8 Elements of an Effective Mobile Policy

Organizations worldwide are embracing mobile technology because it offers a competitive advantage. By enhancing productivity and efficiency, mobile devices transform the way users approach work and accomplish tasks.

According to a survey conducted by Enterprise Mobility Exchange, an online community for global mobility professionals, the main drivers behind planned mobility solution investments include increasing productivity, improving opperational efficiency, boosting profitability and improving customer service.

Mobility is a powerful resource that should never be approached on an ad hoc or piecemeal basis. Simply allowing users to employ any type of mobile device, for whatever purpose they choose, opens the door to poor performance, wasteful spending, security vulnerabilities and other serious concerns. Every organization that utilizes mobile devices should have a comprehensive, formal written mobile policy document. The essential elements of a mobile policy include the following.

Device specification: The mobile security policy should define which types of mobile devices are permitted to access the organization’s resources and the degree of access for the various classes of mobile devices (such as organization-issued devices versus personal devices).

Device use and access: Users need to know when and where it is appropriate to use a mobile device and which type of device (smartphone, tablet or notebook) to use in specific situations.

Applications: The mobile policy should specify the required applications for specific tasks as well as who should supply the application (the organization or the user). The policy should also specify how and when applications are to be upgraded. According to a survey of 160 IT professionals conducted by the Spiceworks online community, the most common types of applications that organizations allow mobile devices to access are web apps (84 percent), intranet apps (61 percent) and extranet partner apps (40 percent).

Access to organizational data: The mobile policy should clearly specify which employees are allowed to access which types of data, from where and using what kinds of devices. As long as established security procedures are followed, mobile device data access rights can safely mirror office desktop computer clearance levels. According to the Spiceworks survey, most organizations (84 percent) now allow mobile users to access their systems via an onpremises local area network.

Mandatory security controls: The policy should outline the minimum mandatory security measures (such as encryption, PIN codes or remote wiping) that must be implemented on each mobile device in the organization. An organization may decide to disallow some types of inherently unsecure devices from accessing internal networks.

Financial terms: There are three basic approaches to funding a mobile device program: direct billing, in which the organization buys the device and assumes all expenses; fixed monthly reimbursement for device support; and reimbursement based on staff expense reports. A growing number of organizations are using their existing travel and expense reporting systems to manage mobile expenses. IT leaders should communicate the approach being used in the mobile policy.

Liability and ramifications: The mobile policy should include security, privacy and other guidelines that will help limit potential liability if information is lost or stolen via a mobile device. Particularly important are stipulations that affect how users obtain, utilize and communicate information on their devices. Mobile device liability is a complex and rapidly evolving area of law. This part of the mobile policy should be developed in close consultation with an attorney.

Penalties for noncompliance: A mobile policy usually includes several levels of noncompliance penalties. The policy should specify simple reprimands for users who fail to follow a particular use or security rule, or who engage in excessive use of mobile services over an extended period of time after being warned by a supervisor. Fines and restitution may be imposed on users who employ organization-owned devices to purchase nonessential or personal services. Employment termination may even be specified for a user who fails to promptly report a lost or stolen device that contains customer or employee information. Downloading software or content that is obscene, offensive or in violation of the organization’s tolerance policy, particularly to an organizationowned device, may also be specified as a cause for dismissal.

Learn more about mobile security, management and applications by downloading the white paper "Building an Effective Mobile Policy."