Technical BYOD Controls for Banks

by Sean Waugh and Dan Hadaway

First, let us confess that we used BYOD in the title merely so that we’d catch everybody’s attention. It’s a nice buzzword; who wouldn’t feel like partying after seeing it?

But this article is actually about Portable Devices, which is a superset to BYOD. In fact, policy language should establish that Portable Devices include both issued devices and authorized devices. Our boilerplates use the following language:

Definition of Portable Device

Name of Financial Institution defines portable devices as “any self-contained device that can transfer and store data that has the ability to be routinely removed from the network and carried outside of the organization, whether owned by the financial institution or not.” The following is a non-inclusive list of typical portable devices:

  • Laptops
  • iPads or other Tablet PCs (e.g. Motorola Xoom)
  • Smart Phones (e.g. iPhone, Droid, etc.)
  • Regular Cell Phones with Storage Capabilities (e.g. BlackBerry, Treo, etc.)
  • Digital Cameras
  • iPods and/or MP3 Players

This definition does NOT intend to include “portable electronic media” such as CDs, DVDs, USB drives, or SD-flash cards, though such media may be used in portable devices. The Acceptable Use Policy governs the use of electronic media.

Additional Definitions

Authorized Device: A device that is not company-owned that has been approved to store company-owned information is, for the sake of this procedure, considered to be an “authorized device.”

Bring Your Own Device (BYOD): Industry buzzwords for what we refer to as “authorized devices.”

Company-Owned Device: Any device that is owned by the organization is considered to be a “company-owned” device. A device that is owned by an employee is not company-owned.

Company-Owned Information: Information that originates on the financial institution’s information system, or that is given to an employee by a customer of the institution, is considered to be “company-owned” information. This information is required to be protected by law and if it is given to an employee as part of the employee’s job, it is considered to be owned by the financial institution regardless of the circumstances of the transfer of information.

Issued Device: A company-owned portable device is, for the sake of this procedure, considered to be an “issued device.”

The purpose of this paper is not really to establish what should be considered in establishing policies to govern portable devices, but in order to get us all on the same page, we should establish that the policy should at a minimum establish that:

  • Users are accountable for all activity on portable devices that store bank data, whether owned by the bank or not. If you want to put bank e-mail on your own (BYOD) device, you must agree to be accountable for EVERYTHING that occurs on that device, not just the data inherent in the e-mail.
  • Controls will be required by the bank (as a result of your risk assessment) that must be applied and enforced by those with issued and authorized devices. Examples of these controls include:
    • Access Management controls including screen lock, user restrictions, wireless security standards, and remote wipe.
    • Vulnerability management controls including patch management, antivirus (for devices that require it), etc.
    • Application Management controls restricting the types of applications allowed on the devices and other uses of the device.
    • Asset Management Controls including procedures for lost devices, restrictions on the amount of data allowed on the device (such as “no more than 3 days of e-mail), as well as procedures governing the device retirement process.
    • Audit Controls giving technical staff authority to conduct periodic and random audit of portable devices to ensure proper configuration and policy enforcement.
    • Legal controls including a signature page which should be an agreement between the employee and the bank that the employee will follow policy, submit to periodic and random audits, modify practices as a result of those audits, and inform the bank when preparing to retire an authorized device. This agreement should also include appropriate warnings. This currently amounts to notifying the employee that in the event of termination, remote wipe will be implemented which will (in most cases) cause the employee to lose data, including music and pictures that are not backed up.

Beyond establishing what we mean by portable devices, issued devices, and authorized devices, a procedure or standards document should be created that allows us to enforce, via technical controls, practices that our policies and procedures require. The “poor man’s version” of these technical controls is typically in the form of Microsoft Exchange ActiveSync (EAS), which allows limited remote control of portable devices. Most smaller banks, at this time, are finding EAS to be a sufficient solution. Coming down the road, and implemented by larger banks or banks that are aggressively pursuing a mobile strategy, are applications known as Mobile Device Management (MDM) applications. Though EAS has MDM capabilities, these applications offer much more granularity and control over the mobile device. Often, “endpoint security” applications will have an MDM module available.

Exchange ActiveSync

Free with the licensing for Microsoft’s Exchange Server is a utility that allows us to technically enforce certain portable device controls. EAS is a protocol designed for the synchronization of e-mail, contacts, calendar, tasks and notes from a messaging server to a mobile device. Built into it are certain mobile device management controls, which include:

  • Enforcement of E-mail, Contacts, Calendar, Task, and Notes restrictions in terms of the amount of data stored on the device. For example, EAS allows us to determine how many days of e-mail will be allowed. We typically recommend three days.
  • Enforcement of Screen Lock controls. If the device does not have screen lock enabled, it will not be allowed to sync to the Exchange Server.
  • The ability to return the mobile device to “factory default settings,” otherwise referred to as “remote wipe.” When this is initiated, the next time the phone tries to sync with the Exchange Server, it will be returned to factory settings. This means that all data and applications will be removed from the app.

There are two major drawbacks to EAS, which we will call “compatibility drawbacks” and “functional drawbacks.” The “compatibility drawbacks” arise from the fact that EAS does not work with every type of device. Making matters worse, the Microsoft website is not so forthcoming about which devices DO work with EAS. Suffice it to say that iPhones, iPads, and Droid devices should work with EAS. But you won’t know for sure until you try. This is causing most banks to establish an audit procedure for authorized (BYOD) devices at the initiation of approval, to ensure that the above three controls work with synchronization to the device. Other banks are simply restricting authorized devices to the iPhone, iPad, and Droids.

The “functional drawbacks” of EAS are best illustrated by investigating the benefits of more robust MDM software . . . .

Other Mobile Device Management Applications

Mobile Device Management (MDM) software is designed to fill an important gap in the security perimeter by providing tools that apply security policies, configuration of services, and software management capabilities across a wide range of mobile devices. These include corporate owned smartphones and tablets as well as bring your own device (BYOD). As these devices become more widely adopted administrators will be tasked with ensuring the secure transmission of corporate data and applications as well as remotely managing these devices.

There are a number of MDM solutions presently available to address this issue. Many of the market leaders offer free evaluations of their products and are listed below:


* Restrict device features, apps, or web browsing as well as enforce encryption
* Extensive reporting including device usage and inventory capabilities
* Ability to remote lock and wipe devices
* Supports Android, Apple, Blackberry, and Windows Phone
* Offered as on-premise service or cloud service
* Does not support containerization for corporate data and applications


* Secure distribution of documents through the content locker
* Ability to remote control screens, remote lock and wipe functions
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Offers deployment through cloud, on-premise service, or appliance
* Supports Android, Apple, Blackberry, and Windows Phone
* Pricing is $3.25/mo or $50/perpetual per device plus additional fees for cloud
($0.75/mo/device) or appliance ($5000/once)


* Offered as on-premise service or cloud service
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption.
* Integrates with Enterprise Management product
* Supports Android, Apple, Blackberry, and Windows Mobile
* Good reporting including device inventory capabilities

Good Technology

* Manages secure mobile email as well as document access as part of a Suite.
* Restrict device features, apps, or web browsing as well as enforce encryption
* Ability to remote wipe devices
* Supports Android, Apple, and Windows Phone
* Requires Enterprise Suite product for management capabilities
* Allows for multi-factor authentication and strong crypto standards


* Secure content container with context aware policies for data protection
* Ability to remote lock and wipe devices
* Restrict device features, apps, or web browsing as well as enforce encryption
* Offered as on-premise service or cloud service
* Integrates with third-party NAC solutions
* Supports Android, Apple, Blackberry, and Windows Phone

Other Technical Controls

We believe banks would benefit from the creation of a Portable Device Configuration Standards document that governs how your technical team will set up Exchange, Exchange ActiveSync, and Mobile Devices in order to mitigate risk. A good document will reflect definitions already in the policy document, establish what to look for in a periodic and/or random audit, establish encryption standards for data at rest and in motion, establish wireless configuration standards, establish connection control standards for both issued and authorized devices. Finally, the document should provide guidance on “incident reporting,” especially since most technical team members are going to see those using BYOD as a member of “management” and thus could be a bit intimidated about reporting poor practices.

Again, we believe that this document should govern ALL portable devices (including laptops and tablets), and not just BYOD devices. Thus, the Portable Device Configuration Standards document establishes how you will use MDM or EAS, but also how you will set up your VPN, how employees will connect from a “public network” such as a hotel room, and AVS requirements for laptops, among many other issues.

Our point, and the main deliverable of this paper, is that you shouldn’t just focus in on BYOD.  Take advantage of the momentum and focus senior management currently has on this buzzword to establish standards that apply to ALL portable devices, and you will increase risk mitigation!

We thank our client, John Mickle of Mutual Bank, for allowing us to use his research report in the development of this article.

Related Posts

Considerations – Why you should choose infotex, Inc. as your next MSOC!

Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to! We even made a movie with all the reasons why infotex...

The Magnificent Seven 2023

Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcom...

“Cooked Turkey” – Awareness Poster

Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers!Check out for...