Steps to creating an effective mobile security policy


The holiday season has just whizzed past, and some of us may have received thoughtful gifts from our loved ones, perhaps the latest model of smartphone or tablet. Nowadays these mobile devices pack more computing power and functionality than computers could have wished for a decade ago. For enterprises, however, these "gifts" could be costly.

These mobile devices give us around-the-clock connectivity, at a price paid not only in employees' personal time but also in enterprise information security. Many employees will return to work with a new iPhone or Samsung LTE phone in hand that they "need" connected ASAP to check email, access corporate intranets and update their statuses on social networks.

These requests and activities raise tough questions. Who is responsible for managing the security of "personal" devices that connect to the corporate network? What happens if a device capable of connecting to enterprise systems is lost? Should encryption be mandatory on portable devices that are used for work? What happens if these devices introduce viruses into the corporate network?

These are risks that enterprises cannot ignore; they must formulate appropriate mobile device policies to manage them effectively.

According to a BBC News report dated 12 October 2012, there are 6 billion mobile users to date, almost as many as there are people in the world (the world population is almost 7 billion). This presents huge opportunities for malicious hackers to infiltrate networks and steal precious corporate data. The alarming news is that this can be so effortless with rootkits downloadable from the internet.

Against this backdrop, few of us would disagree that enterprises should have a clear set of policies, requirements and standards covering mobile devices that are used to conduct business. But what are the challenges in formulating a security policy for mobile devices, and how can they be met?

First and foremost, the kinds of mobile devices allowed on the network should be dictated by the mobile device policy, and this policy must be fiercely policed. At the very least, basic security and malware protection should be present on every mobile device. Devices that are not compliant with the policy should be barred from connecting to the corporate network.

Another rising challenge for many businesses is data and device ownership, particularly ownership of the data on the device. It is not uncommon to see corporate policies that range from one extreme to the other. There are, however, three main approaches to this challenge.

Provisioning is the Key

First, corporate ownership and provisioning, where the enterprise procures and retains ownership of the device, and may or may not allow personal use depending on existing usage policies; second, shared management, where employees accessing business data from their own devices give their employer the right to manage, lock down or even wipe the devices; and third, legal transfer, in which the enterprise purchases the device from the employee. This may involve a nominal price, allow the employee to use the device for personal communications, and perhaps even allow them to buy the device back when they leave the organisation.

Restricting business data

In addition to continual reviews, businesses can define what types of data can and cannot be processed on mobile devices. The next level of detail should distinguish between personal and business-owned devices, whether they are managed or unmanaged, and address compliance with configuration standards.

Finally, the policy should define the delivery model for applications and data, based on application type, employee role, location and the type of mobile device.

The policy also needs to articulate clearly what happens when a device is lost or is required for a forensic investigation. Note that this may become a contentious issue, especially in countries with differing interpretations of privacy laws.

The policy should also include a cohesive device certification program, along with steps to secure the platform, including data encryption and secure authentication methods.
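To make the criteria above concrete (approved device types, malware protection, ownership model, managed versus unmanaged, encryption, certification, and the lost-device response), here is an added example policy evaluator that is not part of the original post. The field names, the approved-platform list, the data class labels and the lost-device actions are assumptions chosen for illustration.

```python
"""Added example: a small policy evaluator encoding the post's criteria.
All field names, labels and thresholds are assumptions for illustration."""
from dataclasses import dataclass

# Data classes from least to most sensitive (assumed labels).
DATA_CLASSES = ["public", "internal", "confidential"]
ALLOWED_PLATFORMS = {"ios", "android"}  # assumed approved device types


@dataclass
class Device:
    owner: str          # "corporate", "shared" (employee-owned, managed) or "personal"
    managed: bool       # enrolled in an MDM that can lock or wipe it
    anti_malware: bool  # basic malware protection present
    encrypted: bool     # storage encryption enabled
    platform: str       # e.g. "ios"
    certified: bool = True  # passed the device certification programme


def evaluate(dev: Device) -> dict:
    """Decide whether the device may connect and which data it may hold."""
    reasons = []
    if dev.platform not in ALLOWED_PLATFORMS:
        reasons.append("platform not on the approved list")
    if not dev.anti_malware:
        reasons.append("no malware protection")
    if not dev.certified:
        reasons.append("device not certified")
    if reasons:  # any baseline failure bars the device from the network
        return {"connect": False, "data": [], "reasons": reasons}
    # Sensitive data is gated on ownership and management, not just on connectivity.
    if dev.owner == "personal" and not dev.managed:
        data = ["public"]                 # unmanaged personal device: lowest tier only
    elif dev.managed and dev.encrypted:
        data = list(DATA_CLASSES)         # corporate or shared, fully controlled
    elif dev.managed:
        data = ["public", "internal"]     # can be wiped, but storage is unencrypted
    else:
        data = ["public"]
    return {"connect": True, "data": data, "reasons": reasons}


def lost_device_action(dev: Device) -> str:
    """Action the policy prescribes when a device is reported lost (assumed)."""
    if dev.managed:
        return "remote-wipe"          # the enterprise holds management rights
    return "revoke-credentials"       # unmanaged: can only cut off access


if __name__ == "__main__":
    print(evaluate(Device("shared", True, True, False, "android")))
```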

Although a mobile device security policy is essential, it must be complemented with the right blend of mobile device management systems, anti-malware solutions and best practices to ensure that the policy is effective and easily enforced.

I do hope this has been insightful; please feel free to add any comments and thoughts.