National Cyber-security Policies oriented to BYOD (Bring Your Own Device): Systematic Review Andrea Vaca Herrera 1,2 , Mario Ron 2 , Carlos Rabadão 1,3 2152217@my.ipleiria.pt, mbron@espe.edu.ec, carlos.rabadao@ipleiria.pt 1 School of Technology and Management - Polythecnic Institute of Leiria, Leiria, Portugal 2 Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui S/N, Sangolquí, Ecuador 3 Computer Science and Communication Research Centre - Polythecnic Institute of Leiria, Leiria, Portugal Abstract — There are some corporate policies in most of companies around the world, focus on mobile devices to be used as BYOD (Bring Your Own Device), but in Ecuador, these policies are not being established yet. In spite of that, this technology has been used frequently, even do some employers don’t allow to use employees’ mobile devices because of the inherent security risks, without being aware that BYOD carries a lot of advantages such as increase the company’s economy, improve its communication skills and help to work at home, which now is a good alternative. Business policies should follow national policy guidelines as already happens in several countries, but in the case of Ecuador, such guidelines are not present in a formal way, the regulatory framework of this human activity that must come from the state has not been developed, not only to regulate the activity, but also to guide its use in a safe and proper manner providing privacy to users in all social and economic activities. This research begins focusing on a systematic review about BYOD’s actual situation, its trend and impact, it will continue with the local situation and a proposal of recommendations oriented to have a National Policy in Ecuador. Keywords –Bring your own devices, Cybersecurity, risks, vulnerabilities, impact of using BYOD. I. INTRODUCTION There are many trends in today´s technology, one of those is known as "Bring Your Own Device (BYOD)," which allows workers to carry their personal devices with them to perform work tasks by connecting to the network and corporate resources. Employees could work with their own devices from home or save company information on their personal devices instead of using two computers, one personal and one for work, thus using the infrastructure more efficiently [1], making the company more competitive by reducing its operating costs and creating a climate of trust in collaborative work, however, not everything is positive in the use of personal devices within the company, due to security risks in the internal information system. The risks inherent to the use of the technology are increased with BYOD, but they must be controlled in some way so that its benefits take effect, therefore, it is necessary to properly configure a Company's Information Security Management System. Many companies, in order to avoid this technical work that represents them costs of consulting or implantation of new processes, have opted to restrict the use of personal devices in the company, without carrying out an analysis of impact, as much in the productivity of the company as in the risks Inherent in the use of these devices. The design of the Information Security Management System cannot be a particular initiative, but rather a state policy that promotes the use of technology in an efficient way and guides in an appropriate manner to the implementation of standards and procedures in order to maintain the confidentiality, availability and integrity of the information. This article, which is the beginning of a more extensive research on national cybersecurity policies in Ecuador and specifically about the BYOD trend in the country, details in section II the research questions formulated to solve this issue, the Section III describes the main security challenges in BYOD, section IV outlines the next steps of this research and section V presents the conclusions of all the work done. II. BYOD security concerns When implementing an alternative technology in a company, questions and concerns regarding the new tools’ security will arise. The main research questions are: • Which are the principle risks of BYOD and their impact to different companies in Ecuador? • Which are the threats that can be hidden or camouflaged between external mobile devices that are not easily detected by conventional means? • Is the use of methodologies and tools to ensure the integrity, confidentiality and availability of large volumes of data transmitted from external mobile devices in a company known? • How can you accurately determine unusual behaviour in cyberspace with the use of mobile devices? • Which systems and methods of defence and cyber security can be defined in Ecuador, based on strategies and policies developed at various levels of abstraction, with a coherent structure to act systematically against cyber threats? These research questions help to determine: the problem and possible solutions, and the principle criteria is: Ecuador does not have any national policy of cyber-security. This paper 644 978-989-98434-7-9/17/$31.00 c 2017 AISTI