Authorized Access: 4 mobile security policy best practices

Four best practices for mobile security

These four tips will help you on your way to creating a workable mobile security policy for employee-owned and corporate-owned devices.

IT administrators faced with the influx of mobile devices in the enterprise need to step up and define mobile security policies governing how employees can use these ubiquitous tools in the first place.

Employees are increasingly bringing their own mobile devices into the office, using them to check their corporate email, read documents, and access work-related applications. The mobile device dilemma isn’t limited to smartphones and tablets. Mobile security policies also have to address company-issued laptops. For example, you may have more employees than ever working remotely, or out in the field, and they need their work-issued laptops to be able to access the corporate network from whatever network they happen to be on. If any of those devices fall into the wrong hands, your corporate data, such as customer records, contracts, and even financial records, could be exposed.

Welcome to mobile security in the workplace, where IT has to protect both company-issued and employee-owned equipment, as well as all the corporate data and applications being accessed via these devices. Here are four tips for IT administrators to follow as you craft your company’s mobile security policies.

1. Mobile security policies must clearly identify what is supported

It doesn’t make sense to be overly restrictive (such as forcing everyone to standardize on one platform). Likewise, you have to be careful not to spread your IT organization too thin by trying to support every single mobile platform out there.

It’s also perfectly reasonable to demand a certain level of cooperation from your users. Many companies flat-out refuse to support rooted or jail-broken devices because of the mobile security risks they pose. Administrators can also refuse to support devices that don’t meet minimum mobile security standards, such as having an antivirus installed on a personal laptop or a passcode lock on the smartphone to prevent unauthorized access.

2. Mobile security requires clearly defined user risk profiles

Organizations have to figure out what the limits are when it comes to data access. Some organizations may choose to give employees access to data, but never let it actually be downloaded to the user’s device.

Some employees, based on their job title, may never be allowed to access certain applications from mobile devices. User risk profiles help clarify what levels of access different groups are allowed to have, and what attributes about the group require that level of control.

3. Mobile security involves defining your users’ responsibilities

Employees need policies clearly outlining their responsibilities, which may include promptly reporting lost and stolen devices, installing the minimum required security software, and complying with all policies. Being allowed to access the corporate network may mean agreeing to allow IT the power to remotely wipe all data from the device if it is ever lost, for example.

4. Don’t overlook physical mobile security

Loss or theft is a serious event. Smartphones and tablets should have a passcode and an idle timeout to lock the device so that unauthorized individuals can’t gain access to the data. Laptops should be secured with a strong password. Encrypting the entire drive is another smart step. This way, a stolen laptop, smartphone, or tablet becomes less of a disaster.

There are plenty of resources for administrators looking for guidance. The National Institute of Standards and Technology last year updated its guidelines for securing mobile devices. “Guidelines for Managing and Securing Mobile Devices in the Enterprise” (SP 800-124) recommends using a centralized mobile device management tool to secure all mobile devices, regardless of who owns them. The SANS Institute also offers various templates and sample policies on mobile device security covering employee responsibilities, encryption, and storage devices.

While creating strong security policies is important, they remain ineffective if IT doesn’t apply existing policies to mobile devices or enforce all policies. For example, if your general security policy requires users to have a 15-character password to log on to the corporate network, that has to apply to mobile devices as well. Most importantly, administrators have to create, and regularly update, an inventory of all mobile devices in the enterprise. Understanding what devices are on the network, and how many of them there are, is a critical first step towards identifying which users aren’t meeting mobile security policy requirements.

About the Author

Fahmida Y. Rashid is a contributor to, a UBM Tech community.

Fahmida Y. Rashid
Fahmida Y. Rashid is an analyst for networking and security at She focuses on ways businesses can keep their data and networks secure without going bankrupt chasing after the wrong kinds of protection. Prior to landing at PCMag, she was a senior writer covering security, core Internet infrastructure, and open source at eWEEK. She was also a senior technical editor at CRN Test Center reviewing open source, storage, and networking products from 2007 to 2008. Before setting out her journalism shingle, she was a technology consultant, first at PricewaterhouseCoopers, and later with the Business Consulting Services group in IBM Global Services. She has worked in the trenches as help-desk, QA tester, software and Web developer, and network administrator.