Keep devices regulation ready with compliant mobile data management

In this tip, learn how to prepare and implement a mobile data management policy that protects your organization against compliance violations.

Enterprises have had to make a fast and furious adaptation to the mobile age, as the latest and greatest technology allows employees to work from anywhere at any time. Benefits such as increased employee productivity and customer satisfaction can be measured easily. Of course, the potential negative results of mobility are easily determined as well, including the loss of intellectual property, sensitive material, personally identifiable information and financial data.

That being the case, enterprises must prepare mobile data management policies and procedures to facilitate compliance with internal rules and regulatory standards. With regard to compliance and risk assessment, which mobile technology will be deployed is of less concern, at least initially. The first step is to understand the data and content that reside on enterprise servers, then determine how this data will be transferred from point to point and who will have access to it.

Regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act provide minimum data management standards for company operations in a variety of industries. The type of business and the kind of data it uses in company processes determine the regulatory standards that must be met.

The next -- and more complicated -- part of mobile data compliance is detailing an information architecture. Companies must locate all server farms used for storage and the access points used to transfer the data. This is a daunting but critical task, and also a great way to understand which changes can make data more accessible and easier to control.

Adding data loss prevention (DLP) and new identity management technologies can help mitigate the risk of exposure created by attaching new mobile devices to a legacy-based network. And don't assume that all of your data is already under control. Adding mobile devices to the network can quickly expose data leakage opportunities that no one knew were possible.

Review, revise current mobile policy

Once companies have detailed and documented the data landscape, they must update and create new access policies. Again, don't assume that data access policies for employees using desktop or laptop computers provide necessary coverage to govern mobile device use on your network. Review and revise every policy that details data access, appropriate use of the data by employees and the mobile technologies that will be used to access data in the network. It is imperative to detail the minimum requirements for allowable mobile devices and operating systems, as well as device ownership, approved applications, which employees are allowed to use mobile devices, acceptable levels of data access and various device security standards.

This is also a great time for house cleaning. Legacy standards often do more harm than good when it comes to compliance, because they are no longer up to date with the minimum requirements set by government-mandated data compliance rules.

Managing mobile technology governance policies and procedures can be made easier by implementing an enterprise mobility management (EMM) suite. There are currently several very good solutions in the EMM marketplace, and the Gartner Magic Quadrant for EMM providers is a great place to start your investigation. The typical EMM vendor will provide tools to manage the following:

  • Various devices, including determining which are company-appropriate based on vendor, operating system, version, etc.
  • Security, including such steps as password protections, detection and quarantine of jailbroken or rooted devices, on-board management policies, and access rights
  • Whitelisting and blacklisting of specific applications

The main benefit of an EMM solution is rapid and systematic response to issues when they occur. Quality EMM vendors also have the ability to adapt quickly as mobile technologies inevitably evolve.

Beware employee fallibility

Fifty percent of employees use a personal device that is unmanaged by their company for daily work. This is perhaps the greatest mobile data risk of all: Despite leaders' best efforts to determine access points, make policy updates to remain compliant and implement technology to manage it all, mobile data compliance will remain difficult unless employees are aware of and play their role in these efforts.

In every bring-your-own-device program implementation, success is determined by how well the company communicates the changes to its employees. They must understand the importance of compliance with the mobile use policies. Once tools are in place, productivity increases can be measured and the risk of noncompliance can be mitigated.

Otherwise, the enterprise and the employees are using these new technologies blindly, and courts no longer accept the "I didn't know" defense for noncompliance. More importantly, customers have a long memory after falling victim to identity fraud due to personally identifiable information being exposed. Take the initial steps during mobile data management policy development to ensure your information is governed properly to avoid compliance -- and bottom-line -- repercussions.
