Policy Workbook: Mobile and Wireless

Enterprises across the country are starting to take mobile and wireless policy seriously. If yours isn't among them, take heed.

September 22, 2006


Fifty-seven percent of North American executives think setting mobile and wireless strategies and policies is important to their firms' IT/telecom initiatives, according to a March 2006 Forrester Research survey. We see that statistic as a stinging indictment of the current state of affairs. When more than half of those surveyed are only now thinking about setting policy, we're way behind the curve.


Let's get real: The smartphones many end users carry are more computer than phone. Every organization has at least a few mobile devices in the wild, and their popularity is growing at every echelon. Although deployment levels vary, nearly three-quarters of firms have deployed wireless e-mail to support mobile workers, according to the Forrester survey.

Fortunately, enterprises across the country are starting to take mobile and wireless policy seriously. If yours isn't among them, take heed: If a mobile policy isn't in place to manage growth, the full benefits of mobility will erode, falling victim to haphazard and inefficient device-provisioning procedures, higher support costs related to a lack of standardization, and security breaches due to mishandling of confidential information and unsecured/unmanaged devices. One employee might check her e-mail using a built-in application such as Palm OS' VersaMail, while another may use a service-provider-hosted version of Intellisync's Wireless Email Express, and the executive staff may already be using RIM BlackBerry devices and servers.

Policies are proactive. Some employees will be apathetic, but others will struggle to make good mobility choices. Help them, help yourself. A wireless and mobile policy benefits the company as it relates to security, support costs and productivity, and benefits employees as it relates to liability as a result of data loss. The intellectual property on a lost device could be used for extortion, to gain a competitive advantage or to poach customers, and PII (personally identifiable information) may be used for identity theft.

Post hoc assessment by a mobility task force may not be terribly difficult, but the actual implementation of policy will challenge the reigning laissez-faire approach to mobile devices. Organizations with small installations that are preparing to launch a mobile solution are in a prime position to set a high standard.

What's In There

A mobile and wireless policy must encompass much more than best-practice security procedures--specifically, provisioning, device selection, application deployment and device management, usage guidelines and support.

Before you can decide what should be provisioned, it's important to know to whom a device should be provisioned. A mobile audit or assessment of the workforce will document the mobility environment, usage patterns and costs, and help identify the different types or categories of mobile workers and their needs. Once categories have been established, provisioning issues such as requisition procedures, how devices are configured and delivered, as well as device payment and service-plan selection should be addressed (for more on categorizing users, see "10 Steps to Mobilization").

A mobile policy must speak to device selection. Without hardware support, a replacement inventory to deal with lost or damaged devices, and application compatibility checks, the hottest and latest device on the market may end up costing the company many times its retail value in frustration as helpdesks struggle to support unfamiliar features. One-off smartphones with unique screen sizes may not display applications properly.

A mobility policy doesn't need to dictate specific models. It should describe how devices are chosen by the organization and approved for employee use. Unless an application requires a specific device or functionality, give employees a few choices so the policy is perceived as enhancing organizational productivity and the mobility experience as opposed to a personality stranglehold. If Windows Mobile 5 is the required OS, for example, offer the Motorola Q and Palm Treo 700w in addition to more affordable devices.

A smartphone's value is in the applications it provides, be they as simple as an address book with voice or as complex as a live interface into the corporate ERP system. A mobility policy must address application access (which ones, what kind of access) and device management. Decide whether users will be allowed to install new, unsupported software on their devices. Establish guidelines to review and approve applications. Security settings, such as idle time-outs, power-on passwords, password lockouts, virus protection and local storage encryption should be addressed; profiles may vary by worker category. An oft-touted feature, remote device "kill" capability, must be tied to specific escalation and approval procedures so it can be performed quickly, but with proper oversight.

Usage policies are often forgotten and extend beyond good etiquette. Because mobile devices by definition move around, policies that describe where, when and how they should be stored and cared for are an important part of secure mobile computing. Usage policies should also discuss how mobile users access the corporate network from their devices, describing minimum levels of host-based security (antivirus, antispyware) and link security (Wi-Fi with WPA and IPsec, cellular with IPsec VPN). Security usage policies should be automated, or at the very least, resources should be available to assist end users with compliance. Agents that reside on the device and enforce policies may be necessary to satisfy your security group or regulatory auditors (we cover mobile device security in more depth in "Security on the Road").
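The security settings and link requirements described above lend themselves to an automated check. The following is an added example, not part of the original article: it audits constructed inventory records against per-category profiles, and the category names, thresholds and record field names are all assumptions.

```python
# Assumed per-category limits; category names and numbers are illustrative only.
PROFILES = {
    "executive": {"max_idle_minutes": 5, "max_failed_logins": 5},
    "field_sales": {"max_idle_minutes": 15, "max_failed_logins": 10},
}
# Link protections named in the article: Wi-Fi with WPA and IPsec, cellular with IPsec VPN.
REQUIRED_LINK_SECURITY = {"wifi": {"wpa", "ipsec"}, "cellular": {"ipsec"}}
REQUIRED_FLAGS = ("power_on_password", "antivirus", "antispyware", "storage_encrypted")


def audit_device(device):
    """Return a list of findings for one device; an empty list means compliant."""
    profile = PROFILES.get(device.get("category"))
    if profile is None:
        # A device that matches no worker category fails closed.
        return ["no profile for category %r" % device.get("category")]
    findings = [flag + " not enabled" for flag in REQUIRED_FLAGS if device.get(flag) is not True]
    idle = device.get("idle_timeout_minutes")
    if not idle or idle > profile["max_idle_minutes"]:  # 0 or missing means it never locks
        findings.append("idle time-out missing or above %d min" % profile["max_idle_minutes"])
    lockout = device.get("lockout_after_failures")
    if not lockout or lockout > profile["max_failed_logins"]:
        findings.append("password lockout missing or above %d attempts" % profile["max_failed_logins"])
    for link, protections in sorted(device.get("links", {}).items()):
        required = REQUIRED_LINK_SECURITY.get(link)
        present = {p.lower() for p in protections}
        if required is None:
            findings.append("unapproved link type " + link)
        elif not required <= present:
            findings.append("%s link missing %s" % (link, "+".join(sorted(required - present))))
    return findings


def audit_inventory(inventory):
    """Map each device id to its findings."""
    return {device["id"]: audit_device(device) for device in inventory}


# Constructed inventory records for illustration (not real devices).
_OK = {"category": "executive", "power_on_password": True, "antivirus": True,
       "antispyware": True, "storage_encrypted": True, "idle_timeout_minutes": 5,
       "lockout_after_failures": 5, "links": {"wifi": ["WPA", "IPsec"], "cellular": ["IPsec"]}}
INVENTORY = [
    dict(_OK, id="dev-001"),
    dict(_OK, id="dev-002", category="field_sales", storage_encrypted=False,
         idle_timeout_minutes=30, links={"wifi": ["WPA"]}),
    dict(_OK, id="dev-003", category="contractor"),
]

if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(dev_id, "compliant" if not findings else "; ".join(findings))
```

A device whose category matches no profile is reported as a finding rather than skipped, so uncategorized devices surface in the audit instead of passing silently.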

Finally, your policy should identify hardware sources and assign responsibility for application support. While this can become tricky when physical devices are locally provisioned, managed by corporate IT, with application support found at another helpdesk, the gaps must be identified so users in the field know where to go for help. Sometimes, mobile providers can be enlisted for local support.

Finally, a wireless policy cannot remain static in light of this field's rapidly developing technology. Annual reviews will ensure the mobile policy remains contemporary. Provide a mechanism for employees to share feedback. Demonstrate flexibility for unusual circumstances, but demand accountability. Spot checks and regular audits will confirm the organization's commitment to mobility and substantiate the value it has to the organization when well-executed.

Frank Bulk is an NWC contributing editor and works for a telecommunications company based in the midwest.
