1 – User endpoint devices
A.8.13 – Information backup
A.8.26 – Application Security Requirements
A.8.12 – Data Leakage Prevention
In summary, figuring out a proper BYOD policy/management framework doesn't have to be difficult. We recommend that written policies and procedures be aligned to ISO 27001/27002 for a best-practices approach. With the guidance that ISO 27001/27002 offers, this daunting task can be broken down into bite-sized pieces which eventually form a cohesive framework that everyone in your organization can easily follow, with enough flexibility to grow and change along with your organizational needs.
Contact us and let our team at ARORA Solutions know how we can assist your IT teams in implementing a Secure, Safe and Scalable approach to BYOD and Endpoint Management.