Eight steps to ensure that mobile device policy is effective and secure

Source: Internet
Author: User

1. Form a mobile device guidance team

To develop a sound mobile device strategy, an organization needs to assemble a team of experts representing multiple departments. Of these, three departments play a particularly important role: IT, human resources, and the lines of business. In some cases, specific discussions about mobile devices can create new ways for these departments to collaborate, especially human resources and IT.

Human resources is responsible for developing and publishing policies, but its work also involves creating a well-received employee experience and balancing the benefits and risks associated with mobile devices. To address security and management risks, IT can work to strengthen these policies, and business managers can ensure that the policies address the needs of users.

2. Outline the objectives of the enterprise

Before delving into specific strategies, the guidance team must define the challenges that the enterprise should address with a modern mobile strategy.

The guidance team needs to consider the issues from a number of angles, from the CEO who has just bought a tablet computer to the end user who requires the enterprise to support Android devices. Business managers may also want to give company data to outgoing employees, which is a realistic business model to consider. In addition, if the enterprise does not deploy systems to support mobile platforms, will end users find their own way?

A variety of factors can motivate companies to act. These may include growing acceptance of the BYOD model by the enterprise, which recognizes BYOD as an opportunity to reduce IT costs and increase productivity; the need to better secure enterprise data and applications; and the need to ensure that employees have the access they need to complete their work.

3. Define policy details

Don't expect one foolproof approach for all mobile devices, but all businesses, large and small, need to deal with a common core of requirements. This starts with specifying the types of device the policy covers.

In some cases, the enterprise may need to merge old and new policies. For example, most businesses may already have rules for managing laptops. However, if these rules have not been updated recently, the policy may assume that the devices are issued by the enterprise. Even so, some companies could still extend BYOD from smartphones and tablets to laptops and supercomputers.

The key is to determine which device types and operating system platforms are allowed to access data, and to determine which devices and operating systems are restricted due to administrative and security issues.

Different areas require different infrastructure and controls. We recommend that enterprises divide their employees into three categories. The first category is users who access the enterprise database using devices and data services provided by the enterprise, for example managers and administrators. For this type of user, the enterprise needs a sound policy and management infrastructure to control the device and protect sensitive information. This means deploying mobile device management (MDM) capabilities and data encryption as well as mobile virtual private networks (VPNs).

The second category of employees also uses the enterprise's equipment and services, but they may only be authorized to access the enterprise's e-mail system, not the database system directly. The controls for this type of user may be less strict, but the enterprise still needs mobile device management (MDM) to track the status and location of the device.

This type of user may not access the database through a mobile device, but they can still access sensitive data in e-mail messages.

The third category of employees is BYOD users who use their personal devices for work, for example to send e-mail or text messages. Examples include sales managers or individuals in the human resources department (who may work primarily in the office but remain connected during or after work).

The category a user belongs to can determine whether to restrict that user from accessing certain applications and data. For example, a policy might allow users to download approved software from a specific portal. Any other software a user requires must also be on the enterprise's approved software list.

A request from a user or user group for any other software must be approved by the mobile device policy supervisor. The enterprise's mobile strategy should also state that the enterprise will not support users adding unauthorized software.

4. Clarify the financial terms

Enterprises can adopt three basic financial models. The first is direct checkout, which means that the enterprise buys the equipment and bears all the expenses. In the second model, the enterprise provides a fixed monthly reimbursement for mobile devices. In the last, the enterprise reimburses employees according to their expense reports.

The choice of model depends on the answers to several important questions. These include, but are not limited to, whether the enterprise or the employee pays for all or part of the hardware, data access plans, support costs, and so on. Other financial issues to be clarified include the specific costs borne by BYOD device owners, and even international calls and international roaming plans for voice and data communications.

5. Resolve the question of responsibility

Accountability concerns data that is subject to government security and privacy requirements, as well as data that is subject to the enterprise's own best practices.

When it comes to accountability, companies may need to consider some thorny issues. For example, every enterprise has the right to control access to and use of its data, but policy makers must decide how to handle the user's personal information, including contact information stored on a device assigned by the enterprise. The mobile device policy team must work out how to build a system that minimizes exposure of personal information.

Finally, mobile users should have a clear understanding of the penalties for non-compliance with the mobile policies, including the different penalties that apply to different policy violations.

6. Lock down security

Security issues may take up the most time and effort for the team setting the mobile strategy.

The influx of new mobile devices adds complexity to security operations, while affecting some of the strict controls IT has implemented in the past.

The situation has changed. In the past, end users were constrained by the requirements of the IT department. Today, however, if you want to install security software on a mobile device, you must first obtain the user's consent.

Therefore, IT administrators must accept several basic principles. You can't do anything that messes with the local end-user experience. For example, employees purchase an Android device for specific reasons, and security controls should not compromise the user's interests.

Designing security rules should start by setting out the basic outline of how mobile devices access data. The mobile device monitoring team should thoroughly analyze specific security technologies and usage strategies.

An important goal is for the enterprise to be able to protect internal data when it is not within the physical boundaries of the enterprise. Sensitive information is especially vulnerable to theft when it travels outside the network, and unauthorized users may be able to access the information if the device is lost or stolen.

Technology-based security measures include methods of authorizing users and devices, as well as device and data encryption, VPNs, and sandboxing (isolating certain data and applications so that they are not susceptible to intrusion). Other basic measures include device-side anti-virus software and the ability to manage configurations and patches.

The mobile team should also prepare contingency plans to contain or reduce the damage when an incident occurs. Deleting data completely or partially from a missing device is a common method. If the enterprise retains the right to remotely wipe data on lost or stolen devices, the policy should clarify whether personal data is also wiped or whether only information in the company sandbox is cleared.

One way to implement this type of control is through an MDM (mobile device management) solution, with which the enterprise can enforce the policy centrally. Some enterprises go further and strengthen their control over data through a mobile application management system. With mobile application management (MAM), enterprises enforce their policies on applications and data rather than on the device itself.

From a policy perspective, the mobile rules can also require users to download a specified MDM or MAM system.

7. Management

The next step is to create a plan that determines how the strategy is communicated and what the strategy means for employees.

The enterprise's mobile device strategy team should first explain the main points to department managers and then to department members. The enterprise must consider how users will be informed: is the policy sent by e-mail with a note telling the user "Please read important mail"? Or do users have to confirm that they have read the strategy and agree to follow it?

After the policy is finalized and all users are aware of the strategy, the next step is to implement the policy. The best starting point is often to test first, especially for new strategies. Start with an employee who is interested in using BYOD or has been quietly using it.

It is recommended that enterprises start with small departments representing different users within the enterprise, which helps the enterprise decide which policies are valid and which are not. This can also provide time to collect data to measure benefits and costs.

8. Deal with change

An important step to ensuring that a mobile strategy works is to constantly review and update policies to ensure that policies continue to meet the latest technical and business needs.

Conclusion

When it comes to mobile device policy, preparation leads to success and a lack of preparation leads to failure. Enterprises should follow these steps one at a time to ensure that BYOD not only improves employee efficiency but also effectively keeps enterprise applications and data secure.
