A mobile security policy plays a key role in ensuring that an organization's work environment is adequately protected against data breaches and other security incidents by defining all the potential risk factors for employees. But mobile security policies are more than just delivering legal contracts and educational material to each employee. And it's more than just about access to corporate resources and what's permitted and prohibited on mobile devices used within an organization.
As cyber attacks increasingly target mobile devices, the need to refresh mobile device management security policies is more important than ever. So, what should IT departments know about mobile policy enforcement and what should they include if they need to refresh their existing mobile security policy?
What are mobile device security and BYOD policies?
Corporate IT policies can address several technology and usage issues for employees, including internet use, data retention, corporate mobility policy, BYOD policy, social media use policy and change management. IT is generally responsible for defining which security policies are needed, but HR also plays a key role in highlighting additional technology policies that are needed.
The absence of a mobile security policy can lead to security incidents and other potentially costly problems, including data breaches, if employees aren't aware of the risks of using technology improperly. Incidents such as sharing a patient's protected health information with unauthorized users via text message or on a social media app are clear violations of HIPAA rules and can lead to serious legal and financial ramifications.
What should these policies include?
Mobile security and BYOD policies are getting a lot more attention from corporate IT due to the growing concerns surrounding smartphone use. As a result, IT finds itself fine-tuning existing corporate policies to adjust to the changing threat landscape and technologies. In general, mobile security and BYOD policies should include the following documents:
- acceptable use policy for mobile devices;
- BYOD, CYOD (choose your own device), COPE (corporate-owned, personally enabled), and COBO (corporate-owned, business-only) policies; and
- mobile security policy.
Example of mobile security and BYOD policy templates
The content of mobile security and BYOD policy documents can vary based on an organization's requirements and mobile device security strategy. A typical BYOD policy template should contain several sections that are customized by IT.
Short introduction of the policy. Highlight the purpose of the policy, what it covers and the consequences of not meeting its requirements. For example: "Sample Company grants its staff and employees the opportunity to purchase or use their personal smartphones and other mobile devices at work and for work purposes for their convenience. Sample Company reserves the right to revoke the privilege of using personal devices at work and for work-related activities if the user does not abide by the outlined procedures and policies."
Acceptable use. Describe what's expected of employees when using their devices to interact with corporate data or connect to the network, including:
- Users are required to keep their apps up to date when accessing work content and resources.
- The mobile device must have basic protections such as a passcode, and device encryption must be enabled.
- Employees should not access websites and content deemed to be illicit, proprietary or illegal.
- Employees should not use their device for work-related tasks during activities such as driving or operating machinery or to host and share content in the corporate network.
Device restrictions and security requirements. Include requirements concerning mobile application management tools to ensure corporate apps and data are properly protected on the device. The document can also address expected security configurations required by IT to permit the device to be used for work-related activities and to interact with corporate data. These specific details can include the following:
- Ensure that employees keep the device up to date with the latest firmware and operating system and adopt antivirus protections on their mobile device.
- Require employees to use strong passwords on their devices that meet a minimum length.
- Forbid employees from installing illegal or pirated software on a mobile device used to access company data.
Approved devices and available IT support. IT typically allows only those devices that are considered safe and meet corporate policy compliance requirements. A list of approved device models and operating systems can be included. IT generally defers to the mobile device vendor for support of the phone itself and supports only the business apps used to connect to corporate resources, but support expectations should be clarified for employees.
Disclaimers and liabilities. Describe the risks employees may encounter when using their personal devices for work-related activities. Emphasize that employees may face disciplinary action, including termination, if they fail to meet the company's mobile security policy.
BYOD versus corporate-owned devices. Stricter controls are placed on CYOD, COBO and COPE devices than on BYOD devices. Include the ramifications of using corporate-owned devices in terms of mobile device management and control, restrictions on apps and content access, and employee cost liabilities if the device is damaged.
How to implement and enforce a mobile device security policy
BYOD and other mobile security policies help promote best practices for employees who rely on mobile devices to connect to corporate data. These policies can also help companies boost productivity and reduce costs.
In most organizations, corporate policies and documents are reviewed with employees during the onboarding process. But since BYOD issues don't apply to all employees, IT should track user registrations and plan to make timely updates to the company's mobile security policy.