Do You Have A Mobile Security Policy?: Page 2

(Page 2 of 2)

Finding a Balance

For those companies in the process of drafting a mobile security policy, the key is to strike a balance between productivity and security. “There’s a tradeoff,” observes Egner. “CIOs like the productivity of personal equipment, but they don’t like the security.”

Forrester’s Maribel Lopez notes that the best practices policy is for companies to restrict users to a few devices. “But let’s be realistic,” she writes. “Huge backlashes occur when IT won’t allow executives who got the latest Treo or Motorola Q for their birthday to connect to the network. Rather than forcing employees to circumvent the system, an employee who purchases a device on the approved list should be able to register with IT to get it connected. However, they need to understand that IT will provide only limited support.”


Lopez recommends that a mobile security policy address three elements:

• Mobility Framework
Who can have a device? And which devices, operating systems, and applications will be supported?

• Security
How will devices be secured? How often should users reauthenticate? When and how will devices be neutralized if lost?

• Device management and support
How will devices be procured, managed and supported?

Making Enforcement a Priority

Unfortunately, the greatest mobile security policy in the world won’t protect a company if the policy is not enforced. In an August 2006 study, The Ponemon Institute reported that 41 percent of the companies surveyed did not believe that they effectively enforced data security policies.

Ironically, the problems with enforcement start right at the top.

“The members of the executive team are the worst offenders,” observes Egner. “They have the most sensitive information, and they are the most likely to be gadget freaks.” He’s seen cases where companies end up with a double standard—one mobility policy for executives and one for everyone else.

However, by taking a few relatively simple steps, IT can help keep employees at every rung of the corporate ladder from using unauthorized PDAs and other devices.

First, they can lock down corporate PCs to prevent users from installing their own software. This makes it harder for employees with rogue personal devices to sync their handhelds. Second, they should disable the USB ports on company PCs. This prevents employees from plugging in docking stations and also prevents the use of portable memory keys that can be used to take sensitive information out of the building.

Finally, one of the most effective strategies isn’t a technical solution at all. A growing number of companies make it a policy to provide employees with top-of-the-line gadgets at company expense. That way, the IT department controls which devices employees are using, and employees are less tempted to use personal gadgets for work.
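The first two steps above (locking down corporate PCs and cutting off USB storage) are usually implemented in Windows through the Removable Storage Access policy and the USB mass-storage driver. The script below is an added example, not part of the article: it assumes a Windows PC and an elevated PowerShell session (the article names no operating system), and the function and variable names are my own. It audits a PC's current posture so that drift from the policy can be spotted, and it applies either a full block or a read-only mode that lets users read a memory key but not copy data onto it.

```powershell
# Added example (not from the article): audit and enforce removable-storage
# restrictions on a Windows PC. Assumes Windows and an elevated session.
# Function and variable names are hypothetical; the registry paths and the
# device-class GUID are the ones Windows uses for the
# "Removable Storage Access" Group Policy and the USBSTOR driver.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class GUID that the policy uses for "Removable Disks" (memory keys, card readers)
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePosture {
    # Report what this machine currently allows. Run across the fleet to find
    # PCs that were never locked down or where the setting was undone.
    $usbStart  = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $denyAll   = (Get-ItemProperty -Path $PolicyKey  -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $classKey  = Join-Path $PolicyKey $RemovableDisksClass
    $denyWrite = (Get-ItemProperty -Path $classKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        # Start = 4 means the USB mass-storage driver is disabled; 3 (manual) is the default
        UsbStorDriver      = if ($usbStart -eq 4) { 'Disabled' } else { 'Enabled' }
        DenyAllRemovable   = ($denyAll -eq 1)
        DenyWriteRemovable = ($denyWrite -eq 1)
        # Compliant if data cannot be copied out: full block, or driver off, or write denied
        Compliant          = ($usbStart -eq 4) -or ($denyAll -eq 1) -or ($denyWrite -eq 1)
    }
}

function Set-RemovableStorageLockdown {
    param(
        # 'Block' denies all removable storage; 'ReadOnly' allows reading but not writing
        [ValidateSet('Block', 'ReadOnly')]
        [string] $Mode = 'Block'
    )

    $classKey = Join-Path $PolicyKey $RemovableDisksClass
    foreach ($k in @($PolicyKey, $classKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    if ($Mode -eq 'Block') {
        # Same effect as "All Removable Storage classes: Deny all access" in Group Policy
        Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
        # Belt and braces: keep the USB mass-storage driver from loading at all.
        # Keyboards and mice are a different device class and keep working.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    else {
        # "Removable Disks: Deny write access": a stick can be read but not written to
        Remove-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $classKey -Name Deny_Write -Value 1 -Type DWord
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    }

    # Return the resulting posture so the caller can log or verify it
    Get-RemovableStoragePosture
}

# Usage (elevated prompt):
#   Get-RemovableStoragePosture                  # audit only
#   Set-RemovableStorageLockdown -Mode Block     # enforce the article's "disable USB" step
#   Set-RemovableStorageLockdown -Mode ReadOnly  # allow reading media, block data leaving
```

On a domain-joined PC these values normally arrive through a Group Policy Object, which will overwrite local edits at the next refresh, so in a domain the enforcement belongs in the GPO and the audit function is what you run on endpoints. Note also that the policy is per device class: this block covers memory keys and card readers, and syncing a handheld through a docking station may use a different device class that needs its own entry under the same policy key.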
