Smartphones have become widespread in both the consumer and business realms. More importantly, employees expect they can hold just one device for their everyday use thus the boundary between personal and business usage is diminishing. The companies should have clear set of policies, requirements and standards that cover usage of smartphones to conduct business activities, writes Vladimir Jirasek, director of alliances, Cloud Security Alliance UK & Ireland.
There has been a lot of research about mobile device threats and vulnerabilities. At the same time, smartphone hardware and software is evolving rapidly and organisations should keep reviewing their policies and standards to address this.
I believe the policy should foremost define what types of the data can or cannot be processed on smartphone operating systems. For example, the policy may state that PCI DSS data and applications cannot be stored and accessed from smartphones.
The next level of detail should distinguish between personal and business owned devices, whether these are managed or un-managed, and address the compliance with configuration standards.
Finally, the policy should define what the delivery model of the applications and data is, based on application types, employee role, location and the type of the smartphone. This is not an easy task and requires pragmatic approach, which includes threat assessment at the very least.
Managed devices are those linked to organisation’s central device management system. If the device belongs to an employee the employee must give his/her consent for the remote management.
Compliant devices should be defined, at the very least, as those that have not been jail-broken/rooted (thus retain original operating system security controls), have proper access control enabled (such as PIN or password), have encryption enabled (this varies between operating systems and vendors). Such a policy might rule out certain smartphone operating systems as non-compliant by default (for example, Windows Phone does not support whole device encryption).
The policy also needs to clearly articulate what happens when the device is lost or required for a forensic investigation. However, forensic investigations on privately owned smartphone might be unlawful in some countries, regardless of what the policy says.
The smartphones offer great advantages to business to improve productivity, timely access to data and better interaction with customers. Furthermore, the smartphone operating systems are evolving rapidly and improving security controls every year. However, different types of threats apply to smartphones as opposed to traditional end user computing devices and the policy needs to address this in detail.