Security of mobile technology
The mobile world is undergoing explosive growth. Luckily, enterprises are beginning to realise the potential gains and losses this technology offers, enabling them to act appropriately.
In this article, I will explore some principles of good governance in the following key points based on the Information Systems Audit and Control Association (ISACA) Certified in the Governance of Enterprise IT (CGEIT) domains.
1 – Define, establish and maintain a governance framework. This consists of the leadership and organisational structures and processes that would help ensure alignment with enterprise governance, installation of good practices and assurance of compliance with external requirements. Is there a corporate standard for the purchase of mobile devices with a focus on one type of device and operating system? Enforcing one brand and operating system might help ensure easier compliance with existing corporate security standards.
2 – Consider how mobile technology will assist in delivery of key business objectives. Is it considered in strategic planning efforts? Aligning IT initiatives with business objectives and associated security efforts, and determining how the mobile environment might be used to assist, are key aspects of strategic alignment.
Will mobile applications be part of a defined strategy, or will they appear regardless in an ad hoc fashion? Whether the implementation is considered or ad hoc, applications will migrate to these platforms. Will mobile technology function as an enabler or a utility? Or, put another way, will it help deliver some new business function or help run an existing business system?
3 – Value delivery involves optimising expenses and proving the value of IT. Many enterprises already perceive the value of mobile technology, if at all, as merely a tool for e-mail and phone conversations. This does it a great injustice and certainly minimises the value proposition to the enterprise. With informed leadership and defined processes, mobile technology can emerge as a conduit for increased performance and decreased costs. Leaders can ensure that mobile technology use is perhaps built into new applications, thus supplying information more readily and securely or in a more useful format to the end user.
4 – Risk management is undoubtedly familiar to all. Ensuring continuity of operations and the security, confidentiality and availability of information and IT assets is a fundamental requirement of all enterprises. If mobile technology follows the same policies and standards as other IT assets, that will help manage risk. Enforce encryption of data on mobile devices, using IronKey or SanDisk Cruzer encrypted USB devices, or one of the myriad encryption vendors for implementation on smartphones. Ensure effective disposal processes that wipe data on old phones that are discarded for newer models.
5 – The success of IT performance through optimal investments and use of IT resources, including people, technology, applications, facilities and data, is the primary concern of resource management. Are staff appropriately trained in the use and security of mobile technology? Are procurement policies effective in offering economies of scale and do they provide the necessary level of technology to keep up with the security needs of the enterprise?
6 – Performance management involves ensuring that the necessary measures and management are in place to eliminate surprises and ensure optimal performance. Measurable targets for mobile technology security must be set, monitored and evaluated. Defining how mobile technology will be used to contribute to the enterprise's security posture, financial, customer and operational areas (the strategic IT objectives) will help in evaluating optimal performance.
Of course, there are many more things to consider than this article could discuss, and implementing even these small ideas can take time.
Barry Lewis is a security expert with more than 30 years' experience. He is to present IT Governance for Mobile Technology at ISACA's EuroCACS conference, 20-23 March 2011, Manchester. Contact him at email@example.com