The two smartphone platforms have different malware profiles, both make use of open Wi-Fi hotspots, and both will store sensitive product data. But a flat-out "no" won't go over well, and just granting access with no controls could lead to disaster. Brace yourself as smartphones continue their march from high-end perk to wildly successful consumer product, and tablets take a similar path.
Our InformationWeek 2011 End User Device Management Survey found companies warming to consumer-centric technologies, including employee-owned devices. But before you incorporate mobility into your line-of-business apps, you need a policy that covers the bring-your-own-device (BYOD) option. Here are seven questions you must answer:
1. Who gets what? Probably not everyone gets a company-provided device. This decision should be based on roles and spelled out clearly. The policy should specify what device and service plan are authorized for each job title and who has the authority to overrule the policy.
2. Who pays? Specify if BYOD is allowed, and if so, what the reimbursement policy is.If it's a corporate-paid phone, are personal voice and data use allowed, and how much? If employees are reimbursed, setting the rate too low can cause disgruntlement.
3. Which ecosystems? Not all mobile operating systems are created equal, and their capabilities improve on an erratic schedule. For example, BlackBerry is still the standard for mobile security, while the Android 2.x releases and Windows Phone 7 don't support on-board encryption, creating a security threat if a device is lost or stolen.
Evolving environments mean IT should specify both the operating systems and version levels allowed, and define a procedure for testing and certifying new devices, platforms, and releases.
4. How will you provide support? This is where mobile device management systems such as those from AirWatch, MobileIron, and Zenprise come in. MDM capabilities vary, but you'll generally find policy enforcement and remote wipe and lock standard. Many systems also feature internal app stores and troubleshooting tools. Most require a client be installed on the mobile device, so you need to define procedures to install the client and activate the user..You'll also need to determine how to get the client off the device when the user leaves the company.
5. Who controls phone numbers? Consider whether you need to retain the mobile phone numbers of employees in customer-facing roles when they leave. The easiest approach is to issue corporate-provided phones. Another option is to use a PBX client so business calls go through the PBX.
6. How about noncompliance? Users are the weak link in any security plan, so identify how they'll be trained in mobile device use, how IT will let them know what isn't acceptable, their role in securing company data and minimizing liability, and the consequences for not complying. Employees should sign a document acknowledging they know the rules; that should be repeated with each policy update.
7. When will you revisit policies? Spell out how often you intend to re-evaluate your mobility policy--we recommend one year as the maximum.
Michael Finneran is a consultant specializing in mobile technologies. Write to us at [email protected].