Government regulations and mobile security policies

We'll start this column with the final major influence on an enterprise security policy -- the impact of governmental and industry-specific regulations. I want to provide a little additional motivation to create and maintain your security policy -- and regulation across all major industries most certainly serves that purpose. Major, widely publicized security breaches have in recent years provided significant incentive to both the regulatory community and major corporations to upgrade their security postures. Dealing with a failure in IT security can have costs far beyond the obvious need for security policy and technology improvements -- the loss in customer and shareholder confidence, legal expenses, erosion of goodwill and reputation, and just the sheer volume of time that management teams must devote to damage control are major drains on market stature, competitive position and, of course, the bottom line. All of this makes getting one's security policy (and implementation) right the first time of critical importance.

The regulatory environment has become much less tolerant of IT security failures over the past few years. Here are just three examples:

  • Sarbanes-Oxley (SOX) -- SOX was passed during the era of the Enron and WorldCom scandals, primarily to address public-company accountability and openness. Interestingly, SOX does not address the issue of IT security directly, but various sections of the Act do contain wording that has been broadly interpreted to mean that organizations which do not take appropriate steps to protect sensitive information may face significant legal woes.
  • PCI -- The Payment Card Industry has set up its own standard and a set of procedures (including a detailed self-assessment) for its members. Credit-card data has been the source of a good deal of trouble for retailers in recent years, with a number of notable thefts of cardholder information. Anyone involved in retail needs to be familiar with this set of standards and guidelines; more information can be found here: https://www.pcisecuritystandards.org/.
  • HIPAA -- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to provide individuals with a high degree of privacy with respect to their healthcare records. IT security is of paramount importance here, and the penalties for compromised security can be severe.

But even if your business is not directly subject to these or similar security regulations, it's not a bad idea to conduct your business -- and set your security policy -- as if it were. The key, again, is deciding which information is sensitive, who should have access to it and under what circumstances, and what to do if this information is compromised for any reason -- the core elements of any good security policy.

And once the policy is in place, most functional security solutions will consist of establishing procedures and tools for: authenticating users of devices, networks and applications; authorizing the use of specific services; accounting, to keep track of who accessed what and what was done; securing the wireless link (airlink) and the network path (VPN); and encrypting sensitive data wherever it is stored -- even on mobile devices. Authentication deserves special attention regardless of the tools you choose, and strong authentication, ideally two-factor and mutual, is the best solution. And no matter which tools you select, be sure to review your security policy at least every six months. Unfortunately, constant awareness is essential in IT security -- this is one area of IT where no one is ever "done."

Finally, you'll note here that we focused in this series on the policies and, to some degree, the techniques of mobile information and network security, but I must confess we left out what might be the most important of all the pieces of the security puzzle: building a culture of security. And this element is so vital that we'll be devoting a series of columns to the topic in a couple of months. Stay tuned!


About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm, based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.

This was first published in May 2008
