
Planning, follow-up required to ensure mobile compliance and security

In this tip, learn why best practices such as continuous monitoring and third-party vetting are vital to long-term mobile compliance and security.

One way or another, most organizations have to deal with user and IT strategy changes stemming from mobile applications and data. These efforts may range from simple development and support of mobile applications to developing detailed bring your own device (BYOD) programs that allow employees to choose their own end-user computing devices.

As data becomes increasingly mobile and exceeds the boundaries of the traditional corporate network, maintaining compliance and security can be challenging. In the past four or five years, I have been involved in numerous IT leadership discussions about making data and applications more mobile and accessible. In many of those cases, however, I was surprised to find that IT leaders didn't actually have a well-defined goal or concept to adapt to the mobility trend. Without these goals, privacy, security and compliance all potentially suffer.

As with any technology decision, being able to maintain security or privacy compliance is highly dependent on knowing the type and scope of the information involved. Key questions to ask your business leaders should include the following:

  • What type of information are we trying to make mobile?
  • What technology changes will be required to make this data or application mobile?
  • Who is going to be accessing this mobile data or application?
  • How critical is this data or application to our organization, especially if it were to become unavailable, corrupted or hacked as a result of being mobile?

Additional questions are likely useful as well, but these four queries are a good place to begin identifying what needs to be protected, how the organization and third parties expect to protect it, and what the consequences might be if it is not adequately protected. Clarifying this information also makes it much easier to decide which types of security technologies or procedures will be necessary. Possibilities include the following:

  • When creating a new mobile application, companies may consider additional application code scanning products or possibly extra penetration testing.
  • For a BYOD initiative where personally owned devices are allowed access to corporate systems and data, companies may need a mobile device management (MDM) product, a network access control solution and possibly even DLP technology.
  • Moving applications or data to the cloud may also result in personally owned devices having access to your organization's data, so businesses should consider whether potential cloud providers offer the security options listed above.

Vet your vendors

In some cases, mobilizing data involves moving it to a cloud provider -- whether that means simply using a third party to host your network and servers or employing a provider that manages everything from hardware to the application or data itself. To maintain compliance, it is important to have a strategy for vetting any outside parties that you might use as part of your mobile data strategy.

The Cloud Security Alliance (CSA) provides valuable resources for companies that are vetting cloud vendors and providers. The CSA is a not-for-profit group that has developed guidelines and assessment document templates so that organizations can vet cloud providers using a standardized set of questions mapped to common security standards such as PCI DSS, ISO 27001 and the Federal Risk and Authorization Management Program (FedRAMP).

For scenarios where your organization is simply mobilizing data via an internally managed application or technology, the company should conduct some extra research on the vendors to see whether they have had any security or privacy issues. In addition to consulting the more popular product research firms such as Gartner and Forrester, use peer networks to learn about your peers' experience with vendors and their products. LinkedIn and other common business forums can be used to ask about any specific negative experiences your peers may have had. It is also sometimes useful to ask penetration-testing firms about a particular product or provider, because if a vendor has a data protection weakness, a good penetration-testing firm has likely already discovered it.

Lastly, companies should develop a strategy to continuously monitor the security of their mobile data and environments. If your company implements technologies such as DLP or MDM, you may also want to consider a good security information and event management (SIEM) tool to make sense of the various alerts and notifications those products generate. At a higher level, it may also make sense to engage a threat intelligence service to gain insight into any underground networks that may be targeting your systems, or even those of your third-party providers.

The increased demand for mobile data and systems is an inevitable part of IT and security these days. The most successful security and compliance programs will be those that proactively set the stage for mobile data enablement. The key to creating those favorable conditions is clearly defining the intended scope of the mobile data strategy, then implementing the appropriate controls according to that scope. Your company should also pay close attention to vetting providers and vendors, and keep a close eye on the compliance and security of your data once it is actually mobilized. After all, the benefits of mobility are negated if it only makes data more vulnerable to security and compliance problems.

About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeff served in security executive/leadership roles for a number of private and public sector organizations including Cbeyond, Equifax, The First American Corporation, S1, the state of Georgia's Department of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.

What steps does your organization take to ensure information security and compliance in its mobile data strategy?
As a one-person shop that often deals with different clients and partners, I defer to the systems these folks use. That said, I shy away from bringing many outside documents, software or other assets onto my systems for fear that my stuff might be compromised. So much of my value comes from being a content creation source that if I lost my drives or the info on them, I'd be sunk.
The company considers additional application code scanning services or products as part of the creation of a new application for penetration testing. A network access control solution, as well as DLP technology, is important for a BYOD application, considering the company has embraced mobile device management. Enterprises should be keen enough to consider cloud services that provide security options for personally owned devices that are allowed to access the organization's data.
I think that is the biggest problem with mobile data compliance and security - there are just so many variables that developing an all-encompassing mobile GRC policy/procedures is very difficult. Add the potential for user error to the mix and it makes mobile security/compliance even more difficult. This is also why user training is essential - they must know their role in the data protection process because company security departments can't track how employees are using their personal devices for work at all times.
So much of security is common sense. I believe that if any system is to be secured against threats, there must be procedures in place to monitor, respond to, and proactively search out threats. Good piece. Solid points.