Your device policies might seem like an area that doesn’t require much thought, but I frequently encounter clients with major gaps in their device policies. If you don’t take the time to get nitpicky with your device policies, you run the risk of exposing your organization to a crippling data breach.
It doesn’t take much for a device used with entirely innocent intent to create a dangerous situation. Without the proper policies and precautions in place, you invite your employees to take that kind of risk every day.
Are your device policies watertight? Check your policies against these best practices.
Rethink Inventory Management
The notion of inventory may not be as cut-and-dried as you think. It includes everything from physical equipment to virtual devices such as virtual firewalls and virtual servers. It can even include the services that run on those devices.
Physical equipment includes laptops and tablets, but it also includes devices like key fobs for 2FA, external hard drives, and USB sticks.
Many organizations limit their inventory to the production environment. It’s important to expand your notion of inventory management to include all of your devices, of every sort.
The purpose of inventory management is to understand and control the various elements of hardware and software across your organization that are either directly or indirectly involved in movement of sensitive information — names, addresses, phone numbers, SSNs, intellectual property, medical data, credit card information.
If it’s directly involved in the movement of sensitive data or supports the movement of the data, it needs to be tracked and managed in your inventory.
A hardware OTP token such as a small RSA fob doesn’t store any sensitive information, but it’s one of the authentication factors used to gain access to the environment that houses sensitive data. It supports the movement of data, so it’s a control point you want to manage, and that means it needs to be included in your inventory.
You should constantly be asking yourself, what are the elements of hardware and software within your environment that you ought to be controlling?
Establish Mobile Device Management Policies
Think through the data that exists on tablets and mobile devices. Each of those devices could have sensitive data stored on it. Are employees using company devices or their own? Do you have the capability or the right to take action on employees’ mobile devices?
Consider whether to deploy devices to your employees or allow them to use their own personal devices. If you allow them to use their own devices, what agreements do you need to have in place? Should you have software in place that allows you to clear sensitive data off of employees’ devices without impacting their personal information? When someone leaves the company, how will you ensure that your sensitive data doesn’t go with them?
Control External Storage Devices
Do your device policies allow external storage devices to connect to corporate machines? Have a mechanism in place that allows you to control external storage devices, such as external hard drives and USB sticks. Maintain the inventory of any devices that exist within your organization and who they’re deployed to.
Back that policy with a technical control over anything that gets plugged into a corporate machine. The control should confirm that the device is approved, that it’s in your inventory, and who it was deployed to and where it is supposed to sit.
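The check described above, as an added example written for this article rather than code from the original post: an endpoint agent reports the instance IDs of attached devices, and the script matches the USB mass-storage ones against the inventory by serial number, reporting devices that are not in the inventory, are issued to someone other than the logged-in user, or were issued without encryption. The inventory columns, the CSV rows and the device instance IDs are all constructed sample data; the instance-ID layout follows the Windows USBSTOR convention.

```python
"""Match removable storage devices seen on an endpoint against the device
inventory. Added illustration for this article, not a tool from the
original post. The inventory rows and device instance IDs are constructed
sample data and the inventory columns are an assumed schema; the
instance-ID layout follows the Windows USBSTOR convention
(VEN_/PROD_/REV_ fields, then the serial number)."""
import csv
import io
import re
from dataclasses import dataclass

# USB mass-storage instance IDs on Windows look like
#   USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&<instance>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]+)&PROD_(?P<product>[^&]+)"
    r"&REV_(?P<rev>[^\\]*)\\(?P<serial>[^&]+)&\d+$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class InventoryEntry:
    serial: str
    vendor: str
    product: str
    assigned_to: str  # the person the device was deployed to
    encrypted: bool   # encryption at rest confirmed when the device was issued


# Constructed inventory export (assumed column names).
INVENTORY_CSV = """serial,vendor,product,assigned_to,encrypted
4C530001230817110443,SanDisk,Cruzer Blade,alice,true
AA0000000000123,Kingston,DataTraveler 3.0,bob,true
DEADBEEF00000001,Generic,Flash Disk,carol,false
"""


def load_inventory(csv_text: str) -> dict:
    """Index the inventory by serial, upper-cased so it matches the
    upper-cased serial Windows puts in the instance ID."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = InventoryEntry(
            serial=row["serial"].strip().upper(),
            vendor=row["vendor"],
            product=row["product"],
            assigned_to=row["assigned_to"].strip(),
            encrypted=row["encrypted"].strip().lower() == "true",
        )
        entries[entry.serial] = entry
    return entries


def parse_instance_id(instance_id: str):
    """Return (vendor, product, serial) for a USB mass-storage instance ID,
    or None for any other device class (HID, network adapters, ...)."""
    m = USBSTOR_RE.match(instance_id)
    if m is None:
        return None
    return m["vendor"], m["product"].replace("_", " "), m["serial"].upper()


def check_devices(instance_ids, inventory, logged_in_user):
    """Classify each mass-storage device as APPROVED, UNAPPROVED (not in the
    inventory), MISASSIGNED (issued to someone else) or UNENCRYPTED."""
    findings = []
    for iid in instance_ids:
        parsed = parse_instance_id(iid)
        if parsed is None:
            continue  # not removable storage; out of scope for this check
        vendor, product, serial = parsed
        entry = inventory.get(serial)
        if entry is None:
            verdict, detail = "UNAPPROVED", f"{vendor} {product} serial {serial} is not in the inventory"
        elif entry.assigned_to != logged_in_user:
            verdict, detail = "MISASSIGNED", f"issued to {entry.assigned_to}, plugged in by {logged_in_user}"
        elif not entry.encrypted:
            verdict, detail = "UNENCRYPTED", "inventory shows no encryption at rest for this device"
        else:
            verdict, detail = "APPROVED", f"issued to {entry.assigned_to}"
        findings.append((serial, verdict, detail))
    return findings


# Constructed sample of what an endpoint agent might report for one session.
SAMPLE_DEVICES = [
    r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230817110443&0",
    r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\0123456789ABCDEF&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\AA0000000000123&0",
    r"HID\VID_046D&PID_C52B\7&2A1B3C4D&0&0000",  # a mouse receiver, not storage
]

if __name__ == "__main__":
    for serial, verdict, detail in check_devices(SAMPLE_DEVICES, load_inventory(INVENTORY_CSV), "alice"):
        print(f"{verdict:12} {serial:22} {detail}")
```

Matching on the serial rather than on vendor and product is deliberate: two identical models are indistinguishable without it, and a serial that never appears in the inventory is exactly the "someone brought their own stick" case the policy is meant to catch. A device with no serial at all will fail the regex and be skipped, so in practice you would want to report those as unapproved too.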
If you allow external storage devices to be connected, your policy should define what types of data may be transferred to them. At the very least, require that data on the device be encrypted at rest, so that a lost or stolen device doesn’t hand its contents to whoever finds it. An unencrypted device that falls into the wrong hands is a substantial risk to the organization.
Provide Secure Storage Locations
Determine where data can be stored in the cloud. Cloud storage options range from Google Drive to SharePoint sites to OneDrive sites, and countless others. Make sure you have oversight and control over the various locations where company data is stored.
When I’m doing a client’s assessment, it’s fairly common that I discover the company has no idea that So-and-So has been storing critical files on their personal Google Drive. They needed to do some work on a Sunday but no one gave them a place to store the files, so they solved the problem themselves.
Meanwhile, the company now has sensitive information sitting in a Google Drive it doesn’t control and has no oversight of.
Set policies in place that define where corporate information can be securely stored. Give personnel a place to store their company data. Actively encourage employees to ask questions and to raise their hand if they don’t have the resources they need.
Also have detection and monitoring capabilities in place so you can see when data lands somewhere it shouldn’t, whether through a well-meaning workaround or because someone goes rogue.
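One form that detection can take, as an added example that is not part of the original post: run the web-proxy logs through a rule that flags successful uploads to consumer storage services that are not on the sanctioned list, and roll the hits up per user. The log lines, the field layout, the sanctioned tenant hostnames and the size threshold are all constructed or assumed for the example.

```python
"""Flag uploads to unsanctioned cloud storage in web-proxy logs. Added
illustration for this article, not a tool from the original post. The log
lines, the proxy field layout, the sanctioned-host list and the threshold
are constructed or assumed for the example."""
from collections import defaultdict

# Assumed proxy log layout (space separated):
#   <timestamp> <user> <src_ip> <method> <host> <path> <status> <bytes_out>
SAMPLE_PROXY_LOG = """\
2024-03-10T09:12:44Z alice 10.1.4.22 POST drive.google.com /upload/drive/v3/files 200 52428800
2024-03-10T09:13:01Z alice 10.1.4.22 GET contoso.sharepoint.com /sites/finance/Shared%20Documents 200 1024
2024-03-10T09:14:10Z bob 10.1.4.31 PUT contoso-my.sharepoint.com /personal/bob_contoso_com/Documents/q1.xlsx 201 3145728
2024-03-10T09:15:30Z carol 10.1.4.40 POST content.dropboxapi.com /2/files/upload 200 10485760
2024-03-10T09:16:02Z bob 10.1.4.31 GET docs.google.com /document/d/abc123/edit 200 512
2024-03-10T09:17:45Z dave 10.1.4.55 PUT onedrive.live.com /api/v1.0/upload 200 2097152
"""

# Where company data is allowed to live (assumed tenant hostnames).
SANCTIONED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Consumer / personal storage services worth flagging. drive.google.com also
# serves Google Workspace tenants, so the host alone cannot tell a personal
# Google account from a corporate one; that needs account-level context.
WATCHED_HOSTS = {
    "drive.google.com", "docs.google.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
    "onedrive.live.com",
}

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
MIN_UPLOAD_BYTES = 1024 * 1024  # 1 MiB; below that is mostly UI and metadata chatter


def parse_line(line: str):
    """Split one proxy log line into a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, user, src_ip, method, host, path, status, bytes_out = parts
    try:
        return {
            "ts": ts, "user": user, "src_ip": src_ip,
            "method": method.upper(), "host": host.lower(), "path": path,
            "status": int(status), "bytes_out": int(bytes_out),
        }
    except ValueError:
        return None


def is_unsanctioned_upload(rec: dict) -> bool:
    """A successful upload-sized write to a watched host that is not sanctioned."""
    return (
        rec["method"] in UPLOAD_METHODS
        and 200 <= rec["status"] < 300
        and rec["host"] in WATCHED_HOSTS
        and rec["host"] not in SANCTIONED_HOSTS
        and rec["bytes_out"] >= MIN_UPLOAD_BYTES
    )


def find_unsanctioned_uploads(log_text: str) -> dict:
    """Return {user: [(host, bytes_out, timestamp), ...]} for policy breaches."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unsanctioned_upload(rec):
            hits[rec["user"]].append((rec["host"], rec["bytes_out"], rec["ts"]))
    return dict(hits)


if __name__ == "__main__":
    for user, events in find_unsanctioned_uploads(SAMPLE_PROXY_LOG).items():
        total_mib = sum(b for _, b, _ in events) / 1024 / 1024
        hosts = sorted({h for h, _, _ in events})
        print(f"{user}: {len(events)} upload(s), {total_mib:.1f} MiB -> {hosts}")
```

The rule is intentionally narrow (write methods, 2xx status, size floor) so that simply opening a shared Google Doc does not page anyone. Its blind spot is the one noted in the comments: a personal Google account and a corporate Workspace account hit the same hostnames, so a host-based rule needs to be paired with an account-level control or a CASB before it can tell the two apart.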
Go the Extra Mile
Your company’s device policies may be one of the simpler aspects of security and compliance management, but that doesn’t mean you can afford to take a half-hearted approach to them. Like everything else in cybersecurity, device policies are only as effective as the effort you put into them.