With Adriano Gonzalez, research director, BPM Forum.
Question: As high-speed Internet access options multiply and flexible work environments become more the rule than the exception, companies are turning to various mobile devices to enable their employees to work from their homes, their cars or coffee shops. What are some of the compliance challenges associated with mobile devices?
Gonzalez: First, protecting data on lost or stolen devices. Mobile devices are usually small, portable and can be easily misplaced. Corporations must demonstrate that any data on the device can be protected in the event a device is misplaced, lost or stolen.Second, archiving all regulated messages. Many regulations, particularly Sarbanes-Oxley, require corporations to archive all corporate messages, including e-mail, text messages and instant messages. As a result, any messages sent or received via a mobile device must be stored and made available in the event of investigations and other inquiries. Third, securing network access. Compliance auditors require businesses to demonstrate "due care" in protecting sensitive information that resides on corporate IT infrastructure. Any wireless device that accesses this data must ensure data is protected on the device and during any transmissions between the device and the corporate network. Finally, ensuring every device, PC, laptop, etc., complies with compliance and security policies. Compliance auditors may review whether corporations can demonstrate due care in ensuring all computers and devices that access network resources have all relevant patches and updates installed and comply with all compliance and security policies.
Question: How should companies approach meeting those challenges?
Gonzalez: Assess the use of mobile devices in your organization to determine:
- Who uses mobile devices for business purposes, whether personal devices or provided by the business?
- How are these handsets being used? (Wireless e-mail, voice, mobile access to business applications)
- Why are these mobile devices being used? (Mobile access to sales data, stay in touch while traveling, improve ability to serve customers, etc.)
Perform a risk assessment that defines the risk factors associated with existing devices, assesses the associated impact on the organization from a compliance, operational and security perspective, and determines the potential for a significant incident.
Develop and define a corporate-wide mobile policy that supports all required regulatory compliance guidelines for security, archiving and data backup.
Develop a mobile compliance plan that should include the following elements to be able to enforce the mobile compliance policy and corporate security policy:
- Mobile device management solutions to protect data on lost or stolen devices, including the ability to lock, wipe and/or kill lost or stolen devices
- Backup and archiving of all messages, whether e-mail, SMS/text or IM, sent and received using a mobile device
- Encryption and secure access solutions, which can include a mobile VPN, wireless data encryption, etc.
- Network access control solutions that ensure every device accessing the corporate network, whether remotely or internally, complies with all compliance and security policies, preventing any device that does not include all required patches, updates and all required security and management applications from accessing the network.
Question: Obviously forbidding all mobile devices is not a practical option, but would there be circumstances in which banning a particular device or a particular set of devices would be preferable or even necessary? What would those be?
Gonzalez: It may be necessary to prohibit certain devices. One important element of a compliance and security policy should be to define requirements for mobile devices in the workplace. Any mobile device used for business e-mail or access to corporate information must have the capability of supporting the corporate compliance and security policies. Consumer-grade feature phones may not have the security features necessary to meet compliance and security requirements, therefore those devices should not be allowed.
This 3 Questions originally appeared in a weekly report from IT Business Edge.
This was first published in December 2006