Smartphone Security Basics for Information Officers | Page 2
Then you'll want to make all the users aware of those security policies, and publish them on the company intranet where they will always be available for reference. Don't forget that smartphones have the ability to greatly enhance communications and work productivity. The type of security policies that you create for smartphones should be a balance between keeping confidential information secure and enabling user productivity. Examples of smartphone security policies are the following:

- Users may only connect corporate owned smartphones to the corporate network
- All corporate documents stored on smartphones must be encrypted
- All files stored on smartphone media cards must be encrypted
- All encryption products used on government smartphones must be FIPS 140-2 certified and validated
- Users shall not connect corporate owned smartphones to non-corporate owned equipment or networks
- All Wi-Fi capabilities on corporate smartphones must be turned off
- All company data sent through a smartphone web browser must be protected by session encryption
- Before a smartphone is issued to a new user, it shall be inspected to ensure that all prior documents and data from previous users have been cleanly and permanently erased from the device
- Bluetooth shall be disabled on all corporate smartphones
- All smartphones shall be tracked in an inventory that is updated annually
- Users shall not email documents marked "Proprietary and Confidential" in the clear, over the Internet
Corporate security policies should also include information on consequences for non-compliance. Will warnings be issued? Will disciplinary action be taken? What would be grounds for termination of employment? These are all things that should be considered.
Security awareness and training regarding smartphones is often given little attention. However, awareness and training do have an impact: they serve both as a deterrent to insider threats and as a genuine educational opportunity for well-meaning corporate citizens who are simply unaware of the dangers that lurk in cyberspace.
According to Microsoft MVP Brien Posey, who has over 17 years of information technology experience, "Security awareness and training are absolutely essential given today's security threats and the seemingly endless stream of security related federal regulations that companies are being required to comply with". Something that's important to address in security training is to explain any policy that you think users may not understand. For example, the last bulleted item in the above list of policies may not make sense to some users. Not all users have been working in information technology for years, and new users may not know what it means to send something "in the clear" over the Internet. Some users may not even know the difference between Wi-Fi, IrDA, Bluetooth, and the 3G wireless network capabilities that their phones use. A mistake that many businesses make is assuming that their staff is already aware of the security exploits that target smartphones. With new and junior staff joining your company all the time, you cannot be sure that they really understand your corporate security policies unless you train them. Including smartphone training in your annual security awareness and training program is one of the best investments you'll make in safeguarding your corporate information.