New with Version 1.3 - Best practices for mobile devices, including the latest tablets and smartphones, and FTC guidelines
Every organization needs to identify, develop, and deploy mobile security policies that provide adequate protection. The level of protection has to be aligned with the level of risk that your organization is willing to accept. These policies should ensure that any applicable regulatory or compliance concerns are addressed. The mobile security policy should be integrated within your overall information security policy framework. Key elements to address in the mobile device security policy are:
- Physical security of the device
- Address lost or stolen devices
- Acceptable uses of the device
- Password protection
- Access Control
The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a mobile device connected via a wireless or unmanaged network outside of ENTERPRISE’s direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications:
- USB applications and data
- Laptop/notebook/tablet computers
- Ultra-mobile PCs (UMPC)
- Mobile/cellular phones
- Home or personal computers used to access enterprise resources
- Any mobile device capable of storing corporate data and connecting to an unmanaged network
The policy applies to any hardware and related software that could be used to access enterprise resources, even if the equipment is not approved, owned, or supplied by ENTERPRISE.
A growing number of enterprise employees are using mobile devices, in arrangements ranging from ad hoc work from home due to temporary family situations to full-time telework/home work arrangements. In fact, in a recent survey, 23% of North American and European enterprises (companies with 1,000 or more employees) responded that a significant portion of employees spend 20% or more of their working time away from the office.
- More North American than European enterprises support regular telecommuting. On average, North American enterprises report that 17% of employees spend at least 20% of their work time away from their normal work desk or working from home. This compares with an average of 14% of employees at European enterprises.
- European employers are more conservative than others about use of mobile devices.
- Size doesn't play a big role in an enterprise's decision to support mobile devices. At companies with between 1,000 and 4,999 employees surveyed last year, an average of 16% of employees telecommute one or more days per week, compared with an average of 14% of employees at firms with between 5,000 and 19,999 employees, and an average of 18% of those working for organizations with 20,000 or more employees.
- Firms with regular telecommuters have even more frequent travelers.
Mobile Device Access and Use Policy Template - This policy is 14 pages in length. It contains everything that an enterprise needs to implement a functioning and compliant mobile device and use process. Included are forms defining the mobile device environment.
Elements of Mobility Security
As the traditional enterprise boundaries begin to fade, it is paramount that mobile devices and the sensitive information they contain be managed and protected. As a result, security perimeters must also expand beyond the internal network to these numerous critical endpoints.
Mobile Device Management
Mobile Device Management within organizations becomes more complex and important as both the number of devices and the amount of sensitive data stored on the devices increase. A lost or stolen device may compromise the critical data stored on it, unless there are processes and tools in place to protect it.
Mobile Device Asset Discovery and Inventory
The first step in securing your mobile organization network is the identification of the current inventory of mobile devices and OS clients that exist within your infrastructure. Next, you must integrate the mobile devices that have been identified in this process into your existing asset inventory database. Consider the following as you develop or update your mobile device asset inventory:
- How will you identify the mobile assets?
- What assets are related to this mobile device, for example, additional memory cards?
- How do you identify the asset owner and the business purpose of each device?
See also Mobile Device Security
Other Individual Policies
All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy. All policies are Sarbanes-Oxley, HIPAA, PCI-DSS, and ISO compliant. The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed, and stored electronically -- a total solution.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing Policy
- Physical and Virtual Server Security Policy
- Record Management, Retention, and Destruction Policy
- Sensitive Information Policy (HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy (includes electronic form)
- Telecommuting Policy (includes 3 electronic forms to help to effectively manage work at home staff)
- Travel and Off-Site Meeting Policy
- IT Infrastructure Electronic Forms