In this column, I’ll tell you how one Big IT Shop solved the problem of how to enforce the email information security policy in the Bring Your Own Device (BYOD) era when 95% of their employees access corporate email via smartphones, tablets, and company-issued laptops.
One ISO’s “Good” solution for enforcing email policy
I recently consulted on information security governance with the Information Security Officer (ISO) for a company that provides professional services in the financial consulting industry. The firm’s experts travel all over the place and use all sorts of devices to get their work done, and the ISO needed a way to secure sensitive information transmitted via corporate email on the approved devices.
The ISO implemented the mobile content management solution from Good Technology (“Good”). For the record, I don’t have any affiliation with Good, and I wasn’t involved in the process of selecting Good as this company’s third-party service provider. I’m writing this plug of their system based on my review of reports that come out of the Good system, and they’re impressive.
In a nutshell, the solution helps enforce information security policy in two important ways:
1. It monitors all outgoing email messages and attachments for sensitive information.
2. It generates a report that goes to the Information Security Department showing which users have violated company policy regarding the use of sensitive information.
Here’s one cool thing about the Good solution. You can configure it so that only work email – email that goes through the company’s email gateway – is monitored by the Good app. So if someone forwards confidential information from the corporate email account to a cloud-based account, that violation of policy will show up in a report.
Suppose one of your employees with a smartphone leaves the company. In that case, you can use the Good solution to remotely wipe all of the business email messages and contacts from the phone without deleting any other data or apps.
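To make the two-step enforcement described above concrete, here is an added example (my own illustration, not Good Technology's code) of the kind of gateway-side check that flags sensitive content leaving the corporate domain and rolls the hits up into a per-user report. The message sample, the corporate domain and the three sensitivity rules are all constructed for the example; a real deployment would take its rules from the company's own definition of sensitive information.

```python
import re
from collections import defaultdict

# Constructed sample of outbound messages as they might be logged at the
# corporate email gateway (not real data).
OUTBOUND = [
    {"user": "alice@corp.example", "to": "bob@corp.example",
     "subject": "Q3 figures", "body": "CONFIDENTIAL: client account 1234-5678-9012"},
    {"user": "alice@corp.example", "to": "alice.personal@webmail.example",
     "subject": "Fwd: Q3 figures", "body": "CONFIDENTIAL: client account 1234-5678-9012"},
    {"user": "carol@corp.example", "to": "carol@webmail.example",
     "subject": "lunch", "body": "see you at noon"},
    {"user": "dave@corp.example", "to": "partner@client.example",
     "subject": "SSN", "body": "applicant SSN 123-45-6789"},
]

CORP_DOMAIN = "corp.example"  # hypothetical corporate domain

# Markers of sensitive content; hypothetical rules standing in for the
# definitions in a company's information security policy.
SENSITIVE_PATTERNS = {
    "confidential_marking": re.compile(r"\bCONFIDENTIAL\b", re.I),
    "account_number": re.compile(r"\b\d{4}-\d{4}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def sensitive_hits(msg):
    """Names of the rules that match the subject or body of one message."""
    text = f"{msg['subject']}\n{msg['body']}"
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))

def is_external(addr):
    """True when the recipient is outside the corporate email domain."""
    return addr.rsplit("@", 1)[-1].lower() != CORP_DOMAIN

def violations(messages):
    """Messages that carry sensitive content to a non-corporate address."""
    found = []
    for m in messages:
        hits = sensitive_hits(m)
        if hits and is_external(m["to"]):
            found.append({"user": m["user"], "to": m["to"], "rules": hits})
    return found

def report_by_user(messages):
    """Count violations per sender: the shape of report the column describes."""
    counts = defaultdict(int)
    for v in violations(messages):
        counts[v["user"]] += 1
    return dict(counts)
```

Only the forward to a cloud-based mailbox and the SSN sent to an outside partner are reported; the same confidential content sent colleague to colleague stays inside the gateway and is not a violation.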
Sensitive information, you say?
In this case study, the definition of sensitive information is very clearly stated in this company’s information security policies. The problem is, the people who needed to know what the rules are – the mobile device users – weren’t reading the information security policies. My recommendation to this ISO was to add the rules about sensitive information in email to the bring-your-own-device (BYOD) policy.
If you don’t want people forwarding corporate email messages to their cloud-based email addresses, you need to tell them.
If you don’t currently have a formal program in place to manage your BYOD users, ToolKit Café’s BYOD Toolkit can help. The BYOD toolkit contains standardized templates and sample policy documents you can quickly customize for your organization.
Try before you buy
If you’d like to look at the type of material available in the BYOD toolkit, you can download a free sample BYOD audit program. This sample audit program provides step-by-step instructions to help you figure out what you have and what you need in the way of policies and procedures related to managing your BYOD users.
Talk Back to ToolTalk Weekly
If you liked this column, please post a comment below. Follow this link to read another ToolTalk Weekly software review: Recuva saves the day when files get deleted.