In my previous posts, I discussed the Platforms and Procurement components of mobile technology strategy. This time, I will be covering a very important section of a successful plan: Policies. As I said in the last post, these pieces all work together to help build your strategy, and the choices made in one area influence the others. Your Policy choices are perhaps reflected in the other pieces most of all.
There are some parts of a mobile strategy that are similar to traditional technology policies in your organization. For example, the University Information Technologies department at Villanova University has a Mobile Device/PDA Policy that covers the purchase, deployment and support guidelines for mobile devices. The initial section of this policy states that users are expected to follow the existing Acceptable Use and Network Security policies that were already in place. Since mobile devices are accessing your organization’s network the same as any other computing device, it is important that you make your users aware that the same policies apply for those devices as well.
In some ways, certain parts of a mobile policy are actually determined before you reach this point in your planning. By choosing a mobile platform (or multiple platforms), you established a policy for what devices can be used on your network. The procurement method that was selected helps determine the policy on how those devices can be provided. One additional piece may need to be added to your organization’s policy if you have elected to allow a Bring Your Own Device (BYOD) plan. In this situation, there will likely be policy differences between company-supplied devices and user-owned devices. Some recommendations for creating user-owned device policies include limiting what devices will be allowed, requiring management rules to be applied to user-owned devices, and limiting support offerings to those devices.
At the root of your organization’s mobile policy is a decision on what information can and will be on mobile devices and how securely that information needs to be protected. Since mobile devices, by their very nature, can leave the physical location and network that you have secured, they pose a significant risk of your information being lost or stolen. In your organization’s policies, you will have to decide what information is allowed on mobile devices, and furthermore, how that data should be protected. Do you require devices with encrypted file systems to protect the data at all times? What about during transfer of the data? In order to protect the data, you may define a policy that requires users to use an encrypted data network at all times. This can range from requiring WPA-secured wireless connections to using secured VPN connections anytime a device is outside the network. Beyond these more apparent security policies, additional technologies such as configuration profiles, SAML authentication or various other domain authentication practices should be considered at this time as part of the overall mobile technology policy you are crafting.
Some policies will also need to be considered for legal reasons to protect your organization. One issue that has occurred involves hourly or non-exempt employees using personal mobile devices to access their email. In a well-known case, one employee claimed and was paid for 800 hours of overtime in four months for viewing and replying to emails outside of business hours. Another issue involving smartphones and mobile devices involves distracted driving laws. Setting aside the obvious safety risks involved, there have been cases where the company that provided the phones was found liable in accidents involving their employees. Some state laws banning the use of cell phones while driving explicitly state that an employer can still be held responsible for an employee who is negligent. As a side note, Float does work with a couple of organizations that have actually made mobile device usage while driving a terminable offense. Because of these types of issues, it is crucial that your organization set policies for potential issues with legal implications.
Another part of your planning will involve your organization’s mobile support policy. It is not enough to simply provide a list of approved devices; you will also need to determine what apps are supported, who will service issues with the devices, and replacement procedures. When phones are involved, there are also issues to consider in dealing with the service providers. If a phone needs to be serviced or replaced, a new device may need to be assigned and the number will need to be transferred. There needs to be a policy for replacement and upgrading of devices as well. New devices come out faster than ever, and your organization will need a plan for moving to newer devices, including how to transfer applications and data to those new devices.
If you have allowed users to bring in their devices with a BYOD policy, your organization will also have to determine how much support to provide for user-owned devices. It may be as simple as stating that support personnel will provide a best-effort attempt, but that results are not guaranteed. A time limit on support for user-owned devices could be listed, or the policy could be to only support software on the device that is required by your organization. Placing limits on supporting user-owned devices can help limit the liability of supporting those devices.
A very important part of your support policy covers your organization’s response to lost devices. Due to the potential for your data being lost or exposed, a remote wipe process needs to be considered. You will need a procedure for reporting lost or stolen devices, and a policy on when and how devices are wiped. This policy is also helpful in a BYOD policy when employees leave your organization. A part of your BYOD policy would be to issue a remote wipe command to all user-owned devices when their owners leave to prevent unauthorized data removal. If you choose to implement this policy, your users may complain, but it is necessary for the protection of your organization.
It is easy to see that defining policies for your mobile technology strategy is a must; however, those policies don’t help your organization if they cannot be monitored or enforced. There are ways to monitor and require compliance with almost any policy, including some that seem unenforceable, such as distracted driving policies. The important thing is finding a way to implement those configurable policies. The best way to do this is to use a Mobile Device Management (MDM) solution. An MDM system that supports multiple mobile platforms will allow your organization to create profiles that configure and enforce your device policies. It is also possible to create multiple profiles to allow for some variances in your policies. Some users can have fewer restrictions than others due to job requirements. Using an MDM can allow you to quickly assign a device to a category that receives the appropriate profile and policy settings. If you use an MDM solution, it is important to inform your users that the BYOD policy requires them to have their device added to the MDM system. It may be intrusive to your users, but it is a must to be able to enforce your policies and protect your organization’s network and data.
Creating mobile device policies for your organization can be a long, and sometimes tedious, process. As you can see, though, it is a must to properly secure your data and protect your organization and your employees. The policies that you create are another block in building your mobile technology strategy.
What issues and concerns are you coming up against in forming your mobile device technology policies? How are these policies impacting your users and ability to deliver content to them? Float welcomes your comments on this very important topic. Continue to check back here next week for our next article in this series.