Developing Acceptable Use Policies and Mobile Security Policies
The rapid deployment and adoption of mobile devices has created a very real need for Acceptable Use Policies (AUPs) and Mobile Security Policies. In this first blog post of the series, I discuss the key points in developing policies around mobile devices and give specific examples of language that I have seen used when these policies are communicated to employees.
Consider the enforcement
A written policy is of limited use if it isn’t enforced and reiterated. All users should be made aware of the policies upon hire, and the policies should be kept relevant by communicating them on a regular basis. They should be developed, maintained and referenced in the same way as HR policies.
Consider the devices
When we look at the new devices that have been introduced to the market – and in turn into your users’ daily lives – we see that these devices have much more in common with a computer than with the voice-and-SMS-only cellular phones of just a few years ago. These devices have the potential to connect to both your internal network as well as third-party data sharing sites. When developing policies, keep in mind the type of access a user will need to your network as well as any other networks they are able to connect to. Also, decide which devices will be supported. Consider the difference between personal devices and corporate issued devices.
In order to develop a comprehensive and effective policy, all capabilities of a device need to be considered. For example, you might want to start your AUP employee communication with a statement such as the following:
“This policy applies to any mobile device issued by <Company> or used for performing business on behalf of <Company>, which may or may not contain stored data owned by <Company>.”
Consider the data: Who owns it, who is responsible for it
Do your users need access to webmail only? Do they need to access your internal network via a VPN? Do you need to track and retain data for e-discovery? Before any policy can be written, all access needs to be accounted for and addressed. Maybe some users will only have access to email, while a VP will have access to the internal network.
The AUP will need to address the behavior that is expected and acceptable for each access method. Maybe deleting emails from a mobile device is expected, but deleting network-shared files from a mobile device is not acceptable. Device encryption is a good requirement to minimize any data leakage. Also, secure passwords with screen locks should be enforced. Here’s an example of how this can be documented in your AUP communication to employees:
“All employees are expected to assist in protecting any issued devices and any stored data belonging to <Company>. Encryption of your device is required, where available. Further, we will require a device password with screen lock. It is forbidden to take any action to avert these and any security measures required by <Company>.”
Consider the users
Users will need education on mobile security and on the policies and expectations that apply to them. You may expect users to change their device password on a regular basis. Make sure users know what access IT has to their device: they need to understand and acknowledge that connecting to your mail server allows your IT staff to remotely wipe the device. When a user is terminated – or a device is lost or stolen – what action will the company take? This information is critical to any policy, and can be communicated to end users as follows:
“The Company reserves the right to wipe all data from a device (personal or company issued) that is syncing with any systems belonging to <Company>. This wipe may or may not include personal data, applications, contacts, etc. This wipe will restore the device to factory settings.”
