Mobile Ownership Model
Plain English Translation
Organizations must formally decide how mobile devices are used for work by choosing an ownership model, such as Bring Your Own Device (BYOD) or Corporate-Owned, Personally Enabled (COPE). Whichever model is selected, the organization needs to document why they chose it and outline the specific security risks associated with that decision. Documenting this BYOD vs COPE policy ensures that the business understands how sensitive data is accessed remotely and applies the correct mobile device management strategies to protect it.
Technical Implementation
Required Actions (startup)
- Select a mobile ownership model (e.g., BYOD) based on budget and operational needs.
- Document the rationale and basic risks in your information security policy or asset management policy.
Required Actions (scaleup)
- Implement a formal Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solution.
- Enforce technical separation of work and personal data using secure containers.
Required Actions (enterprise)
- Enforce strict COPE policies with advanced EMM capabilities and zero-trust conditional access.
- Regularly audit mobile device compliance and automatically block non-compliant devices from accessing corporate resources.
BYOD (Bring Your Own Device) allows employees to use personal devices for work. COPE (Corporate-Owned, Personally Enabled) provides company devices that employees can use for personal tasks. COBO (Corporate-Owned, Business Only) restricts company devices strictly to work functions.
Organizations should evaluate their budget, security requirements, and employee privacy concerns. BYOD is cost-effective but harder to secure, while COPE offers better control over corporate data and simpler enterprise mobility management, at a higher hardware cost.
A BYOD risk assessment should document threats like data leakage on personal apps, lost or stolen personal devices, challenges enforcing security updates, and complications with remote wipe capabilities affecting employee personal data.
Risks for a COPE model include employees downloading malicious personal apps onto corporate hardware, increased financial costs, and balancing the privacy of the user's personal data against the organization's monitoring tools.
The rationale should clearly state why the model was chosen, citing business needs like cost savings or strict data control. It must also detail the accepted risks and the enterprise mobility management (EMM) controls implemented to mitigate those risks. Tools like WatchDog Security's Policy Management can help maintain the decision record, approvals, and controlled revisions as auditor-ready documented information.
Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) tools help enforce security policies, segregate work from personal data, ensure devices are updated, and provide remote wipe capabilities, all of which are central to securing whichever mobile device ownership model is chosen.
BYOD devices should require basic access controls like PINs or biometrics, encrypted storage, separation of work and personal data, and prohibition of connecting to untrusted Wi-Fi without a VPN.
Organizations should use containerization or secure work profiles to segregate business data. This allows IT to perform a selective remote wipe of only corporate data without touching the employee's personal photos or applications.
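As an added example (not WatchDog Security's code), the posture gate below encodes the BYOD baseline just described plus model-specific rules, and maps each device to a selective or full wipe for the lost-device case; the Device field names and the sample inventory records are assumptions.

```python
# Added example (not WatchDog Security's code): posture gate; field names and sample records are assumptions.
from dataclasses import dataclass

BYOD, COPE, COBO = "BYOD", "COPE", "COBO"

@dataclass
class Device:
    device_id: str
    model: str                    # ownership model: BYOD, COPE or COBO
    screen_lock: bool             # PIN or biometric unlock enforced
    encrypted: bool               # storage encryption enabled
    mdm_enrolled: bool            # enrolled in the MDM/EMM platform
    work_profile: bool            # managed work container present
    vpn_for_untrusted_wifi: bool  # VPN required on untrusted Wi-Fi
    days_since_patch: int         # age of last security update, in days
    personal_apps: int            # unmanaged apps outside the container

def evaluate(dev: Device, max_patch_age: int = 30) -> dict:
    # Baseline controls that apply to every ownership model
    baseline = [
        (dev.screen_lock, "no PIN or biometric screen lock"),
        (dev.encrypted, "storage not encrypted"),
        (dev.mdm_enrolled, "not enrolled in MDM/EMM"),
        (dev.days_since_patch <= max_patch_age, f"security update older than {max_patch_age} days"),
    ]
    reasons = [msg for ok, msg in baseline if not ok]
    # Rules that differ by model: each model gets its own policy
    if dev.model == BYOD:
        if not dev.work_profile:
            reasons.append("no work container separating corporate data")
        if not dev.vpn_for_untrusted_wifi:
            reasons.append("untrusted Wi-Fi permitted without VPN")
    elif dev.model == COBO and dev.personal_apps > 0:
        reasons.append(f"{dev.personal_apps} personal app(s) on business-only device")
    elif dev.model not in (COPE, COBO):
        reasons.append(f"unknown ownership model {dev.model!r}")
    # Lost-device response: BYOD wipes only the container, corporate-owned wipes everything
    wipe = "selective" if dev.model == BYOD else "full"
    return {"device_id": dev.device_id, "allow": not reasons, "reasons": reasons, "wipe_action": wipe}

FLEET = [  # constructed sample records, in the Device field order above
    Device("byod-01", BYOD, True, True, True, True, True, 12, 40),
    Device("byod-02", BYOD, True, True, True, False, True, 5, 40),
    Device("cope-01", COPE, True, False, True, True, False, 45, 3),
    Device("cobo-01", COBO, True, True, True, True, True, 2, 1),
]

def blocked_devices(fleet=FLEET) -> list:  # IDs conditional access should refuse, in inventory order
    return [r["device_id"] for r in map(evaluate, fleet) if not r["allow"]]
```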
To meet CyberSecure Canada control 6.1.3.1, organizations must formally decide on an ownership model for mobile devices (e.g., COPE vs BYOD) and document both the business rationale for the decision and the associated cybersecurity risks. Tools like WatchDog Security's Compliance Center can help map this requirement to evidence (policy, approvals, and risk assessment) and highlight gaps before an assessment.
If an organization supports a hybrid environment, distinct mobile device security policies for each model are recommended, since each model presents different legal, privacy, and technical challenges that require tailored acceptable use and security guidelines.
Start by documenting the business drivers (cost, productivity, privacy) and the security requirements (data separation, remote wipe, compliance). Then route the decision through a formal review and approval process with sign-off from IT, Security, and HR. Tools like WatchDog Security's Policy Management can help maintain version control, capture approvals, and track employee acknowledgment for the chosen mobile ownership policy.
Identify risks specific to the model (lost devices, unmanaged apps, patching gaps, privacy constraints) and define mitigations with owners and due dates (MDM enrollment, containerization, conditional access, selective wipe). Evidence should link back to the decision rationale and the control requirement. Tools like WatchDog Security's Risk Register can capture risk scoring, treatment plans, and ongoing status to support audits and management reporting.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |