| | HYOD (employer's devices) | BYOD (employee's devices) |
|---|---|---|
| Information security governance | (i) Standardized devices (ii) Tightly coupled (iii) Focus on corporate control (iv) Fully controllable | (i) Diverse devices (ii) Loosely coupled (iii) Focus on flexibility and agility (iv) Partially controllable; requires user awareness |
| Operations | (i) Full centralized management (ii) Standard hardware (iii) Standard software (iv) Acceptable use policy | (i) User is responsible for their own device (ii) Hardware of the user's choice (iii) Standard and user-installed software (iv) Acceptable use policy plus a BYOD policy |
| Personnel | (i) Lower level of employee technical ability required (ii) Central support (iii) Lower personnel training cost due to standard devices | (i) Higher level of employee technical ability required (ii) Central support and self-service (iii) Higher personnel training cost due to diverse devices |
| Information and data flow | (i) Centrally provisioned and secured information (ii) Easier to comply with rules and to audit (iii) Easier to implement access control that limits information leakage | (i) Centrally provisioned information, distributed security (ii) Harder to comply with rules and to audit (iii) Harder to implement access control that limits information leakage (iv) Remote wiping of corporate information is required |
| Application | (i) Standard and corporate applications (ii) Controllable vulnerabilities and data leakage | (i) Standard, corporate, and user-installed applications (ii) Harder to control vulnerabilities and data leakage; sandboxing or container management needed (iii) Focus on open standards |
| System | (i) Centralized control of access to applications, systems, and information | (i) Centralized control of infrastructure; distributed control of applications and information |