The National Institute of Standards and Technology (“NIST”) is at it again. This past Monday it released an update of its 2008-era special publication to reflect the tremendous growth of mobile devices since then: Guidelines for Managing the Security of Mobile Devices in the Enterprise (SP 800-124r1) (the “Mobile Guidelines”). The Mobile Guidelines are designed to go hand-in-hand with another recently released NIST document: SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, which we covered earlier this year.
In short, the Mobile Guidelines provide six high-level recommendations that enterprises should address to securely deploy and manage mobile devices. NIST recommends that organizations:
- Have a mobile device security policy that defines the types of devices permitted, the resources that may be accessed from them, and how provisioning is handled.
- Develop system threat models for mobile devices and for the resources that are accessed through mobile devices.
- Consider the merits of each available security service, determine which services are needed for the specific environment, and then design and acquire one or more solutions that collectively provide the necessary security services.
- Implement and test a pilot of the mobile device solution before putting it into production.
- Fully secure each organization-issued mobile device before allowing a user to access it.
- Regularly maintain mobile device security.
Sounds simple when put in a list, but each item mushrooms into a host of connected and overlapping issues, which the Mobile Guidelines and other NIST Special Publications probe in detail. Beyond the technical issues, the legal issues are likewise non-trivial. To discuss the Mobile Guidelines or your own mobile or BYOD program, feel free to contact me or any of the attorneys at the InfoLawGroup.