Going mobile: Ten best practices for managing mobile devices – Canadian Government Executive

NEWS

SEARCH

Security
July 9, 2012

Going mobile: Ten best practices for managing mobile devices

Technology adoption cycles are fairly consistent in today’s fast-paced, knowledge-driven business environment. Government agencies and companies initially acquire technologies because of the benefits they deliver and only later begin to understand the real burdens of ownership. This scenario is being played out once again in the mobile arena.
 
The widespread adoption of mobile devices as enterprise-level tools is occurring as compliance is becoming an ever-increasing concern. Many compliance and regulatory drivers, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Personal Information Protection Act (PIPA), govern laws related to personal data privacy and require governments, agencies and sometimes industry groups to protect and secure customer information and manage access to confidential data.

For many government IT groups, it’s common to perceive controls used to comply with these laws as applying only to traditional assets including servers, desktops, firewalls, routers, and even the data centre itself. What then happens with these devices that are more and more becoming the equivalent of PCs in the amount of sensitive data and degree of network access they offer, yet are rarely on the risk and compliance radar of IT?

Mobile devices are an enterprise-level asset and tool. They require an enterprise-level solution, such as a mobile device management (MDM) solution, designed to address the fundamental management issues of exerting control, while offering broad functionality to govern and secure the platform. Traditionally, IT tends to hone in on server components, but that approach doesn’t fit in an ecosystem that extends to third parties such as the device manufacturers, cellular network carriers and device users. Further complicating an organization’s compliance posture, these devices are by design beyond the physical control and access of the IT group on demand.

Management and security advice
The benefits of mobile access are compelling but the increasing sophistication of devices – and their potential vulnerabilities – are putting pressure on IT organizations. There are 10 best practices that every government IT department should follow to mitigate the risks and cost associated with the growth and management of mobile devices:

1. Own every device
Whether issued to employees or employee-owned, each mobile device within an organization stores sensitive information that can put an organization at great risk if not controlled. Proactively take ownership and manage data, such as customer contact information and e-mails with proprietary and confidential data, just as you would with servers, desktops and laptops.

2. Secure your assets
Accurate, complete and up-to-date ownership information is the foundation of an MDM strategy. As mobile devices provide immediate access to the web, social media tools and e-mail, it’s essential to be informed of which software versions and updates employees are running. It is only a matter of time before IT audits will include an organization’s mobile devices.

3. Build trust with employee self-management
As critical and sensitive information travels within an organization, an environment of trust with device users must be maintained and strengthened. A management model that requires the IT administrator to control the system will not scale; instead, device users must be engaged and empowered to perform certain self-management tasks. To reduce administrator and help-desk workloads, offload less critical issues to the device user in a secure and sensible way. Users are likely to be more satisfied if they are allowed to solve some of their own issues, rather than having to always wait for the help desk.

4. Prepare a verification policy
The ability for key employees to walk around with their “office on their hip” provides powerful privileges. Unfortunately, there is a significant amount of time these devices and the data stored on them are beyond an organization’s immediate control. Small, cool devices are easily lost or stolen, so it is essential to be prepared for these situations. The mere existence of a password policy is not enough. Whether there is only one or several policies managing password strength and expiration timelines, an enforcement mechanism is needed. For example, IT organizations need tools not only to initially apply password policies to devices, but also to periodically monitor them for compliance and automatically implement proper policies, including termination to any devices that are out of compliance.

5. Prepare a loss-event action plan
Murphy’s Law stipulates a mobile device is most likely to be lost at 2 a.m. by the user with access to the most sensitive data. Similar to a verification policy, an action plan for managing data stored on a lost or stolen device is needed. This might include remotely locking devices or performing a complete data wipe; organizations must be armed with the tools and resources to complete this operation at all times. It is imperative for authorized IT staff to have the ability to execute over-the-air (OTA) commands to any device from any available browser.

6. Plan for lifecycle events
Not only is it important to manage non-compliance, mobile devices travelling from employee-to-employee should also be managed through an automated lifecycle system. A mobile device once used by a senior manager should not end up in the hands of a new hire without verifying it has been completely purged. Whether putting a device into available inventory or ensuring a privately owned device is cleansed and returned to its original state, these actions should not be left to manual interventions. IT organizations must implement a solution that can connect several OTA commands as part of a business process that automatically launches when these events occur.

7. Develop strong configurations aligned with an organization’s needs
Mobile devices should be configured to ensure they are used in accordance with the organization’s policies. For example, public servants with access to confidential financial data might need to be prohibited from sending e-mails with a blind-copied recipient. This configuration restriction may be necessary to ensure compliance with privacy policies or legislation. Or, it may be necessary to disable voice calling for users who are given devices for data access, but are not signed up for a voice plan to avoid costly bills. As evaluating and building configuration settings that meet an organization’s needs is an ongoing task, a robust MDM tool will prove valuable. Management systems can free IT administrators from dealing with typical and predictable issues and allow them to focus their time on more valuable strategic tasks.

8. Integrate with authoritative sources to manage change
Because configuration settings are generally contingent upon user profile or rights, the management of mobile devices can often be optimized through integration with an organization’s identity and access management (IAM) system directory. This is not only useful for the original provisioning of a device but also for dealing with the changes that inevitably occur such as employee promotions and transfers or as changes in the organization require many users to be granted new rights or have exiting ones withdrawn. Government IT departments need an MDM tool that immediately recognizes rele

About this author

0 comments

There are no comments for this post yet.

Be the first to comment. Click here.

Security
 
Earlier this month I had the privilege of testifying as an...
 
Canadian Government Executive Media, (CGE) publisher of Canadian Government Executive magazine...
 
In the last few years, we’ve seen various federal governments warning...
 
Canadian Government Executive is excited to announce the agenda for TechGov...
 
In the wake of the WannaCry outbreak, corporate executives, IT professionals,...
 
Facebook Pages can be an essential tool for businesses and charities,...
 
Cybersecurity professionals have sounded the alarm for years, and they are...
 
CBC deserves full credit for exposing the presence of IMSI catchers...
 
Security professionals have an obligation to communicate risks and recommendations to...
 
Over the decades, technology has been grafted into governments around the...
 
In this episode, J. Richard Jones talks about being candid about...
 
Criminals have reportedly threatened to take over 250 million Apple accounts...
 
In this episode, hear more about how Canada is a prime...
 
While the incoming administration of President-elect Donald Trump is being buffeted...
 
In the world that we are living in today, free and...
 
The RCMP adopted a new media strategy earlier this month by...
 
What would tomorrow’s cybersecurity look like? That’s an intriguing question to...
 
Terrorism operates with deadly regularity. In June 2016, a gunman who...
 
Just as the federal government has begun consultations on cyber security,...
 
Efforts by the government to counter the radicalization of young Canadians...
 
Canadian healthcare organizations and businesses in the financial industry are the...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
The challenge is clear: a fast-paced industry pressures organizations to simultaneously...
 
As populations grow and age, the demand for services increases. As...
 
By Michael Murphy Not all assets can and should be equally...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Now more than ever, organizations in both the public and private...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
As the battle between the FBI and Apple continues to escalate,...
 
Please to view this Content. (Not a member? Join Today! )...
 
Meet Bob Heart.  He is an outstanding employee who works hard...
 
A new study released yesterday, Securing the C-Suite, Cybersecurity Perspectives from...
 
Please to view this Content. (Not a member? Join Today! )...
 
Please to view this Content. (Not a member? Join Today! )...
 
Yesterday, Ontario Supreme Court Justice John Sproat ruled that the Peel...
 
I wrote about accountability more than a year ago. Recently, a...
 
Intelligence agencies have had widespread and long-running programs to gather, analyze...
 
What concerns me is whether or not we’ve got the balance...
 
One of the consequences of the Information Age in which we...
 
In March of 2011, the east coast of Japan was rocked...
 
BYOD is hot! But is it for you? If yes, which...
 
Protecting critical infrastructure from cyber threats is the shared responsibility of...
 
In numerous interviews with senior military commanders over the past several...
 
In early February, James R. Clapper, the U.S. director of national...
 
The widespread adoption of mobile devices as enterprise-level tools is occurring...
 
CGE Vol.13 No.2 February 2007 Public security, once a task relegated...
 
CGE Vol. 14 No.4 April 2008 In recent years, policy makers...
 
L’univers de la sécurité des TI évolue rapidement. À mesure que...
 
The world of IT security is rapidly evolving. As quickly as...
 
Cyber attacks don’t have to look highly sophisticated. Hackers are purposely...
 
The announcement regarding the establishment of Shared Services Canada (SSC) was...
 
There was probably a day in spring of AD 72 that...
 
The changing face of public and personal privacy in the face...
 
What role should governments and public servants play in safeguarding personal...
 
Some title Some author
Some excerpt
 
Some title Some author
Some excerpt
Earlier this month I had the privilege of testifying as an...

Member Login

Forgot Password?

Join Us

Password Reset
Please enter your e-mail address. You will receive a new password via e-mail.