Creating an effective security policy for personal devices accessing the corporate network
You probably already have a wireless security policy governing the use of corporately owned devices, but what about those employee owned devices?
If you don’t already have a good Bring Your Own Device policy, then your organization falls into one of two scenarios:
- Personal devices are being blocked from the corporate network and therefore your company is missing out on the free increased productivity associated with an employee making use of a mobile device.
- Personal devices are already accessing your corporate network, with or without your knowledge, and you aren’t doing anything to ensure that this is being done securely.
In either case your organization can likely benefit from a good corporate policy which allows a user to take advantage of the increased productivity in a safe manner. In general a good BYOD policy acknowledges that the enterprise doesn’t own the device but does, however, own the data. It is reasonable to require that this corporate data be effectively protected. Your policy should include specific points addressing each of the following:
- What happens to the data when an employee leaves the company?
- What about lost or stolen devices?
- How is a device configured to receive and transmit corporate data?
- What kind of passwords are acceptable to use?
- What kind of encryption standards are acceptable?
- What types of devices are allowed and what types are not?
- What about jailbroken, rooted or compromised devices?
In an effort to enforce these BYOD policies many corporations are looking to MDM software. This type of software has the ability to ensure the correct corporate policy is enforced based on the device type and employee job function.