IT Risk Assessment for BYOD Case Study

Question: Discuss about the IT Risk Assessment for BYOD. Answer: Introduction Bring Your Own is one of the most effective and advanced technologies within the technical field. BYOD is defined as the practice that allows the user for using their own devices in the workplace for their personal as well as official works. In addition to this, Information Technology introduces several technological advancements in to the technical field of application (Agudelo et al., 2016). Among all of these technological advancements BYOD is one of the most effective technologies that effectively reduced the hazards of providing devices to the employees for their official usages within the organization. This report is elaborating IT risks assessment related to the BYOD technology within the technical scenario. In contrast with this fact, first of all this report is providing a brief introduction to the financial sector that is considered for a fictional organization Aztek. After this brief description this report is elaborating about the risk assessment scenarios about the organization within the concerned target market. Review of the Project with respect to Financial Service Sectors BYOD is one of the beneficial aspects to be considered within any organization that easily mandates the situation in order to bring the effective technical solutions within the organization (Bello, 2015). In addition to this, if the organization allows their employees to bring their own devices for their official work to be done within the organization, this aspect will be effective to the organization as there will not be any hazards in providing devices to the organizational members but there are other various issues that are considered only for the financial service sectors these aspects are elaborated in this part of the report that describes the effects and negative impacts of the BYOD on the financial service sectors (Bessis O'Kelly, 2015). These are explained as follows: Security issues related to BYOD: BYOD applications allow the organization in reducing the effective cost of devices within the organization but the security issues are introduced within the corporate network of the organization (Brodin et al., 2015). previously the smart devices were market driven but in the contemporary times, the devices are customer driven and every single person has one smart device with them, so the security concern are increasing day by day (Chance Brooks, 2015). Organizational data are at risks when the employee uses their own devices for corporate purposes and financial data are leaked with the help of these kinds of applications. Dangers associated with uncontrolled devices: Allowing the personal devices within the corporate network for getting the official work are done introduces various risks associated with financial and other confidential organizational data (Cole et al., 2013). This aspect can bring the organization down to their knees. Positive impact of the BYOD on the financial sector: There are various positive impacts of BYOD that are also helping the financial sector for making their effective tasks done (Ghosh et al., 2013). Among all of these important benefits of BYOD over the financial service sectors are that the organization get their effective investments reduced that are invested for buying or hiring the devices for employees. In addition to this, with the help of BYOD technology the organization can easily takes care of the personal needs of the employees within the organization. Mobility of operations involved in financial services: The financial service sector introduces various critical situations for the organization that needs mobile operations (Keyes, 2013). BYOD application brings the mobility within the system architecture of the organization. Business communication, fund transfers and other financial data related operations allows the organizational members to be active within the scenario (Lee Still, 2015). This functional specification is another benefit of BYOD for increasing the revenues of the financial institution. Review of the Project Impact on the current security posture of Aztec The BYOD introduces various security issues within the financial service sectors. In contrast with these security issues, some of them are being elaborated in this report in order to highlight the disadvantages of BYOD with respect to the financial service sectors. These are discussed as follows: Restrictions can be bypassed: The employee devices have the access to over the restrictions that are generally provided by Aztek in order to get security of the confidential data within the organization (Lobelo et al., 2016). The employees are able to access these kinds of data. The employees can easily bypass the organizational security in order to retrieve the organizational data used or confidentially stored for the security aspect of the organization. Vulnerable devices and software: Each and every device that includes various security issues within the Aztek. These vulnerabilities are harmful for the organization in that affects the security structure of the organization (Mitrovic et al., 2014). Whenever Aztek is allowing the any third party in using their own network there are chances the vulnerability software to be introduced within the system. Wireless access point: There are always such employees that have configured devices those have the capability to be connected with any kind of networks (Moshir et al., 2014). These kinds of access over open WIFI allow the employees to introduce various snooping activities within the Aztek open network. This is another security risk for BYOD applications within the network. Exposure of Emails: This is another security threat involved within the official or corporate network of the system architecture of Aztek. If the employees of Aztek forget to lock their devices within the organizational premises and the device is transfer to a wrong person who misused the device data then he can get easily the access over the email and misuse all the personal and organizational information of the employee (Moyer, 2013). Adware and Spyware: These are two very common disasters involved within the system architecture of the Aztek system architecture. The employee uses various kinds of mobile applications for their own benefits in order to get their work done (Niesen et al., 2016). In addition to this, the security vendors are responsible for managing the adware and spyware within the system architecture of Aztek. Cloud based service attacks: There are various important aspects that are involved into the system architecture of Aztek. In addition to this, online or network activities introduces various security threats within the system architecture of Aztek. The cloud based service involves snooping, data leakage in to the web etc (Ogie, 2016). These needs to be resolved by Aztek in order to avoid various security threats within the organization. Android Malware: This is another security threat involved within the system architecture of the Aztek. The security vendors are responsible for introducing various security threats within the system architecture of Aztek. There are various aspects that are introduced in to the system architecture of Aztek in order to harm the confidential information within the organization (Rampini Viswanathan, 2016). Chances of loosing devices: There are chances of loosing devices from Aztek premises. In addition to this, if the organizational members leave their devices within the company premises then there are chances of losing their devices (Sadgrove, 2016). In contrast with this fact, if the devices are stolen by any wrong parties then there are chances of leakage of the confidential organizational data. Financial risks involved in system architecture: Though BYOD provides reduction in cost structure for improving the technical set up but the organization increases the cost structure as the threats are getting increased in to the system architecture of Aztek. System architecture of the organization is entirely dependent on the Azteks economic structure. Jail-breaking or rooted devices: This is another possible threat involved within the BYOD structure of concerned organization Aztek. Aztek have the employees within their organization that demands for latest technology in order to root their devices with the firmware. This aspect introduces various technical threats within the system architecture of Aztek. Therefore, Aztek should consider these threats in order to resolve for better solutions (Samaras et al., 2014). Risks Assessment of the BYOD with the help of IT control framework Threats, vulnerability involved within the application of BYOD According to various IT control framework involved within the system architecture of any organization it is clear that BYOD provides various benefits over the organizational network. In contrast with these facts, Aztek is conducting a risk assessment process within their organization in order to recognize the threats, vulnerabilities involved within the system architecture of the organization (Sansurooh Williams, 2014). These risks associated with BYOD applications are being elaborated in this part of the report: Risks associated with Securing Mobile Devices The regulatory measures involved within the BYOD implementation process introduces various risks associated within the system architecture of Aztek. One of the most effective risks associated with BYOD regulatory measures are the risks involved due to security issues for the mobile devices (Seigneur et al., 2013). These are elaborated in this part of the report: Lost Devices: Millions of cell phones and other mobile devices are stolen during the use within organization for official usages. This aspect is a serious concern for the organizational heads as well as the employees. Physical Access: The stolen devices are mainly used by the hackers within the organizational premises in order to hack the official and confidential data over the organizational network (Song Lee, 2014). The user whenever leaves their devices without locking their devices there are chances of confidential data theft. Role of end user devices ownership: In most of the cases of BYOD usages among the employees within Aztek. The employees are not compatible with the usages of the software for their own usage and official usages within the organization (Spears San Nicolas-Rocc, 2016). Increased data access: Increased data access reduces the strength of the corporate network. As the employee gets the free access over the network they make themselves connected to the network always in order to make their own needs to be fulfilled (Tu et al., 2015). This aspect makes the system architecture of the organization weak with respect to the network connectivity. Lack of awareness: lack of awareness over the technical issues and security of mobile devices causses the risks associated with the mobile devices within Aztek. This aspect makes the employees ability questionable within the system architecture within the organization (Webb et al., 2014). The left data openly accessible by any other person allows the hackers and cyber criminals to attack the organizational information system. Addressing app risks Applications introduce various threats and malicious viral threats within the system architecture of Aztek. In addition to this, there are mainly two types application vulnerabilities involved by the usages of applications (Weeger Gewald, 2014). These are malicious codes from applications and application vulnerabilities. These are called addressing application issues. Addressing app risk is elaborated in this section of the report. These are explained as follows: Malicious apps or malware: There are various applications within a particular system within Aztek. Every application involves several security issues within the system architecture of the concerned information system within the Aztek. Whenever the organization decides to involve more number of mobile or smart devices to be connected with the corporate internet connection, the chances of security threats as well as the chances of vulnerabilities are increased within the organization (Yang et al., 2013). The malwares coming from the applications used by the organizational members as well as corporate network allows the hacker to inject several threats and malicious aspects within the system architecture of the organization. Figure 1: BYOD Utilizations (Source: Brodin, 2015, pp-161) App vulnerabilities: App vulnerabilities are also one of the most effective and effective security threats involved within the system architecture of Aztek. This aspect makes the information system weak (Brodin et al., 2015). The increased number of devices connected over the internet increases the involvement of new applications within the system architecture of Aztek. This aspect increases the chances of the application vulnerabilities of Aztek. Management of the Mobile Environment BYOD increases the risks associated with the mobile environment within Aztek. These concerned mobile environment risks are elaborated in this part of the report. These are given as follows: Inventory and platform management risks: The inventory and platform management aspects and field are entirely affected by the BYOD application within the premises of Aztek. In addition to this, BYOD regulatory environment is entirely dependent on the versions of hardware as well as software working within the organization (Chance Brooks, 2015). This aspect increases the chances of risks involvement within Aztek. Therefore, there are huge amount of variability within the system architecture of Aztek if BYOD application is introduced within the system architecture of the organization (Cole et al., 2013). The inventory platform deals with various kinds of data and information that allows the hackers and cyber criminals to attacks the organizational databases. As a result of this aspect, the organization faces various critical security issues within their organization that harms their internal and data security aspects. Recommendations for resolving the threats of BYOD BYOD is beneficial to the information system as well as technical infrastructure of Aztek. In spite of this fact, there are various threats and vulnerabilities involved in the BYOD implementation process (Ghosh et al., 2013). These risks must have to be resolved with the help of appropriate steps and functionalities within Aztek. For this purpose some recommendations are provided in this part of the assignment with respect to the risks assessment done on BYOD implementation within Aztek. These are described as follows: Recommendations for Risks associated with Securing Mobile Devices Evaluation of devices usage scenarios: This aspect helps Aztek in recognizing the data usage scenarios within the organization. Mobile Device Management: Mobile Device Management is one information system that helps to protect the mobile devices. Enforcement in the industry standards and security policies: Enforcement in the industry standards are helpful in solving the issues (Keyes, 2013). Differentiable trusted and untrusted employee access: There must be a system architecture that has to be introduced within the system in order to differentiate the trusted and untrusted user access. Recommendations for addressing app risks Mobile antivirus activation: Activation of the mobile antivirus will be helpful for the device to be protected from the external threats and vulnerabilities. Security aspect for mobile application: Security aspects are very important to be incorporated within the system architecture of Aztek. Involvement of services that ensures data sharing: Data sharing is very important in order to maintain the database security within Aztek. Confidential data access: Confidentiality of databases are very important in order to maintain the security measures within the system architecture of the organization. Recommendations for Management of the Mobile Environment Creation of an appropriate BYOD support: BYOD support system is very important in order to maintain the security infrastructure within Aztek. Review of existing application processes: Review of the existing process and application within organizational premises are very important in order to maintain security perspectives. Social support mechanism: Social support mechanism is very important to be managed with the help of security measures for Aztek. Risk for Data Security There are various aspects that are considered as the data security concern involved within the system architecture of Aztek. In addition to this, the system architecture of the organization should be concerned about these security risks (Lee Still, 2015). There are various risks associated with the implementation of BYOD within Aztek. Among all of these risks this part of the report is discussing about the data security risks within the system architecture of Aztek. These risks are being elaborated as follows: Unknown third party data access over the confidential data of Aztek: This is the most effective and harmful data security measures involved within the system architecture of the organization (Lobelo et al., 2016). Lack of awareness among the employees causes the data theft or data misuse by the third party within the organization. Vulnerable mobile application threats: This is another vulnerable threat to be considered in case of the BYOD applications within the system architecture of the organization. Mobile applications are very affective for the organizational data (Mitrovic et al., 2014). The hacker easily accesses the data over the organizational network in order to get the confidential information from the organizational network. Challenges in tracking data: This is another important threat that affects the organizational information security system of Aztek. In addition to this, the application of cloud services and mobile storage of data are increasing the data insecurity within the organization (Moshir et al., 2014). The organization does not have any process to track the organizational confidential data within it. Management of data and segregation of data: This is another aspect that is known as the most effective threat within the system architecture of the organization that is harming the organizational resources as well as the confidential information within the organization (Niesen et al., 2016). This data security risk hampers the effective organizational structure of the organization. Leakage of data over stolen devices: This risk is introduced by the organizational employees as they provide lack of awareness over their devices and organizational information within the organization. The hackers get advantages from this stolen device that allows them to get the information from the organizational information structure. Displeased Employees a risk: This is another threat involved in the BYOD implementation process (Ogie, 2016). There are different employees within the organization who left the organization due to some serious issues but they have all the idea about the confidential information within the organization. This aspect makes the system architecture weak and affected. Business and personal data: There are various scopes of mixing of personal and organizational data within the organizational operations (Sadgrove, 2016). This aspect increases the chances of data theft or misuse of organizational data. Therefore, this another matter of data security risks involved within the system architecture of Aztek. Conclusion This can be concluded that the BYOD is one of the most effective solutions for managing various official operations as well as personal work within the organizational premises. In addition to this, this report is considering Aztek, one factious financial institution that want to implement BYOD within their organizational premises. In spite of this fact that there are various advantageous situations within the organization that helps the organization in having growth, there are various risks associated with this implementation process. This report is mainly conducting risk assessment in order to mandate these risks within the organizational architecture. In contrast with this fact, the report has described the possible risks involved in to the system architecture of BYOD and current security postures are also elaborated. In addition to this, the report is elaborating about the effective and solutions for the risk management for BYOD risk policies involved within the system architectur e of Aztek. References Agudelo, C. A., Bosua, R., Ahmad, A., Maynard, S. B. (2016). Understanding Knowledge Leakage BYOD (Bring Your Own Device): A Mobile Worker Perspective.arXiv preprint arXiv:1606.01450. Bello, A. G. (2015).A Framework for Investigating, Assessing, Understanding, and Controlling the Information Security and Privacy Risks in BYOD Environments. Bessis, J., O'Kelly, B. (2015).Risk management in banking. John Wiley Sons. Brodin, M. (2015). Combining ISMS with strategic management: The case of BYOD. In8th IADIS International Conference on Information Systems 2015, 1416 March, Madeira, Portugal(pp. 161-168). IADIS Press. Brodin, M., Rose, J., hlfeldt, R. M. (2015). Management issues for Bring Your Own Device. InEuropean, Mediterranean Middle Eastern Conference on Information Systems 2015 (EMCIS2015). Chance, D. M., Brooks, R. (2015).Introduction to derivatives and risk management. Cengage Learning. Cole, S., Gin, X., Tobacman, J., Topalova, P., Townsend, R., Vickery, J. (2013). Barriers to household risk management: Evidence from India.American Economic Journal: Applied Economics,5(1), 104-135. Ghosh, A., Gajar, P. K., Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies.Journal of Global Research in Computer Science,4(4), 62-70. Keyes, J. (2013).Bring your own devices (BYOD) survival guide. CRC press. Keyes, J. (2014).BYOD for Healthcare. CRC Press. Lee, L., Still, J. D. (2015, August). Re-designing Permission Requirements to Encourage BYOD Policy Adherence. InInternational Conference on Human Aspects of Information Security, Privacy, and Trust(pp. 369-378). Springer International Publishing. Lobelo, F., Kelli, H. M., Tejedor, S. C., Pratt, M., McConnell, M. V., Martin, S. S., Welk, G. J. (2016). The Wild Wild West: A Framework to Integrate mHealth Software Applications and Wearables to Support Physical Activity Assessment, Counseling and Interventions for Cardiovascular Disease Risk Reduction.Progress in cardiovascular diseases,58(6), 584-594. Mitrovic, Z., Veljkovic, I., Whyte, G., Thompson, K. (2014, November). Introducing BYOD in an organisation: the risk and customer services view points. InThe 1st Namibia Customer Service Awards Conference(pp. 1-26). Moshir, S., Moshir, K. K., Khanban, A. A., Mashatian, S. (2014).U.S. Patent Application No. 14/170,449. Moyer, J. E. (2013). Managing mobile devices in hospitals: A literature review of BYOD policies and usage.Journal of Hospital Librarianship,13(3), 197-208. Niesen, T., Houy, C., Fettke, P., Loos, P. (2016, January). Towards an Integrative Big Data Analysis Framework for Data-Driven Risk Management in Industry 4.0. In2016 49th Hawaii International Conference on System Sciences (HICSS)(pp. 5065-5074). IEEE. Ogie, R. (2016). Bring Your Own Device: An overview of risk assessment.IEEE Consumer Electronics Magazine,5(1), 114-119. Rampini, A. A., Viswanathan, S. (2016).Household risk management(No. w22293). National Bureau of Economic Research. Sadgrove, K. (2016).The complete guide to business risk management. Routledge. Samaras, V., Daskapan, S., Ahmad, R., Ray, S. K. (2014, November). An enterprise security architecture for accessing SaaS cloud services with BYOD. InTelecommunication Networks and Applications Conference (ATNAC), 2014 Australasian(pp. 129-134). IEEE. Sansurooh, K., Williams, P. A. (2014). BYOD in ehealth: Herding cats and stable doors, or a catastrophe waiting to happen?. Seigneur, J. M., Klndorfer, P., Busch, M., Hochleitner, C. (2013). A Survey of Trust and Risk Metrics for a BYOD Mobile Worker World: Third International Conference on Social Eco-Informatics. Song, M., Lee, K. (2014). Proposal of MDM management framework for BYOD use of large companies.International Journal of Smart Home,8(1), 123-128. Spears, J. L., San Nicolas-Rocca, T. (2016, January). Information Security Capacity Building in Community-Based Organizations: Examining the Effects of Knowledge Transfer. In2016 49th Hawaii International Conference on System Sciences (HICSS)(pp. 4011-4020). IEEE. Tu, Z., Turel, O., Yuan, Y., Archer, N. (2015). Learning to cope with information security risks regarding mobile device loss or theft: An empirical examination.Information Management,52(4), 506-517. Webb, J., Ahmad, A., Maynard, S. B., Shanks, G. (2014). A situation awareness model for information security risk management.Computers security,44, 1-15. Weeger, A., Gewald, H. (2014). Factors Influencing Future Employees Decision-Making to Participate in a BYOD Program: Does Risk Matter?. Yang, T. A., Vlas, R., Yang, A., Vlas, C. (2013, September). Risk Management in the Era of BYOD: The Quintet of Technology Adoption, Controls, Liabilities, User Perception, and User Behavior. InSocial Computing (SocialCom), 2013 International Conference on(pp. 411-416). IEEE.