Organizations concerned with Mobile Device Security have new guidelines from the National Institute of Standards and Technology (“NIST”), which released an update of its 2008-era special publication to reflect the tremendous growth of mobile devices since: Guidelines for Managing the Security of Mobile Devices in the Enterprise (SP 800-124r1))(the “Mobile Guidelines”). The Mobile Guidelines are designed to go hand-in-hand with another recently released NIST draft: SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.
The Mobile Guidelines provides six high level recommendations that enterprises should address to securely deploy and manage mobile devices. NIST recommends that organizations:
- Have a mobile device security policy that defines the types of devices permitted, the resources that may be accessed and how provisioning is handled.
- Develop system threat models for mobile devices and the resources that are accessed through mobile devices.
- Consider the merits of each provided security service, and determine which services are needed for the specific environment, and then design and acquire one or more solutions that collectively provide the necessary security services.
- Should implement and test a pilot of their mobile device solution before putting the solution into production.
- Should fully secure each organization-issued mobile device before allowing a user to access it.
- Should regularly maintain mobile device security.
Beyond the technical issues, the legal issues are likewise non-trivial. To discuss the Mobile Guidelines or your own mobile or BYOD programs, feel free to contact The Law Office of Dondi West.