Creation of mobile security policies has become a dominant focus of many companies of late. And while few will argue against the fact that devising a mobile security policy is necessary, the policy itself means nothing if it is not enforced.
There are a host of tools available now to implement and enforce mobile security policies, whether you do it from a device or an application angle. SecureWave's Sanctuary allows managers to secure devices such as smartphones, PDAs and even iPods and other devices to ensure they use the network for the right reasons.
But, Szerszen said, tools to enforce policy should only come into play once that policy is built and end users are informed. "Socialize the policy before and after it happens," he said. "Once you build a policy, let [users] know."
Mobile managers need to tell users why a policy is being implemented, what it means and how it will be enforced.
William Bell, manager of security operations for Tempe, Ariz.-based CWIE, a Web e-commerce company, agreed that "mobile computing policies are useless unless you enforce them."
Bell said CWIE has roughly 300 endpoints, 40 laptops and a host of devices running on the Windows Mobile operating system. He said his company's policy controls which devices can link to the network, sets permissions for what users can do online and offline and also restricts certain access. For example, if a user connects to the network in the building, that connection has to be wired. Wireless is not allowed.
"We have really fine-grained controls," he said. "Just being able to know exactly what's plugged in, that's big."
Bell said he also limits the use of mobile storage devices and Bluetooth, unless there is a strong business reason for it. "We want them to do it under our terms," he said.
Rob Israel, CIO at John C. Lincoln Health Network, agreed. When his company rolled out SecureWave, he was surprised at how many devices were linking to the network that he didn't know about.
"We found lots and lots of devices that we didn't know were there," he said. "Now, no one can just go out and link to the network."
These days, Israel said, the company has the insight to look at and approve which endpoints can be used on the network and for what purposes.
According to Szerszen, there are several steps involved in implementing and enforcing a mobile security policy, but first a company must realize why it needs a policy and know the extent of its mobile security problem. From there, network managers must tell end users about the policy and what can happen when it is not followed. After that, revising, tweaking and reviewing the policy at intervals is necessary to keep it fresh.
Szerszen said mobile security policies should be living and breathing things that grow, change and adapt along with the company that is charged with enforcing them. Mobile computing, he said, creates a drastic lifestyle change that affects how, where and when users interact with enterprise applications and data.