About Us | Contact Us
View Cart

Technical BYOD Controls for Banks

By Dan Hadaway | Thursday, September 13, 2012 - Leave a Comment

by Sean Waugh and Dan Hadaway

First, let us confess that we used BYOD in the title merely so that we’d catch everybody’s attention. It’s a nice buzzword; who wouldn’t feel like partying after seeing it?

But this article is actually about Portable Devices, which is a superset to BYOD. In fact, policy language should establish that Portable Devices include both issued devices and authorized devices. Our boilerplates use the following language:

Definition of Portable Device

Name of Financial Institution defines portable devices as “any self-contained device that can transfer and store data that has the ability to be routinely removed from the network and carried outside of the organization, whether owned by the financial institution or not.” The following is a non-inclusive list of typical portable devices:

  • Laptops
  • iPads or other Tablet PCs (e.g. Motorola Xoom)
  • Smart Phones (e.g. iPhone, Droid, etc.)
  • Regular Cell Phones with Storage Capabilities (e.g. BlackBerry, Treo, etc.)
  • Digital Cameras
  • iPods and/or MP3 Players

This definition does NOT intend to include “portable electronic media” such as CDs, DVDs, USB drives, or SD-flash cards, though such media may be used in portable devices. The Acceptable Use Policy governs the use of electronic media.

Additional Definitions

Authorized Device: A device that is not company-owned that has been approved to store company-owned information is, for the sake of this procedure, considered to be an “authorized device.”

Bring Your Own Device (BYOD): Industry buzzwords for what we refer to as “authorized devices.”

Company-Owned Device: Any device that is owned by the organization is considered to be a “company-owned” device. A device that is owned by an employee is not company-owned.

Company-Owned Information: Information that originates on the financial institution’s information system, or that is given to an employee by a customer of the institution, is considered to be “company-owned” information. This information is required to be protected by law and if it is given to an employee as part of the employee’s job, it is considered to be owned by the financial institution regardless of the circumstances of the transfer of information.

Issued Device: A company-owned portable device is, for the sake of this procedure, considered to be an “issued device.”

The purpose of this paper is not really to establish what should be considered in establishing policies to govern portable devices, but in order to get us all on the same page, we should establish that the policy should at a minimum establish that:

  • Users are accountable for all activity on portable devices that store bank data, whether owned by the bank or not. If you want to put bank e-mail on your own (BYOD) device, you must agree to be accountable for EVERYTHING that occurs on that device, not just the data inherent in the e-mail.
  • Controls will be required by the bank (as a result of your risk assessment) that must be applied and enforced by those with issued and authorized devices. Examples of these controls include:
    • Access Management controls including screen lock, user restrictions, wireless security standards, and remote wipe.
    • Vulnerability management controls including patch management, antivirus (for devices that require it), etc.
    • Application Management controls restricting the types of applications allowed on the devices and other uses of the device.
    • Asset Management Controls including procedures for lost devices, restrictions on the amount of data allowed on the device (such as “no more than 3 days of e-mail), as well as procedures governing the device retirement process.
    • Audit Controls giving technical staff authority to conduct periodic and random audit of portable devices to ensure proper configuration and policy enforcement.
    • Legal controls including a signature page which should be an agreement between the employee and the bank that the employee will follow policy, submit to periodic and random audits, modify practices as a result of those audits, and inform the bank when preparing to retire an authorized device. This agreement should also include appropriate warnings. This currently amounts to notifying the employee that in the event of termination, remote wipe will be implemented which will (in most cases) cause the employee to lose data, including music and pictures that are not backed up.

Beyond establishing what we mean by portable devices, issued devices, and authorized devices, a procedure or standards document should be created that allows us to enforce, via technical controls, practices that our policies and procedures require. The “poor man’s version” of these technical controls is typically in the form of Microsoft Exchange ActiveSync (EAS), which allows limited remote control of portable devices. Most smaller banks, at this time, are finding EAS to be a sufficient solution. Coming down the road, and implemented by larger banks or banks that are aggressively pursuing a mobile strategy, are applications known as Mobile Device Management (MDM) applications. Though EAS has MDM capabilities, these applications offer much more granularity and control over the mobile device. Often, “endpoint security” applications will have an MDM module available.

Exchange ActiveSync

Free with the licensing for Microsoft’s Exchange Server is a utility that allows us to technically enforce certain portable device controls. EAS is a protocol designed for the synchronization of e-mail, contacts, calendar, tasks and notes from a messaging server to a mobile device. Built into it are certain mobile device management controls, which include:

  • Enforcement of E-mail, Contacts, Calendar, Task, and Notes restrictions in terms of the amount of data stored on the device. For example, EAS allows us to determine how many days of e-mail will be allowed. We typically recommend three days.
  • Enforcement of Screen Lock controls. If the device does not have screen lock enabled, it will not be allowed to sync to the Exchange Server.
  • The ability to return the mobile device to “factory default settings,” otherwise referred to as “remote wipe.” When this is initiated, the next time the phone tries to sync with the Exchange Server, it will be returned to factory settings. This means that all data and applications will be removed from the app.

There are two major drawbacks to EAS, which we will call “compatibility drawbacks” and “functional drawbacks.” The “compatibility drawbacks” arise from the fact that EAS does not work with every type of device. Making matters worse, the Microsoft website is not so forthcoming about which devices DO work with EAS. Suffice it to say that iPhones, iPads, and Droid devices should work with EAS. But you won’t know for sure until you try. This is causing most banks to establish an audit procedure for authorized (BYOD) devices at the initiation of approval, to ensure that the above three controls work with synchronization to the device. Other banks are simply restricting authorized devices to the iPhone, iPad, and Droids.

The “functional drawbacks” of EAS are best illustrated by investigating the benefits of more robust MDM software . . . .

Other Mobile Device Management Applications

Mobile Device Management (MDM) software is designed to fill an important gap in the security perimeter by providing tools that apply security policies, configuration of services, and software management capabilities across a wide range of mobile devices. These include corporate owned smartphones and tablets as well as bring your own device (BYOD). As these devices become more widely adopted administrators will be tasked with ensuring the secure transmission of corporate data and applications as well as remotely managing these devices.

There are a number of MDM solutions presently available to address this issue. Many of the market leaders offer free evaluations of their products and are listed below:


* Restrict device features, apps, or web browsing as well as enforce encryption
* Extensive reporting including device usage and inventory capabilities
* Ability to remote lock and wipe devices
* Supports Android, Apple, Blackberry, and Windows Phone
* Offered as on-premise service or cloud service
* Does not support containerization for corporate data and applications


* Secure distribution of documents through the content locker
* Ability to remote control screens, remote lock and wipe functions
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Offers deployment through cloud, on-premise service, or appliance
* Supports Android, Apple, Blackberry, and Windows Phone
* Pricing is $3.25/mo or $50/perpetual per device plus additional fees for cloud
($0.75/mo/device) or appliance ($5000/once)


* Offered as on-premise service or cloud service
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Integrates with Enterprise Management product
* Supports Android, Apple, Blackberry, and Windows Mobile
* Good reporting including device inventory capabilities

Good Technology

* Manages secure mobile email as well as document access as part of a Suite.
* Restrict device features, apps, or web browsing as well as enforce encryption
* Ability to remote wipe devices
* Supports Android, Apple, and Windows Phone
* Requires Enterprise Suite product for management capabilities
* Allows for multi-factor authentication and strong crypto standards


* Secure content container with context aware policies for data protection
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption
* Offered as on-premise service or cloud service
* Integrates with third-party NAC solutions
* Supports Android, Apple, Blackberry, and Windows Phone

Other Technical Controls

We believe banks would benefit from the creation of a Portable Device Configuration Standards document that governs how your technical team will set up Exchange, Exchange ActiveSync, and Mobile Devices in order to mitigate risk. A good document will reflect definitions already in the policy document, establish what to look for in a periodic and/or random audit, establish encryption standards for data at rest and in motion, establish wireless configuration standards, establish connection control standards for both issued and authorized devices. Finally, the document should provide guidance on “incident reporting,” especially since most technical team members are going to see those using BYOD as a member of “management” and thus could be a bit intimidated about reporting poor practices.

Again, we believe that this document should govern ALL portable devices (including laptops and tablets), and not just BYOD devices. Thus, the Portable Device Configuration Standards document establishes how you will use MDM or EAS, but also how you will set up your VPN, how employees will connect from a “public network” such as a hotel room, and AVS requirements for laptops, among many other issues.

Our point, and the main deliverable of this paper, is that you shouldn’t just focus in on BYOD.  Take advantage of the momentum and focus senior management currently has on this buzzword to establish standards that apply to ALL portable devices, and you will increase risk mitigation!

We thank our client, John Mickle of Mutual Bank, for allowing us to use his research report in the development of this article.

Latest News
    A new study highlights the benefits of looking at your network from the other side… An article review. If you were trying to attack your organization’s network, how would you start?  That’s a question you may not have asked yourself, but experts say it’s something that can help you strengthen your security.  That’s according to […]
    Google Ads, Gitlab and OneDrive have been used to distribute the BATLOADER malware… An article review. We’ve always believed that “watch where you click” has always been good advice when it comes to security online, however Microsoft is tracking the spread of malware that has been using legitimate websites to help facilitate its spread, counting […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    Thanks for being interested in our Technology Planning Webinars! The 2022 annual webinar update on technology planning includes a review of the previous years’ movies that are available, as well as alternative tactics that have arisen from recent conferences, forums, and industry experience. Feel free to invite your entire technology committee! Click the Button to […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    Microsoft, Cisco and Uber are among the companies hit by this new threat… An article review.  As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves […]
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]