Data Security: Building a Good Mobile Device Security Policy

12/13/2016  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security

Finders keepers. Depending on your place in the pecking order, you either heard or recited that adage at recess. It was written somewhere in the playground Magna Carta. Usually the “lost” item wasn’t really lost at all, but more likely lifted by an instigator during a moment of opportunity.

So, fast forward. Now that we’re all grown up, the list of things we lose or misplace has changed. For me, in no particular order they include my car keys, sunglasses, umbrella, smart phone, etc. Though I often accuse my spouse, it’s usually my poor memory that is to blame. Hey, it’s human nature, with some of us being a lot more “human” than others.

Unfortunately, when it comes to items like smart phones, laptops, and tablets that have access to, or contain, data belonging to our employers and/or their customers, patients, etc., the stakes are a good bit higher. While it's true that, measured by the total number of breached records, online breaches still account for the majority of the risk, the ease with which a laptop or cell phone can go missing is a big cause for concern.

Having to report a data breach due to laptop loss or theft can be a big blow to the organization's reputation. Start talking about banning these devices, however, and you get the look that says you can have it, but you will have to pry this iPad from my cold dead hands! There are a number of technical solutions that provide varying degrees of protection for mobile devices.

Let’s discuss establishing a good set of organizational policies related to mobile computing devices.

Why worry with a mobile device security policy?

Ask your IT staff and they will tell you that without one, it's a free-for-all. Many organizations allow their employees to connect to corporate networks (especially for email) with their personally owned laptops and cell phones. This creates huge issues in terms of managing and securing the corporate data that ultimately can find its way onto these devices.

A good policy serves to educate the workforce and set boundaries for what is acceptable in terms of equipment and behavior. One of the first questions to be answered is, “Are we going to allow our employees to access corporate systems with their personal laptops and/or smart phones?” Every business is different as are the risks. However, there are some significant benefits to allowing only corporately issued devices to connect. They include:

  • Device tracking and monitoring including retrieval of the device upon termination.
  • The ability to have standard configurations that include security controls such as encryption, passwords, etc. (you can sometimes enforce these with non-corporate devices, but it's easier if they are provisioned by the IT group).
  • Fewer compatibility issues.
  • Reduced support burden for the helpdesk.

Regardless of your decision related to the use of personal equipment, there are some universal considerations. If your organization houses sensitive data or data that is “protected” such as patient records, personal financial information, or information that could be used by identity thieves, you will want to take a more proactive approach to securing mobile devices.

For laptop computers, this means at a minimum the use of unique user IDs and strong passwords. Given how inexpensive and widely available the technology now is, full disk encryption should also be strongly considered. While not necessarily a regulatory requirement, encryption of the data at rest provides a "safe harbor" from having to report a breach under some data breach laws, including HIPAA/HITECH, provided the decryption key is not lost along with the device. For smart phones, consider mandating the following technical security controls in your policies:

  • Encryption of data stored on the device
  • Requirement for a password for access to corporate systems (e.g. email, VPN)
  • Screen timeout with password required to re-access the device
  • Automatic wipe of the device after a specified number of failed unlock attempts
  • Remote wipe feature if the phone is lost / stolen
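
Since many organizations first meet these controls through corporate email, here is one way to enforce the list above for phones that sync mail over Exchange ActiveSync. This is an added example, not code from the original post; it assumes an Exchange Management Shell session (Exchange 2013 or later, or Exchange Online), and the policy name, mailbox, device identity and helpdesk address are placeholders.

```powershell
# Added example: enforce the smartphone controls above through an Exchange
# ActiveSync mailbox policy. Policy name, mailbox and addresses are placeholders.
$PolicyName = "Corp-Smartphone-Baseline"

# Create the policy once; later runs only update it.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName | Out-Null
}

$Settings = @{
    Identity                     = $PolicyName
    # Encryption of data stored on the device
    RequireDeviceEncryption      = $true
    # Password required to reach corporate email from the device
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    MinPasswordLength            = 6
    AllowSimplePassword          = $false
    # Screen timeout: lock after five idle minutes, password to re-enter
    MaxInactivityTimeLock        = "00:05:00"
    # Device wipes itself after ten failed unlock attempts
    MaxPasswordFailedAttempts    = 10
    # Phones that cannot report compliance with these settings are refused
    AllowNonProvisionableDevices = $false
}
Set-MobileDeviceMailboxPolicy @Settings

# Make this the default so every mailbox, including new hires, gets it.
Set-MobileDeviceMailboxPolicy -Identity $PolicyName -IsDefault $true

# Device tracking: see what is syncing a given mailbox and when it last checked in.
Get-MobileDeviceStatistics -Mailbox "jdoe@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceAccessState, LastSuccessSync

# Remote wipe when a phone is reported lost or stolen. The device identity comes
# from Get-MobileDevice -Mailbox "jdoe@example.com"; the wipe runs the next time
# the phone contacts the server, and the helpdesk is told when it completes.
# Clear-MobileDevice -Identity "<DeviceIdentity>" -NotificationEmailAddresses "helpdesk@example.com"
```

Two caveats a policy author should know. ActiveSync policy compliance is self-reported by the phone: the server trusts the device's claim that it is encrypted and locked, so a dedicated MDM product gives stronger enforcement than the mail server alone. And the remote wipe only takes effect when the device next reaches the server, so the lost/stolen reporting procedure below should still tell the user to report quickly, before a thief pulls the SIM or turns off radios.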

From an administrative standpoint, there are also things that are important to include or reference in your mobile device policy. Some of these include:

  • Appropriate use
  • Download of unauthorized software
  • Procedures to report a lost/stolen/found device
  • Use in public Bluetooth and wireless environments

It is worth saying that it’s not if someone will lose their laptop or phone, but when. Since we know at some point we’ll be on the losing end of the old playground adage, with a little work we can cut out the weeping.
