Mobile security policy useless if not enforced

By Andrew R. Hickey, News Writer
11 Oct 2006 | SearchMobileComputing.com

Creation of mobile security policies has become a dominant focus of many companies of late. And while few will argue against the fact that devising a mobile security policy is necessary, the policy itself means nothing if it is not enforced.

Ten steps to a successful mobile security policy
1. Determine the need for a policy, whether it's data leakage; malware prevention; unwanted use of enterprise resources, including bandwidth; or use of unwanted applications.

2. Determine how big the problem is today and how you can improve the situation in the future.

3. Get management buy-in to develop and enforce a policy. What happens when policies are not met? What happens when bad things occur? Who takes the remediation and punitive actions?

4. How will you enforce the policies? Remember, without enforcement they are useless.

5. Build up management concurrence on the policies themselves.

6. Discuss the policy with end users. They have the need and the right to know their responsibilities as employees, contractors or other users. Policies are a contract with the end user. They need to agree and sign up.

7. Deploy some form of enforcement tool to monitor and report. From there, assess policies, tweak them or remediate severe violations.

8. Remind end users of their responsibilities and notify them that enforcement will be deployed.

9. Review violations with management on a periodic basis and note new technologies as they migrate into the enterprise.

10. Revise or update policies to meet new challenges with management's approval and direction.

"Policies are great, but you've got to enforce them," said Dennis Szerszen, vice president of corporate strategy at SecureWave, a mobile security vendor. "You can put the best policy together … but if you have no means to enforce it or no way of auditing, what the heck?"

There are a host of tools available now to implement and enforce mobile security policies, whether you do it from a device or an application angle. SecureWave's Sanctuary allows managers to secure devices such as smartphones, PDAs and even iPods and other devices to ensure they use the network for the right reasons.

But, Szerszen said, tools to enforce policy should only come into play once that policy is built and end users are informed. "Socialize the policy before and after it happens," he said. "Once you build a policy, let [users] know."

Mobile managers need to tell users why a policy is being implemented, what it means and how it will be enforced.

William Bell, manager of security operations for Tempe, Ariz.-based CWIE, a Web e-commerce company, agreed that "mobile computing policies are useless unless you enforce them."

Bell said CWIE has roughly 300 endpoints, 40 laptops and a host of devices running on the Windows Mobile operating system. He said his company's policy controls which devices can link to the network, sets permissions for what users can do online and offline and also restricts certain access. For example, if a user connects to the network in the building, that connection has to be wired. Wireless is not allowed.

"We have really fine-grained controls," he said. "Just being able to know exactly what's plugged in, that's big."

Bell said he also limits the use of mobile storage devices and Bluetooth, unless there is a strong business reason for it. "We want them to do it under our terms," he said.

Rob Israel, CIO at John C. Lincoln Health Network, agreed. When his company rolled out SecureWave, he was surprised at how many devices were linking to the network that he didn't know about.

"We found lots and lots of devices that we didn't know were there," he said. "Now, no one can just go out and link to the network."

These days, Israel said, the company has the insight to look at and approve which endpoints can be used on the network and for what purposes.

According to Szerszen, there are several steps involved in implementing and enforcing a mobile security policy, but first a company must realize why it needs a policy and know the extent of its mobile security problem. From there, network managers must tell end users about the policy and what can happen when it is not followed. After that, revising, tweaking and reviewing the policy at intervals is necessary to keep it fresh.

Szerszen said mobile security policies should be living and breathing things that grow, change and adapt along with the company that is charged with enforcing them. Mobile computing, he said, creates a drastic lifestyle change that affects how, where and when users interact with enterprise applications and data.

"New technologies are not bad, they simply pose a new threat vector that can be readily understood and addressed on an ongoing basis," he said. "Security's job should be to mitigate risks to an acceptable level. Period. It should do that without imposing the need for administrators and end users to become security experts. Security should fit in with the rest of the administrative [and] management infrastructure. Security should not create new challenges to an already over-burdened enterprise."
