Here are some tips for what to include in your IT policies regarding smartphones and laptops.
I have seen IT organizations that exercise great control over what road warrior employees have access to and I have seen the exact opposite. I've also seen many variations in between. I've spent long periods of time thinking through all of these policies and processes and have come up with some pretty simple solutions.
Companies love to standardize on smartphones. Treo, Blackberry, and now the iPhone. For small and midsized businesses, my advice is: who cares? Many times, our companies are too small to get any real purchasing power. Pooling minutes helps, but finding a carrier that has consistent coverage in every market where you have a branch office is a challenge. Sometimes, though, a carrier carries all three and then that argument goes away. Additionally, Treo and iPhone can be managed at the Exchange server. The main things to keep focused on are:
- Productivity: What tools are the users most productive with? Answer: The ones they like to use.
- Security: All three (and I'm sure there are more) can be remotely disabled or have e-mail deleted if the device is reported lost or stolen. All three can utilize VPN clients, although I've heard that Cisco is having some challenges outfitting the iPhone with all of their corporate-required wares. I'm sure they'll work it out eventually.
- Support: How difficult is it to provision several at a time? What tools are available? Blackberry Enterprise Server and Microsoft ActiveSync make it pretty easy to distribute standardized configurations with minimal hassles. Most phone support and application support outside of e-mail can easily be handled by providers, so specialized knowledge is not required.
- Application Support: If you have specialized applications that need to be accessed via a mobile device, that would probably be a factor in deciding on a platform and may negate the whole freedom of choice argument. But do your workforce a favor and develop platform-agnostic code or insist that your vendors do the same.
Notice I did not mention cost. The latest and greatest toys (translated: the most productive smartphones) are all around the same price. Service plans vary, but not by much. User productivity gains are what matters when we start talking about nickels and dimes. From a support standpoint, you can say that IT will support the Blackberry for application issues and anything else; for Treo and iPhone, IT will configure e-mail and PIN protect policies, but the user is responsible for support outside of that. Really, the calls to the helpdesk are minimal regarding how to use these devices. The calls that I received most were in regard to lost or damaged phones.
I banged my head against a wall for way too long on this one. The challenge was giving high-level employees the capabilities of mobile computing, but at the same time protecting the organization from data leakage, stolen property, and security compromises.
Virtualization has made this job a little easier, but not entirely foolproof. I found myself having to make exception after exception for allowing USB thumb drives, CD burning, and local databases. Road warriors have many requirements for transferring files (contracts, terms and conditions, non-disclosure agreements, etc.). In an SMB, these road warriors typically serve in more than one role. There are tools out there to make this easier, but they always tended to be a bit on the expensive side. When I say expensive, I mean that in a couple of ways.
First, the obvious one: Money. It's always a challenge to get budget money for IT systems that prevent things that "might" happen. Secondly, productivity expense. RSA-secured thumb drives get lost, multiple log-ins become challenging and even some VPN clients introduce more hurdles than many road warriors can stand. They complain to the VP of sales, he goes to the CEO, the CEO reminds you that it is these guys that are paying your salary. Ouch!
If you're running into these hurdles, I would suggest having management agree to enforce a one- to two-hour training session for all employees that require a laptop. This session should focus on the responsibility these employees have to protect the company's data using real (and as dramatic as possible) examples of the impact of data theft, identity theft, e-mail archiving, and security breaches. Also explain accountability. Laptops are never to be left in cars or hotel rooms.
Also, customer data is never to be stored on the laptop. Password saving for auto-login should be disabled.
What are some of the pearls of wisdom you have to share in regard to mobile policies?