Mobiles/Smartphones/Handhelds

pma111 asked:
Can I ask what key issues/areas need to be reviewed into an IT audit of corporate mobile devices/smartphones?
Commented:
Hi,

Consider smartphones as an extension of the desktop in terms of the storage of information, security of that information and measures to prevent disclosure (e.g. encryption, PIN/passwords, security policies/lockdown).

Also consider over the air protection of any information sent/stored on the device.

Regards,


RobMobility.
1) Power to wipe device at any time (in case it's stolen)

2) Possible transfer of sensitive data (Storage Device)

3) Perhaps a Lock timeout in case the phone is left open

Commented:
Hi,

What steps do you take to secure your other corporate mobile devices (e.g. laptops)? Always a good starting point.

Regards,


RobMobility.

Author

Commented:
I was thinking of any misuse of corporate phones as well?
You won't stop an employee from playing solitaire :)

Commented:
Hi,

Please provide more details re. the device OS in use (Symbian, Windows Mobile 6.x, Windows Phone, Android, iOS etc.).

Are you looking for tools/solutions to help you meet the auditing requirements?

Regards.


RobMobility.

Author

Commented:
No, not tools, just areas to include in the audit. Tools are worthwhile knowing about as they may form a recommendation if the company is lax in doing x, y and z around handheld management/handheld security. But the focus is more on what should be reviewed to see if lax practices/policies are in place in the first place.

Author

Commented:
We have some Windows Mobile and BlackBerry devices.

Commented:
Hi,

You can consider the following:

Windows Mobile - Kiosk type applications are available - you can configure these to only support a few applications.

Both BlackBerry and Windows Mobile (via SCMDM or third-party products) can enforce device functionality and application controls where you can disable non-essential functions/applications, prevent use of social networking apps etc.

Within BlackBerry, this is done via IT Policies and Application Control Policies.

What misuse are you referring to?

Regards,

RobMobility.

Commented:
OK.

Consider what you are trying to protect/prevent?

Exfiltration of corporate data via personal email accounts? Block access to non corporate email systems. Also prevent use of removable media cards or where used, enforce their encryption.

Protection of data on the device - force encryption of some or all of the device

Protection of data in transit - VPN, SSL or other secure connection - ensure it's at least 128 bit encryption and preferably AES.

Prevent misuse of device - configure PIN/Password policy - passwords need to be complex but not too onerous to enter onto the device. Add password expiry (say 60 days), password history, password pattern matching/disallowed passwords, password attempts (say 10 max) and wipe on failure to authenticate on the 10th try.

Regards,


RobMobility.
The BlackBerry connects to the BES, which is part of the Exchange server. The Windows Mobile devices are connected via Exchange, so you have all the power you need to secure your devices.
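The controls listed above (PIN/password complexity, expiry of around 60 days, password history, a maximum of 10 failed attempts before wipe, device and storage-card encryption, lock timeout) map closely onto Exchange ActiveSync mailbox policy settings, which is what governs the Windows Mobile devices mentioned here. The script below is an added example, not from the thread or from any vendor: it audits exported policies against that checklist. The property names mirror those shown by Exchange's Get-ActiveSyncMailboxPolicy cmdlet; the two policy records, the idea of exporting them as JSON, and the numeric thresholds are constructed assumptions for the example.

```python
"""Audit exported Exchange ActiveSync mailbox policies against the
checklist from the thread. Property names mirror Get-ActiveSyncMailboxPolicy
output; the policy records below are constructed sample data (assumption:
exported with something like Get-ActiveSyncMailboxPolicy | ConvertTo-Json)."""

MAX_EXPIRY_DAYS = 60      # "password expiry (say 60 days)"
MAX_FAILED_ATTEMPTS = 10  # "password attempts (say 10 max)" then wipe

# Constructed sample: an untouched default policy and a hardened one.
SAMPLE_POLICIES = [
    {
        "Name": "Default",
        "DevicePasswordEnabled": False,
        "AlphanumericDevicePasswordRequired": False,
        "AllowSimpleDevicePassword": True,
        "DevicePasswordExpiration": "Unlimited",
        "DevicePasswordHistory": 0,
        "MaxDevicePasswordFailedAttempts": "Unlimited",
        "MaxInactivityTimeDeviceLock": "Unlimited",
        "RequireDeviceEncryption": False,
        "AllowStorageCard": True,
        "RequireStorageCardEncryption": False,
        "AllowNonProvisionableDevices": True,
    },
    {
        "Name": "Corporate-Handhelds",
        "DevicePasswordEnabled": True,
        "AlphanumericDevicePasswordRequired": True,
        "AllowSimpleDevicePassword": False,
        "DevicePasswordExpiration": "60.00:00:00",   # Exchange prints d.hh:mm:ss
        "DevicePasswordHistory": 5,
        "MaxDevicePasswordFailedAttempts": 10,
        "MaxInactivityTimeDeviceLock": "00:05:00",
        "RequireDeviceEncryption": True,
        "AllowStorageCard": True,
        "RequireStorageCardEncryption": True,
        "AllowNonProvisionableDevices": False,
    },
]


def timespan_days(value):
    """Convert an Exchange timespan string ('60.00:00:00' or '00:05:00')
    to days. Returns None when the setting is 'Unlimited' (i.e. disabled)."""
    if value is None or value == "Unlimited":
        return None
    days, _, clock = str(value).rpartition(".")
    h, m, s = (int(part) for part in clock.split(":"))
    return (int(days) if days else 0) + (h * 3600 + m * 60 + s) / 86400


def audit_policy(p):
    """Return the list of audit findings for one policy (empty = compliant)."""
    findings = []
    if not p["DevicePasswordEnabled"]:
        findings.append("no device PIN/password required")
    if not p["AlphanumericDevicePasswordRequired"] or p["AllowSimpleDevicePassword"]:
        findings.append("simple or non-complex passwords permitted")
    expiry = timespan_days(p["DevicePasswordExpiration"])
    if expiry is None or expiry > MAX_EXPIRY_DAYS:
        findings.append(f"password expiry missing or longer than {MAX_EXPIRY_DAYS} days")
    if p["DevicePasswordHistory"] < 1:
        findings.append("no password history enforced")
    attempts = p["MaxDevicePasswordFailedAttempts"]
    if attempts == "Unlimited" or attempts > MAX_FAILED_ATTEMPTS:
        findings.append(f"no wipe after at most {MAX_FAILED_ATTEMPTS} failed unlock attempts")
    if timespan_days(p["MaxInactivityTimeDeviceLock"]) is None:
        findings.append("no inactivity lock timeout")
    if not p["RequireDeviceEncryption"]:
        findings.append("device storage not encrypted")
    if p["AllowStorageCard"] and not p["RequireStorageCardEncryption"]:
        findings.append("removable media allowed without encryption")
    if p["AllowNonProvisionableDevices"]:
        # Devices that cannot apply the policy would otherwise still sync mail.
        findings.append("devices unable to enforce the policy may still sync")
    return findings


def audit_all(policies):
    """Map each policy name to its findings."""
    return {p["Name"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        print(name, "-", "OK" if not findings else "; ".join(findings))
```

Run against a real export, the interesting output is usually not the hardened policy but the default one that is still assigned to most mailboxes; checking which policy each mailbox actually uses is the follow-up step.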

Author

Commented:
Misuse would be excessive personal calls, calls to other countries, use of web in work time etc.

Commented:
Hi,

The first one is difficult unless you monitor calls from bills and identify high bills?

International calling could be blocked via the mobile operator - presumably you manage the SIMs etc. centrally?

Web in work time - consider routing all web traffic via internal proxies etc. (if present) - same rules would apply as for desktop users with the same monitoring capabilities?

Regards,


RobMobility.
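The reply above suggests reviewing the operator's bills to spot high spenders and international calling. As an added example (not from the thread), the script below reads an itemised bill export and flags both patterns. The CSV lines are constructed sample data, and the home country code and the monthly spend threshold are assumptions to be set to the company's own policy.

```python
"""Review an itemised mobile bill export for the two misuse patterns
discussed above: calls to other countries and unusually high per-user
spend. Added example; the CSV below is constructed sample data."""
import csv
import io
from collections import defaultdict

HOME_COUNTRY_CODE = "44"   # assumption: UK-based fleet
HIGH_SPEND_GBP = 50.0      # assumption: monthly spend that warrants review

# Constructed itemised bill (one line per call) as an operator might export it.
SAMPLE_BILL = """\
date,user,dialled,duration_sec,cost
2011-03-01,jsmith,02071234567,120,0.20
2011-03-02,jsmith,+441632960123,600,1.00
2011-03-03,jsmith,00120255501234,1800,27.00
2011-03-03,jsmith,+33123456789,900,30.00
2011-03-04,akhan,07700900123,60,0.10
2011-03-05,akhan,+442079460000,300,0.50
"""


def is_international(number):
    """True when a dialled number leaves the home country.
    Handles +CC..., 00CC... and national 0... formats."""
    n = number.replace(" ", "")
    if n.startswith("+"):
        digits = n[1:]
    elif n.startswith("00"):
        digits = n[2:]
    else:
        return False  # national format, so domestic
    return not digits.startswith(HOME_COUNTRY_CODE)


def review_bill(csv_text):
    """Return international calls and users whose total exceeds the threshold."""
    international = []
    spend = defaultdict(float)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cost = float(row["cost"])
        spend[row["user"]] += cost
        if is_international(row["dialled"]):
            international.append((row["user"], row["date"], row["dialled"], cost))
    high_spend = {u: round(c, 2) for u, c in spend.items() if c > HIGH_SPEND_GBP}
    return {"international_calls": international, "high_spend": high_spend}


if __name__ == "__main__":
    report = review_bill(SAMPLE_BILL)
    for call in report["international_calls"]:
        print("international:", *call)
    for user, total in report["high_spend"].items():
        print(f"high spend: {user} {total:.2f}")
```

The comparison the auditor wants is whether these findings are possible at all, i.e. whether international dialling is barred at the operator for SIMs that do not need it, rather than only whether someone spotted them on last month's bill.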
Top Expert 2009
Commented:
Just make sure you are aware of what your company policies are, and if the employees have been given such materials, as these will figure into constitutionally protected areas of reasonable expectation of personal privacy (even on company-issue phones!)

Employees must be given information regarding policies, expectations, what constitutes abuse, etc.

Not saying I agree with it, but there is some precedent in the courts that says just because the phone is company issue does not mean the company has 100% rights to monitor all communications, unless clearly agreed to.

http://www.avvo.com/legal-answers/employee-privacy-rights-on-company-issued-phone----203262.html
