Chapter 7 – Recommendations

7.1. Develop a Mobile Device Security Policy

The National Institute of Standards and Technology (NIST) recently developed a Special Publication entitled “Guidelines for Managing the Security of Mobile Devices in the Enterprise” [122], which offers organizations sound recommendations for developing a complete strategy for securing both corporate-owned and personally-owned mobile devices in large organizations. The recommendations follow a rigorous five-phase model, which NIST calls the “Security for the Enterprise Mobile Device Solution Life Cycle”. The five phases are: (1) Initiation; (2) Development; (3) Implementation; (4) Operations and Maintenance; and (5) Disposal.

Within the first phase, Initiation, which involves developing a “…vision for how mobile device solutions support the mission of the organization”, one of the first steps detailed is developing a mobile device security policy. The policy specifies which organizational resources may be accessed by mobile devices, the degree of access, and the mobile platforms that are allowed to access these business resources. NIST recommends that the policy be incorporated into the overall security strategy of the organization. What the NIST document does not state, but indirectly implies, is that before the mobile security policy can specify “…which types of the organization’s resources may be accessed via mobile devices”, the organization first needs a data classification policy in place. Data classification treats institutional data as digital assets and groups the data by its level of sensitivity and its value to the organization. Examples of the types of data assets held by universities were discussed in Chapter 2 of the literature review. Once a data classification policy has been established, it will aid not only the development of the mobile device policy but also the various other security policies and controls that the organization needs to implement in future.

As discussed in the survey results, only 27 percent of the South African university institutions that took part in the survey had even partially implemented mobile device policies. However, even though most institutions had not yet established such policies, the majority of respondents viewed a BYOD policy as critical. This is in line with NIST’s view, since policy development is listed as one of the first steps of the Initiation phase of the Enterprise Mobile Device life cycle.

7.1.1. Policy Content

While there are many important components to include in an organizational mobile device policy, and each organization should decide for itself what these are, a very important recommendation for universities is to stipulate the different access levels allowed for user groups such as academic staff, administrative staff, research associates and students. This element should first be stipulated in the organization’s overall information security policy and is essential for universities because it is largely the differentiating factor between corporate business environments and university business environments. Students do not need access to the sensitive information held by the university registrar or finance divisions and therefore should not be granted permissions to these resources. This should be communicated and enforced through policy. For example, students could be allowed restricted Internet-only access from their devices, whereas administrative staff, depending on their role, could be allowed to access more sensitive digital information from their mobile devices. As stated by Steiner [123], “…with BYOD, it is more important than ever to control which individuals have access rights to the network from their personal devices”.

It is evident that having both a general information security policy and a mobile device specific policy is essential, as each document would reference the other. In other words, the mobile device policy should be consistent with, and supplement, the information security policy for non-mobile systems. According to Souppaya [122], it is in the mobile device policy that the organization establishes rules such as employee responsibilities, which devices and associated software are permitted or restricted, the required configurations for devices, the scope of technical support, and consent to certain practices such as allowing the organization to remotely wipe a device if it is lost or stolen in order to prevent data leakage. If the organization considers that mobile devices increase its data leakage risk by too great a degree, the policy should state that personally-owned mobile devices are completely prohibited; however, it must be kept in mind that an unreasonably strict policy of this kind will foster user backlash and non-compliance. It is important to remember while developing the policy that anytime, anywhere access is what makes BYOD so appealing in the first place [123]. Conversely, having no policy at all means the organization has no standing in legal disputes regarding data lost through the loss of a mobile device. Additionally, an organization without a policy has no basis for enforcing any form of desired control.

It is therefore important to establish a policy which clearly explains all the desired practices and regulations.

7.1.2. Policy Enforcement

Once the policy has been developed and finalized, it is important to enforce the penalties for non-compliance consistently. Just as motorists are required to hold a driver’s licence when driving on public roads, the policy will only be of value if the consequences of not adhering to it are enforced. Consider, for example, a scenario in which a user removes the device PIN configuration from his or her mobile device. A soft penalty such as banning the device from network use for a reasonable period is appropriate here. If the user gained any productivity benefit from using the personal mobile device for work purposes, he or she will feel the restriction of being without it and will soon learn the importance of adhering to the policy.

All of these policy restrictions will, however, require centrally managed technical mechanisms to assist with enforcement. Software products such as Mobile Device Management, Mobile Application Management and Network Access Control are useful here and are discussed further in Section 7.3.
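The access tiers per user group from Section 7.1.1 and the time-bound network ban from Section 7.1.2 can be expressed together as a single policy evaluation of the kind a NAC or MDM back end would run on each device check-in. The following is an added illustration written for this chapter, not code from this thesis or from any MDM, MAM or NAC product. The user group names, resource names, the seven-day ban, and the rule that withholds sensitive resources from a device whose owner has not consented to remote wipe are all assumptions chosen for the example; the compliance records are constructed.

```python
"""Constructed example: role-based access tiers plus compliance-driven quarantine."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional

# Resources each user group may reach from a mobile device. The group and
# resource names are illustrative assumptions, not any institution's policy;
# the point is that every group maps to an explicit, reviewable set.
ACCESS_TIERS: Dict[str, FrozenSet[str]] = {
    "student": frozenset({"internet"}),
    "research_associate": frozenset({"internet", "library", "research_storage"}),
    "academic_staff": frozenset({"internet", "library", "research_storage", "email", "lms"}),
    "administrative_staff": frozenset({"internet", "email", "registrar", "finance"}),
}

# Resources that require the owner's consent to remote wipe (assumption: the
# policy ties that consent to the sensitive resources rather than to all access).
SENSITIVE: FrozenSet[str] = frozenset({"registrar", "finance", "research_storage"})

# Length of the "soft penalty" ban for a device found without a PIN (assumed value).
QUARANTINE_PERIOD = timedelta(days=7)


@dataclass
class DeviceRecord:
    """One compliance report, as an MDM agent or NAC probe might supply it."""
    device_id: str
    owner: str
    group: str
    pin_enabled: bool
    remote_wipe_consented: bool


@dataclass
class Decision:
    allowed: FrozenSet[str]
    quarantined_until: Optional[datetime]
    reason: str


def evaluate(record: DeviceRecord, quarantine: Dict[str, datetime], now: datetime) -> Decision:
    """Decide what a device may reach right now and update the quarantine ledger.

    The active-quarantine check runs before the fresh compliance report is read,
    so re-enabling the PIN does not end a ban early: the penalty is served in full.
    """
    until = quarantine.get(record.device_id)
    if until is not None and now < until:
        return Decision(frozenset(), until, "device is quarantined")

    if not record.pin_enabled:
        until = now + QUARANTINE_PERIOD
        quarantine[record.device_id] = until
        return Decision(frozenset(), until, "PIN removed; device banned from the network")

    tier = ACCESS_TIERS.get(record.group)
    if tier is None:
        # Unknown groups get nothing: fail closed rather than guess a tier.
        return Decision(frozenset(), None, f"unknown user group {record.group!r}")

    if not record.remote_wipe_consented:
        return Decision(tier - SENSITIVE, None, "no remote-wipe consent; sensitive resources withheld")

    return Decision(tier, None, "compliant")


def demo() -> Dict[str, Decision]:
    """Run the constructed scenarios and return the decisions for inspection."""
    quarantine: Dict[str, datetime] = {}
    t0 = datetime(2014, 3, 3, 8, 0)
    student = DeviceRecord("dev-1", "s1234567", "student", True, True)
    admin_no_pin = DeviceRecord("dev-2", "finance01", "administrative_staff", False, True)
    admin_fixed = DeviceRecord("dev-2", "finance01", "administrative_staff", True, True)
    admin_no_consent = DeviceRecord("dev-3", "hr01", "administrative_staff", True, False)
    return {
        "student": evaluate(student, quarantine, t0),
        "admin_no_pin": evaluate(admin_no_pin, quarantine, t0),
        # Owner re-enables the PIN the next day; the ban still stands.
        "admin_next_day": evaluate(admin_fixed, quarantine, t0 + timedelta(days=1)),
        # After the period the now-compliant device regains its full tier.
        "admin_after_ban": evaluate(admin_fixed, quarantine, t0 + timedelta(days=8)),
        "admin_no_wipe_consent": evaluate(admin_no_consent, quarantine, t0),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} allowed={sorted(decision.allowed)} reason={decision.reason}")
```

The quarantine ledger is the enforcement state the text calls for: the decision depends on what the device did earlier, not only on the report it sends now, which is why a check-in that claims compliance during the ban period is still refused. In a real deployment the ledger would live in the MDM or NAC database and the tier lookup would be driven by the identity directory rather than a literal in the code.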