What makes a good BYOD policy? What advice would you give to CSOs that have to make one?
The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Training is also a mandatory component as employees must understand the risks associated with the privilege and convenience of being allowed to use mobile devices.
Fortunately, mobile devices in the corporate environment have become sufficiently common that best practices are developing to assist a CSO in identifying the provisions that should be in their mobile device policy. These include:
- Security awareness training/education
- Acceptable use
- Operating system security
- User responsibilities
- Access control
- Data handling
- Individual responsibility if co-mingling personal and organization data on the mobile device
- Constituent accountability
- Secure disposal of device at end of life
- Vulnerability management
- Responsibility for ensuring mobile device operating system is updated
- Responsibility for ensuring mobile device applications are updated
- Reporting information security incidents in the event of loss or theft
- Prohibit sharing a mobile device with other users, including family and friends
- Ownership of data on the device
- Legal ownership and rights of the mobile device
- Specific actions that the organization may take in the event of a lost/stolen or compromised mobile device (e.g., remote disable, remote wipe, confiscation)
- Data sanitization of (organization) data, settings and accounts on the mobile device at end of life
- Creation and use of mobile hotspots on an organization's premises (BYON - Bring Your Own Network)
- Consequences for non-compliance with mobile device policy
- User authentication on the device
- Device encryption.
Nonetheless, CSOs should consider the development of a thorough and robust mobile device policy at the very core of their ability to manage the risks associated with these devices. Of equal importance is implementing the business practices and procedures which are necessary to support these policies.