Government regulations and mobile security policies


Craig Mathias
05.28.2008


We'll start this column with the final major influence on an enterprise security policy -- the impact of governmental and industry-specific regulations. I want to provide a little additional motivation to create and maintain your security policy -- and regulation across all major industries most certainly serves that purpose. Major, widely publicized security breaches have in recent years provided significant incentive to both the regulatory community and major corporations to upgrade their security postures. Dealing with a failure in IT security can have costs far beyond the obvious need for security policy and technology improvements -- the loss in customer and shareholder confidence, legal expenses, erosion of goodwill and reputation, and just the sheer volume of time that management teams must devote to damage control are major drains on market stature, competitive position and, of course, the bottom line. All of this makes getting one's security policy (and implementation) right the first time of critical importance.

The regulatory environment has become much less tolerant of IT security failures over the past few years. Here are just three examples:

  • Sarbanes-Oxley (SOX) -- SOX was passed during the era of the Enron and WorldCom scandals, primarily to address public-company accountability and openness. Interestingly, SOX does not address the issue of IT security directly, but various sections of the Act do contain wording that has been broadly interpreted to mean that organizations which do not take appropriate steps to protect sensitive information may face significant legal woes.
  • PCI -- The Payment Card Industry has set up its own standard and a set of procedures (including a detailed self-assessment) for its members. Credit-card data has been the source of a good deal of trouble for retailers in recent years, with a number of notable thefts of cardholder information. Anyone involved in retail needs to be familiar with this set of standards and guidelines; more information can be found here: https://www.pcisecuritystandards.org/.
  • HIPAA -- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to provide individuals with a high degree of privacy with respect to their healthcare records. IT security is of paramount importance here, and the penalties for compromised security can be severe.

But even if your business is not directly subject to these or similar security regulations, it's not a bad idea to conduct your business -- and set your security policy -- as if it were. The key, again, is deciding which information is sensitive, who should have access to it and under what circumstances, and what to do if this information is compromised for any reason -- the core elements of any good security policy.

And once the policy is in place, most functional security solutions will consist of establishing procedures and tools for authenticating users of devices, networks and applications; authorization to use specific services; accounting to keep track of access and what was done; establishing wireless (airlink) security and network (VPN) security; and the encryption of sensitive data wherever it is stored -- even on mobile devices. Strong authentication, ideally two-factor and mutual, is the best solution, and authentication deserves special attention regardless. And no matter which tools you select, be sure to review your security policy at least every six months. Unfortunately, constant awareness is essential in IT security -- this is one area of IT where no one is ever "done."

Finally, you'll note here that we focused in this series on the policies and, to some degree, the techniques of mobile information and network security, but I must confess we left out what might be the most important of all the pieces of the security puzzle: building a culture of security. And this element is so vital that we'll be devoting a series of columns to the topic in a couple of months. Stay tuned!

About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm, based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.
