It's time for organizations that have yet to educate their employees about mobile device security to take control, starting with a comprehensive policy.
A good mobile device security policy defines
Planning a mobile device security policy
If you're considering implementing a mobile device security policy, you must ensure that the policy defines what employees can do, what the company can do and what the company will do under specific circumstances.
Because some mobile devices are employee-owned and others are company-owned, you might need two policies to address both groups of users. In some cases, your ability to check an employee's device will be limited, depending on who owns the device. As a result, you might want to enact stricter controls over what users are allowed to do with their own devices versus what they can do on a corporate mobile device. At the same time, it's difficult to control which apps users download or other actions they take with their devices if they own them.
The contents of a mobile device security policy will depend on the specific needs of your organization. When you're putting a policy together, consider including the following sections:
- Policy statement: An introduction that explains the policy's purpose and why the policy is necessary. Include a brief description of the issues the policy addresses and the resources it protects.
- Scope: The people and devices the policy applies to. The policy might only apply to mobile workers approved to use enterprise-owned devices, or it might apply to all employees and their personal devices. This section should also include details about any people or devices exempt from the policy.
- Definitions: Any terms that might need to be defined, such as passcode, lock-out, encryption, or even mobile device.
- Rules and guidelines: Details about how employees can use their devices, what resources they can access, how they should transmit and store data, and so on. This section is the heart of the document.
- Enforcement: Specific details about the consequences of non-compliance. Outline what the organization is allowed to do under such circumstances -- for example, confiscating or searching a device.
- Contacts: Who to ask for help and who to notify about a lost or stolen device.
- Approval: Tell users who approved the policy. The higher up these individuals are in the organization, the more weight the policy carries. The staff must understand that mobile device security is a serious concern and everyone is expected to adhere to this policy.
Whether you include these sections or others depends on your company's requirements. Your goal is to try to make your mobile device security policy as comprehensive as possible, without overwhelming your staff with pages of fine print.
Defining your mobile device security policy
The most important section of your mobile device security policy is the rules and guidelines section. It must be comprehensive enough to cover all aspects of mobile device usage, including defining which devices and platforms employees may or may not use for work. For example, the policy might specify that only company-owned devices are permitted, or it might list operating system versions and device models that employees are allowed to use. The devices you support might depend on whether you're using management software, in which case you would limit devices only to those you can actually control.
Your mobile device security policy should also address any issues related to connectivity. Should all connections to the corporate network be via a virtual private network? Will you even permit remote access? You must be clear on what resources a mobile device can access and how.
Another issue to address is how to handle the transfer and storage of sensitive data. Specify the kinds of data users can transfer to or from mobile devices, what they can store on devices or in the cloud, and whether they should encrypt data in transit or at rest.
You should also outline which applications are required, which are disallowed and which are optional. For instance, you might require that users have a management client installed and that all the apps they download come from an enterprise app store. Also, state whether users may update apps and/or operating systems, whether users can download browser add-ons and whether or not they should have security software installed.
Remember to address issues such as passcode policies, remote wipe settings and participation in a centralized device management system. In addition, explain what steps a user should take if his device is lost or stolen, if the user suspects the device has been compromised, or if that user is traveling out of the country. Also note instances when and if employees should refer to other policy documents or receive special training.
A mobile device security policy is only part of an overall employee education program, but it is at the core of these efforts. It should therefore be readily available to all employees to whom it applies, so they can read and sign off on it. Only then can you hope to benefit from other security efforts and achieve the level of protection you need.
This was first published in July 2012