ISF: Consider an amnesty on mobile device use before you rewrite user policies
IT managers should consider an amnesty for personal devices in the consumerisation challenge.
Adrian Davis, principal research analyst at the Information Security Forum (ISF), said that consumerisation will not go away and will become more prominent as time goes on. Some organisations will have a blanket ban, but it rarely stops personal devices being connected to the corporate network.
“IT managers are struggling to find the right approach. It is like Instant Messenger: years ago organisations did not know who was using it, so they shut everything down and waited for demands from users. It is the same now, as organisations do not know what is going on and the organisation is disjointed,” he said.
Davis suggested that an amnesty is an option as a means of carrying on through the challenge while you decide what to do. He said: “You can say you know that users are using devices, but please tell us when and where you are connecting so that you can formulate a response.
“You have to say no but be serious about knowing what is going on so you can get the user policy right. That will be difficult to write if a device has personal and corporate data on it, as do you have the right to remote wipe it? This is when you have to step out of the CISO role to work with legal and the business or devices will proliferate and you may be breaking the law without knowing it.
“You may demand that every user has to sign an acceptable use policy and once you have the framework in place and roll things out, then you need mobile device management. Only by classifying the data can you tell people what is moving around, as you do not want to breach policy and regulatory rules.
“Consumerisation is not going away. If you say no as a CISO you will get shoved out of the way. You have to do this as a whole and work at all four elements: governance; users; devices; and applications and data.”
Asked if the idea of an amnesty was a practical one, Davis said that there is still a need for CISOs to be looking to the future, as something will come along that will catch IT managers out, just as the influx of tablet devices has.
“You have to be informed at the table and have to be able to say ‘yes’ and ‘I know what that is’.”