Driven by employee demand and the perception of better efficiency, the use of mobile devices in the workplace continues to grow. So, not only must today’s IT security managers determine how to manage these devices in their own environment, they must also determine if their third party service providers’ are allowing employees to access their data and/or systems through the use of a mobile device as well. This is particularly important if your vendors’ follow the Bring Your Own Device “BYOD” approach to mobile device implementation.
Unfortunately only the most recently executed vendor contracts will tend to address the issue of mobile devices. Even if your vendor agreements do cover the use of mobile devices to access your systems and data, you must be able to determine if your vendor can meet your contract’s requirements for a secure mobile device environment.
The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Keep in mind that what you are looking for is how your vendor allows their employees to use mobile devices to access your data and/or systems. How they choose to allow employees to perform other tasks unrelated to the execution of their contractual obligations (like accessing company email accounts) may reveal their understanding of mobile device risk, but it is not directly relevant to how they discharge their obligations to protect your data and systems. When assessing your vendor you should determine if their mobile device policy contains at least the following provisions:
- Security awareness training/education
- Acceptable use
- Operating system security
- User responsibilities
- Access control
- Data handling
- Individual responsibility if co-mingling personal and organization data on the mobile device
- Constituent accountability
- Secure disposal of device at end of life
- Vulnerability management
- Responsibility for ensuring mobile device operating system is updated
- Responsibility for ensuring mobile device applications are updated
- Reporting information security incidents in the event of loss or theft
- Prohibit sharing a mobile device with other users, including family and friends
- Ownership of data on the device
- Legal ownership and rights of the mobile device
- Specific actions that organization may take in the event of a lost/stolen or compromised mobile device (e.g., remote disable, remote wipe, confiscation)
- Data sanitization of (organization) data, settings and accounts on the mobile device at end of life
- Creation and use of mobile hotspots on an organization’s premise (BYON – Bring Your Own Network)
- Consequences for non-compliance with mobile device policy
- User authentication on the device
- Device encryption
While a vendor may be unwilling to provide you with the full content of their mobile device policy, they should be agreeable to providing you with the policy’s table of contents, or other documentation to confirm all of the areas addressed by their mobile policy. Ultimately, the adequacy of your vendors’ mobile device policy, and the provisions it should include, will be determined by what your vendors’ allow their employees to do with mobile devices, your company’s risk tolerance, and, to a large extent, the regulatory environment in which you operate.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.