How to Enforce Your Mobile Policy
Expert Insights on Ensuring Security Compliance
Key components of an enforcement strategy include using a mobile device manager application to monitor devices, entering into legal agreements with those using personally-owned devices, and repeatedly communicating security expectations.
Mobile Device Manager
Effective enforcement of a mobile device security policy requires the use of a mobile device manager application that closely monitors the devices and enforces security controls, says Stephen Warren, principal deputy CIO at the U.S. Department of Veterans Affairs. The VA, which provides healthcare to veterans, is in the process of acquiring an enhanced mobile device manager, he adds.
Roger Baker, the VA's CIO, noted in October that the VA expects to accommodate the use of more than 100,000 iPads and iPhones within 18 months, including a mix of government-owned and personally-owned mobile devices.
"We certainly will ... exercise the ability to [remotely] wipe devices if we determine ... that we don't know that [a device] is with its authorized user," Baker said. "And that's part of the mobile device manager's [function]. The mobile device manager, in particular, will manage which devices have been authorized to connect to our network. It will verify that no software that we believe causes any kind of compromise to the device is there."
The mobile device manager "is going to play a pretty critical role for us," Baker stressed. "Every device, before it's allowed to connect to the network, will go through the MDM, and the MDM will verify that the device is only running software that we have approved and that all the policies on the device are still implemented as they're specified to be for access to the network."
A key to enforcing security policies for those using personally-owned devices, Baker said, is having the users sign legal documents "that will ensure, for example, I have the right to wipe any VA information off the device at my discretion. It will also ensure that if the device needs to be looked at for some reason, we will have access to it."
The VA also will use its mobile device manager application to monitor personally-owned devices just as it does for VA-owned devices.
Like the VA, the state of Delaware requires employees who want to use their own devices for work to sign a detailed agreement in advance.
First, employees go to a website to complete an online form requesting their managers' approval for access rights. "We want to know that there is a true business need for that connection," says Elayne Starkey, the state's chief security officer. Once their use of a personally-owned device to access the state network is approved, employees must digitally sign an agreement to have seven security controls placed on their devices - the same controls that are used on corporate-owned mobile hardware. Those controls include agreeing to allow the remote wiping of data from the device if it's compromised.
"We don't need to physically touch the device," she says. "We can configure that device remotely and push the seven security controls out to their device. Then, the next time they connect, all of the new security controls are in place."
The state of Delaware does not yet have a mobile device manager application, although it hopes to eventually implement one if funding becomes available, Starkey says. It uses the Microsoft ActiveSync protocol to help administer security controls.
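The Delaware approach described above (a fixed set of controls pushed to a personally-owned device over ActiveSync without touching it, plus remote wipe) as an added example; this is not the state's or the VA's own configuration. It assumes the Exchange 2010 Management Shell cmdlets, and the seven controls, policy name, mailbox, device ID and notification address are all illustrative, since the article does not list the actual controls.

```powershell
# Added example, not Delaware's actual policy. Exchange 2010 Management Shell (assumed).
# Seven illustrative controls standing in for the article's unnamed "seven security controls".
$policy = @{
    Name                               = 'BYOD-Signed-Agreement'  # assumed policy name
    DevicePasswordEnabled              = $true       # 1. passcode required
    AlphanumericDevicePasswordRequired = $true       # 2. not a simple numeric PIN
    MinDevicePasswordLength            = 8           # 3. minimum passcode length
    MaxInactivityTimeDeviceLock        = '00:15:00'  # 4. lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 10          # 5. local wipe after 10 failed unlocks
    RequireDeviceEncryption            = $true       # 6. device storage must be encrypted
    AllowNonProvisionableDevices       = $false      # 7. reject devices that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @policy

# Bind the policy to a user whose signed agreement has been recorded (assumed identity).
# The controls reach the device the next time it syncs; no physical access is needed.
$mailbox = 'jdoe@state.example'
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policy.Name

# Verify which devices this user has synced and whether each one accepted the policy.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceModel, DeviceId, Status, LastSuccessSync, LastPolicyUpdateTime

# Remote wipe of a device the user reports lost: select it by DeviceId (assumed value)
# and have Exchange notify the security mailbox when the device acknowledges the wipe.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq 'ExampleDeviceId0001' }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses 'secops@state.example' -Confirm:$false
```

A device whose Status remains DeviceWipePending has not yet checked in; the wipe executes on its next sync, which is why the article's "next time they connect" caveat matters for both policy push and wipe.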
Information security consultant Rebecca Herold says education and ongoing awareness training play key roles in ensuring that a mobile device security policy is actually followed by the rank and file. She stresses that a practical, enforceable mobile policy must cover "the use of both entity-owned and personally-owned mobile devices."
At Intel Corp., ongoing communication is an important component of mobile policy enforcement efforts, says Malcolm Harkins, chief information security officer. Policies and security expectations, which are the same for corporate-owned and personally-owned devices, are communicated:
- When employees sign up for particular services;
- When staff connect a new device to the Intel network;
- On a regular basis through security awareness articles and notices;
- In an annual security refresher for the entire staff.
(Howard Anderson, Eric Chabrow, Tracy Kitten and Upasana Gupta contributed to this story.)