Mobile policies: Secure your corporate data with acceptable use policies

Think about this, Mr. or Ms. IT manager: we occasionally talk about all of our assets walking out the door each evening. This saying most certainly refers to employees, who are clearly the most valuable assets any business has, of course. But there's another asset to consider in the era of mobile computing, and that's the data stored on the notebooks and other mobile computing devices. As we've recently seen from so many reported incidents regarding potentially compromised data on notebooks (can you imagine how many incidents were not reported?), the enterprise needs to take a very proactive look not just at the technologies of mobile computing, but also the policies regarding their use.

In general, there are two key components to any mobile computing policy: acceptable use, and security. Both of these policies need to be written and distributed per your organization's practices, and it's a good idea to get sign-off from anyone who will be issued a mobile computer or similar dev...

RELATED CONTENT Mobile Security Mobile security threats Two-factor authentication: Mobile security at your fingertips Securing your Windows Mobile devices In-the-cloud defenses for mobile malware On-device defenses for mobile malware Is malware coming to a smartphone near you? Protecting data on your BlackBerry Defining your mobile security policy Government regulations and mobile security policies Symbian: Protect your data, not just your device Mobile Policies and Procedures Mobile device security policies: Asserting control over mobile devices Securing corporate data on your laptops Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies Mobile security culture starts at the top Detecting rogue mobile devices on your network Mobile security policies Defining your mobile security policy Government regulations and mobile security policies Mobile security policies: Why a policy is important Mobile Policies Mobile device management strategy for diverse mobile devices Mobile device management checklist Future proofing mobile device management Managing mobile device diversity Ensuring mobile data protection for smartphones is critical Mobile device management: What can it do for your organization? Mobile device governance Employees using their own mobile devices are a growing challenge Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ice. Putting both into action requires customization to the needs of your particular enterprise, industry, and regulatory environment, but the broad requirements for each are as follows:

• Acceptable Use: We always recommend that it be clear that the mobile computer belongs to the company, not the user. Any software loaded on the machine must be so loaded by an appropriate IT person; users may not install software themselves. Centralized management tools are essential with more than about ten PCs, but such are widely available and, in general, easy to use. Users must be cautioned about changing key system settings, primarily with respect to security, but also any others that might compromise integrity. Virus, spyware, and firewall settings must all be centrally controlled and monitored. I always recommend that a company-issued computer be used only for company business, and that personal files must never be stored on the machine.

  Users must be cautioned to connect only to authorized networks, although the use of firewalls and VPNs somewhat lowers the risk associated with using intermediary networks, like public-access wireless LANs and networks located in hotels and other public facilities. But I still find it useful to reinforce the message of downloading ActiveX controls and similar potential dangers. One problem we clearly still have as an industry is that the computer is still too much of, well, a computer, and ease-of-use is still an abstract theoretical concept for too many users. It is still too easy to make a mistake and end up with a corrupted configuration. There is some hope that future operating systems (i.e., Windows Vista) will improve this situation, but I'm not counting on it. I suggest a written user's guide that explains policies in terms of operational procedures, as well as a Help Desk and occasional refresher classes in how to use the computer and key software.

• Security: As it turns out, so much work has been done on wireless and mobile security, in recent years, that the technologies required to implement good information security strategies are now plentiful and effective. But we also need to begin in every case with a good security policy, which is simply a document that describes what information needs to be protected, who will have access to it and under what circumstance, what techniques will be used to protect it, and what to do in the event of compromise. There are two key technical elements here: encryption and authentication. All sensitive data stored on any mobile computer must be encrypted – no exceptions. And users must authenticate when accessing this data, at a minimum with a password, and ideally with two-factor encryption (a hardware token, biometrics, etc.). VPNs are quite effective in securing communications channels, be they wired or wireless – no sensitive data must ever appear in the clear, anywhere, except to an authorized user. Do not, however, rely on 802.11/Wi-Fi encryption and authentication alone. They secure only the wireless airlink; the VPN provides end-to-end encryption. Ditto, by the way, for wireless-WAN links.

The key to success in enforcing policies isn't, however, in technology; rather, it's in developing a culture of compliance. Think along the lines of those "loose lips sink ships" posters from World War II. Mobile computing isn't all that different from the desktop in that key respect.

About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.

Rate this Tip To rate tips, you must be a member of SearchMobileComputing.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.