- Security awareness training/education
- Acceptable use
- Operating system security
- User responsibilities
- Access control
- Data handling
- Individual responsibility if co-mingling personal and organization data on the mobile device
- Constituent accountability
- Secure disposal of device at end of life
- Vulnerability management
- Responsibility for ensuring mobile device operating system is updated
- Responsibility for ensuring mobile device applications are updated
- Reporting information security incidents in the event of loss or theft
- Prohibit sharing a mobile device with other users, including family and friends
- Ownership of data on the device
- Legal ownership and rights of the mobile device
- Specific actions that the organization may take in the event of a lost/stolen or compromised mobile device (e.g., remote disable, remote wipe, confiscation)
- Data sanitization of (organization) data, settings and accounts on the mobile device at end of life
- Creation and use of mobile hotspots on an organization's premises (BYON - Bring Your Own Network)
- Consequences for non-compliance with mobile device policy
- User authentication on the device
- Device encryption.
Nonetheless, CSOs should consider the development of a thorough and robust mobile device policy at the very core of their ability to manage the risks associated with these devices. Of equal importance is implementing the business practices and procedures which are necessary to support these policies.
What BYOD-related issues can we expect to grab the spotlight in the future?
As criminal enterprises continue to target mobile devices as their vehicle to access company systems and data, incidents related to mobile devices will continue to grow. One of the biggest issues in addressing this problem is the constant evolution of mobile technology. CSOs will be required to allocate a growing amount of their budget to develop and maintain the resources necessary to keep pace with changes in technology and increased threats.