Regulatory compliance: The impact of mobile devices on the enterprise


Lisa Phifer
06.21.2007


Today, many companies are affected by data security regulations that impose fines, directed remedies, and civil/criminal penalties for non-compliance. Some regulations apply to specific industry sectors (healthcare, financial, retail) while others have broad applicability (regional and national laws). Compliance is hard enough when data and users stay put, but mobile devices exacerbate the challenge by carrying regulated data into unknown, uncontrolled territory.

Reviewing regulations
The first step is to evaluate data security regulations and determine which are applicable to your business. When doing so, you will find that few regulations enumerate threats or measures specific to mobile devices. Instead, regulations define the types of data that must be protected, when and why, and related security processes like access monitoring and breach reporting. For example:

Understanding the impact on mobile data
GLBA, HIPAA, PCI, SB 1386 and SOX are perhaps the best-known regulations here in the U.S. but are just a few of the hundreds of regulations that apply across the world. If your company must comply with one or more regulations, the next step is to map the associated data-security standards or guidelines onto your business processes, network and systems. Part of this task is to consider the impact of those regulations on mobile data.

For example, SOX requires that organizations have effective internal controls. When mobile devices carry financial data (email messages, spreadsheets, database records), those internal controls could involve written policies governing acceptable use of mobile devices and data encryption to prevent loss of control if a mobile device is lost or stolen.

GLBA requires that PIFI be secured at all times. When applied to a mobile workforce, this could involve use of encrypted communication to prevent disclosure of data sent over wireless WANs or LANs that lie beyond company control, as well as measures to preserve that data's integrity (e.g., avoiding transaction forgery, modification or replay).

PCI DSS requires companies to monitor their networks and use strong access controls to prevent unauthorized access to cardholder data. When merchants provide wireless access to mobile devices – handheld inventory checking or point-of-sale payment processing, for example – they must prevent that vector from being abused as a back door to reach stored data or implant trojans that could capture future payment transactions.

The bottom line
Clearly, there are many more potential impacts -- details differ depending on the regulations involved and the nature and location of your business. The most important thing to understand is that mobile devices simply cannot be overlooked when attempting to comply with data security regulations. Few (if any) companies remain untouched by mobile devices, whether owned by the employer or employee. Headlines repeatedly remind us of the potential costs, from last year's stolen VA laptop containing 26 million personnel records to this year's multi-billion-dollar wireless hack at TJX. Including mobile devices in your compliance strategy right from the start is far less expensive than dealing with the fallout from a major security breach.

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.

