Driven by employee demand and the perception of better efficiency, the use of mobile devices in the workplace continues to grow. So, not only must today’s IT security managers determine how to manage these devices in their own environment, they must also determine whether their third-party service providers are allowing employees to access their data and/or systems through a mobile device as well. This is particularly important if your vendors follow the Bring Your Own Device (“BYOD”) approach to mobile device implementation.
Unfortunately, only the most recently executed vendor contracts will tend to address the issue of mobile devices. Even if your vendor agreements do cover the use of mobile devices to access your systems and data, you must be able to determine whether your vendor can meet your contract’s requirements for a secure mobile device environment.
The foundation for effectively controlling mobile devices, like almost all other IT services, is the development and implementation of a thorough and easily understandable set of policies and guidelines. Keep in mind that what you are looking for is how your vendor allows their employees to use mobile devices to access your data and/or systems. How they choose to allow employees to perform other tasks unrelated to the execution of their contractual obligations (like accessing company email accounts) may reveal their understanding of mobile device risk, but it is not directly relevant to how they discharge their obligations to protect your data and systems. When assessing your vendor you should determine if their mobile device policy contains at least the following provisions:
While a vendor may be unwilling to provide you with the full content of their mobile device policy, they should be agreeable to providing you with the policy’s table of contents, or other documentation confirming all of the areas addressed by their mobile policy. Ultimately, the adequacy of your vendors’ mobile device policy, and the provisions it should include, will be determined by what your vendors allow their employees to do with mobile devices, your company’s risk tolerance, and, to a large extent, the regulatory environment in which you operate.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.