Presentation on theme: "To the ISSA Las Vegas Chapter April 13, 2011. Definition People Technology Policy."— Presentation transcript:
To the ISSA Las Vegas Chapter April 13, 2011
Definition People Technology Policy
A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, , Web browsing, still and video cameras, MP3 player, video viewing and often video calling. In addition to their built-in functions, smartphones can run myriad applications, turning the once single- minded cellphone into a mobile computer. Source: PC Magazine Encyclopedia
What do they want? Only carry one Anywhere access Any device supported Transparent security
What does management want? Lower cost Low support overhead Increased Productivity Any device supported Transparent security
Is the business willing to securely support a mix of personal/business data and smartphones/tablets? Remote access - to how much? Authority over data? Is the value worth the cost?
What are your organizations compliance requirements? Which rewards does management want to balance against risk and cost? –Compliance –Strategic mobility –Employee productivity/creativity/retention
Is confidential data allowed on mobile devices? Are personally-owned mobile devices allowed access? Who has authority/responsibility for… –Who gets company-issued smartphones –Who gets access from smartphones, and to what? –Purchasing smartphones –Provisioning smartphones –Securing/monitoring smartphones? –Support of Organization-owned (O)? Personally- owned (P)?
What are O mobile devices allowed access to? Is it different for P? Will you list specific devices supported, or just OS versions? Who is going to test all the new devices? How often? What about application maintenance? (how) Do you wipe a P phone at term? Crawl/Walk/Run or Flash Cut?
Review others policies for ideas Review your laptop policy Involve stakeholders in requirements and design Communicate early and often –Stakeholders –IT (they have to make the tech work) –Finance (our buddies with the budget) –Users (they hate change too – be nice)
Pure Monolithic – typically BES –Organization (O) owned only Mixed Monolithic –O or Personally (P) owned Mail System w/Supported Security –O, O/P, limited to native OSs 3 rd Party Mgmt Software (in-house, hosted, managed) – multiple device types
From Most to Least Complete Options –Blackberry –Windows Mobile (6.1 and 6.5 only) –iPhone –Android –Windows Mobile 7 –Symbian? –Nokia?
Passwords not pins Remote wipe Secure /Calendar sync Device and storage card encryption
Source: Microsoft - comparison-table.aspx#cite_note-3
Android 2.2 supports all the basic security requirements except encryption Android 3.0 (Honeycomb) provides encryption, but is currently only on tablets and one phone Carriers modify Android, sometimes badly NitroDesk Touchdown (Android Market or direct, $20) adds device and storage card encryption (3DES) to 2.2
Mobile Device Management (MDM) –Not just security – can have operations management and deployment capabilities Asset management Application whitelist Deploy in-house apps Deploy patches/upgrades
–Which one fits your organization better? In-House In-House with external comm center Hosted Managed Service
Good Technology Encrypts Android 2.1 and above, and iPhone 3G and above Separation of data and apps from OS in encrypted sandbox Can control transfer of data to personal side (contacts typically) Onsite servers transmit through Good telecomm datacenters – no ActiveSync
Mobile Iron Suite of applications for security, asset management, and expense Self-service portal for apps, communications search/history, and usage Encrypts iPhones, Androids (with integrated Touchdown), integrates with BES
Air-Watch Can be purchased as a cloud service, appliance, or software Encrypts iPhones but not Android 2.x
Verizon Managed Mobility Service 750 employee accounts minimum Based on Sybase solutions Services include inventory & expense mgmt, provisioning and logistics, and Sybase (policies, security, app store) Note: Sybase did not support iOS4 or Android until Oct 2010
Employee and management requirements often conflict Consumer-grade products = security an afterthought or non-existent Proprietary OS = complexity, inequality, lack of standards Immature market = rapid change
Perform constant market research Provide non-technical executive management enough information to make informed risk decision(s) regarding mobile devices –Immature market = limited choices, constant change –Set realistic expectations – no Holy Grail –Communicate risks in business terms –Crawl/Walk/Run