How to say yes to (almost) any smartphone

Employees want iPhones, Androids, and other devices beyond the BlackBerry; here's how to safely welcome them


Saying yes to smartphones: What security category fits your needs?
Although scare stories about smartphone security often try to hold these devices to the standards of military and financial services firms, most companies don't require those levels of security. Besides, many defense and financial services firms have already figured out how to support iPhones despite their higher security needs.

Many companies will require a blend of the four broad categories outlined below. After all, you likely support employees who are involved in sensitive negotiations, as well as those who have little to no access to vital corporate data. As such, your "say yes" strategy should reflect that internal diversity. The universal truth of mobile is that it is not one-size-fits-all.


One final note: if you impose security requirements on mobile devices that you do not also enforce on employees' personal and company-provisioned PCs and laptops, something is wrong. Those PCs hold at least as much company data as any phone, so the gap there is the more immediate one to close.

Category 1: Routine business information. Truck drivers, sales reps, sales clerks, graphics designers, Web developers, repair and maintenance staff, personal coaches, restaurateurs -- people in these professions deal with routine information that is rarely personally or legally sensitive.

If their smartphone is lost or stolen, the resulting hassle amounts to reconstructing some data, discontinuing the cell service, and buying and re-outfitting a replacement device. A thief can still read the email cached on the device and, with the stored credentials, fetch more, so the account password must be changed at the server immediately so that the credentials on the device stop working.

Required security includes a PIN to use the device. Good, but not essential, security and management capabilities incorporate password expiration and complex-password requirements, remote wipe, in-transit SSL encryption of email and other data, and a "wipe contents after x failed attempts" policy.

Category 2: Important business information. Sales managers, veterinarians, personal assistants, management consultants, IT administrators, teachers, editors, videographers, programmers, most midlevel managers -- people in these professions and positions have access to some personal and financial information that won't make or break the company but could cause economic or PR damage worth preventing. They may also have access to some internal systems via passwords that could be abused by a bad actor who gets the device.

If their smartphone is lost or stolen, the cleanup effort goes beyond the individual's information and may require changing shared passwords, informing business partners, and losing short-term competitive advantages.

Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, and a "wipe contents after x failed attempts" policy. Good, but not essential, security and management capabilities include VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption.

Category 3: Sensitive business information. Finance staff, auditors, bankers, medical professionals, HR staff, lawyers, regulators, product managers, researchers, division managers, lead IT admins, marketing and sales chiefs, chief executives in most firms, and all of their assistants -- people in these professions work with highly confidential information (legal, financial, product, and personal) and usually have significant access to key internal data stores and systems.

If their smartphone is lost or stolen, there could be serious financial consequences, such as the notification costs if personally identifiable information is unprotected and the competitive losses if details on business negotiations, staff salaries, and the like are revealed.

Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit SSL encryption of email and other data, a "wipe contents after x failed attempts" policy, VPN and/or second-factor access to sensitive systems and data stores, and on-device encryption. Good, but not essential, security and management capabilities include the ability to control access to specific networks, to turn off the built-in camera, and to control application installation.

Category 4: Top-secret information. Military contractors, spies, police, senior diplomats, military personnel, congressional chairmen and their aides -- people in these professions work with confidential information, the exposure of which could jeopardize individuals' lives or compromise the public at large.

Required security and management capabilities include a complex password to use the device, password expiration, remote wipe, in-transit encryption of email and other data using FIPS 140-validated modules, a "wipe contents after x failed attempts" policy whose wipe actually destroys the data rather than merely deleting references to it, VPN access to sensitive systems and data stores, physical second-factor authentication support, FIPS 140-validated on-device encryption, support for S/MIME, and granular "lockdown" control over which networks the device may join and which applications it may run.
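The four categories above amount to a tiered baseline that an MDM or Exchange ActiveSync policy can enforce. The following Python is an added example, not code from the article or from any MDM product: it encodes the four tiers as required and recommended controls, translates a device's reported settings into the controls it actually satisfies, and reports the highest category the device is cleared for plus the gaps to the next one. The control names, the posture field names, the two sample postures, the complexity threshold (eight or more characters and not digits-only) and the bounded failed-attempt count are all assumptions made for illustration; map them onto what your management platform really reports.

```python
"""Tiered smartphone posture check (added example; control and field names are assumed)."""
from dataclasses import dataclass, field

# Control identifiers: an assumed vocabulary for this example, not a real MDM schema.
PASSCODE = "passcode"                  # any PIN/password needed to unlock
COMPLEX_PASSCODE = "complex_passcode"  # length and character-class rules enforced
PASSCODE_EXPIRY = "passcode_expiry"
REMOTE_WIPE = "remote_wipe"
TRANSPORT_TLS = "transport_tls"        # SSL/TLS for mail and other data in transit
WIPE_ON_FAILED = "wipe_on_failed"      # wipe after x failed unlock attempts
VPN_OR_2FA = "vpn_or_2fa"              # VPN and/or second factor to sensitive systems
DEVICE_ENCRYPTION = "device_encryption"
NETWORK_CONTROL = "network_control"    # restrict which networks the device may join
CAMERA_CONTROL = "camera_control"
APP_CONTROL = "app_control"
HARDWARE_2FA = "hardware_2fa"          # physical second-factor token support
SMIME = "smime"
FIPS140 = "fips140"                    # FIPS 140-validated crypto modules


@dataclass(frozen=True)
class Tier:
    number: int
    name: str
    required: frozenset
    recommended: frozenset = field(default_factory=frozenset)


# Categories 1..4 as the article lays them out. Category 4's "VPN access" is mapped
# onto VPN_OR_2FA here; its hardware token requirement is the separate HARDWARE_2FA.
TIERS = [
    Tier(1, "Routine business information",
         required=frozenset({PASSCODE}),
         recommended=frozenset({COMPLEX_PASSCODE, PASSCODE_EXPIRY, REMOTE_WIPE,
                                TRANSPORT_TLS, WIPE_ON_FAILED})),
    Tier(2, "Important business information",
         required=frozenset({PASSCODE, COMPLEX_PASSCODE, PASSCODE_EXPIRY, REMOTE_WIPE,
                             TRANSPORT_TLS, WIPE_ON_FAILED}),
         recommended=frozenset({VPN_OR_2FA, DEVICE_ENCRYPTION})),
    Tier(3, "Sensitive business information",
         required=frozenset({PASSCODE, COMPLEX_PASSCODE, PASSCODE_EXPIRY, REMOTE_WIPE,
                             TRANSPORT_TLS, WIPE_ON_FAILED, VPN_OR_2FA, DEVICE_ENCRYPTION}),
         recommended=frozenset({NETWORK_CONTROL, CAMERA_CONTROL, APP_CONTROL})),
    Tier(4, "Top-secret information",
         required=frozenset({PASSCODE, COMPLEX_PASSCODE, PASSCODE_EXPIRY, REMOTE_WIPE,
                             TRANSPORT_TLS, WIPE_ON_FAILED, VPN_OR_2FA, DEVICE_ENCRYPTION,
                             NETWORK_CONTROL, APP_CONTROL, HARDWARE_2FA, SMIME, FIPS140})),
]

# Simple boolean posture fields (assumed names) that map one-to-one onto controls.
FLAG_CONTROLS = (("remote_wipe", REMOTE_WIPE), ("tls_only", TRANSPORT_TLS),
                 ("vpn_or_2fa", VPN_OR_2FA), ("encrypted_storage", DEVICE_ENCRYPTION),
                 ("network_allowlist", NETWORK_CONTROL), ("camera_disabled", CAMERA_CONTROL),
                 ("app_allowlist", APP_CONTROL), ("hardware_token", HARDWARE_2FA),
                 ("smime", SMIME), ("fips140_modules", FIPS140))


def enabled_controls(posture: dict) -> set:
    """Translate a device's reported settings into the set of controls it satisfies."""
    have = set()
    if posture.get("passcode_required"):
        have.add(PASSCODE)
        # A passcode counts as complex only if long enough and not digits-only.
        if posture.get("min_passcode_length", 0) >= 8 and not posture.get("simple_passcode", True):
            have.add(COMPLEX_PASSCODE)
    if posture.get("passcode_max_age_days", 0) > 0:
        have.add(PASSCODE_EXPIRY)
    # x must be small and non-zero; 0 or missing means the wipe policy is off.
    if 0 < posture.get("wipe_after_failed_attempts", 0) <= 10:
        have.add(WIPE_ON_FAILED)
    have.update(control for flag, control in FLAG_CONTROLS if posture.get(flag))
    return have


def evaluate(posture: dict) -> dict:
    """Return the highest category the device is cleared for and per-tier gaps."""
    have = enabled_controls(posture)
    cleared, gaps = 0, {}
    for tier in TIERS:
        gaps[tier.number] = {"required": sorted(tier.required - have),
                             "recommended": sorted(tier.recommended - have)}
        # Tiers are cumulative: clear tier n only after clearing n-1.
        if not gaps[tier.number]["required"] and cleared == tier.number - 1:
            cleared = tier.number
    return {"cleared_tier": cleared, "gaps": gaps}


# Constructed sample postures for illustration, not data from any real device.
SALES_REP_PHONE = {"passcode_required": True, "min_passcode_length": 4,
                   "simple_passcode": True, "remote_wipe": True, "tls_only": True}
CFO_PHONE = {"passcode_required": True, "min_passcode_length": 8, "simple_passcode": False,
             "passcode_max_age_days": 90, "wipe_after_failed_attempts": 10, "remote_wipe": True,
             "tls_only": True, "vpn_or_2fa": True, "encrypted_storage": True}

if __name__ == "__main__":
    for label, posture in (("sales rep", SALES_REP_PHONE), ("CFO", CFO_PHONE)):
        result = evaluate(posture)
        nxt = result["cleared_tier"] + 1
        print(f"{label}: cleared for category {result['cleared_tier']}")
        if nxt in result["gaps"]:
            print(f"  to reach category {nxt}, add: {result['gaps'][nxt]['required']}")
```

The cumulative check matters: because the required sets are nested, a device that misses only a Category 2 control is reported as cleared for Category 1, not silently promoted, and the gap list tells the admin exactly which policy to push before the user can be moved to the next tier.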
