Westminster College recently drafted its first formal mobile device policy, which covers smartphones and cell phones. Although we've had loose ad hoc policies in place before, the new mobile device policy includes key provisions designed to protect the organization and codifies de facto standard processes.
This article highlights the primary areas that we considered when drafting the policy, as well as the solutions that we came up with for each topic. (I do not cover the technological means by which these policies are enforced.)
How to handle mobile device and service requests
As the mobile device revolution has gained momentum, it's been easy to say, "We need a phone for this person," perhaps without giving a lot of thought to the upfront device cost, the ongoing monthly costs (which can be significant), and the ongoing support. Every mobile device policy needs to address the process by which new devices and services are procured.

Solution: When someone requests a device, whether it's a smartphone or a cell phone, the request has to be approved by the division VP as well as the CIO to provide two layers of authorization. There needs to be a clear business justification for the request. (Be very careful when providing mobile devices to non-exempt/hourly employees. I discuss this in more detail in the next section.)
Legal risks to the organization
iPhones started making their way into organizations via personal cell phone plans, but now iPhones are often officially supported devices. If you allow access from uncontrolled personal devices, this raises several challenges, including:

- Fair Labor Standards Act issues related to overtime. There have been documented cases in which employees have claimed overtime related to use of mobile email after hours. While this is not limited to personal devices, if non-exempt employees connect to servers with personal devices, the after-hours work might go unnoticed by the person's manager. Solution: Do not allow non-exempt staff to connect personal devices to systems without the approval of their immediate supervisor, and make sure the policy clearly delineates the potential organizational risks.
- Remote wipe provisions/data liability. If you're going to allow people to connect personal devices to company servers, include a provision stating that making this connection authorizes the organization to remotely wipe the device in case it's lost or stolen or the employee leaves the organization. The goal here is information security: mobile devices can contain sensitive information but aren't always taken as seriously as other portable devices, such as laptops. Here's sample language:

Confidential electronic information, including personally identifiable information (PII), that is off the physical premises of <company> must be protected in such a way as to prevent it from being exposed if the device upon which the information is stored were to be lost or stolen. In order to protect PII, the company retains the right to delete data and/or applications from any device that contains the company's information.

Please note that in certain situations a device may have its data wiped in order to ensure that the company can protect its interests. If given enough notice, IT staff can work with you to avoid such action. If you find yourself in such a situation, please reach out proactively to the IT Help Desk.

- Distracted driving. A number of U.S. states have passed laws that require the use of hands-free kits when driving, and there is more than the legal aspect of using a mobile device while driving to consider. In some cases, drivers who are using company-owned phones or doing business on personal phones while driving may be putting their companies at risk for lawsuits.
Mobile devices can present unique security challenges. When a mobile device is lost or stolen, it may not be treated as seriously as losing a laptop, but it can be just as serious, depending on how the device is used and what it holds.

Solutions
These security-related items should be included in a mobile device policy:
- Use of a PIN-based lockout. At the very minimum, your policy should include a provision requiring that a device lock itself after a period of inactivity. You might also consider requiring additional levels of security; for example, set a policy that automatically wipes the device after a certain number of failed password attempts.
- Use of device encryption. A PIN-based lockout is a minimal requirement, but for organizations that have not had any formal policies in place, it's a great first step. A next step might involve requiring that all mobile devices (laptops included) be fully encrypted so that loss of the device doesn't equate to loss of information. Note that on most devices the encryption is only as strong as the lock screen that protects it, so the two provisions reinforce each other rather than substituting for one another.
- Report a lost or stolen device. Whenever a device is lost, it must be reported as quickly as possible to the IT Help Desk so that it can be remotely wiped before the data on it is exposed. A wipe command can only take effect while the device is powered on and reachable, which is why prompt reporting matters.
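The article deliberately stops short of enforcement mechanisms, so the following is an added example rather than anything from the original page: it shows how the three provisions above map onto an Exchange ActiveSync mobile device mailbox policy in the Exchange Management Shell (Exchange 2013 and later, or Exchange Online; older Exchange versions expose the same settings through the ActiveSyncMailboxPolicy cmdlets). It assumes that mail sync via ActiveSync is the channel through which devices reach company data; the policy name, the mailbox and the device ID are placeholders.

```powershell
# Added example, not from the article. Assumptions: devices reach company data
# through Exchange ActiveSync; "Westminster-Mobile", "jdoe" and the device ID
# "ABC123" are placeholder values.

# 1. PIN-based lockout: require a non-trivial passcode, lock after 5 minutes of
#    inactivity, and wipe the device after 10 failed attempts.
# 2. Device encryption: require it, and refuse sync from devices that cannot
#    apply the policy at all (AllowNonProvisionableDevices $false), so an
#    unmanaged client cannot silently bypass the controls.
New-MobileDeviceMailboxPolicy -Name "Westminster-Mobile" `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock "00:05:00" `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# Verify what was actually set before rolling it out.
Get-MobileDeviceMailboxPolicy -Identity "Westminster-Mobile" |
    Format-List PasswordEnabled, AllowSimplePassword, MinPasswordLength,
                MaxInactivityTimeLock, MaxPasswordFailedAttempts,
                RequireDeviceEncryption, AllowNonProvisionableDevices

# Apply the policy to an existing mailbox (new mailboxes pick up the default).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Westminster-Mobile"

# 3. Lost or stolen device: list the device partnerships for the user to find
#    the right one, then queue a remote wipe. The wipe only executes when the
#    device next connects, which is why the policy requires prompt reporting.
Get-MobileDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceFriendlyName, DeviceType, DeviceId, LastSuccessSync

Get-MobileDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq "ABC123" } |
    Clear-MobileDevice -Confirm:$false
```

Two practical notes: the wipe here is a full device wipe, which is what the sample policy language above authorizes; and because the encryption and passcode settings are enforced by the client, devices that merely ignore them are exactly the ones the non-provisionable-device setting exists to keep out.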
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at firstname.lastname@example.org.