Mobile security policy useless if not enforced

Article

Mobile security policy useless if not enforced

Andrew R. Hickey, News Writer
Creation of mobile security policies has become a dominant focus of many companies of late. And while few will argue against the fact that devising a mobile security policy is necessary, the policy itself means nothing if it is not enforced.

    Requires Free Membership to View

    Login

    SearchMobileComputing.com members gain immediate and unlimited access to expert guides for mobile deployment, management and security, industry trends, and more-- all at no cost. Join me on SearchMobileComputing.com today!

    Kate Gerwig, Editorial Director

    By submitting your registration information to SearchMobileComputing.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchMobileComputing.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Ten steps to a successful mobile security policy
1. Determine the need for a policy, whether it's data leakage; malware prevention; unwanted use of enterprise resources, including bandwidth; or use of unwanted applications.

2. Determine how big the problem is today and how you can improve the situation in the future.

3. Get management buy-in to develop and enforce a policy. What happens when policies are not met? What happens when bad things occur? Who takes the remediation and punitive actions?

4. How will you enforce the policies? Remember, without enforcement they are useless.

5. Build up management concurrence on the policies themselves.

6. Discuss the policy with end users. They have the need and the right to know their responsibilities as an employee, contractor or other users. Policies are a contract with the end user. They need to agree and sign up.

7. Deploy some form of enforcement tool to monitor and report. From there, assess policies, tweak them or remediate severe violations.

8. Remind end users of their responsibilities and notify them that enforcement will be deployed.

9. Review violations with management on a periodic basis and note new technologies as they migrate into the enterprise.

10. Revise or update policies to meet new challenges with management's approval and direction.
"Policies are great, but you've got to enforce them," said Dennis Szerszen, vice president of corporate strategy at SecureWave, a mobile security vendor. "You can put the best policy together … but if you have no means to enforce it or no way of auditing, what the heck?"

There are a host of tools available now to implement and enforce mobile security policies, whether you do it from a device or an application angle. SecureWave's Sanctuary allows managers to secure devices such as smartphones, PDAs and even iPods and other devices to ensure they use the network for the right reasons.

But, Szerszen said, tools to enforce policy should only come into play once that policy is built and end users are informed. "Socialize the policy before and after it happens," he said. "Once you build a policy, let [users] know."

Mobile managers need to tell users why a policy is being implemented, what it means and how it will be enforced.

William Bell, manager of security operations for Tempe, Ariz.-based CWIE, a Web e-commerce company, agreed that "mobile computing policies are useless unless you enforce them."

Bell said CWIE has roughly 300 endpoints, 40 laptops and a host of devices running on the Windows Mobile operating system. He said his company's policy controls which devices can link to the network, sets permissions for what users can do online and offline and also restricts certain access. For example, if a user connects to the network in the building, that connection has to be wired. Wireless is not allowed.

"We have really fine-grained controls," he said. "Just being able to know exactly what's plugged in, that's big."

Bell said he also limits the use of mobile storage devices and Bluetooth, unless there is a strong business reason for it. "We want them to do it under our terms," he said.

Rob Israel, CIO at John C. Lincoln Health Network, agreed. When his company rolled out SecureWave, he was surprised at how many devices were linking to the network that he didn't know about.

"We found lots and lots of devices that we didn't know were there," he said. "Now, no one can just go out and link to the network."

These days, Israel said, the company has the insight to look at and approve which endpoints can be used on the network and for what purposes.

According to Szerszen, there are several steps involved in implementing and enforcing a mobile security policy, but first a company must realize why it needs a policy and know the extent of its mobile security problem. From there, network managers must tell end users about the policy and what can happen when it is not followed. After that, revising, tweaking and reviewing the policy at intervals is necessary to keep it fresh.

Szerszen said mobile security policies should be living and breathing things that grow, change and adapt along with the company that is charged with enforcing them. Mobile computing, he said, creates a drastic lifestyle change, that affects how, where and when users interact with enterprise applications and data.

For more information
Find out how to build mobile security by starting with a strong mobile policy.

Read our exclusive story on SMS phishing and the threat it poses.
"New technologies are not bad, they simply pose a new threat vector that can be readily understood and addressed on an ongoing basis," he said. "Security's job should be to mitigate risks to an acceptable level. Period. It should do that without imposing the need for administrators and end users to become security experts. Security should fit in with the rest of the administrative [and] management infrastructure. Security should not create new challenges to an already over-burdened enterprise."