Date Issued:
Report Number: 2019-20-046
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0
Recommendations
The Chief Information Officer should update BYOD program procedures and guidelines to include: (1) Providing malware prevention training to users; (2) Updating the documentation for device operating system and technical baseline configurations; (3) Maintaining and reviewing application audit logs, specifically time frames for each; (4) Clarifying the Computer Security Incident Response Center reporting procedures for a lost or stolen device; (5) Informing the BYOD program when a device is lost or stolen so that the application data are remotely wiped; and (6) Tracking the manual and systemic application data wipes by the BYOD program on a periodic basis.
The Chief Information Officer should ensure that BYOD program participants complete the security risk awareness training annually and that the authorizing official certifies employee training compliance.