Three mobile device security policy lookouts from ISF

Advice from Information Security Forum (ISF) on how to draft a comprehensive mobile device security policy, given the evolving mobile device environment.

Consumer mobile devices are an omnipresent fact of everyone’s life today. These devices come with their own baggage, in the form of their susceptibility to information security risks. This matters from an organizational perspective, and one must consider the implications of consumerization when framing a mobile device security policy for the enterprise.

Organizations today have little or no control over the consumer devices existing within their business ecosystems. Lack of visibility of usage and penetration, coupled with poorly defined ownership, makes governance an uphill task.

Since adherence to a mobile device security policy and compliance with it are the challenge, organizations need to start with an end goal: what the organization expects these devices to achieve from a business perspective. To meet the challenge of rapid consumerization, mobile device security policies need to be comprehensive yet comprehensible, and always in sync with business requirements. A typical situation is when employees bring in iPhones and iPads and ask the IT department to make the devices work, even though they don’t fall under the existing IT policy. This potentially exposes the organization to risks.

The solution is a clear, forward-looking mobile device security policy, with provisions for restructuring wherever gaps exist, and the ability to incorporate new devices, as and when required. Policy review needs to be continual, given the fast pace of device evolution. An understanding of the extent of consumer device penetration and forming different device groups is essential to identify support requirements for these devices and the attendant risks. The issues in this context are broadly spread over four areas, as detailed below:

1) Users: The weakest link

Since there is a lack of control over working practices, there is no consistent usage method. Problems arise when users decide to combine work and personal tasks. Inappropriate usage within the corporate environment or access from unsuitable or insecure locations can magnify exposure and risk.

Users need to be educated about risks and best practices. Drafting an acceptable use policy for these devices is essential. This is a key policy area, and monitoring device usage may be necessary to enforce a robust mobile device security policy.

Given that organizations are moving into a consumer-based environment, one must distinguish between genuine mistakes and inadvertent ones, from the point of view of disciplinary action.

2) Devices: Trojan horses?

Most consumer mobile devices were never designed to be enterprise computing tools. They are thus not the most robust from a mobile device security viewpoint. Left unattended, they are vulnerable to a host of infosec threats.

Organizations need to put in place solutions for securing mobile device access within the corporate environment. This includes enabling functionality such as malware protection, firewalls, mobile device management systems, and so on.

A key area is the issue of ownership. Clarity needs to exist in terms of actions on the device such as storage encryption, remote access and remote wipe, when the device itself does not belong to the organization.

When the organization owns the device, the task of compliance and adherence to a mobile device security policy becomes easier. In reality, employee-owned devices are the norm.

3) Applications and data: Regulating risk

Apps are probably the easiest way to infect devices with malware. Organizations cannot depend on vendors or app-stores to screen applications for malware.

One way to ensure security of mobile consumer devices is to host the app-store in-house, distributing only those apps that have been tested to meet organizational compliance standards. Alternatively, the mobile device security policy can specify the list of permissible apps.

Data classification is another important aspect to consider when drafting a mobile device security policy, in terms of defining the restrictions on the type of data that can be accessed on consumer devices. With a robust mobile device security policy, organizations can maximize the advantages that mobile consumer devices bring to the workplace, while minimizing risks.

About the author: Steve Durbin is Global VP at the Information Security Forum. His focus areas include cyber security in managed services, outsourced cloud security, consumerization and social media. He was previously a senior VP at Gartner.

(As told to Varun Haran.)
