How do we manage security when our users are integrating smartphones and other mobile devices into the workplace? This is a question we hear more and more from our customers as their employees buy mobile devices such as iPads, iPhones, Blackberries, and Android-driven products. The rising tide of usage of these devices is impossible to stop, and they have become ubiquitous in a short period of time. This leaves IT departments and security teams trying to figure out how to backfill security, often when they have little control over the device configuration. This is especially important as almost every enterprise has to deal with both protecting confidential data, such as customer personally identifiable information (PII), and regulatory compliance, such as PCI, HIPAA / HITECH, FFIEC, NERC, etc.
To answer the question of how to manage mobile device security risk, we recommend developing a mobile device security policy. Organizations that cannot quickly do a mobile device risk assessment to guide policy development, and need to fast-track some policy guidance, might consider reviewing their laptop security policy. After all, mobile devices could be considered just as capable in terms of network access and data storage, yet their additional mobility increases the risk of them being lost, stolen, or damaged.
Some of the things to consider when creating a mobile device security policy that can be borrowed from a laptop security policy include: unauthorized access, loss prevention for any data stored on the device, network access / secure connectivity, and the security of the operating system itself. Minimizing the risk of data loss in these areas means implementing both technical controls and configurations on the devices themselves. However, mobile devices in many organizations present an additional challenge in that they are often owned and configured by the individual users who bought them. For this reason, the human side of the policy, such as acceptable use and training, is a critical part of any mobile device policy.
Also, just as with a laptop, issues of malware, viruses, application patches, OS updates, unauthorized software, and backup are all relevant for mobile devices. Whether you are using an Apple product such as an iPhone, iPad, or iPod, a Blackberry, or one of the myriad Android-based mobile devices, the very same issues addressed in a laptop policy could provide some inspiration for a mobile device security policy.