Mobile device security: 5 questions to ask when creating policy (includes video)

Regardless of what mobile devices your employees use, without a policy, security disappears. Here are five questions to ask to cover your bases in a mobile security policy

By , Senior Editor

August 03, 2011CSO

While 69 percent of organizations have employees using personal devices to connect to their corporate network, more than one-fifth, or 21 percent, currently have no policy in place to govern the use of personal mobile devices on their network.

These new figures, released recently from security-products firm Courion, suggest many security leaders are still ignoring the need to address mobile device security among their employees.

But according to Chris Silva, Senior Vice President, Research and Service Delivery at security research firm IANS, having a mobile device security policy in place is the most important step to handling the risk inherent to personal mobile-device use.


[Also read a case study in controlling mobile access with device management policy]


"It's not the platform, it's the policy," said Silva. "The whole issue of how secure the device is comes down to what policy is in place. We can't say one device is secure and another is not. It's about who gets to use it and what can they do with it. "

So what goes into a comprehensive mobile security policy? Silva said it includes clear definitions of user-risk profiles, devices that can be supported and where to draw the line on what's allowed, among other considerations. He shared these suggested questions that organizations should consider when crafting their own mobile device security policy.

Which mobile devices will we support?
With so many employees using their own devices, these days Silva recommends organizations move beyond a server that supports just one platform.

"If you have just a Blackberry server, it's time to add something that supports several different platforms," he said. "The one guarantee in mobile is you are going to have at least two or three people will want supported."

But while supporting a variety of platforms may be important, he also suggests drawing a line in the sand and clearly defining what will be allowed and what will not. Too many organizations make the mistake of trying to accommodate any kind of personal device and platform that workers desire to use. This makes the task of supporting them all but impossible for an IT security team.

"They can only do a great job securing a handful of platforms," said Silva. "If you open things up to 57 different types of mobile devices, you can be guaranteed they will be spread so thin the policy won't be robust enough on all of those platforms."

And while some employees may not appreciate being told which type device to use, Silva recommends at least having some minimum standards for age and capabilities.

RESOURCE CENTER