IT Management

With so many different kinds of mobile devices, applications and users, many companies try to minimize abuse by writing a policy statement providing rules and guidelines. This document is usually three to five pages, starting with a statement of purpose and indicating who the policy applies to. This might be worded as follows:

The purpose of this mobile device policy is to protect company data and ensure the availability of company computing resources. This policy applies to all salaried employees, outside consultants, partners, and anybody representing a partner. This policy applies to use of company-provided mobile devices and any other mobile device accessing the company network.

The policy might cover some of these areas:

Personal phone calls: One way to keep costs down is to prevent users from making international phone calls. To make this rule clear, you might include a statement such as this:

Outgoing international phone calls may only be made by certain categories of employee with jobs specifically requiring communication with people outside North America. In no case shall these outgoing calls be made for reasons other than those related to company business.

Social media, personal Web browsing and personal email: To make company policy clear, you might include something like this:

Company-provided devices and network services may not be used to access personal social media services.

Storing sensitive data on the device: Many companies protect themselves by requiring that company data be encrypted. To ensure users follow this policy, you might write:

Sensitive company data isn’t allowed on mobile devices except for certain cases. Where these cases apply, the data must be encrypted using approved encryption techniques.

This statement doesn’t enumerate the exceptional cases, nor does it say how the data is to be encrypted. It simply states the company policy knowing that job roles and technology tools may change.

Physically securing mobile devices (never leave them unattended): To minimize loss or theft of devices, write a rule stipulating that users physically lock their devices. You might also include a policy that requires users to report missing devices promptly. For example:

Unattended company-provided mobile devices must be physically secured. In the event a company device is lost or stolen, the user must notify the IT department immediately.

Remote wipe: When devices are lost or stolen, the IT department might execute a remote wipe to remove all data. It’s wise to warn users of this by mentioning it in the mobile device policy. For example:

To protect the company’s interest, all data—or any subset thereof—may be deleted by the IT department from a company-provided device if the device appears to be lost or stolen, or if the user terminates employment with the company for any reason.

Backup: State whether users are required to perform backup functions. If your IT department has an automatic backup facility, this is even better, as it frees users from having to perform this function themselves. You might also forbid backing up to data stores not owned by the company through a statement like this:

Data may not be backed up or copied from the device to non-company equipment.

The mobile device policy should include three other sections:

Responsibility: Indicate what the company is responsible for and what users are responsible for. For example: The company IT department is responsible for providing support for company-owned devices and ensuring access to network services. Each user is responsible for ensuring the mobile device is used primarily for company business, immediately notifying the IT department if a mobile device is missing, and keeping sensitive company data off the device.

Enforcement: To be clear on how the policy will be enforced, include a statement like this: Users found in violation of this policy will be subject to disciplinary action up to and including suspension of mobility computing privileges or termination of employment.

Acceptance: The last page might be a statement that the user understands and accepts the policy. This page is to be signed, dated, and returned to the IT department.