The way we use technology and store sensitive data in our business changes frequently. Personally, I read emails on my mobile device throughout the day whether I’m near my desk or not. In fact, I probably read the majority of my emails on the go compared to the days when I was only responding to emails while sitting at my desk.
Working for a professional services firm, where the confidentiality of client information is paramount, I am required to sign our business IT policy. Our IT policy must be updated regularly to keep pace with the ever changing data security landscape.
IT Policy Checklist
If you can’t remember the last time you were asked to sign your business’ latest and greatest IT policy, perhaps this checklist will spur conversation about your business’ data security.
- Do employees at your business access email on their mobile devices?
- Is a password required to access your mobile device?
- If your mobile device is unused for a certain period of time, does it time out and require a password to log back in?
- What is the maximum length that should be allowed on your mobile device before the screen automatically locks?
- If the mobile device is personally owned but the business’ data is accessible, can other members of the employee’s family also use this mobile device?
- If the mobile device is owned by the business, are employees also allowed to use it for personal use? If yes, how liable is your organization as it relates to the employee’s personal usage?
- Is the data on your mobile device encrypted?
- If your mobile device is lost or stolen, can sensitive data be remotely deleted from your mobile device?
- Is your mobile device operating an intrusion detection/prevention system?
- Does your mobile device have anti-virus and/or malware scanning?
- If owned by the business, are there limitations as to what applications can be installed and from where they are installed?
Regardless of who owns the device that stores corporate data, is there a requirement to report lost or stolen devices to the employer? Even if you have certain internal controls in place related to data security on your mobile device and can answer “yes” to some or all of these questions, does the same hold true for the other individuals in your business? If the answer to that question is “no,” then that highlights the need of a business-wide IT policy related to such internal controls.
It is quite possible that organizations may receive some reluctance from employees regarding security measures implemented on their personal mobile devices. This is understandable. However, in our extensive experience in forensically analyzing mobile devices in numerous situations, it is obvious that individuals also store very sensitive personal information on their devices. Therefore, employees should understand that these measures not only protect sensitive corporate data, but also their sensitive personal information.
Businesses vary drastically on the level at which they use mobile devices and the sensitivity of data that is accessed and stored on such devices. The checklist items are obviously not all requirements, but there may be some items that would likely be prudent to add to your business’ internal control structure. As with any internal control system, you have to weigh the benefits received from these items against the cost of implementation.
There is a universal risk in your business regarding sensitive data falling into the wrong hands, but your personal risk tolerance might not be the same as the other individuals in your business. Incorporating mobile devices into your business’ IT policy can be a highly effective way to make sure that everyone is on the same page regarding data security.
Whether your business just needs to dust off its IT policy or if it feels it is necessary to implement a robust mobile device management system, the changes your business implements will be an appropriate level of response in relation to how individuals are using technology to access business data and the sensitivity of such data. Then, the next time that you or a colleague loses a mobile device, the impact of that loss will reach no further than the cost to replace the device.
Bill Dean is a Senior Manager in LBMC’s Information Security Services division and is responsible for incident response, digital forensics, electronic discovery and overall litigation support. Bill has more than 20 years of information technology experience with a specialty in information security and digital forensics for the past 10 years.