Remote Access and Mobile Device Security Policies: Best Practices

Updated September 10, 2020: This post was originally published on June 14, 2011, and has been updated to reflect technology and industry changes.

As our network security architectures have improved, so too have the threats that they face from would-be intruders.

With the consumerization of IT and the subsequent dramatic uptick in personal mobile devices being brought onto our corporate campuses, organizations must create a sustainable mobile risk management policy in order to keep their data and people safe. Managing the risk posed by smart-phones and other mobile/wireless devices will help to curb your threat profile, as well as reduce your exposure to data hacking, and is paramount for your strategy moving forward.

What is a mobile device security policy?

A mobile device security policy, sometimes called a Bring Your Own Device (BYOD) policy, is a way for organizations to protect themselves from potential data security incidents. It can include everything from carrier activation and encryption technologies to security certificates and procedures for taking inventory of mobile device data. As our workplaces and organizations are flooded with more personal and company-issued devices, there is a lot to consider when it comes to implementing a mobile device security policy.

Here are some best practices to follow within the wireless infrastructure to create a safe transmission space. You can use these guidelines as a check list to start securing your data.

Remote Access and Mobile Device Security Policy Guidelines

1. Establish and post non-employee wireless device use policy within your facility.
2. Pre-designate mobile device rights and privileges for all job positions within your organization. Limit System Administrator rights.
3. Inventory each access point within your network, including those that are wireless or remote, both inside and outside of the firewall.
4. Ensure that all external communications with internal networks must pass through a firewall.
5. Employ a network access control solution for all devices.
6. Laptops, tablets and mobile devices need to have power-up passwords and must be set to automatically lock if left idle for a significant period of time (e.g. 10 minutes).
7. Encrypt data on any mobile devices - specifically data at rest and external memory devices.
8. All secure areas shall be governed as secure wireless zones wherein devices shall have limited functionality in accordance with security policy.
9. Dynamic/location-based policy management shall exist for all mobile devices both on campus and off campus.
10. Mobile devices shall have an application white-listing capability and also block the installation of non-approved software.
11. Maintain the capacity to remotely "wipe" any data contained on mobile devices.
12. Maintain the capacity to control under what circumstances sensitive data may be downloaded to an employee's laptop, tablet or any other mobile device.
13. Prohibit users from remotely accessing your network through an insecure connection.
14. External access to sensitive data shall be encrypted using a minimum of SSL and preferably AES.
15. Limit session lifetimes.
16. In secure locations or circumstances, have all unnecessary services and applications on each device disabled.
17. Establish policies around the use of social or collaborative networks. Review these semi-annually and inform your employee of these updates when the update affects them or involves their activities.
18. Encrypt sensitive data being sent by e-mail.
19. Employ data leakage or data loss prevention software.
20. Keep logs and enforce real-time alerts based on rules or heuristics for suspicious activities both physical and cyber.
21. Monitor physical and wireless activities when accessing secure areas. Continuous monitoring of any radio frequency service like Wi-Fi, Bluetooth or cellular is paramount to limit espionage.

Learn more about securing your corporate spaces today.