Steps for achieving proper mobile security governance

How do you keep mobile security intact as devices proliferate? Consultant Robert Zhang breaks down the keys to success

Developing an Effective Mobile Security Policy

Lack of an effective mobile security policy is a fundamental root cause for many failed security efforts. The policy must be risk-based, covering all identified risks on mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and temporary contractors.

The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include email, sales force automation, field service applications, dispatching, extended CRM, etc. These applications can drive productivity and revenue growth if deployed and managed securely.

An effective security policy needs to clearly translate regulatory compliance requirements into the organization's risk management processes and procedures to protect data from loss or compromise. It also needs to state clearly the user's responsibility for device configuration, usage, data backup and protection. The information stored on a mobile device should be limited to what is required while on the move.

In addition, the policies must be enforceable via active IT monitoring and software tools. Organizations should regularly review the policies to take into account any new security threats associated with changes in the business environment.

Ensuring Employees' Responsibility and Awareness

Employees are a major factor, for better or worse, in mobile security. In a recent CSO survey, 28% of all mobile users use their mobile devices to access the Internet, and 86% of them admitted to having no mobile security. A careless or security-unconscious user can easily put an organization's confidential information at risk.

Lack of mobile user training and awareness is a major factor that contributes to many user errors and incidents. A less-trained user may not even know the procedures for handling security. In some cases, a mobile user may simply bypass required configuration procedures in order to get a job done.

Employee education and awareness should become a valued part of corporate culture. A well-trained employee can help an organization greatly minimize mobile security risks. [See also Security Awareness Programs: Now Hear This!] It is critical that all security policies get buy-in from line-of-business leadership, end users and support teams across the organization.

Organizations should put employees in the driver's seat for an effective security governance effort. They can become a most critical layer of security defense in any risk mitigation strategy.

Establishing a Baseline Security Configuration

As the use of mobile technologies in business increases, more and more critical business and sensitive personal information is being collected, processed and transmitted over shared wireless networks. Mobile devices need to be configured adequately to protect the device itself and data on it from unauthorized use, data disclosure and malicious attacks.

During the planning phase of a mobile device deployment, all devices should be expected to meet a baseline requirement under the corporate security policy. A baseline security configuration may include:

* Password protection at power-on
* File or directory encryption
* VPN for email and internal network access
* On-device firewall
* AV software
* Latest security patches

Enforcing the baseline security configuration on all devices helps an organization establish a bottom line of defense at each device. As with hardening an Internet-facing device, on-device resources, wireless interfaces (e.g. WiFi, Bluetooth, RFID, wireless printing) and application functions should be minimized to reduce the likelihood of wireless attacks.
