So what does this have to do with mobile security? Well, everything. Mobile security is not an absolute -- it is a mode of operation. If you have the right processes, technical controls and people smarts, this mode of operation is something that can be managed to serve as a way of reducing business risks. So properly setting and managing your mobile security goals is good for business -- and as a nice side benefit, it is good for your job and your career.
Goals to consider
It would be nice just to say all hard drives are encrypted, all wireless communications are locked down, and no one ever installs or connects to unsupported mobile environments. But we all know that reality has a much different plan for mobility. When it comes to keeping the mobile enterprise protected from the elements, it is essential to have clear and concise goals. Trying to achieve mobile security in any other way is just a delusional exercise in futility.
Here are some examples of specific and reasonably attainable goals that
- We conduct an in-depth security assessment on all mobile systems.
- All laptop hard drives are encrypted with strong passphrases.
- All electronic information is classified into specific categories that suit our business needs (e.g., public, private, sensitive).
- All 802.11-based networks are configured to use a minimum of WPA-PSK encryption using 20 random characters as the passphrase.
- All wireless hosts have personal firewall software installed, configured and tested.
- Technology is installed for monitoring and blocking unauthorized 802.11 wireless devices.
- All employees are trained and tested on mobile security policies each year.
- A 25% sampling of laptops, PDAs and smartphones is tested for security vulnerabilities every three months.
- All 802.11 wireless infrastructure systems are tested for security vulnerabilities every three months.
- Management is consistently made aware of the mobile security threats and vulnerabilities our organization is up against.
Of course, you'll need to tweak these, based on your business needs. But by agreeing or disagreeing with these goals, it is easy to see where your business currently stands with its mobile security system.
Making your goals a reality
Goal setting is more than just saying "All mobile devices are locked down" or "Everyone knows what not to do with their mobile devices." There is actually a science to it, and it is very specific. It involves the following seven steps.
- Determine what you want (such as one of the 10 sample goals listed above).
- Write your goal down on paper or in your word processor -- this creates a record and helps commit your goal to memory.
- Set a specific deadline, such as in six months or by year's end -- this creates accountability.
- Document everything you are going to have to do to accomplish each goal -- this creates the roadmap and outlines the specific steps to follow.
- Prioritize each goal and task -- this outlines what you need to focus on first to accomplish the goal, what needs to be done next, and so on.
- Get started on your plan -- this gets your momentum going, shows others that you are taking it seriously, and programs your subconscious mind with what to focus on.
- Revisit your goals every day -- even if it is just for five minutes -- and do something that contributes to accomplishing each goal (such as research laptop encryption vendors or determine whether existing wireless APs support WPA encryption). This keeps the momentum going, keeps your goals on the top of your mind, and moves you that much closer to each goal every single day.
Short of having management that does not care about IT and security, if you follow these steps for each of your mobile security goals, there is absolutely no reason you cannot eventually accomplish them.
There is a saying that if you do not have goals for yourself (or in this case, for the mobile systems you are responsible for), you are doomed forever to achieve the goals of someone else. It happens a lot in the workplace and relates directly to IT and mobile security. This is why it is important to have a solid set of goals that can help you -- and the business -- get to where things need to be. Any way you slice it, making your mobile security goals a reality will minimize vulnerabilities and keep your organization out of the headlines and off the Privacy Rights Clearinghouse Chronology of Data Breaches "honor roll."
While doing all of this, it is important to remember that everything you do counts toward mobile security. Not just the components you want to count but everything you do related to mobile security. Every choice you make, every control you implement and every process you put in place is either moving you closer to your mobile security goals or moving you away from them. The responsibility and leadership associated with goal setting will undoubtedly bleed over into other areas of security and business too -- ultimately benefiting everyone involved for the long term.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He is also the creator of the Security on Wheels information security audio books, providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in November 2007