Enterprise Mobility Policy: One Size Does Not Fit All
We came across a thread on a discussion board that we thought we would share, as it covers some enterprise mobility best practices. The thread starts with a user posing the question: how many of you have updated your acceptable use policy to encompass mobile devices? Anyone have any good examples they can share? Being the useful board that it is, replies and ongoing interactions quickly began to filter in.
Folks began offering suggestions and examples of existing policies, such as the following:
“Users may access the Company’s network system remotely from a home computer, smart phone or other compatible devices, provided they are authorized by [Insert Official] and comply with all applicable security procedures. Information accessed via home computers and other compatible devices is subject to federal and state laws and regulations, this policy, and other Company rules. While remote access may be permitted, User acknowledges that Company disclaims any and all liability for User’s personal equipment. Remote access is a privilege, not a right, and is governed by the same acceptable use policy as Company equipment. Users are required to reasonably ensure that their personal devices maintain current and up-to-date security protections.”
Others chimed in saying that they only allow corporate devices to access company data and information, but had set up segregated wireless LANs for customer/employee use that route only to the internet and to nothing internal. Some suggested keeping policies unified across all devices, from laptops to smart phones to tablets, while others suggested the use of Mobile Device Management (MDM) solutions and creating completely separate policies to address mobile phones and tablets. A number of users stated that compliance with federal laws and regulations had really determined what their policies look like.
To that point, one user really gets into their policy, outlining the dos and don’ts of acceptable usage within their organization, and they are clearly not messing around. He writes that devices must have device passwords: 5 characters minimum, one non-alpha character, and changing every 90 days. There needs to be a 3 minute lockout, with full device encryption using a password that is not the same as the device password. Features that must be disabled include NFC, browser, app store, camera, removable storage, USB storage, non-company disabled, and Bluetooth needs to be limited to audio only. Furthermore, IT will have the ability to remote lock and wipe after the device has been submitted to IT for approval. Devices will be wiped prior to implementation, and IT will not back up the information on the devices. At any point devices must be submitted to IT or management upon request, and phones not meeting these requirements will be remotely locked and wiped. He writes that “Surprisingly nobody has opted to bring their own device.”
Clearly this commenter has set up their usage policy to deter any Bring Your Own Device troubles, but as he explains later, compliance requirements and regulations have dictated this strict level of policy. His work has him dealing with HIPAA compliance and regulation, so the security of information is a top priority. We wanted to highlight this discussion because it made one thing very clear: there is no silver bullet when it comes to enterprise mobility policy. Folks developing or amending mobility policies need to take a step back and really understand how the devices will be used, who will be using them, what will be accessed, and the regulations that define how their organization operates. These are all viable suggestions and examples, and things that should be considered, but you need to determine what works best for your organization and how you are going to utilize enterprise mobility.