Security Policy in Five Steps
The proliferation of bring your own device (BYOD) has raised a lot of security concerns. Most corporations have not yet had a chance to write policies or guidelines for how BYOD devices may be used, and on top of that they need to keep corporate data on those devices secure.
A recent report from the research firm Forrester shows that about 29 percent of the workforce are information workers. This group uses three or more devices, works from multiple locations and uses several apps, all of which they need in order to get their work done. The report shows that this pattern holds all over the world.
Neohapsis is a provider of mobile and cloud security services. CSO provides news, analysis and research on a broad range of security and risk management topics. The two recently discussed five steps that every organization should take in order to develop corporate security policies that address mobility.
Aaron Rhodes, senior security consultant at Neohapsis, suggests the following:
1. Set a strategy:
“Start mobile initiatives with a fully fleshed-out plan; your strategy should take a holistic view of security with an overarching security framework. Inventory the types of data your mobile workforce accesses on phones and tablets, and treat smart phone and device security just like you would internal systems on the network. Simply, a section of the policies and process decisions should be devoted to mobile devices. Consider the mobile IT footprint of your organization in the context of the rest of your assets.”
You have to work out what access the mobile devices actually have today and what access they genuinely need. You have to decide what data each class of device is allowed to store. And you have to treat smartphones and tablets as if they were internal systems on the network.
2. Plan well:
“Set a specific timeline, with goals and milestones along the way. Put aside time for research, too. If you’re getting new products such as MDM/MAM (Mobile Device/Application Management) systems, consider which is the easiest to integrate with your current IT architecture. One thing to look for when considering your mobile management strategy is to determine if you already have existing tools that fit the bill for managing your mobile devices. Get involvement from the technical leadership on your IT staff, and determine what capabilities you may already possess.”
3. Establish policy:
“Creating and administering guidelines will help prevent confusion about how company data and email can be used on mobile devices, and this in turn will encourage users to exercise caution. More importantly, if there’s a problem, they can’t claim ignorance. Additionally, there is a user awareness component to computer security that should be remembered as well. Building good habits in your users through awareness training and reminders can help improve your organization’s security as well.”
Rhodes also suggested that:
- Mobile devices must be password protected
- Mobile devices must use device encryption before accessing corporate email
- Mobile devices may not be “rooted” or “jailbroken”
- Mobile devices must be managed by the corporate IT department using the corporate approved MDM system
4. Train users:
“Most people simply aren’t aware that their actions on mobile devices (company-owned or not) can have dire consequences for the entire organization. Teaching your employees about the risks and how to mitigate them can help avoid catastrophe. The phrase ‘if you see something, say something’ comes to mind. Simply telling employees that there are risks, and giving them good contact points to call in case they have a security-relevant event (lost device, malware, etc.) is critical. Prevention is important but not foolproof, so having proper response processes in place is essential.”
5. Keep compliance in mind:
“Keep compliance requirements in mind when deciding company policy. Remember, all company data housed on mobile devices is subject to the same regulatory mandates as other IT systems. Compliance rules do tend to drive security requirements in organizations that fall under them. Some MDM/MAM offerings have special features of their products which support legal requirements. Using existing infrastructure is definitely important as well. If a system is put in place that fits well into your infrastructure, it is more likely that operators will use the system to its full capability to improve security.”
These are Aaron Rhodes’ five points that an enterprise needs to keep in mind when it draws up mobile security policies. Corporations definitely need a tangible mobile security plan. BYOD raises as many questions as it answers in terms of convenience, and it will be interesting to watch which direction this issue takes.