Security Policies for Mobile Devices
Originally published in August of 2011 on the NPower blog, this post was written by NPower consultants seeking to provide some helpful information regarding security policies and mobile devices. For more tech-related tools and best practices, check out our Technology Knowledge Center.
As we keep adding new applications, programs, and features to our phones, it’s important to remember that these devices now have much more in common with your laptop or desktop computer than with the rotary-dial telephone we may have had years back. This also means that each time an employee loses a cell phone, the organization may be losing data: the device can hold or reach work email, files, and even databases (many common databases have “apps” available to provide persistent mobile access), and a login saved on the device gives whoever picks it up the same access the employee had. As our staff members are more and more likely to carry these miniature computers in their pockets, we as nonprofit leaders are wise to create and enforce the same kind of security policies for them as we have for our regular computers and networks. Here are a few high-level areas to consider to help you get started in creating policies for both phones and mobile devices like iPads and tablet PCs:
Consider which staff members need full mobile access:
Does every staff member need to access your database or even email on their phone or mobile device? Probably not. The fewer devices that carry your sensitive data, the fewer devices there are to lose, and the better off your data will be. When choosing which staff will either use an organization-owned phone or access your organization's data on a personal phone or device, evaluate whether this person or staff group actually needs mobile access rather than wanting the convenience. To do that, identify concrete reasons why mobile access will help them work more effectively: for example, the individual or group regularly receives urgent messages that require an immediate reply, or regularly works off-site.
Policies for personal devices:
If we are discussing phones or devices owned by your nonprofit and provided to certain staff, then enforcing the security policies you create is relatively straightforward. More questions arise when staff want to access organizational data on their personal devices. A good policy is to require that all staff ask permission before adding any organization data to their phone or device, whether through email access, file storage, or information accessed through apps. It’s good to control who has access and which devices they are using: some devices have better security options than others, and you want to be sure that staff will be trustworthy with your data. If a staff person does not agree with your policies, they should not be allowed to access work information on their phone; if they do not want to follow your policies, they can opt out by not using their personal devices for work. If they are in a position where it is vital that they have access to this data, consider whether it’s worth the organization paying for a phone for them to use rather than placing that data on their personal device.
In addition to agreeing to your security policies, there are other items to consider when allowing employees to use their personal phones for work purposes:
- Will they be reimbursed for their used minutes or data usage? Talk with your HR team to decide how to compensate staff in these cases.
- Not all phones and devices will connect to your network with the same level of ease, and not all support the same security settings (screen lock, password rules, remote wipe). If a staff member is purchasing a new phone with the intention of using it for work purposes, make sure they know enough to make a good purchasing choice. Check out our presentation on "Get Smart about Smartphones" for more information.
Enforce Screen Locks and Secure Passwords:
Every mobile device connected to your network needs to follow the same security policies as the rest of your network, and the easiest place to start is screen locks and passwords. Our "Security and Privacy" presentation covers tips and policies surrounding secure passwords, and it is important to choose similarly good passwords for your smartphone and mobile devices.
In addition, make sure to use the screen lock function that is standard on most devices. It requires you to re-enter your password or code once the phone has been idle for a few minutes, which will prevent the average person from using your phone should they find it. We recommend that the screen lock after 3 minutes of inactivity, if not sooner: the shorter the timeout, the smaller the window in which a lost phone is still unlocked. Keep in mind that a screen lock only stops casual use of the device; a device that also encrypts its storage (an option on many current phones) is what keeps the data unreadable if someone connects the phone to a computer and reads it directly.
Create a good policy tailored to your organization:
Below are some key points to include when you create a mobile device security policy for your nonprofit. These are only broad areas of concern, and you should work with your HR, tech support, and possibly your legal team to expand this for your nonprofit. When you have your policy finished, it should be addressed with new staff members and kept with other HR and/or technology policies for reference.
Sample Mobile Security Policy
In order to protect the network and data of ORGANIZATION NAME, all staff members must abide by these mobile security policies.
- Any phone or mobile device that stores any data owned by ORGANIZATION NAME, whether owned by ORGANIZATION NAME or an individual staff member, must have the following security measures put in place:
  - A screen lock (may be known by other names on different devices) must be implemented to require a password or code to be entered after being idle for 2 minutes or more.
  - Staff members must not use the default passwords provided by their phone or voicemail service, but must create a new one.
- No staff may add any data owned by ORGANIZATION NAME to their personal phone or other device without the express permission of management. Data includes, but is not limited to, email, files, and database access through applications or web browsers.
- In addition to the items outlined above, an individual who is given a phone owned by ORGANIZATION NAME or granted permission to add data owned by ORGANIZATION NAME on their phone or mobile device agrees to the following:
  - They will report any loss or theft of their phone or mobile device to management within 24 hours.
  - They consent to having their phone’s or mobile device’s data wiped by our network support staff in the event of loss or theft to protect any data stored on the device.
  - They agree to abide by best practices as outlined in this and other technology policies, which can be amended by management at any time.
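The screen-lock requirement above and the sample policy's technical points (a non-default passcode, lock after two minutes, remote wipe on loss) can be enforced centrally rather than left to each staff member's settings screen. The following is an added example, not part of the original post or NPower's materials: it assumes the organization's email runs on an on-premises Microsoft Exchange Server 2010 using Exchange ActiveSync (cmdlet names differ in later versions), and the policy name, mailbox name and device ID are placeholders chosen for illustration.

```powershell
# Added example (assumes Exchange Server 2010, ActiveSync in use).
# "MobileDevicePolicy", "jdoe" and the device ID are placeholder values.

# 1. Create a mailbox policy that mirrors the sample policy text:
#    a passcode is required, trivial codes such as 1234 are refused,
#    and the device must lock after two minutes of inactivity.
#    Ten wrong passcodes in a row wipe the device, which limits guessing.
New-ActiveSyncMailboxPolicy -Name "MobileDevicePolicy" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:02:00 `
    -MaxDevicePasswordFailedAttempts 10

# 2. Assign the policy to a staff member who has been granted mobile access.
#    A device that will not accept the policy cannot sync the mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "MobileDevicePolicy"

# 3. Review which devices sync that mailbox and whether each one has
#    actually applied the policy (the check a support person runs when
#    permission is granted, and again when a loss is reported).
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceFriendlyName, DeviceID, LastSuccessSync,
                  DevicePolicyApplicationStatus, IsRemoteWipeSupported

# 4. When a loss or theft is reported, wipe only the reported device,
#    identified by the DeviceID shown in step 3 (placeholder value here).
$lostDeviceId = "ApplF0123456789"   # replace with the real DeviceID
Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    Clear-ActiveSyncDevice -Confirm:$false
```

Two caveats a practitioner would want. First, an Exchange ActiveSync remote wipe of this generation resets the whole device, personal photos and contacts included, which is why the sample policy asks personal-device users for explicit consent up front. Second, the wipe command only takes effect the next time the device connects; in the hours between the loss and that connection, the screen lock and passcode are the only controls protecting the data, which is the reason the timeout is short.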
Provide Security Education to Staff:
The best-constructed policy is little more than a slip of paper if you don’t provide education on it, its details, and the reasoning behind it. Make sure to go over your policy with new staff when they are hired, and it’s a good idea to go over the policy regularly with all current staff as well. Include staff who aren't going to receive mobile access, so that they are reminded of why they should ask permission before adding information or access on their own.
- Elaina Buzzell