The mobile world is undergoing explosive growth. Luckily, enterprises are beginning to realize the potential gains and losses this technology offers, enabling them to act appropriately. Smart phones, such as iPhones and BlackBerrys, as well as USB memory sticks, netbooks and tablet computers are forcing a quantum change in our computing paradigm.
This is the Third Wave of Computing. For those old enough to remember, the First Wave included the large mainframes of the 1960s and 1970s, which gave way to the Second Wave—the client-server model of the 1980s and 1990s. The client-server model is now giving way to the mobile world of the 21st century.
Over the next few years, we will see mobile devices that are more powerful than ever. As a result, it is critical to ensure that good governance is in place over these devices, before we wind up in the same conundrum we have with the client-server world, re-inventing the security wheel. This article explores some principles of good governance in the following key points, based on ISACA's Certified in the Governance of Enterprise IT (CGEIT) domains.
1. Define, establish and maintain a governance framework. This framework consists of the leadership and organizational structures and processes that help ensure alignment with enterprise governance, installation of good practices and assurance of compliance with external requirements. Mobile technology needs to be considered in the enterprise's business strategy and, hence, in the IT strategy. Is there a corporate standard for the purchase of mobile devices with a focus on one type of device and operating system? Enforcing one brand and operating system might help ensure easier compliance with existing corporate security standards and allow for easier data wiping on lost or stolen devices. Governance committees such as the IT strategy or business needs committee should be actively involved in the future of secure mobile technology in the enterprise.
2. Consider how mobile technology will assist in delivery of key business objectives. Is it considered in strategic planning efforts? Aligning IT initiatives with business objectives and associated security efforts, and determining how the mobile environment might be used to assist, are key aspects of strategic alignment. How can applications be securely modified to fit into the mobile world? Will this be a defined strategy, or will it occur regardless in an ad hoc fashion? Whether it is a considered implementation or ad hoc, applications will migrate to these platforms. Will mobile technology function as an enabler or a utility? Or, put another way, will it help deliver some new business function or help run an existing business system? Can you tie direct, incremental, cost-avoidance or intangible benefits to the use of your mobile technology? For example, can it provide application help to front-line staff or sales staff as they deal with customers? Can it be used to enhance user awareness and security policies, or ensure that traveling sales staff have secure information at their fingertips so they can instantly respond to a client's query? What key objectives will mobile technology assist with in the enterprise?
3. Value delivery involves optimizing expenses and proving the value of IT. Many enterprises currently perceive the value of mobile technology as merely a tool for e-mail and phone conversations. This does it a great injustice and certainly minimizes the value proposition to the enterprise. With informed leadership and defined processes, mobile technology can emerge as a conduit for increased performance and decreased costs. Leaders can ensure that mobile technology use is built into new applications, thus supplying information more readily and securely or in a more useful format to the end user. For many enterprise users, a smart phone can easily suffice to get e-mail, answer a few calls and update the occasional spreadsheet, without the need for a laptop. Mobile devices could also assist in the delivery of security training, with specialized mobile applications minimizing the need for expensive off-site training.
4. Risk management is undoubtedly familiar to all. Ensuring continuity of operations and the security, confidentiality and availability of information and IT assets is a fundamental requirement of all enterprises. To help manage risk, mobile technology should follow the same policies and standards as other IT assets. Ensure that mobile technology is an integral part of the enterprise risk program. Enforce encrypted data on mobile devices, using, for example, IronKey or SanDisk Cruzer encrypted USB devices or one of the myriad encryption vendors for implementation on smart phones. Ensure effective disposal processes that wipe data on old phones. The average person in Europe replaces his/her phone every 27 months (or 7 months in South Korea). What happens to the data on that phone? It often remains on the device for anyone to peruse, due to poorly considered mobile technology implementations.
5. The success of IT performance through optimal investments and use of IT resources, including people, technology, applications, facilities and data, is the primary concern of resource management. Are staff appropriately trained in the use and security of mobile technology? Are training programs available to them on an annual or regular basis? Are procurement policies effective in offering economies of scale and do they provide the necessary level of technology to keep up with the security needs of the enterprise?
6. Performance management involves ensuring that the necessary measures and management are in place to eliminate surprises and ensure optimal performance. Measurable targets for mobile technology security must be set, monitored and evaluated. This is easier to write than to perform. Defining how mobile technology will be used to contribute to the enterprise’s security posture and financial, customer and operational areas (the strategic IT objectives) will help in evaluating optimal performance.
While this article focused on using ISACA’s CGEIT domains, other governance methodologies, such as COBIT or ISO/IEC 27001, will also help. Of course, there are many more things to consider than this article could discuss, and implementing even these small ideas can take time. Start now to ensure that your enterprise achieves integration with the business and a sound, effective security program over its mobile technology.