TL;DR
Generally, employees’ personal property isn’t automatically part of your security scope. However, it can become relevant if it connects to your company network or data, or is used for work purposes. This guide explains how to assess the risk and what steps you can take.
1. Understanding the Risk
Your primary security responsibility is protecting company assets (data, systems, etc.). Personal property introduces risks in these ways:
- Network Access: If an employee uses a personal device (laptop, phone) to connect to your Wi-Fi or VPN, it’s potentially a gateway for threats.
- Data Storage: Storing company data on personal devices increases the risk of loss, theft, or unauthorized access.
- Work Use: If an employee uses their personal property *specifically* for work (e.g., a personal car for deliveries), it’s more closely tied to your business operations and therefore security concerns.
2. Assessing the Scope
Determine if personal property falls within your scope by asking these questions:
- Is it connected? Does the device/property connect directly or indirectly to your company network (wired, wireless, cloud services)?
- Does it store data? Is any company data stored on the property? If so, what type of data and how is it protected?
- Is it used for work? Is the property used for business-related tasks as part of an employee’s job description or with explicit company permission?
If the answer to any of these questions is ‘yes’, you need to consider including it in your security scope.
3. Policies and Procedures
Clear policies are essential. Here’s what to include:
- Acceptable Use Policy (AUP): Define acceptable use of personal devices for work purposes, including security requirements.
- Bring Your Own Device (BYOD) Policy: If you allow BYOD, outline specific security measures employees must take (antivirus, password protection, encryption).
- Data Protection Policy: Explain how company data should be handled on personal devices and the consequences of breaches.
- Incident Response Plan: Include procedures for handling security incidents involving personal property.
Example AUP snippet:
Employees using personal devices to access company resources must maintain up-to-date antivirus software and strong passwords. Company data should not be stored locally on these devices without explicit permission from the IT department.
4. Technical Controls
Implement technical controls to mitigate risks:
- Mobile Device Management (MDM): For BYOD, MDM allows you to remotely manage and secure devices (e.g., enforce password policies, wipe data).
- Network Segmentation: Separate personal device traffic from critical company systems.
- Data Loss Prevention (DLP): Prevent sensitive data from leaving the company network on personal devices.
- Virtual Private Networks (VPNs): Require employees to use a VPN when accessing company resources from personal networks.
Example command for listing the active firewall rules (Linux; -n avoids reverse DNS lookups and -v shows per-rule packet counters):
sudo iptables -L -n -v
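Sections 2 to 4 describe one decision procedure: answer the three scope questions for each piece of personal property, then apply the policies and controls those answers pull in. The following added example (not from the original guide) encodes that procedure in Python over a constructed inventory; the PersonalDevice fields, the control names and the gap messages are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class PersonalDevice:
    """Constructed inventory record; every field name is an assumption for this example."""
    owner: str
    kind: str                  # e.g. "laptop", "phone", "car"
    connected: bool            # reaches company Wi-Fi, VPN or cloud services (question 1)
    stores_data: bool          # holds company data (question 2)
    work_use: bool             # used for job tasks with company permission (question 3)
    antivirus_current: bool = False
    strong_password: bool = False
    encrypted: bool = False
    mdm_enrolled: bool = False

def scope_reasons(d):
    """Which of the three scope questions answer 'yes' for this device."""
    return [name for name, hit in (("connected", d.connected), ("stores data", d.stores_data),
                                   ("work use", d.work_use)) if hit]

def required_controls(d):
    """Controls from sections 3 and 4 that each 'yes' answer pulls in."""
    controls = set()
    if d.connected:
        controls |= {"AUP", "antivirus", "strong password", "network segmentation", "VPN"}
    if d.stores_data:
        controls |= {"data protection policy", "encryption", "DLP", "MDM"}
    if d.work_use:
        controls |= {"AUP", "incident response plan"}
    return controls

def compliance_gaps(d):
    """Required controls the device does not currently satisfy (empty when out of scope)."""
    need = required_controls(d)
    checks = [("antivirus", d.antivirus_current, "antivirus not current"),
              ("strong password", d.strong_password, "weak password"),
              ("encryption", d.encrypted, "company data unencrypted"),
              ("MDM", d.mdm_enrolled, "not enrolled in MDM")]
    return [msg for ctl, ok, msg in checks if ctl in need and not ok]

def assess(inventory):
    """Map owner/kind to (in_scope, reasons, gaps) across the whole inventory."""
    return {f"{d.owner}/{d.kind}": (bool(scope_reasons(d)), scope_reasons(d), compliance_gaps(d))
            for d in inventory}

# Constructed sample inventory: one entry per outcome the guide describes.
INVENTORY = [
    PersonalDevice("alice", "laptop", True, True, True, antivirus_current=True, strong_password=True, mdm_enrolled=True),
    PersonalDevice("bob", "phone", True, False, False),
    PersonalDevice("carol", "car", False, False, True),
    PersonalDevice("dave", "tablet", False, False, False),
]
```

Running assess(INVENTORY) flags alice's laptop for unencrypted company data, bob's phone for failing the AUP endpoint requirements, carol's car as in scope on work use alone, and dave's tablet as out of scope.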
5. Employee Training
Train employees on security best practices:
- Phishing Awareness: Teach them to identify and avoid phishing attacks, which can compromise personal devices and company data.
- Password Security: Emphasize the importance of strong, unique passwords.
- Data Handling: Explain how to properly handle sensitive company data on personal property.
- Reporting Incidents: Instruct them on how to report security incidents promptly.
6. Legal Considerations
Consult with legal counsel regarding BYOD policies and employee privacy rights. Ensure your policies comply with relevant data protection regulations (e.g., GDPR, CCPA).