Currently, most enterprises shape their mobile security strategies around compliance requirements, such as the US Health Insurance Portability and Accountability Act (HIPAA), that govern how businesses protect personal information, both at rest and in transit. Government regulation, the lawsuits, fines, and reputational damage that can follow noncompliance, and security breaches themselves are all significant motivators, of course. But companies need to think beyond these requirements if they want to embrace mobility fully as a way of working and exchanging information.
Compliance does not equal security—nor does it take into account all sensitive information that an enterprise may want and need to protect.
Step 1: Discovery.
Find out how mobility is happening in the corporate environment—and why—to build appropriate security parameters. Understand what the business value of mobility is for the enterprise. The approach will vary by company and industry (for example, an educational institution’s security concerns around mobility are likely to be quite different from those of an energy company with a nuclear facility).
Step 2: Identification.
Create an acceptable-use policy that lists the devices the enterprise supports. Spell out the disciplinary actions that may result from noncompliance with corporate policies on the use of mobile devices. Explain why certain devices are not permitted in the enterprise (and if and when that policy might change).
Step 3: Keep it flexible.
When crafting a policy, keep in mind that it should be flexible enough to cover both immediate and future security concerns. Take into consideration what the organization might need to compete in the future and attract top talent—particularly from the very mobile, very connected Generation Y.
Step 4: Education.
Communicate—and enforce—the policy across the organization. But keep in mind that secure mobility is not just about enforcing acceptable-use policies from a human resources or legal standpoint: It’s also about the safety of the network.
Step 5: Manage the device life cycle.
You may not be able to manage every mobile device in the enterprise, but you can inventory every device you do control. Record each user's level of access: can the user reach sales figures, personnel files, or customer data? Through this process, build a record of who is accessing what information, with which device (or application), and for what reason.
In addition, make sure you can lock and/or wipe a device remotely and automatically after an employee's termination or when a device is lost or stolen; this is a critical security measure. Consider an HR staff member who loses a device with employees' personally identifiable information saved on it. Once exposed, that data can be misused by identity thieves and can create serious legal and disclosure problems for the company.
Mobile security also needs a system-level approach that goes beyond setting acceptable-use policies. Enterprises should deploy tools that give visibility into their wireless environments and detect security threats as they emerge, so that they can take swift action.
Excerpted from the Cisco 2010 Midyear Security Report.