Medical records management chapter 14 answers

271

Information Governance for Mobile Devices*

C H A P T E R 14

* Portions of this chapter are adapted from Chapter 7 , Robert F. Smallwood, Safeguarding Critical E-Documents: Imple- menting a Program for Securing Confi dential Information Assets , © John Wiley & Sons, Inc., 2012. Reproduced withs permission of John Wiley & Sons, Inc.

The use of mobile devices is ubiquitous in today’s society. According to CTIA (the Wireless Association), over 326 million mobile devices were in use within the United States as of December 2012. 1 This is a more than 100 percent penetra- tion rate, since many users have more than one mobile device, and usage continues to grow. Citizens of China, India, and the European Union (EU) have even greater mobile phone usage than those in the United States.

Mobile computing has vastly accelerated in popularity over the last decade. Sev- eral factors have contributed to this: Improved network coverage, physically smaller devices, improved processing power, better price points, a move to next-generation operating systems (OSs) such as Google’s Android and Apple’s iOS, and a more mobile workforce have fueled the proliferation of mobile devices.

Mobile devices include laptops, netbooks, tablet PCs, personal digital assistants (PDAs) such as BlackBerries, and smartphones such as Apple’s iPhone and those based on Google’s Android platform. What used to be simple cell phones are now small com- puters with nearly complete functionality and some unique communications capabilities. These devices all link to an entire spectrum of public and private networks.

Gartner has estimated that “by 2016, 40 percent of the global workforce will be mobile , with 67 percent of workers using smartphones” 2 (emphasis added).

With these new types of devices and operating environments come new demands for information governance (IG) policies and unknown security risks. 3 The Digital Systems Knowledge Transfer Network, a UK think tank, found: “The plethora of mo- bile computing devices fl ooding into the market will be one of the biggest ongoing security challenges [moving forward].” “With mobile devices connecting to Wi-Fi and Bluetooth networks, there are suddenly many more opportunities [for hackers] to get in and steal personal information.”4

Due to this rapid shift toward mobile computing, companies with mobile person- nel, such as salespeople and service technicians, need to be aware of and vigilant toward these impending security threats, which can compromise confi dential information.

Securing mobile devices is critical: A survey by Aberdeen Group, an IT research and analysis fi rm, estimates that that data leakage or loss can cost an organization anywhere from $10,600 to over $400,000 . 5

272 INFORMATION GOVERNANCE

The reality is that most mobile devices are not designed with security in mind ; in fact, d some compromises have been made to enable new smartphone operating systems to run on a variety of hardware, such as the Android OS from Google. This is analogous to the trade-offs Microsoft made when developing the Windows OS to run across a variety of hardware designs from many PC manufacturers.

Smartphone virus infections are particularly diffi cult to detect and thorny to remove. Users may be unaware that all their data is being monitored and captured and that a hacker is waiting for just the right time to use it. Businesses can suffer economic and other damage, such as erosion of information assets or even negative goodwill from a damaged image.

The smartphone market is rapidly expanding with new developments almost daily, each providing criminals with a new opportunity. An International Data Corporation report indicated that “ smartphone sales outpaced PC sales for the fi rst time ever in the fourth quarter of 2010 , with 100.9 million smartphones shipped versus 92.1 million PCs” (em- phasis added). 6 The growth in smartphone sales and new services from banks—such as making deposits remotely by snapping a picture of a check—means that there are new and growing opportunities for fraud and identity theft.

Awareness and education are key. The fi rst line of defense is for users to better under- stand cybercriminal techniques and to become savvier in their use of information and commu- nications technologies. s

A large part of the battle will be won when biometric authentication technolo- gies (those that use retina, voice, and fi ngerprint recognition) are mature enough to positively identify a user to ensure the correct person is accessing fi nancial or confi dential accounts. Application suppliers are fi rst concerned about functionality and widespread adoption; security is not their top priority. Users must be aware and vigilant to protect themselves from theft and fraud. On a corporate level, organi- zations must step up their training efforts in addition to adding layers of security technology to safeguard critical electronic documents and data and to protect infor- mation assets.

Social engineering —using various ways of fooling the user into providing privategg data—is the most common approach criminal hackers use , and it is on the rise. Machines do their job, and software performs exactly as it is programmed to do, but human beings are the weakest link in the security chain. As usage trends in the direction of a more mobile and remote workforce, people need to be trained as to what threats exist and constantly updated on new criminal schemes and approaches. This training is all part of an overall IG effort, controlling who has access to what information, t when, and from where.

With more and more sensitive business information being pushed out to mo- bile devices (e.g., fi nancial spreadsheets, business contracts, strategic plans, etc.) and advancing and evolving threats to mobile the mobile realm, IG becomes an imperative; and the most important part of IG is that it is done on an ongoing basis, con- sistently and regularly . Policies must be reviewed when a new mobile device starts to be utilized, when new threats are uncovered, as employees use unsecured public Wi-Fi networks more and more, and as business operations change to include more and more mobile strategies. Information technology (IT) divisions must ensure their mobile devices are protected from the latest security risks, and users must regularly be apprised of changing security threats and new criminal approaches by hackers.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 273

Mobile device management (MDM) is critical to secure confi dential informa-t tion assets and managing mobile devices. Some available technologies can wipe devices free of confi dential documents and data remotely, even after they are lost or stolen. These types of utilities need to be deployed to protect an enterprise’s information assets.

Current Trends in Mobile Computing

With the rapid pace of change in mobile computing, it is crucial to convey an under- standing of trends, to better know what developments to anticipate and how to plan for them. When a new mobile device or operating system is released, the best thing may be to wait to see what security threats pop up. It is important to understand the direction mobile computing usage and deployment are taking in order to plan and develop IG policies to protect information assets.

From CIOZone.com, here are the top trends in mobile computing:

1. Long Term Evolution (LTE). The so-called fourth generation of mobile computing (4G) is expected to be rolled out across North America over the next several years [2013–2015], making it possible for corporate users to run business applications on their devices simultaneously with Voice over IP (VoIP) capabilities.

2. WiMax [Worldwide Interoperability for Microwave Access]. As LTE andx WiMax networks are deployed in the U.S. through [2013 and beyond], expect to see more netbooks and laptops equipped with built-in radio fre- quency identifi cation (RFID) and wireless support. [WiMax is protocol for communications that provides up to 40 megabits/second speeds (much faster than Wi-Fi) for fi xed and mobile Internet access. The next IEEE 802.16m update will push the speed to up to 1 gigabyte bit/second fi xed speeds.]

3. 3G and 4G interoperability. Sprint has developed a dual mode card which will enable mobile device users to work on both 3G and 4G networks. Other carriers are expected to follow suit.

4. Smartphone applications. Third-party software vendors will increasingly make enterprise applications available for smartphones, including inven- tory management, electronic medical records management, warehousing, distribution and even architectural and building inspection data for the construction industry.

5. GPS. Global Positioning Systems (GPS) will increasingly be used to iden- tify end users by their whereabouts and also to analyze route optimization for delivery workers and service technicians.

6. Security. As new and different types of mobile devices are introduced, cor- porate IT departments will fi nd it increasingly challenging to identify and authenticate individual end users. As such, expect to see a combination of improvements in both Virtual Private Network (VPN) software and hard- ware-based VPNs to support multiple device types.

274 INFORMATION GOVERNANCE

7. Antivirus. As more third-party business applications are made available on smartphones and other mobile devices, CIOs [chief information offi cers] will also have to be cognizant about the potential for viruses and worms.

8. Push-button applications. Let’s say a waste disposal truck arrives at an indus- trial site and is unable to empty a Dumpster because a vehicle is blocking its path. Smartphones will increasingly have applications built into them that would make it possible for the disposal truck driver to photograph the impeding object and route the picture to a dispatcher to document and time-stamp the obstruction.

9. Supplemental broadband. As carriers implement LTE and WiMax networks, companies such as Sprint and Verizon are looking at potentially extending wireless broadband capabilities to small businesses which don’t have fi ber optic or copper connections on the ground. Under this scenario, a small packaging company in New Jersey could potentially be able to receive T-1 level (high-speed) broadband capabilities in regions of the U.S. where it has offi ces but doesn’t have wireline broadband connections.

10. Solid State Drives (SSDs). Corporate customers should expect to see contin- ued improvements in the controllers and fi rmware built into SSDs in order to improve the longevity of the write cycles in notebooks. 7

Security Risks of Mobile Computing

Considering their small size, mobile computing devices store a tremendous amount of data, and storage capacities are increasing with the continued shrinking of circuits and advancement in SSD technologies. Add to that the fact that they are highly portable and often unsecured and you have a vulnerable mix that criminals can target. Consid- ering how often people lose or misplace their mobile devices daily, and what valuable targets they are for physical theft (this author had a laptop stolen in the Barcelona air- port, right from under his nose), and it is clear that the use of mobile devices represents an inherent security risk.

But they do not have to be lost or stolen to be compromised, according to Stan- ford University’s guidelines, which are intended to help mobile computing device us- ers protect the information the devices contain. “ Intruders can sometimes gain all the access they need if the device is left alone and unprotected, or if data is ‘sniffed out of the air’ during wireless communications” s 8 (emphasis added). The devices can be compromised with the use of keystroke loggers that capture every single entry a user makes. This can be done without the user having any knowledge of it. That means company passwords, confi dential databases, and fi nancial data (including personal and corporate credit card numbers) are all at risk.

Securing Mobile Data

The fi rst and best way to protect confi dential information assets is to remove confi dential, un- necessary, or unneeded data from the mobile device. Confi dential data should not be stored on the device unless explicit permission is given by the IT department, business unit

INFORMATION GOVERNANCE FOR MOBILE DEVICES 275

head, or the IG board to do so. This includes price lists, strategic plans, competi- tive information, photo images of corporate buildings or coworkers, and fi nancial data such as tax identifi cation numbers, company credit card or banking details, and other confi dential information.

If it is necessary for sensitive data to be stored on mobile devices, there are options to secure the data more tightly, using USB drives, fl ash drives, and hard drives that have integrated digital identity and cryptographic (encryption) capabilities.

Mobile Device Management

MDM software helps organizations to remotely monitor, secure, and manage devices such as smartphones and tablet PCs. 9 MDM improves security and streamlines enterprise management of mobile devices by providing ways to contact the remote devices individually or en masse to add, upgrade, or delete software, change confi guration settings, and “wipe,” or erase, data, and make other security-related changes and updates. More sophisticated MDM offerings can manage not only homogenous company-owned mobile devices but also those that employees use in the workplace in a bring-your-own-device (BYOD) environment.

The ability to control confi guration settings and secure data remotely allows or- ganizations to better manage and control mobile devices, which reduces the risk of data leakage and reduces support costs by providing more uniformity and the ability to monitor enforce company-dictated IG policy for mobile devices.

Key vendors in the MDM marketplace include AirWatch, Apple (Profi le Man- ager) AppSense, BoxTone, Centrify, Citrix, Good Technology, IBM (Endpoint Man- ager for Mobile Devices), LANDesk, MobileIron, SAP (Afaria MDM), and Symantec (Mobile Management Suite).

Rapid growth is expected in the MDM marketplace, with Gartner projecting that nearly two-thirds of organizations will deploy MDM software by 2018. 10 And Frost & Sullivan projects that “the market for enterprise MDM will grow from $178.6 million in 2011 to $712.4 million by 2018.” 11

Trends in MDM

Six key trends in the MDM marketplace are discussed next.

1. MDM software expansion and maturity. Many experts believe that MDM will develop and reach beyond just mobile endpoints to include deep integration with mobile infrastructure and applications (apps). 12 What is important is securing and authenticating data. To ensure that, MDM must expand beyond remote device locking, tracking, and wiping. A more comprehensive life cycle management approach will emerge beginning with the acquisition or introduction of the device into the enterprise network until its retirement or destruction. In addition, monitoring and controlling costs through integrated expense management will likely occur.

2. Consolidation of MDM major players. Acquisitions by Citrix, Good Technology, TT and others signal that fewer but stronger market leaders are likely to emerge.

276 INFORMATION GOVERNANCE

3. Cloud-based MDM. This will become the norm, not the exception, and it will happen quite rapidly.

4. Emphasis on mobile device policy. Technology can do only so much—an orga- nization must have its IG policies, processes, and audit practices formalized, tested, and monitored. The IT department must have clear direction on which data and devices to monitor and secure, and employee rights and responsibili- ties must be clearly delineated and communicated.

5. Diversifying and expanding mobile monitoring and security. This means that MDM may go beyond today’s mobile devices and include remote instruments and machines that are churning out data in applications, such as process man- agement, transportation management, and enterprise resource management.

6. Infrastructure consolidation. The currently disparate pieces, including social computing, mobile computing, and cloud computing, may consolidate and become the new construct for the infrastructure paradigm. This means that tools will emerge to manage all these pieces in a centralized and holistic way.

IG for Mobile Computing

Stanford University’s guidelines are a helpful foundation for IG of mobile devices. They are “relatively easy to implement and use and can protect your privacy” and safeguard data “in the event that the device becomes compromised, lost or stolen.” 13

Smartphones and Tablets ■ Encrypt communications. For phones that support encrypted communication

(secure sockets layer [SSL], virtual private network [VPN], hypertext transfer protocol secure [https]), always confi gure defaults to use encryption.

■ Encrypt storage. Phones approved to access confi dential information assets must encrypt their bulk storage with hardware encryption.

■ Password protect. Confi gure a password to gain access and or use the device. Passwords for devices that access confi dential information assets should be at least seven characters in length and use upper- and lowercase letters as well as some numerical characters. Passcodes should be changed every 30 days.

■ Timeout. Set the device so that it is locked after a period of idleness or timeout, perhaps as short as a few minutes.

■ Update. Keep all system and application patches up to date, including mobile OSs and installed applications. This allows for the latest security measures and patches to be installed to counter ongoing threats.

■ Protect from hacking. Phones approved to access confi dential and restricted data must not be jailbroken (hacked to gain privileged access on a smartphone us- ing the Apple iOS) or rooted (typically refers to jailbreaking on a smartphone running the Android OS). The process of rooting varies widely by device. It usually includes exploiting a security weakness in the fi rmware shipped from the factory. “‘Jailbreaking’ and ‘rooting’ removes the manufacturer’s protection against malware.”

■ Manage. Phones approved to gain access to confi dential information assets must be operating in a managed environment to maintain the most current security and privacy settings, and monitor use for possible attacks.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 277

Portable Storage Devices These include thumb drives or memory sticks, removable hard drives, and even devices like iPods that are essentially mobile disc storage units with extra bells and whistles.

■ Create a user name and password to protect the device from unauthorized ac-d cess—especially if lost or stolen.

■ Utilize encryption to protect data on devices used to store and/or transport con- fi dential information assets.

■ Use additional levels of authentication and management for accessing the device,t where possible.

■ Use biometric identifi cation to authenticate users, where possible.

Laptops, Netbooks, Tablets, and Portable Computers ■ Password protect. This is the most basic protection, yet it is often not used. Cre-

ate a user name and password to protect the device from unauthorized access; require that they are entered each time the computer is used.

■ Timeout. Require that the password is reentered after a timeout period for the screensaver.

■ Encrypt. Laptops, notebooks, or tablets used to access confi dential information assets should be required to be encrypted with whole disk encryption.

■ Secure physically. Physical locks should be used “ whenever the system is in a station- ary location for extended periods of times.” s

Building Security into Mobile Applications

While it is a relatively new channel, mobile electronic commerce (e-commerce) is growing rapidly, and new software apps are emerging for consumers as well as business and public sector enterprises. These apps are reducing business process cycle times and making the organizations more agile, more effi cient, and more productive. Some key strategies can be used to build secure apps.

As is the case with any new online delivery channel, security is at the forefront for organizations as they rush to deploy or enhance mobile business apps in the fast- growing smartphone market. Their priorities are different from those of the software developers churning out apps.

In the banking sector, initially many mobile apps limited customers to a walled-off set of basic functions—checking account balances and transaction histories, fi nding a branch or automated teller machine location, and initiating transfers—but “a new wave of apps is bringing person-to-person payments, remote deposit capture and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats”s 14 (emphasis added).

Security experts state that the majority of the challenges that could result from mobile fraud have not been seen before. Mobile e-commerce is relatively new and has not been heavily targeted—yet. But industrial espionage and the theft of trade secrets by targeting mobile devices is going to be on the rise and the focus of rogue competitive intelligence-gathering organizations. User organizations have to be even

278 INFORMATION GOVERNANCE

more proactive, systematic, and diligent in designing and deploying mobile apps than they did with Web-based apps.

Software developers of mobile apps necessarily seek the widest audience possible, so they often deploy them across multiple platforms, which forces some security trade- offs: Enterprises have to build apps for the “strengths and weaknesses intrinsic to every device, which adds to the security challenges”15 (emphasis added).

A side effect of mobile app development efforts from the user perspective is that it can reshape the way users interact with core information management (IM) applica- tions within the enterprise.

The back-offi ce IM systems, such as accounting, customer relationship manage- ment, human resources, and other enterprise apps that are driving online and mobile, are the same as before, but the big difference comes in how stakeholders (employees, customers, and suppliers) are interacting with the enterprise. In the past, when deploy- ing basic online applications for browser access, there was much more control over the operating environment; with newer mobile applications running on smartphones and tablets, that functionality has been pushed out to end user devices.

Real Threats Are Poorly Understood

The list of threats to mobile apps is growing, and existing threats are poorly under- stood, in general. They are just too new, because mobile commerce by downloadable app is a relatively new phenomenon—the Apple iTunes App Store and the Android Marketplace debuted in the second half of 2008. “But that doesn’t mean the threat isn’t real—even if the app itself is not the problem.” 16 The problem could be the unsecure network users are on or a device infection of some sort.

For mobile apps, antivirus protection is not the focus as it is in the PC world; the security effort mostly focuses on keeping malware off the device itself by addressing software development methods and network vulnerabilities. Surely, new types of at- tacks on mobile devices will continue to be introduced. That is the one thing that can be counted on.

There already have been some high-profi le examples of mobile devices being compromised. For example, in 2010:

New York–based Citibank’s iPhone app was found to be storing customers’ [private] data on their phones, with obvious privacy implications [and expos- ing it to theft and fraud]. Meanwhile, Google (New York) has had to pull a number of apps from the Android Marketplace built by an anonymous [crim- inal] developer who was creating fake bank apps [with realistic and usable features] that attempted to exploit information on users’ devices to commit banking and [credit] card fraud.

There are many more examples, but the cited incidents make it imperative to understand the mobile app marketplace itself in order that effective IG policies and controls may be developed, deployed, and enforced. Simply knowing how Google has approached soliciting app development is key to developing an IG strategy for Android devices. Google’s relatively open-door approach initially meant that almost anyone could develop and deploy an app for Google Android. Although the policy has evolved somewhat to protect Android users, it is still quite easy for any app developer—well

INFORMATION GOVERNANCE FOR MOBILE DEVICES 279

intentioned or malicious—to release an app to the Android Marketplace. This in itself can pose a risk to end users, who sometimes cannot tell the difference between a real app released by a bank and a banking app built by a third party, which may be fraudulent. Apple has taken a more prudent and measured approach by enforcing a quality-controlled approval process for all apps released to its iTunes App Store. Sure, it slows development, but it also means apps will be more thoroughly tested and secure.

Both approaches have their positives and negatives the companies and for the de- vice users. But clearly, Apple’s curated and quality-controlled approach is better from a security risk standpoint.

Understanding the inherent strengths and, perhaps more important, weaknesses of specifi c mobile hardware devices and OS—and their interaction with each other— is key when entering the software design phase for mobile apps.

The development environment is altogether different. Windows programmers will experience a learning curve. Mobile apps under Android or Apple OS operate in a more restricted and less transparent fi le management environment.

Bearing that in mind—regardless of the mobile OS—fi rst ensure that data is secured, — and then check the security of the application itself. That is, practice good IT governance to ensure that the software source code is also secure. Malicious code can be inserted into the program; once it is deployed, hackers will have an easy time stealing confi dential data or documents.

Innovation versus Security: Choices and Trade-offs

As organizations deploy mobile apps, they must make choices, given the limited or confi ned software development environment and the need to make agile, intuitive apps that run fast so users will adopt them. To ensure that a mobile offering is secure, many businesses are limiting their apps’ functionality. So stakeholder users get mobile access that they didn’t have before and a new interface with new functionality, but it is not possible to offer as much functionality as in Web apps. And more security means some sacrifi ces and choices will need to be made versus speed and innovative new features.

Some of the lessons learned in the deployment of online Web apps still apply to mobile apps. Hackers are going to try social engineering like phishing (duping users into providing access or private information) and assuming the identity of an account holder, bank, or business. They will also attempt man-in-the-middle attacks. (More on that topic soon).

With mobile applications, typically the app is operated directly on a mobile de- vice, such as a smartphone. This is a key difference between apps and traditional PC-based interfaces that rely on browser access or using basic mobile phone text messaging. Connect- ing to a business via app can be more secure than relying on a browser or texting platform, which require an additional layer of software (e.g., the browser, texting platform, or Wi-Fi connection) to execute sensitive tasks. These security vulnerabili- ties can compromise the safety of information transmitted to a secure site. Thank- fully, if the app is developed in a secure environment, it can be entirely self-contained, and the opportunity to keep mobile data secure is greatest when using the app as opposed to a browser-based platform.

This is because a mobile app provides a direct connection between the user’s de- vice and the business, governmental agency, or e-commerce provider. Some security experts believe that mobile apps potentially could be more secure than browser-based

280 INFORMATION GOVERNANCE

access from the desktop because they can communicate on an app-to-app (or comput- er-to-computer) level.

In fact, “a customer using a bank app on a mobile network might just be safer than a customer accessing online banking on a PC using an open Wi-Fi connection” that anyone can monitor.

How do you combat this browser-based vulnerability if it is required to access an online interface? The most effective and simplest way to counter security threats in the PC- based browser environment and to eliminate man-in-the-browser or man-in-the-middle r attacks is to use two different devices rather than communicate over a standard Internet s connection. This approach can be built into IG guidelines.

Consider this: Mobile apps actually can bring about greater security. For exam- ple, do you receive alerts from your bank when hitting a low-balance threshold? Or a courtesy e-mail when a transaction is posted? Just by utilizing these types of alerts—and they can be applied to any type of software application beyond bank- ing—tech-savvy users themselves can serve as an added layer of protection. If they receive an alert of account activity regularly, they may be able to identify fraudulent activity immediately and take action to counter it and stop it in its tracks, limiting the damage and potential exposure of additional private data or confi dential infor- mation assets.

Best Practices to Secure Mobile Applications

Mobile computing is not going away; it is only going to increase in the future. Most businesses and governments are going to be forced to deploy mobile apps to compete and provide services customers will require. There is the potential for exposure of confi dential data and e-documents, but this does not mean that organizations must shy away from deploying mobile apps. 17 Some proven best practice approaches can help to ensure that mobile apps are secure.

Some steps can be taken to improve security—although there can never be any guarantees— and some of these should be folded into IG guidelines in the policy de- velopment process. BankTech magazine identifi ed six best practices that can shape an organization’s app development process:

1. Make sure your organization or outside development fi rm uses seasoned application developers who have had secure-coding training and use a se- cure software development life cycle (SDLC).

2. [Developed for banking apps, this approach can be applied to other vertical apps too.] Follow the guidance suggested by the Federal Deposit Insur- ance Corp. (FDIC FIL-103-2005) regarding authentication in an Inter- net banking environment. The guidance describes enhanced authentication methods, such as multifactor authentication, that regulators expect banks to use when authenticating the identity of customers using the bank’s online products and services.

3. Make sure that the customer (or employee) is required to re-enter his or her credentials after a certain time period to prevent someone other than the mo-d bile device’s owner from obtaining access to private account information.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 281

4. Hire an information security expert to assess the security around your mobile t application servers. Unfortunately, an organization’s servers are often over- looked during a risk assessment, as they require a specialized skill set to test d them.

5. Encrypt sensitive data that is stored on a mobile device and account data that travels from the handset across the Internet. Ensure that the encryption is implemented properly.

6. Hire a security expert to test the security of a mobile application before you implement it across your customer base. 18 (Emphasis added throughout.)

Developing Mobile Device Policies

Where do you start? Developing a comprehensive mobile strategy is key before you craft your mobile device policies. You will need input from a variety of stakeholders, and you will need to understand where mobile devices fi t in your overall technology infrastructure and strategy. Here are some best practices for developing your mobile device policies.

1. Form a cross-functional mobility strategy team. You will need the input of primary stakeholder groups, including IT, fi eld business units, and human resourc- es (for policy creation and distribution). Your strategy development process should also tap into the expertise of your risk management, compliance, re- cords management, and legal departments. The aim will be to balance risks and benefi ts to improve employee productivity and guard against risk while focusing on the goals and business objectives of the organization. 19

2. Clarify goals for your mobile strategy. Start your discussion with the big picture, the “30,000 foot view” of the business drivers, challenges, threats, and op- portunities that mobile computing provides in today’s technology context and your business context. Draw a direct line from your mobile business needs to your planned mobile support strategy and infrastructure. Keep your business goals in mind and link them to the discussion.

3. Drill down into policy requirement details. You may want to survey other exist- ing mobile device policies to inform your mobility strategy team. Those from peer organizations and competitors will be most relevant. Then start with the basics: which types of devices and OS make sense for your organization to support, what changes and trends are occurring in the technology market- place, which sensitive e-documents and data you must protect (or disallow) on mobile devices, and what available security technologies (e.g. MDM, mobile VPNs, encryption, information rights management) you might deploy. It may be helpful to segment your mobile users into broad categories, and break out a list of their specifi c business needs related to mobile computing. Your strategy and policies for executives will be somewhat different than those for users in fi eld business units. And you will need BYOD policies if your organization opts to go this route.

4. Budgeting and expense control. Is the organization going buy devices and pay all mobile expenses through direct billing each month? What cost controls need

282 INFORMATION GOVERNANCE

to be in place? Or will mobile device use expenses be reimbursed by a fl at rate or by processing expense reports? What about BYOD? Roaming charge limits? Decisions on the fi nancial and cost control aspects of mobile comput- ing use must be made by your mobility policy team, under the guidance of an executive sponsor.

5. Consider legal aspects and liability issues. Consult your legal counsel on this. What key laws and regulations apply to mobile use? Where could users run afoul? What privacy and security issues are most prominent to consider? What about the private data that users may hold on their own (BYOD) devices? An overarching consideration is to maintain security for private information and to have a policy in place for data leaks and lost or stolen devices. That includes your policy on remote “wipes” of sensitive data or perhaps all data.l

6. Weigh device and data security issues. Since most mobile devices—especially smartphones—were not designed with security as a foremost consideration, you must take steps to protect your sensitive data and to secure the devices themselves without impeding business or making operation too diffi cult for the end user. The world of mobile computing presents new challenges that were not present when IT had full control of endpoint devices and internal networks. Clear mobile security policies and controls must be in place.

7. Develop your communications and training plan. Users must be apprised and re- minded of your mobile device policy if they are going to adhere to it. They also need to know the consequences of violating your policies. Your commu- nications and training plan should be creative—from wall posters to text and e-mail messages, from corporate newsletters to group training sessions. You may want to fi rst pilot your new policy with a small group of users. But com- munication and training are key: A perfect mobile device policy will not work if it is not communicated properly and users are not trained properly.

8. Update and fi ne-tune. There will be some misses, some places where after your deploy your mobile policy you fi nd room for improvement. You will receive user feedback, which should be considered too. And there will be changes in the technology marketplace and user trends. A program must be in place to periodically (every six months, perhaps) review your mobile device policy and any audit information to make improvements in the policy.

If your organization sanctions the use of mobile devices, you must have a clear, updated IG policy for their use, and you must be able to monitor, test, and audit com- pliance with the policy. Bear in mind that mobile devices are inherently unsecured and have many vulnerabilities, and you will have to consider possible security threats. If your organization plans to utilize a BYOD approach, your support for mobile de- vices will be more challenging and complex. Critical to success in leveraging mobile devices is training employees on your IG policy and policy updates and consistently reinforcing the message of cautiousness with confi dential company data. If you are us- ing mobile devices to conduct business, there will be business records that are created that must be captured and archived with their integrity and authenticity intact. All information on an employee’s smartphone or tablet is potentially discoverable in legal proceedings, so you must include your legal team in policy development and periodic updates. Mobile device use can allow for great productivity gains, but the gains come with associated risks.