PowerPoint presentation

www.adira.org
Philippe LE TERTRE
IS Governance Consultant
- Founder and managing partner of VADEGIS (a company specialised in Information System management and governance)
- IS governance consultant, ISACA-certified (CGEIT)
- Teacher at ……..
- IS auditor, trained at IAE of Paris
- Operational experience: more than 20 years as CIO in an international environment
Governance & management rules 1/4
Governance structure
Goal: BYOD is subject to oversight and monitoring by management
- The BYOD policy must be approved by executive management
- Executive management receives regularly scheduled status reports on BYOD usage
- Executive management receives a risk management status report on a regular basis
Policies
Goal: Policies supporting BYOD initiatives have been defined, documented, approved, implemented and maintained
- Employee BYOD Agreement / Mobile Acceptable Use Policy (MAUP)
- BYOD processes are integrated into HR services, policies and compliance
- Limited access for third parties when connecting to the enterprise networks and IT systems
- Exemptions from BYOD policies
Governance & management rules 2/4
Legal
Goal: BYOD procedures comply with legal requirements and minimise the organisation's exposure to legal action
- An impact analysis must be carried out to identify the potential legal impacts and risks of the BYOD approach
- BYOD procedures must be kept up to date with the legal requirements
Technical and user support
Goal: A support function dedicated to BYOD must be established to handle technical and user issues
- Identifying the skills and competences needed for the BYOD environment
- Setting up the process to support BYOD usage within the enterprise
Governance & management rules 3/4
Risk management
Goal: BYOD is subject to routine risk assessment processes
- BYOD initial risk assessment (prior to implementing the BYOD program): data confidentiality, legal, human, technical, ...
- BYOD ongoing risk assessment
Training
Goal: BYOD users attend initial orientation training and regular follow-up training
- Initial training: BYOD users are required to attend initial training on the BYOD policy and procedures
- Security awareness training: security awareness, at least annually
Governance & management rules 4/4
Mobile device layer security
Goal: BYOD users are required to maintain basic security procedures for the device
- Device access restrictions: BYOD users are required to restrict access to their devices (screen lock / passcode)
- Data access / encryption / data protection
- Malware protection: BYOD mobile devices are required to have standard anti-malware defences
- …….
Mobile device management
Goal: The enterprise must identify and maintain BYOD devices as configuration items (COBIT DS9.2)
- Central management of BYOD device characteristics, configuration, owner, ...
- Central management of IT procedures / monitoring of BYOD usage
- Remote management
- .......
Maturity assessment, example and tools
This spider graph is an example of the assessment results and the maturity target for a BYOD management assessment, with one axis per linked COBIT process.
[Spider graph: maturity scale 0 to 5 on each axis; two series, "Assessment" and "Target"]
Link to COBIT processes (one axis per control objective):
- PO6.3 IT Policies Management
- PO7.4 Personnel Training
- PO9.2 Establishment of Risk Context
- PO9.4 Risk Assessment
- DS5.3 Identity Management
- DS5.4 User Account Management
- DS5.5 Security Testing, Surveillance and Monitoring
- DS5.9 Malicious Software Prevention, Detection and Correction
- DS5.10 Network Security
- DS5.11 Exchange of Sensitive Data
- DS9.1 Configuration Repository and Baseline
- DS9.2 Identification and Maintenance of Configuration Items
Going further: conclusion
The BYOD phenomenon is a risk, but it can also be a value-creation opportunity:
- Operational sales force tools
- Attracting talent
- E-reputation
- User satisfaction / productivity
- ……..
BYOD reinforces the enterprise's data management and governance needs.
Data governance encourages behaviour in the valuation, creation, storage, use, archival and deletion of data and information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of data and information in enabling an organisation to achieve its goals.
- Data policies
- Data classification and valuation
- Data quality (accuracy, accessibility, consistency, completeness, …..)
- Data compliance
- Data security
- Data management and ownership
- ………..
Questions
Thanks for your attention