Overview of Mobile Device Security Policies - dummies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Security policies for mobile devices attaching to the business network can be split into two categories: policies for approved devices and policies for other devices.

Device policies.

Here is a rundown of the two categories of device policies that you need to communicate to users:

  • Policy for approved devices: This policy applies to all enterprise-issued mobile devices. Because these are enterprise assets, you are at liberty to set a strict usage policy as well as establish stringent penalties for misuse.

  • Policy for unapproved devices: An unapproved device in this case is a device that the enterprise neither endorses nor supports. This does not mean that you can summarily deny all connectivity to enterprise assets, but you can impose restrictions on what, how, and when these devices connect to enterprise resources.

Your policies will apply largely to devices on the approved list, because these are the devices your employees will typically be exposed to.

There is going to be a rapid transition of devices from the unapproved list to the approved list based on user adoption of evolving mobile devices, so expect the list of approved devices to continue to grow. For instance, when the first iPhone was introduced in 2008, there was very little enterprise IT support for it. Fast-forward to today, and a large number of enterprises (a number that is ever increasing) support this device.

The unapproved devices policy will simply be one of two options:

  • Access denied: No access to the enterprise network altogether

  • Access restricted: A highly constrained set of privileges available to the user

    Unapproved device policy screens.

The approved-device category is further divided into employee-owned and corporate-issued devices. The following are the key elements to consider when creating policies for approved devices:

  • Policies for physical device protection

  • Policies for device backup and restore

  • Policies for device provisioning

    Subclassification of approved mobile devices.