Ask The Security Expert: Questions & Answers

How to approach a wireless policy

EXPERT RESPONSE FROM: PJ Varrassi

QUESTION POSED ON: 23 March 2001
What is a good approach in writing a wireless and handheld device usage policy?


Some specific questions need to be answered first.

1. The first critical question to ask is what information classification(s) will pass through, be processed on, or reside on the wireless or handheld device? If the information passing through, being processed on, or residing on the device is non-critical, such as Public or Internal Use Only, the policy can be less stringent. If the information passing through, being processed, or residing on the device is mission critical, such as Restricted or Confidential, stringent controls need to be implemented. Your company's information classification policy may dictate much of this policy.

2. Your selection of terminology in this rapidly changing area could save you from potential liability and having to update the policy numerous times to reflect technological enhancements in this area. It would be most advantageous to NOT SPECIFY devices (i.e., PDAs, HPC, two-way pagers, WAP, Internet phones, wireless LANs, mobile radio systems, ham radio networks, smart phones, wireless packet networks, satellite / VSATs, alphanumeric pages, barcode readers, handwriting recognition readers, PC to computer, phone to PC, etc.). Instead use terminology such as "portable electronic devices" so current devices as well as future devices will be covered.

3. You will also need to address potential problem areas such as:

Is the device company owned/supplied or personally owned? If company owned, the company has control over the device and can dictate use. Will you allow personally owned use or information on the device? To what extent? If personally owned, the company cannot exercise the same control as with a company owned device. Will you allow corporate information on the device? To what extent?

Can employees lend their devices (whether company owned or personally owned) to another? (This may be critical when the employees have separate "need-to-know" classifications.)

And most importantly, DO YOU HAVE SUPPORTING POLICIES ON THESE SITUATIONS? Hint: What do your Privacy Policy and Information Classification Policy say?

Do the devices have to meet certain standards, including security? Does the device have to be approved by your Information Security Department (or any other department) prior to acquisition or use? Some devices are more secure than others, with some even offering security packages.

Will you (or under what circumstances) allow device synchronization? This could be a major vulnerability depending upon the circumstances.

Make sure your policy addresses verbalizations. Keeping information under lock and key (be it physical control mechanisms or password controls) is ineffective if employees are talking about sensitive information in public places (be it on cell phones, pay phones, over speakerphones, restaurants or Internet).

The policy should address the physical security of the devices, particularly since the device is generally small and easily concealed by a thief.

Thought for the Day: It's 2001, do you have a Search and Seizure Policy?

Information contained herein is to be used as general reference and not to replace legal guidance regarding your specific situation.

