CYBER SECURITY Page 36
account numbers, passwords, confidential E-Mails and strategic information about
organization, merger or takeover plans and also other valuable information that could impact
stock values in the mobile devices. Imagine the business impact if an employee's USB,
pluggable drive or laptop was lost or stolen, revealing sensitive customer data such as credit
reports, social security numbers (SSNs) and contact information.
Operating Guidelines for Implementing Mobile Device Security Policies
In situations such as those described above, the ideal solution would be to prohibit all
confidential data from being stored on mobile devices, but this may not always be practical.
Organizations can, however, reduce the risk that confidential information will be accessed
from lost or stolen mobile devices through the following steps:
1. Determine whether the employees in the organization need to use mobile computing
devices at all, based on their risks and benefits within the organization, industry and
regulatory environment.
2. Implement additional security technologies, as appropriate to fit both the organization
and the types of devices used. Most (and perhaps all) mobile computing devices will
need to have their native security augmented with such tools as strong encryption,
device passwords and physical locks. Biometrics techniques can be used for
authentication and encryption and have great potential to eliminate the challenges
associated with passwords.
3. Standardize the mobile computing devices and the associated security tools being
used with them. As a matter of fundamental principle, security deteriorates quickly as
the tools and devices used become increasingly disparate.
4. Develop a specific framework for using mobile computing devices, including
guidelines for data syncing, the use of firewalls and anti-malware software and the
types of information that can be stored on them.
5. Centralize management of your mobile computing devices. Maintain an inventory so
that you know who is using what kinds of devices.,
6. Establish patching procedures for software on mobile devices. This can often be
simplified by integrating patching with syncing or patch management with the
centralized
7. Provide education and awareness training to personnel using mobile devices. People
cannot be expected to appropriately secure their information if they have not been told
how.
Organizational Policies for the Use of Mobile Hand-Held Devices
There are many ways to handle the matter of creating policy for mobile devices. One way is
creating distinct mobile computing policy. Another way is including such devices existing
policy. There are also approaches in between where mobile devices fall under both existing
policies and a new one.In the hybrid approach, a new policy is created to address the specific
needs of the mobile devices but more general usage issues fall under general IT policies. As a
part of this approach, the "acceptable use" policy for other technologies is extended to the
mobile devices.
Companies new to mobile devices may adopt an umbrella mobile policy but they find over
time the the they will need to modify their policies to match the challenges posed by different
kinds of mobile hand-held devices. For example, wireless devices pose different challenges
than non-wireless Also, employees who use mobile devices more than 20%% of the time will
have different requirements than less-frequent users. It may happen that over time, companies
may need to create separate policies for the mobile devices on the basis of whether they
connect wirelessly and with distinctions for devices that connect to WANs and LANs .