Journal Online

Srikanth Ravindran is
a service management/

BYOD in the EnterpriseA Holistic Approach

information security
consultant and ITIL
practitioner with Infosys Ltd.
Ravindran has the ITIL v3
Intermediate and COBIT 4.1
Foundation certificates. He
can be contacted at srikanth_
ravindran@infosys.com.
Rajat Sadana is a process
consultant with Infosys Ltd.
He is an ITIL expert and holds
the ITIL v3 Intermediates, ITIL
v2 Practitioner and COBIT 4.1
Foundation certificates.
Sadana can be contacted at
rajat_sadana@infosys.com.
Deepa Baranwal is an
associate process consultant
with Infosys Ltd. and holds the
ITIL v3 Foundation Certificate.
She can be contacted at
deepa_baranwal@infosys.
com.

The latest trends in IT are endeavoring to make

it a remote, agile, flexible and scalable resource.
With the advent of cloud, virtualization, remote
infrastructures and an increasingly mobile
workforce, the world of IT is increasingly
becoming consumer-driven.
Consumerization has brought with it a pathbreaking yet potentially disruptive concept
bring your own device (BYOD). BYOD allows
ITs customers to use their own devices, such
as tablets, smartphones and laptops, and
mobile applications to enable business services.
It enables the organizations staff members
(operations/field staff and business users) to
connect to the organizations network and access
official data on their personal devices.
While organizations view this initiative as
a strategy for cost reduction and productivity
enhancement, IT departments and security
gurus argue that it poses a potential threat to
the organizations control over its data, making
it highly vulnerable to security threats, and
drastically increases the scope of support due
to the vast expanse of devices, platforms and
applications that are used. Thus, it is important
to bring consensus and adopt a hybrid approach
for framing an effective BYOD policy with
minimal and clearly documented risks.
This article provides insights on BYOD, its
implication to IT and how organizations need to
approach and adopt it.

BYOD INDUSTRY SPEAK

Widespread BYOD adoption is fueled primarily
by technology trends and advancements, such
as the proliferation of smartphones and tablets,
newer platforms (e.g., Windows Metro, iOS,
Android), app stores, app streaming and
storage in the cloud, desktop and application
virtualization, and changing employee
preferences (those who find it more convenient
to use their private devices for personal as well
as professional use). Gartner has predicted that
by 2014, approximately 1 billion smartphones
and tablets will be sold globally and 90 percent of
organizations will support corporate applications
on personal devices.1, 2 In a recent report,
Forrester revealed that around 60 percent of
organizations in the US already permit BYOD.3
Aruba interviewed IT professionals working
for 130 hospitals and found that 85 percent of
hospitals are providing access to physicians and
staff through personal mobile devices.4 Good
Technology, in a survey of companies in different
segments, found that, among the total number
of organizations surveyed across industries, 72
percent of organizations currently support BYOD
(figure 1), and across the industries surveyed, the
finance/insurance industry has the highest rates
of BYOD adoption at 35 percent (figure 2).5

Figure 1Percent of Organizations Supporting BYOD

9.3%
14.8%
3.9%
72.2%

ISACA JOURNAL Volume 1, 2013

may not capture the details related to hardware and OS

as the organization is not responsible for providing any
hardware or OS-related upgrades. This may potentially save
time and effort for asset management.
Cost advantagesCost reduction is achieved by offloading
device procurement, maintenance and data plan charges to
the employee. Citrix Systems is one such organization that
has realized remarkable savings over three years. IT had been
investing approximately US $2,600 for the procurement and
support costs of notebooks, and after BYOD
ADVANTAGES OF BYOD
implementation, it pays US $2,100 in stipends to its
BYOD envisages a win-win situation for organizations as well
employees to buy and use a notebook without the
as employees, given a policy is framed carefully addressing
responsibility of device support. The net gain works out to
critical success factors and risk. BYOD offers numerous
US $500 in savings per device over three years.6
advantages over traditional IT including:
Asset managementA well-managed BYOD environment
Employee satisfactionBYOD brings with it flexibility,
may result in reduced load on asset management as
familiarity, anytime and anywhere access, and connectivity.
the asset management team need not capture the
This results in a mobile and flexible workforce and higher
employee-owned asset details in as much detail as the case
productivity. Aberdeen Group found that among the top
would be for company-owned assets. For example, in the
20 percent of firms implementing BYOD, there was a 90
case of a company-owned laptop, the asset management
percent success rate of critical information availability
repository must have all the details related to hardware
within the necessary time framea 42 percent year-on-year
(e.g., RAM, hard drive), OS, installed licensed software
improvement.7 Since most employees/consumers prefer
and support-related details; while in the case of an
devices with updated technology, BYOD also brings with it
employee-owned laptop, the asset management repository
the benefits of the latest features and a superior user
experience.
Figure
2Support
of
BYOD
by
Industry
According to the
Good
Aruba survey,
Finance/insurance
58 percent of the
hospitals surveyed
Health care
use virtualization to
Professional services
access applications
Manufacturing
on tablets.8
Transportation/logistics
EfficiencyBYOD
Legal
can improve business
Software
process productivity
Government (federal)
by eliminating
Currently support
paper-based,
Communications
Planning to support; next 6months
manual or onsite
Retail/wholesale
Planning to support; 612 months
requirements for
Life sciences
Considering, but no specific time frame
dispatch, inventory
Government (local)
management and
Not planning to support
Entertainment/media
helpdesk support.
0%
5%
10%
15%
20%
25%
30%
35%
40%
Unisys Corp. has
realized a cost savings
These studies show that organizations across various industry
domains are adopting BYOD, albeit at different levels. It is
too early to predict what key factors are driving the levels of
BYOD adoption. Organizational strategy, budgets, type of
IT infrastructure in place, business growth, field user levels,
technical support capabilities, resource scalability and business
confidence in IT are some of the common considerations to
BYOD adoption, irrespective of the industry.

ISACA JOURNAL Volume 1, 2013

 of US $50,000 in licensing costs and the autoprovisioning

process (built in-house) reduced help desk calls by
US $1,000.9
There are also environmental benefits to BYOD: optimum
hardware utilization and a reduced carbon footprint by usage
of the same device for personal and work use.
CHALLENGES OF BYOD
Chief information officers (CIOs) face a number of challenges
around device control, data security, consistency of delivery,
platform/device selection and support creep in a BYOD
environment. The catch is to ensure that user experience is
unaffected while addressing the following challenges.
Security and Compliance
BYOD may expose the organizations data to misuse, theft and
vulnerabilities. Due to the ability of devices to interconnect and
share resources, access to the corporate network is possible for
a nonauthenticated device tethered to an authenticated device.
Data breaches may also happen if the device gets stolen or lost.
It is also possible that data can be transferred or shared through
social media, local or personal file and cloud storage, webmail,
instant messaging, and other communication channels. This puts
confidential data at risk if device usage is not monitored.
Since a BYOD environment offers more flexibility to
employees in terms of how the device is used, which apps and
software are installed, when to install new updates and so
forth, this practice may lead to devices being more vulnerable
to attacks compared to organization-owned devices, on
which the organization may put restricted policies on all the
previously mentioned activities.
BYOD opens up doors to virus and malware injection
into the corporate network. An infected user device that was
previously connected to an insecure network may expose
the corporate network to unexpected security attacks. Thus,
firewalls and intrusion-prevention techniques are essential
for smartphones and every other device that connects to the
corporate network.
Regulations and standards such as the Payment Card
Industry Data Security Standard (PCI DSS), the US Health
Insurance Portability and Accountability Act (HIPAA) or
the US Gramm-Leach-Bliley Act (GLBA), which mandate
safeguarding of data and specify certain rules pertaining to
information usage and security, have to be considered before

Read BYOD Audit/Assurance Program.

www.isaca.org/auditprograms
Read Securing Mobile Devices Using COBIT 5 for
Information Security.

www.isaca.org/
Securing-Mobile-Devices
Discuss and collaborate on mobile computing in the
Knowledge Center.

www.isaca.org/
topic-mobile-computing
implementing BYOD. According to the requirements of
PCI DSS, all devices used in processing payment card
transactions must implement encryption and passcode
protection. Similarly, the US Health Information Technology
for Economic and Clinical Health (HITECH) Act states that
health care organizations are accountable for:
The condentiality, integrity and availability of the electronic
protected health information (ePHI) of their patients
Maintaining a record of disclosure of patients PHI, failing
which they may incur financial penalties in the case of
data breaches
Ensuring that patients know who has accessed their PHI
records and when
Network/Support Capability and Platform Compatibility
BYOD can result in a plethora of additional devices being
supported by the IT infrastructure and staff. If BYOD is
implemented without having enough staff with the required
skill sets and clearly defined boundaries for scope in place,
BYOD adoption levels, user satisfaction and user productivity
will decrease. New skill sets will also be required for the
service desk, application development and maintenance
teams because they will no longer be developing apps for
a single environment. Applications and their security must
be customized to support different platforms across diverse
devices. Mobile device management (MDM) is an essential
ISACA JOURNAL Volume 1, 2013

component of BYOD operations, but there are no commercial

off-the-shelf (COTS) solutions for MDM that work on every
platform. Network upgrades may be needed to support the
increased number of devices.
Financials
A BYOD setup appears to be cost-effective initially as capital
expenditure (CAPEX) costs are reduced because of user
ownership of the device. However, it may be neutralized
by the cost involved in other areas such as planning,
implementation, operations and scalability. Hence, realization
of cost benefits should be expected over a longer term.
Operational expenditure (OPEX) may increase as users
may prefer individual data plans that may be more expensive
than company-provided plans, which have the benefit of
corporate leases in bulk for telecom services. Also, in the
case of company-owned devices, organizations can leverage
volume discounts from device manufacturers. BYOD negates
those benefits as well.
OPEX may also be higher due to the requirement of
telecom expense management (TEM) to track investment and
costs in the mobility space. In an organization, non-BYOD
setup TEM is addressed by the telecom service providers.
Another consideration for financials is additional support
costs, as development of capabilities on newer platforms
and technology will require training and skill upgradation.
Additionally, employee awareness programs, program/project
management, compliance and infrastructure upgrades are
other prominent items on BYOD expense sheets.
Employee Privacy
The IT departments level of control over a privately owned
device may conflict with the employees user experience.
Defining the boundaries of corporate control over the data
residing on personal devices is a major issue. There may be
cases where the employees personal information is lost due to
remote wiping.
In a survey conducted by Trend Micro, 91 percent of
employees did not want employers to control their devices in
order to access corporate applications, while nearly 80 percent
of organizations believed in their need to have authority or
control over devices through MDM mechanisms.10
There are also legal aspects regarding device usage in case
of a shared environment, such as BYOD, where usage is
hybrid with a mix of work-related and personal activities. For
4

ISACA JOURNAL Volume 1, 2013

example, an employee can install an unlicensed application

or access objectionable content that would not have been
accessible on an organization-provided device. Such risk
factors mandate that an agreement be signed between
the employee and the organization to cover the liabilities
pertaining to ownership and activities.
KEYS TO SUCCESS WITH BYOD
An effective BYOD program should strike a balance between
user-centric and device-centric strategies. Stakeholders,
including customers, organizational functions (such as IT,
human resources, sales, legal and marketing), leadership and
the executive board, have to be involved in policy framing to
avoid loopholes and ambiguity.
In the interest of the previously mentioned stakeholders,
the keys to success include:
Define a clear and inclusive BYOD policyA clear and
crisp BYOD policy must be carefully crafted to ensure that
the BYOD program remains sustainable over a period of
time. Organizations should not fall into the trap of defining
a rigid policy. To be sustainable, the policy must meet the
requirements of both IT and users, for example:
Secure sensitive and proprietary corporate data.
Minimize overall asset ownership cost.
Ensure that the user experience is not compromised.
Allow mandatory updates, nondisruptive upgrades and
technological innovation.
IT departments often emphasize the first two requirements,
but it is of utmost importance that the last two be also
focused on as they are key to sustaining employees interest
in the BYOD program over the longer term. If the BYOD
policy compromises the user experience, employees will find
ways to work around it or drop out of the program, thereby
defeating the purpose of having a BYOD policy.
Focus on securing data-in-transit and data-at-restThe
ability of smartphones and tablets to connect to the
organizations intranet through public Wi-Fi and mobile
networks, which are more prone to security attacks as
compared to the organizations LAN, mandates the need
for specific controls to protect data-in-transit. The following
are techniques that organizations can consider for securing
data-in-transit:
Encrypt data transmission between the device and the
corporate network through a Secure Sockets Layer (SSL)

virtual private network (VPN). For example, A VPN client

named Junos Pulse was implemented to provide secure
remote access (SSL VPN) for mobile devices to connect to
the Unisys Juniper infrastructure (intranet).11
Create and deploy user identification/device certificates
to quickly and easily provide users with secure access to
corporate resources.
Most smartphones and tablets support VPN for allowing
a secure connection to the corporate network protecting
data-in-transit, but do not secure the information stored
on the devicedata-at-rest. In the case of organizationowned devices issued to an employee, the organization
has a number of controls in place such as encrypting data
on the device, applying security patches and monitoring
device usage. These dictate devices compliance with the
organizations security policy and enable secure connectivity
to the organizations network. However, on employeeowned devices, the ability to implement these controls is
restricted. When it comes to protecting data-at-rest, most
mobile devices either do not have device encryption or the
encryption can be hacked easily by jail breaking or rooting
the device. A Harris Interactive survey commissioned by
ESET revealed that 33 percent of those surveyed agreed
that the company data on their personal devices were not
encrypted and another 33 percent did not know if they were
encrypted, meaning that as few as one-third of people are
encrypting company data on their personal devices.12 To
overcome these challenges, the organization should
consider implementing compensating controls to protect
the data-at-rest and, in turn, reduce the security risk to an
acceptable level.
The following are examples of compensating controls that
organizations should consider:
iOS jailbreak or Android rooting detection is implemented
to prevent compromise of devices.
Secure container segregates the storage area for corporate
and personal data on users mobile phones, smartphones
and tablets. The device integrity (which ensures that it
is not affected by malware or viruses) is checked before
the containers start, which reduces the risk to corporate
data. Also, the container with the corporate data can be
independently wiped without accidentally wiping the
employees personal content.

The ability to remote wipe corporate data is mandated in a

BYOD environment and apps such as 3CX Mobile Device
Manager, Mobile Defense, Android Lost, Mobile Me and
Google apps must be considered.
Ensure complianceOrganizations must ensure that BYOD
implementation is carried out in alignment with legal,
regulatory and organizational standards. In consideration
of these, a tracking mechanism has to be implemented to
record the email details (i.e., the sender, recipient, time stamp,
content) for purposes of legal e-discovery and regulatory
compliance. For example, ePHI and confidential data sharing
need to be handled through secure channels and the entire
information life cycle (for email, data and documents) needs
to be documented with security implications and maintenance
procedures and audit trails enabled where required. This
is reflected in the Aruba survey in which IT teams working
in hospitals say that only 24 percent of hospitals that have
implemented BYOD provide at least limited access to hospital
applications and patient data.13
BYOD should be an integral part of the enterprisewide riskassessment initiative, identifying opportunities and threats,
and a risk management strategy must be in place for the
same. Policies must be in place for asset management (to
track access), configuration management, patch management,
access management and security audits. Employees must
be trained regularly on information security policies, and
a strong password policy must be in place. IT controls like
secure texting can be used to take care of security issues since
these messages are on a closed network and the messages can
be deleted by the hospital or concerned authority, or can be
set to delete automatically. Devices and the network should
be updated with the latest security patches; device integrity
should be continually monitored; and data and application
privacy, protection and entitlement should be enforced and
monitored to prevent hacking and malicious attacks.
Develop and manage a list of supported platforms
and devicesThe primary driver behind BYOD is that
employees prefer their personal devices to those provided
by their organization. A study conducted by Dimensional
Research revealed that 87 percent of employees use
their personal devices for work-related purposes.14 The
most common example may be an employee who has an
organization-issued device for work and a different type
of personal device and would prefer to carry only one
device instead of two. However, in todays world where
ISACA JOURNAL Volume 1, 2013

consumer preferences shift frequently and the devices and

apps landscape keeps evolving, employee freedom on device
selection should be carefully thought out.
IT must also develop a list of supported devices and
platforms and allow employees to use any device as long
as it is on that list. IT should work to update this list
continually, adding new devices and platforms. The BYOD
policy should clearly state that any employee-owned device
should be set up for business use before getting access and
should be registered as a users official device. This typically
means that the IT group prepares the device for business
use by:
Enabling security features and MDM to implement
security policies
Enabling corporate network and data access
Installing business applications
Segregating business and personal data
Equip the staffThe IT teams in place (developers and
support) to partner with the business must be trained on
new technologies and platforms (e.g., iOS, Android, Metro,
Symbian, Blackberry) to effectively support BYOD. A
continual service improvement (CSI) program should be
in place for IT personnel to assess their current skills, roll
out training in required areas, encourage improvement
initiatives and reward excellence (figure 3).
Figure 3Continual Service Improvement Program
Assess

Reward

CSI
Strategy

Train

Encourage

Consider investing in mobile apps developmentBYOD

causes a shift in the way applications are developed and
delivered, as organizations have to develop applications
for multiple environments. An organization app store is a
critical step toward gaining more operational control over
6

ISACA JOURNAL Volume 1, 2013

the application environment. Organizations must plan to

have a unified delivery method for apps, as development
across multiple platforms results in huge CAPEX
expenditure and increased operational complexities. Custom
applications should be distributed through an organization
app store. There must be a facility to identify, segregate and
secure critical business apps by using a VPN-like tunnel
(i.e., mobile app tunnel). Malicious apps should be blocked
via a mobile app lock that detects the security vulnerabilities
associated with a particular app by testing an application for
security threats during runtime.
Web browser delivery using HTML5 coding allows a single
app to be supported across multiple devices and platforms.
As far as software development languages are concerned,
HTML5 offers advantages such as cross-platform
compatibility, offline storage and synchronization. Concerns
such as inconsistent compatibility with different devices and
browser memory management have to be considered before
adopting BYOD.
User experience can also be enhanced by using technologies
such as Responsive Web Design, which adapts the layout to
the viewing environment using techniques including flexible
grids, flexible images and cascading style sheets (CSS)
media queries.
Although these are not perfect solutions, they do provide
an alternative to the high costs and increased development
windows for building individual native apps for each device
and platform.
Ensure that corporate network infrastructure is capable
of meeting BYOD demandsAn increased number
of employee-owned smartphones and tablets getting
connected to the corporate network through BYOD makes
it imperative for organizations to be proactive in addressing
potential bandwidth and security issues. A separate guest
wireless network can serve as the enrollment network
for employee-owned devices. Automated evaluation and
privileges and restrictions assignment (access to company
email, Wi-Fi and VPN configurations) should take place
through the MDM solution based upon policies created after
enrollment. Devices that do not comply with the security
policy should be blocked.

 Include decommissioning as part of BYOD policyA

significant issue arises when it comes to ownership of the
device when employees change or lose their device or leave
the organization, and assumes even more significance when
an employee moves to a competitor organization. There
should be a formal decommissioning procedure defined to
facilitate a smooth exit for employees and/or devices leaving
the organization, or the company runs the risk of sensitive
propriety data being compromised. An agreement should
be signed between the organization and the employee that
allows for wiping the complete device including personal
and corporate data in the case of a lost device. An auto
wiping can be enabled following a number of failed login
attempts and an auto-lock can be activated in case of
periods of long inactivity.
The organization should also develop a process about which
business data or apps are to be removed or revoked upon
employee departure. The organization could follow a semiwipe option which would leave the employees with their
personal information intact while wiping the business data.
Use an affirmative contract for policy agreementThe
agreement between employee and organization should be
equivalent to an affirmative contract. Both parties must
assume accountability over the knowledge of what is in that
contract, thereby ensuring no ambiguity in understanding.
End users should be assessed on their knowledge of
the BYOD usage policy and must sign the affirmation
periodically (e.g., twice yearly). The user agreement should
include clauses around the following at a minimum:
Data wiping to prevent data misuse in case of
lost/stolen devices
Data access and camera use to prevent illegal/prohibited
access and data sharing
Email and social media usage
Confidential/sensitive data-handling procedures
Triggers for reporting data theft and misuse
CONCLUSION
In a world where sustainable success is increasingly elusive,
focusing on increasing productivity through BYOD may be
a profitable strategy. That said, integration of BYOD into
the existing IT infrastructure is not an easy task. To reap the

core benefits of BYOD, organizations need to carry out an

initial assessment to verify BYOD readiness, and security
and support gaps need to be filled to implement BYOD with
acceptable risk levels. A comprehensive approach is essential
for BYOD adoption, resulting in IT becoming user-centric,
as opposed to its earlier support-centric stance. Capability
development and constant
BYOD is not a project knowledge/skill upgrades are
key differentiators in providing
or a program. It is
a superior user experience.
a commitment to
Before implementing,
adopting technology
organizations need to consider
whether high operational
and innovation.
costs may even negate the cost
savings that BYOD can bring in the near term. With security
policies and employee awareness programs in place, BYOD
can bring benefits in the form of user experience, increased
productivity, user satisfaction, mobility and reduced CAPEX.
Further, data resource management (DRM) can be used so
the actions on data can be specified in advance.
BYOD is not a project or a program. It is a commitment
to adopting technology and innovation, and as with all other
tech initiatives the IT department should be at the center of it
fueling business need and advancement.
Though user experience is a key objective of BYOD,
the organizations stakeholders (e.g., its customers and
shareholders) are also of primary importance. A breach
or misuse of sensitive, customer or financial data could be
detrimental to the success of BYOD. Hence, an organizations
BYOD implementation should be based on an effective
strategy aligned to its business objectives (e.g., growth,
productivity, mobility, faster time to market) with an effective
support structure in place, monitored by MDM and data
privacy policies since security and support are paramount to
its success and scalability.

REFERENCES
Juniper Networks, B.Y.O.D. Without the R.I.S.K: How CIOs
Can Fully Harness the Enterprise Mobility Phenomenon, April
2012, www.juniper.net/us/en/local/pdf/pov/3200006-en.pdf
Finnie, Scot; Getting IT Set for Mobile, ComputerWorld,
8 November 2010, www.pcworld.com/businesscenter/
article/210079/getting_it_set_for_mobile.html
ISACA JOURNAL Volume 1, 2013

Zenprise, Go Ahead, BYOD. Make My Day, 2012,

www.zenprise.com/assets/ZEN-BYOD-Policy-SB-00.pdf
Avaya, BYOD and the Wireless Revolution, 2011,
www.avaya.com/usa/registration/byod-and-the-wirelessrevolution/
ENDNOTES
1 Bradford Networks, Ten Steps to Secure BYOD, 2012,
www.bradfordnetworks.com/ten-steps-to-secure-byod
2
Network World, Managing Your Employees Device,
Special Report, February 2012, www.networkworld.com
3 Werth, Whitney W.; Bitzer Mobile Solves BYOD Security
and Usability Clash for Enterprise Mobility, March 2012,
www.bitzermobile.com/press-release-9/
4 Op cit, Network World
5 IT World, Good Technology State of BYOD Report,
white paper, January 2011, www.itworld.com/mobilewireless/247888/good-technology-state-byod-report
6 Joch, Alan; BYOD: A Cost Saver or a Curse?, April
2012, www.biztechmagazine.com/article/2012/04/byodcost-saver-or-curse
7
Gourley, Bob; Alexander Olesker; The Current State
of BYOD, May 2012, http://ctolabs.com/2012/05/
currentstateofbyod/

8 
Op cit, Network World
9
Unisys Corp., Unisys Empowers Employees With
Anytime, Anywhere Access to Mission-critical
Applications, 2012, www.unisys.com/unisys/common/
download.jsp;jsessionid=D686D96891546594833F030
CCA056305?d_id=1120000970022510165&backurl=/
unisys/ri/cs/detail.jsp&id=1120000970022510165
10 Trend Micro, Bring em on!The Consumerization of
Enterprise Mobility, white paper, 2011, www.trendmicro.
com/cloud-content/us/pdfs/about/wp_bring-em-on-theconsumerization-of-ent-mobility.pdf
11 
Op cit, Unisys
12 Cobb, Stephen; BYOD Infographic: For Security Its
Not a Pretty Picture, 4 April 2012, http://blog.eset.
com/2012/04/04/byod-infographic-for-security-not-apretty-picture
13 Op cit, Network World
14 Dimensional Research, Consumerization of IT Survey
2011, September 2011, www.kace.com/~/media/Files/
Resources/Analyst-Reports/Consumerization-of-ITSurvey-2011.ashx

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving ITgovernance professionals, entitles one to receive an annual subscription
to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance
Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content.
2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in
writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St.,
Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date,
volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without
express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org
ISACA JOURNAL Volume 1, 2013