Organizing your information security does not just cover devices that stay inside your office. We must take into account portable devices, BYOD’s and those staff that work from home. Most organizations have to plan for remote workers connecting to their systems, from travelling sales folk to people working from home we need to have policies in place to handle this securely. Likewise with smart wearables, laptops, mobile phones and a variety of other mobile devices brought into your organization every day we are confronted with a unique challenge keeping ourselves secure. Fortunately by applying these 2 controls in our organization we can better manage these risks.
6.2.1. Mobile devices policy.
In the modern organization, mobile devices are a given. Staff with laptops that move around, leave your organization’s premise; Uncontrolled iPads, Smartphones, smart wearables with incredibly accurate cameras and all with Wi-Fi, Bluetooth access and even GPS. The threat landscape is changing. All organizations, big and small, face risks due to these devices and this risk needs to be properly managed. The control recommends a Mobile Device Policy to address these concerns by imparting minimum standards and usage restrictions on these devices. The policy should include details on;
- registration of mobile devices so the organization can track device and identify owners in case of misuse,
- physical protection of mobile devices,
- restrictions on software installation,
- mobile device software versions and for applying patches,
- restriction of connection to information services,
- access controls,
- cryptographic techniques to encrypt the drive and for connecting the office from outside the organization,
- malware protection such as requiring a specific Anti-Virus version with up to date signatures,
- remote disabling, erasure, or lockout in case the device is lost so that any sensitive information stored on that device can be destroyed,
- use of web services and apps.
With mobile devices, there are times when it is the employee’s private property and placing restriction on what the employee sees as their own, can be a challenge but is necessary for the protection of the organization. Having a policy in place that an employee needs to read through and agree to can help staff understand where the boundaries of acceptable use are and the requirements to use a device at all. This easy to understand document can help improve acceptance of the organizations mobile device security.
Even just making an employee aware through security awareness training can reduce the risk of mobile devices such as by making the employee conscious of his or her surroundings when they open sensitive emails and can encourage an employee to question what wireless networks they use for business purposes.
The strictness of these restrictions should be tailored to your organization’s risk appetite. There are many Mobile Device Management platforms companies can make use of to better manage these assets.
When an organization allows its employees to work remotely it introduces risks that must be acknowledged and mitigated against. There are many things an organization should consider such as whether to provide an employee with equipment to work from home with, or to allow them to use their own personal devices. In general, the organization will provide company laptops to staff working from outside of the organization, who connect to the corporate network with a VPN. Organizations that allow employees to use their personal equipment should take additional steps to ensure threats are not introduced to your network, for example requiring software to be installed that monitors applications installed on the device, granting the corporate IT team with additional powers over the personal device and ensuring the security level of that device (such as requiring a patched OS, up-to-date antivirus etc).
Other controls can include controling the times employees can access the network to prevent abuse.