

Personally owned devices on Corporate Network?

By JohnMonthrots
Does anyone have the top ten reasons to not allow personally owned devices, specifically PDAs, into your corporate infrastructure? What if an individual purchases the exact make and model that your IT department deploys anyway? Why not allow them to utilize that device on your network? I can think of a few reasons why not, but I'm trying to build a case to stick with IT purchased and supported devices. Any ideas?


IT vs Staff Welfare Policy

by Deadly Ernest In reply to Personally owned devices ...

I once worked in an organisation where this came up; it resulted in a new policy, as it was a conflict between IT and staff convenience and usage issues.

The main reasons against that came up were - compatibility, maintenance, software, data security, unnoticeable policy violations (especially re laptops and Internet usage).

The final policy was that private equipment was permitted access under tight restrictions - must be a make and model currently used by corporate IT; software being used must be fully compatible; security set up must match corporate IT set up; evidence of software licences shown to IT and noted; no classified data to be placed on private equipment; scanned by corporate AV software prior to each use; no Internet access by private hardware; staff take full responsibility for their hardware, totally at their own risk.

The end result was a policy that allowed people to readily use PDAs etc but made using your own laptop a real pain due to the security etc. The risk is all theirs and no come back if they get damaged at work or by the work systems. No support at all by corporate staff. The reason for make model and software matching was to simplify checking of security and compatibility.

IT management wanted a blanket NO WAY, but many staff and general management recognised the productivity improvement capability for some and that it was very difficult to totally stop such actions, especially when some people were using corporate issued hardware.


You need a policy

by Tony Hopkinson In reply to Personally owned devices ...

Where I work you are just not allowed to plug a personally owned device into the infrastructure, full stop. It can only be allowable outside the DMZ. Most of the tools you use to protect the network stop things coming in from the outside. So allowing a 'foreign' device to carry unknown software past your firewall potentially negates all of your security. PDAs, portables, Bluetooth, unmanaged wireless access point, inside the DMZ doesn't matter.
As a for instance, you may allow Windows file sharing inside the network, but you'd block it going outside. So if someone humped a bad guy inside the firewall, any trick they could have played outside if you hadn't secured your network they can now play inside.

Collapse -

Only 2 reasons that matter.

by deepsand In reply to Personally owned devices ...

1) Security; and
2) Support requirements.


Addition to what Tony put

by jdclyde In reply to Personally owned devices ...

One of the biggest problems is the fact that it is THEIR device and they can do what they wish with it.

While you may make rules limiting what they can be used for outside of work, are you able to detect and enforce this?

How will you know if they are violating policy?

Do you have authority to do anything about it if they are?

It looks like a quick win for the company as they don't have to pay for the device, but they lose control over that device at the same time and there goes policy and security right out the window.

Remember, systems that have been compromised can automatically attack anything that they see sitting on the LAN.

What do you do when it is time to upgrade and they don't feel like it? Do you buy one for them then? What if their kids break this? Who fixes it? Them or work? What do they do until it is fixed?

It is a bad direction to go down just about any way you look at it.


Better late than never, . . .

by xcaliber In reply to Personally owned devices ...

1.) Loss of control. You cannot control what the person does with the device away from work.
2.) Recovery. You cannot force the person to remove information from the device once they move on or are terminated.
3.) Locations of information. Once the person is allowed to synch information at work, what is to keep them from synching up the home PC as well?
4.) Malicious content. The device can be a vessel to carry malicious content from home to the office.
5.) Accountability. If lost, the person may or may not report this. Once a corporate owned item is lost, it is much more likely that the loss would be reported. They may just replace the device. Corporate information may be compromised.
6.) Open Access. If the device is not owned by the company and is not configured by the company, passwords may be bypassed, ports activated, and security compromised due to open IR or WiFi ports and lax security.


Don't forget to protect corporate data

by oldbag In reply to Better late than never, . ...

What about protecting your customer information? These devices could be used to download the database, allowing a disgruntled employee to sell the information or leave the company and take it to a competitor.
