All Articles

A CISO need to understand the exact requirement before designing the BYOD domain in the organization. Keeping in mind the exact business need and value add which can be or intended to obtain using this technology.

(Read more:  5 easy ways to build your personal brand !)

Build of solution for BYOD is directly related to business requirement without any compromise to security of information or unauthorized access. Solutions should be designed basis of:-

Flexibility

• Depends on how flexible the solution is to incorporate the changing business needs and daily changing hardware / mobile devices models and landscapes.

Availability

• Solution should be high on availability to avoid any impact to business due to unavailability of service.

Controlled access

• There should be strict controls from information security perspective on device to avoid copy or storage of official data on personal devices. Official data and information should only be accessed using layered security parameters without any compromise to access control. All these controls should be managed centrally from a console for easy access monitoring and review.

Security of data residing

• Controls should be built to erase the data remotely incase the device is lost or stolen. Also provisions should be made to avoid any storage of official information on device, even for any offline activity.

Monitoring

• Maximum possible monitoring mechanism should be a feature of the solution to help in understanding the day to day operations issues, access logs and for better performance monitoring.

Scalability

• A scalable solution to handle growing business need.

(Read more:  Top 5 Big Data Vulnerability Classes)

The key parameters based on which a CISO should choose a vendor for the same: 

Vendor selection parameters should be the same basis of solution requirement in addition following should also be considered:-           

Infrastructure

• A robust infrastructure is essential to support for this domain.

Reliability

• Vendor reliability towards delivery, handling and management of services.

Financial stability

• Vendor should be financially stable with sufficient funding and infrastructure support.

Maturity of processes towards handling of customer information

• Maturity of systems and human resources with awareness towards information security to understand the criticality, importance of safe upkeep of customer information with built in controls for information security at every level.

IT Security certifications

• Beneficial for organization to have IT Security certifications which showcase the availability of processes and management support.

DR Infra availability

• As availability of infrastructure is critical to business, vendor should have workable DR solution and related infrastructure for uninterrupted system availability.

Industry reference / prior installations

• Reference or any prior installation experience is an added advantage to have comfort of understanding.

Watch more : Checklist: How to choose between different types of Application Security Testing Technologies?

Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist 

Questions and queries from vendor will be around the selection criteria for project and vendor as mentioned above to have clear understanding of vendor readiness and comfort about his infrastructure and service offerings. In addition, understanding of various solution designs and related alternatives should be a part of evaluation criteria for vendor checklist. Solution design is a critical part of this complete project with usage of latest available technology and integration of the same with available IT Infrastructure.

Top mistakes to avoid while selecting a vendor

While selecting a vendor the top most priority should be given to organizational business requirement and not to the selling or advantages showcased by vendor about his service offerings.  Hence we should not go by just the differentiating factor showcase by the vendor which separate his service offerings with other vendors rather more emphasis should be on the own business need and how a vendor can do the best through their service offerings. To avoid mistakes it is always better to have reference verification from the customers of the vendor to have a firsthand experience of the vendor offerings and support provisions. 

-Nitin Chauhan, Head IT Security - CISO, Ratnakar Bank Ltd. tells us How should a CISO define the requirement for solutions for BYOD Security.