Security Policy Enforcement
For security policies to work, they must be enforced. Enforcement capabilities for password protection may include requiring the use of a password, controlling the minimum and maximum length of passwords, mandating special characters or numerals in passwords, governing the frequency with which passwords are changed, and controlling if or when passwords can be reused.
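Added example, not from the AT&T guide: a small password policy checker that implements the controls listed above (password required, minimum and maximum length, special characters and numerals, reuse against a retained history, and a maximum age that forces a change). The policy values and the SHA-256 history digest are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

PASSWORD_POLICY = {  # constructed values; the controls are the ones the text lists
    "required": True, "min_length": 8, "max_length": 64,
    "require_special": True, "require_numeral": True,
    "max_age_days": 90, "history_size": 5,
}

def digest(password):
    # SHA-256 only so the example runs with the standard library; a real password history
    # should be kept with a slow, salted password hash (assumption, not the page's guidance).
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(candidate, policy, history=()):
    """Return the rules a proposed password violates (empty list = accepted).
    history holds digests of previous passwords, newest first."""
    if policy["required"] and not candidate:
        return ["password_required"]
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("too_short")
    if len(candidate) > policy["max_length"]:
        violations.append("too_long")
    if policy["require_special"] and not any(not c.isalnum() for c in candidate):
        violations.append("no_special_character")
    if policy["require_numeral"] and not any(c.isdigit() for c in candidate):
        violations.append("no_numeral")
    if digest(candidate) in history[:policy["history_size"]]:  # reuse within the retained history
        violations.append("reused")
    return violations

def password_expired(last_changed, policy, today=None):
    """True when the password is older than max_age_days, i.e. a change must be forced."""
    today = today or date.today()
    return (today - last_changed).days > policy["max_age_days"]
```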
Enforcement of the permissible applications policy can involve either warnings or actions if a user is found to have applications not authorized by the enterprise or to be missing authorized applications. The least invasive action is to send the user a notice that he or she is out of compliance. A more active approach is generally more effective: it involves removing any unauthorized applications and restoring any authorized applications that are missing.
Enforcement of security elements extends permissible-application enforcement to one particular class of application, namely security applications. With security applications, it is not enough to confirm that the appropriate software is on the device; it is also important that the software is configured correctly and has not been disabled. Security enforcement management gives administrators the capability to set policies and to have them enforced remotely.
Configuration management involves making sure that the proper APN and dial strings are used, and that peripheral devices and ports are off or on as dictated by policy. Some devices lose their settings if the battery dies. If a user is utilizing a custom dial string or a custom APN and the device goes dead, configuration management tools can be used to restore the correct values. The other role of configuration management is to disable device features that the enterprise considers security risks; these features may include the camera, Bluetooth, IR, and Wi-Fi.
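Added example, not from the AT&T guide, covering the three enforcement areas above in one compliance check: unauthorized and missing applications, security applications that are installed but disabled or misconfigured, and device features the policy says must be off. The policy, app names and device inventory are constructed; `enforce` with `active=False` only produces notices (the least invasive action), while `active=True` removes, restores, re-enables and reconfigures.

```python
POLICY = {  # constructed policy: apps outside allowed_apps are unauthorized; listed features are risks
    "allowed_apps": {"mail", "vpn", "antivirus", "crm"}, "required_apps": {"mail", "vpn", "antivirus"},
    "security_apps": {"antivirus": {"realtime_scan": True}, "vpn": {"always_on": True}},
    "disabled_features": {"camera", "bluetooth", "ir"},
}

def evaluate(device, policy):
    """Return (action, target, value) findings; an empty list means the device is compliant."""
    findings, apps = [], device["apps"]
    for app in sorted(set(apps) - policy["allowed_apps"]):
        findings.append(("remove_app", app, None))
    for app in sorted(policy["required_apps"] - set(apps)):
        findings.append(("restore_app", app, None))
    for app, required in policy["security_apps"].items():  # installed is not enough: it must
        state = apps.get(app)                                # also be enabled and configured
        if state is None:
            continue  # already reported as restore_app
        if not state.get("enabled"):
            findings.append(("enable_app", app, None))
        for key, value in required.items():
            if state.get("config", {}).get(key) != value:
                findings.append(("set_config", app, (key, value)))
    for feature in sorted(policy["disabled_features"]):
        if device["features"].get(feature):
            findings.append(("disable_feature", feature, None))
    return findings

def enforce(device, policy, active=False):
    """Passive mode only returns notices; active mode also mutates the device back into compliance."""
    messages, apps = [], device["apps"]
    for action, target, value in evaluate(device, policy):
        messages.append(f"{'REMEDIATED' if active else 'NOTICE'}: {action} {target} {value or ''}".rstrip())
        if not active:
            continue
        if action == "remove_app":
            del apps[target]
        elif action == "restore_app":  # reinstall with the configuration the policy demands
            apps[target] = {"enabled": True, "config": dict(policy["security_apps"].get(target, {}))}
        elif action == "enable_app":
            apps[target]["enabled"] = True
        elif action == "set_config":
            apps[target].setdefault("config", {})[value[0]] = value[1]
        elif action == "disable_feature":
            device["features"][target] = False
    return messages

def sample_device():  # constructed inventory: unauthorized game, antivirus off, VPN misconfigured, camera on
    apps = {"mail": {"enabled": True}, "vpn": {"enabled": True, "config": {"always_on": False}},
            "antivirus": {"enabled": False, "config": {"realtime_scan": True}}, "game": {"enabled": True}}
    return {"apps": apps, "features": {"camera": True, "bluetooth": False, "ir": False, "wifi": True}}
```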
Users should understand, at least in general terms, some of the security threats that your enterprise faces, and what employees can do to help to minimize those threats. Users who are aware of the importance of security are less likely to take actions that may result in a breach. Many enterprises choose to implement a security awareness program to educate all employees who use IT systems.
The effectiveness of a security awareness program, like an advertising campaign, is a function of the number of impressions—the more users hear and see security messages, the more likely they will be to remember those messages.
A comprehensive security awareness program may include the following components:
- Posters and pamphlets
- Training sessions
- White papers
- A repository for security awareness documents
- Security Awareness Day
Also like an advertising campaign, the messages or central themes of your security awareness program should be consistent. For example, posters and pamphlets should reinforce the messages employees hear in training sessions.
TIP: When you create a mobile security awareness program, make sure that much of the relevant content is available on the mobile devices you deploy and that users know how to access the content.
Posters and Pamphlets
Posters keep security visible and remind users how important security is as they go about their day-to-day work. Posters are also useful for announcing changes in security policy and for promoting security training or Security Awareness Day. When promoting security events, make sure that the posters provide details on times, dates, locations, and topics.
Pamphlets can be used like posters to reinforce good security practices or to announce security changes and events. Pamphlets should be short and to the point, and they should address only one or two security subjects. If a pamphlet is long or complex, users may not read all of it. Keep language in the pamphlets clear and simple and make sure that they reinforce the program's central messages.
Presentations
Presentations can be delivered live, by teleconference, or by webcast, and should be recorded for users who are unable to attend or who need refresher training later. Target the presentation to the intended audience, making a special point to adjust the language and technical depth to the level of the audience's expertise. Instead of creating one long presentation that covers many topics, try to create several presentations that each focus clearly on one or two areas, such as policy or theft and loss prevention.
Security Videos
Security videos are a useful and user-friendly way to deliver information on security policies and practices. Make full use of the medium by discussing not only the facts, but also by providing examples through demonstrations and reenactments.
Videos are particularly cost-effective because they can be reused. They can be streamed from a Web site and easily advertised by e-mail.
Mobile security videos should be made available through your enterprise's mobile devices. This is especially true for mobile users who are rarely in the office.
Training Sessions
Security training should be required for new mobile users, and existing users should be recertified annually to make sure that their security knowledge is up to date. Because security can be a rather dry subject, it may be better to break the training into multiple sections, each addressing a different aspect of mobile security. Like presentations and videos, mobile security training sessions can be recorded and made available through mobile devices.
White Papers
Security white papers are useful for employees who need detailed information about a particular topic, especially technical employees who may be responsible for implementing security measures. If possible, make the contents of your white papers viewable through your company's mobile devices.
Repository for Security Awareness Documents
Creating a central repository for documents related to security awareness—including pamphlets, presentations, videos, training sessions, white papers, and security policy documents—makes it easier for mobile users to find the security information they need. The repository also becomes a historical record of how your mobility security awareness program has improved and expanded over time.
Security Awareness Day
AT&T suggests scheduling a security awareness day during which your enterprise can remind users of their security obligations and how to meet them. A security awareness day is a good time to launch new security initiatives and to host activities that reinforce good security practices.
To take advantage of external resources, you may want to plan the enterprise security day so that it occurs on either Cyber Security Day (October 31 and April 4), or on International Computer Security Day (November 30).
Security Awareness Summary
Security awareness is critical to achieving the best possible compliance with security policies and practices. The best way to ensure that users know and accept these policies and practices is to periodically reinforce key security messages. No single communications medium provides a "silver bullet," so combine several security-awareness components and activities for the most effective mobile security awareness campaign.