Most companies have a desktop computer usage policy in place, but with many workers using mobile computers, forward-thinking organisations have already developed a similar policy for mobile device usage.
Companies should use this policy to make users aware that security is important on their mobile devices and to raise awareness that they have sensitive company data on their devices.
John Engels, principal product manager of enterprise mobility at Symantec, suggests that any usage policy should include some basic rules.
“They should ensure people are keeping passwords safe, that they are using VPN if it’s configured for company business, that they do not leave the phone lying around, that they contact the corporation immediately if their device is lost, and that they are responsible for using the right applications for work correctly.”
But every organisation will also have its own specific needs. Here are some of the topics that might be covered in a company-wide policy.
1 Cameras in sensitive locations:
Some organisations want to prevent pictures being taken at certain sites.
If there are proprietary procedures or equipment that allow your company to produce the best widgets in the world, you won’t want people to walk in and take pictures.
To protect against this you can include a statement such as the following, restricting people from bringing camera-equipped mobile devices into those areas:
To protect sensitive information, company security reserves the right to sequester mobile computing devices including smartphones upon entry into research and development centres. All such devices will be returned upon departure.
2 Recording meetings:
If you want to avoid the recording of meetings, include the following:
Making audio recordings of meetings is forbidden in all cases, unless an audible approval from each participant is recorded at the beginning. Employees found using mobile devices in violation of this rule will have their mobile device privileges revoked.
3 Personal phone calls:
One way to keep costs down is to prevent users from making international phone calls. To make this rule clear, you might included a statement like this:
Outgoing international phone calls may only be made by employees with jobs specifically requiring communication with people outside the UK.
In no case shall outgoing calls be made for reasons other than those related to company business.
4 Text and instant messaging (IM):
You might prevent outsiders from using internal IM resources with a statement like the following:
Internal IM may only be used by company employees to communicate with other employees.
5 Social media, personal web browsing and personal email:
To make company policy clear you might include something like this:
Company-provided devices and networks may not be used to access personal social media services.
6 Storing sensitive data on the device:
Many companies protect themselves by requiring that company data be encrypted. To ensure users follow this policy, you might write:
Sensitive company data is not allowed on mobile devices except in certain cases, where the data must be encrypted using approved encryption techniques.
This statement doesn’t detail the exceptions, nor does it say how the data is to be encrypted. It simply states the company policy knowing that job roles and technology tools may change.
7 Transmission of sensitive data from the device over the air:
Similarly, you can restrict the communication of company data as follows:
Sensitive company data must not be transmitted over public wireless networks except for certain cases. Where these cases apply, the data must be encrypted using approved techniques before being transmitted.
8 Which devices are supported:
You might list devices supported by the company as follows:
The company supports Dell laptops, BlackBerry devices and Apple iPhones. Special permission must be granted by the IT department for the use of any other type of device.