Wednesday, October 6, 2010

Article on setting effective consumer IT security policies

A good article on what to consider when allowing staff to use their own IT for work away from the corporate environment, e.g. their own laptops, smartphones, hotel IT, etc.

The article is from WindowSecurity.com.

Some points to consider.

Security concerns.

  • Security threats presented by consumer applications (e.g. webmail, social networking) used by employees on company-owned computers.
  • Security threats presented by consumer devices (laptops, smartphones, tablets/slates) owned by employees but used to connect to the corporate network.

Security Threats

  • Introduction of malware into the corporate network.
  • Leakage of company data if a consumer device is lost or stolen.
  • Leakage of company information from inside the corporate network via consumer apps, e.g. webmail, social networking, instant messaging.

The article had some good recommendations, including:

  • Mandatory encryption of any company data stored on employee-owned devices.
  • Mandatory encryption of communications in transit between employee-owned devices and the company network, via VPN, DirectAccess, etc.
  • Mobile devices used for business should have the capability of being remotely wiped.
  • Health checks of laptops connecting to the corporate network, via Network Access Protection (NAP) or Network Access Control (NAC), to ensure that they meet company standards for virus protection, firewall, service packs/security updates and so forth.
  • Enforced sync parsing/protocol filtering and content filtering (DeviceLock) to control what types of data users can synchronize between their mobile devices and company computers.
  • A virtual desktop infrastructure whereby virtualized operating systems and/or applications are delivered to employee-owned laptops for work purposes, allowing the company to control the hosted image and isolate it from the local operating system on the laptop.
  • Policies that specify what consumer software can be used on corporate computers (for example, social networking web sites vs. iTunes, multi-player games or personal VoIP accounts such as Skype), enforced with Software Restriction Policies.
  • Use of agent-based security configuration management tools to enforce usage policies.
  • Development of a comprehensive usage policy that addresses employee use of social networking.

Well worth a read, as it may also cover related issues such as contractors and what they can do with their own laptops in an organisation.

Copyright 2009 Security Monkey.