It’s commonplace to use a mobile device in your day-to-day business life. Most companies have a mobile offering. And just like any business tool – especially one that has online capabilities – it’s important to assess the risks that mobile devices pose to your business, and then implement controls that can help mitigate those risks. From there, you should create a mobile device policy.
The governance and oversight of mobile device management includes:
- Policy and Agreements
- Administrative Tasks
Once you’ve determined your business’ mobile device management strategy, it’s time to address policy. First, you need to decide how mobile fits into the existing policy set of your information security program. That program already contains policy language that covers much of what mobile users are going to do. So the question is, what new policies will you put in place specifically for mobile devices? Consider specifically calling out mobile policies so they are easy to parse, or create a separate mobile device policy to make it easy for users. Either way, there is no doubt about what the expectations are.
What's covered in your mobile device policy will vary depending on whether you have a BYOD (bring your own device), CYOD (choose your own device), or COPE (corporate-owned, personally-enabled) mobile device strategy. In general though, here’s what your mobile device policy should address.
- Which devices or operating system versions are included?
- Who is allowed to use the device?
- Who is allowed to install applications?
- What is the list of approved applications and / or application sources?
- Will you prohibit the use of “jailbroken” phones?
- What are your data use restrictions?
- Is encryption required?
- Is segregation of personal and company information required?
- What is the process for provisioning and de-provisioning devices? What happens when a person joins or leaves the company?
- How will the data be backed up?
Next, you need to think about how your policy will be extended into a user agreement, which is the document you will put in front of your employees and expect them to sign. Remember that you may require things in your policy that you can’t technically enforce (e.g., no other person may use the device). You’re going to be relying on written policies, training, and agreements to make sure people are following the rules. That's why a user agreement is very important, especially if you have limited control over your employees' devices.
When discussing mobile device user agreements with employees, here are a few important things to include in the conversation:
- Use limits, if applicable – Who will pay for how much?
- Connection to wireless networks and personal “hotspots” – Are they allowed to connect to unknown wireless networks?
- Device backup restrictions – Can they back up their device? If so, where?
- Loss and/or theft – What happens when there is an event that relates to a mobile device? Your agreement should include incident response procedures.
- Password/passcode strength requirements.
- Device lock-out requirements – How long should the device be inactive before the screen locks?
- Software and OS updates – This is probably one of the most critical aspects because patch management is one of the best security controls.
- Corporate and/or personal email use – You want to ensure that corporate and personal emails are kept separate.
The final step is to deal with a few administrative tasks.
- Device provisioning – Who does it and how is it done?
- User account review – Who is allowed to use mobile devices and whose account exists in whatever device management platform you’re using? Who ensures that all accounts are authorized accounts?
- Administration of the user agreements – Who is going to have the agreements signed, keep those agreements on file, and be sure they are signed every year?
At Tyler, we recommend that even unregulated organizations make mobile device user agreements a best practice. Get a process in place that you can track, and ensure that the agreements are signed at the time of hire and then at least annually. Why not pair agreement signing with training? This works well because people sometimes find agreeing to these things onerous. But if you spend time training someone on the risks of using mobile devices, they are far more understanding, and more willing to agree to a policy that takes those risks into consideration.