In Part 1 of our Mobile Device Management Policy Workshop, we talked about the importance of having an MDM or BYOD policy and a few of the key considerations you must make when adopting an MDM policy for your own organization.
In Part 2 of our Mobile Device Management Policy Workshop, we were actually able to examine 3 legal MDM policies in order to discuss the legal language and different formats an organization could use when adopting an MDM policy.
If you're interested in a recap of the Mobile Device Management Policy Workshop Part 1, copy and paste the following into your browser:
http://www.redzonetech.net/2013/03/mobile-device-management-policy-things-to-consider-when-adopting-an-mdm-policy-for-your-organization/
If you're interested in talking to someone about ThunderDG, the Employee Policy Management tool mentioned in this presentation, please utilize the following contact information:
410-897-9494
rzsales@redzonetech.net
Finally, if you're interested in learning more about the CIO Executive Series, feel free to tweet us or join our CIO Executive Series Group on LinkedIn!
@TheRedZoneCIO
CIO Executive Series Group (http://www.linkedin.com/groups?gid=1986838&trk=hb_side_g)
Mobile Device Management Policy Workshop Part 2 | CIO Executive Series
1. Mobile Device Management Policy Workshop
Part 2
Presented by The CIO Executive Series
Moderators: Bill Murphy & James Crifasi
2. RedZone’s CIO Executive Series
TOP IT Executive Network specializing in bringing CIOs together to
collaborate, network, and stay current on industry trends.
Just under 300 senior C-Suite IT executive members
Founded in 2000 | 13 years of experience bringing CIOs together
Host a number of events – both virtual and physical – each year
Host a “Special Event” annually | Past events have included:
A Golf Outing, Dinner & Receptions
3. About Bill Murphy
President and Founder
• RedZone Technologies
• ThunderDG
• MA DR Solutions
• Beyond Limits Magazine
Keep In Touch With Bill:
@TheRedZoneCIO
CIO Executive Series Group
billm@redzonetech.net
Live Tweet from the event!
@TheRedZoneCIO
4. About James Crifasi
• CTO of RedZone Technologies
• Co-founder ThunderDG
• Co-founder MA DR Solutions
• University of Maryland Graduate | B.A. Criminology &
Criminal Justice | B.S. Computer Science – Algorithmic
Theory & AI | M.S. Interdisciplinary Management
• Keep In Touch With James: jcrifasi@redzonetech.net
5. Sponsors
RedZone Technologies
Assessment: IT Architecture and Design
Integration: Security | Disaster Recovery | Infrastructure
Managed Service Programs
Cloud Brokerage
(410) 897-9494
www.redzonetech.net
ThunderDG
Employee Policy Management, Education, and Awareness
www.thunderdg.com
7. Topics To Be Covered
• Remote Wipe
• Data Back Up
• Device & Carrier Coverage
• Organizational Processes & Protocol
• Education & Policy
• Company Issued Devices
• Mobile Device Use While Driving
• Signature Requirements
• Specifying Solutions
• Food For Thought
8. When To Remote Wipe
• ABC Company’s policy is very protective of company data
• Allows for remote wipe if the device is lost or stolen, the user is
terminated, or in the event that the company cannot reach the user
• Users need to be diligent in answering their phone or it could be wiped
• STRUCTURAL has a slightly more user-friendly approach than ABC
Company’s
• Similar to ABC Company’s but does not allow for remote wiping in the
event that the company cannot contact an employee
• Users need to only fear the notion of losing their device or having it
stolen, which people naturally fear regardless of the data being stored
on their devices
• The American Chemistry Council’s policy is the most simplistic
• Will only “Remote wipe (in the event a mobile device is lost or stolen)”
• Users need to only fear the notion of losing their device or having it
stolen
Under what circumstances would your org remotely wipe a device?
9. Company Data Only Wipe Vs. Entire
Device
• ABC Company specifies that all data will be wiped from the device
• STRUCTURAL specifies that only corporate data will be wiped, but
there is a chance some personal data may be lost in the process
• The American Chemistry Council doesn’t specify at all
*Note: the extent to which your organization wipes a device depends upon how your company data is set up to be viewed
and interacted with on the users’ mobile device*
STRUCTURAL
ABC Company
What type of remote wipe is your organization equipped to perform?
10. Data Backup
• ABC Company encourages data backup, but prohibits the backup
of corporate data
• STRUCTURAL encourages users to back up their personal data, but
does not address the backup of corporate data
• The American Chemistry Council doesn’t mention data backup
From a user standpoint, it’s important to know and understand your organization’s stance on data backup so you can
protect yourself against loss of your personal data without violating any of your company’s policies.
ABC Company
STRUCTURAL
What is your organization’s policy on data backup? What about company data?
11. What Exactly Are You Protecting
Against?
• ABC Company’s Remote Wipe Waiver seems to be written more to
protect the company against data loss
• Extra coverage to include wiping if employee goes MIA
• Specific mention of the prohibition of backing up corporate data
• STRUCTURAL’s Remote Wipe Waiver seems to be more directed
toward protecting the user against data loss
• Wipes only corporate data, unless otherwise requested by the user
• No mention of backing up corporate data
• Encourages users to back up their personal data regularly, just in
case
• Offers the option of a full wipe to protect personal data
• The American Chemistry Council simply states that it will wipe a
device in the event that it is lost or stolen
• Seems to be written more so to spell out which job roles are eligible
for company-issued devices vs personal devices used for business
What are your organizational needs? Need more company data
security, increased ability to protect personal data, or both?
12. Implied VS Expressed Approach
• ABC Company provided a summary before the signature line
that outlines what exactly the user is agreeing to by signing the
Remote Wipe Waiver
• STRUCTURAL & The American Chemistry Council simply
state the policy and have a line at the end of the document for a
signature – leaves more room for interpretation
Is it better to spell a policy like this out or leave some room for interpretation?
13. Remote Wipe Policy | The Different
Formats
• ABC Company & STRUCTURAL both have their Remote Wipe
Waivers as separate documents from their Mobile Device Policy
• The American Chemistry Council has mention of the remote wipe
waiver within their Mobile Device Policy
American Chemistry Council
ABC Company STRUCTURAL
What approach to a remote wipe policy applies best to your organization?
A separate document or a clause in the existing MDM Policy?
14. Explanation of Terms
• ABC Company & STRUCTURAL – policy & clarification
• State the purpose of a Remote Wipe Waiver & under what
circumstances a device would be wiped
• The American Chemistry Council – policy only
• simply says that by signing the policy, the employee allows IT to
remotely wipe the device
ABC Company American Chemistry Council
Which would be the most ideal way to present a Remote Wipe Policy to your
organization?
15. Device Coverage
• ABC Company & STRUCTURAL both provide a list of the types of
devices that their MDM policies cover (same items in both lists)
• The American Chemistry Council does not specify what mobile
devices are covered, but reads as though it is specific to
Smartphones (especially since it lists accepted wireless carriers)
What do you consider to be a “mobile device”?
16. Carrier Coverage
• ABC Company & STRUCTURAL do not specify what wireless
carriers are covered
• The American Chemistry Council specifically lists what carriers are
permitted to be connected to their network
Does your organization specify what carriers are covered on its network?
If so, which ones?
17. Organizational Protocols
• The length and content of this section could depend on…
• The size of your organization - Larger companies usually have
more finely tuned processes/protocols
• Whether or not your employees are allowed to opt-out of the
MDM Policy – some companies allow certain users to opt out of
an MDM Policy if they don’t understand or are not comfortable
with its contents
• The invasiveness of the IT department – Some IT departments
may use your device to track time spent performing work-related
tasks, while others may monitor usage to detect suspicious
activity. If this is your organization, you should disclose.
• The wordiness of the document – If there are multiple
paragraphs that essentially say the same thing in various different
ways, the contract is more open to interpretation and
is, therefore, subject to more scrutiny when being argued in a legal
setting
18. Organizational Protocols
• STRUCTURAL has the longest Organization Protocol section
• The longer and vaguer a policy, the more open to interpretation it
becomes, especially with respect to pursuing legal action
• ABC Company has a slightly shorter Organization Protocol section
• Not as long or as vague
• More concise, less room for interpretation
• The American Chemistry Council has no labeled “Organization
Protocol” section; rather, the organizational protocol considerations are
addressed in the “Security and Support” section
• Simply states what department to contact in the event that a user’s
device is lost or stolen
Do you think the inclusion of organizational protocols in a different section of
the MDM policy is a good idea? Why or why not?
19. How Detailed is Your
Organizational Protocol?
ABC Company
American Chemistry Council
STRUCTURAL
20. Specify Eligibility for Company Issued
Devices
• If you offer company-issued mobile devices, unless all members of
your organization are eligible, the MDM policy should detail eligibility
Does your organization supply any of its employees with company issued
devices? If so, who is eligible?
21. Reimbursement & Stipends
• If your organization offers either of these, you will need to
specify amounts in this part of the MDM Policy document
Does your organization reimburse its employees (or offer stipends) for using
their personal devices for business use?
22. Mobile Device Use While Driving
• Major legal issue
• Want to be sure to address within the MDM policy somewhere;
Coca-Cola didn’t and it resulted in a $21 million lawsuit
• The American Chemistry Council’s MDM Policy was the only one
of these three that mentioned mobile device use while driving
Is a section on mobile device use while operating a motor vehicle something
you’ve considered for your MDM Policy?
23. Signature Requirements
ABC Company
• ABC Company only requires the Employee Declaration at the bottom
of its Remote Wipe Waiver and Mobile Device Acceptable Use
Policies
• ABC Company is utilizing an Employee Policy Management
platform, so all signatures are electronic, rather than using the
“sign-on-the-line” format
24. Signature Requirements
STRUCTURAL
• STRUCTURAL, like ABC Company, only requires the Employee
Declaration at the bottom of its Remote Wipe Waiver and Mobile
Device Acceptable Use Policies
• ABC Company is utilizing a “sign-on-the-line” format
• More paperwork/less “green”
• More complicated tracking
25. Signature Requirements
American Chemistry Council
• The American Chemistry Council requires its employees to choose
whether they want a company-issued device or to use their
personal device to access the network at the conclusion of its
contract
• ABC Company is utilizing a “sign-on-the-line” format
What type of signature requirements does your MDM Policy have?
26. Specifying Solutions
• STRUCTURAL’s Acceptable Use Policy states specifically that they
will utilize Airwatch’s mobile device management solution “to secure
devices and enforce policies remotely”
• What happens if Airwatch goes out of business or your financial
department decides it’s too expensive and you need to find
another vendor?
• Would this be legally enforceable if STRUCTURAL switched
vendors?
27. Food For Thought
• Use an Employee Policy Management web-based platform, like
ThunderDG, which allows employers to…
• Distribute the policies electronically, collect the e-signatures, and
easily track which employees have signed which policies
• Reinforce the policies through the Quiz Module so you can allow
users to interact with the policies, which increases their
likelihood of learning, understanding, and remembering them
28. Food For Thought
• Do you have a means for ensuring that all of your employees
have read, understand, and remember your organization’s
policies?
• What about BYOD for PCs?
• If you protect your data and apps, why do MDM at all?
30. Continue The Discussion
Follow the CIO Executive Series Group on LinkedIn!
Follow @TheRedZoneCIO on Twitter!
31. Thank you for joining us for the
Mobile Device Management Policy Workshop
Part 2
Presented by The CIO Executive Series
We’ll email you a link to the recorded Virtual Roundtable, as
well as a written recap of what we discussed today, in the next
few days!
Editor’s notes
How are we going to explain ABC company? Tech company? Credit Union? We need to at least define the industry. Let each company give a brief description and intro their policy.
ABC’s is strict because it specifies if the co can’t get ahold of you they can wipe your device.
STRUCTURAL’s doesn’t include that clause, but still includes “termination” as a reason to wipe a device.
ACC’s literally just says IT has the right to “Remote wipe (in the event a mobile device is lost or stolen)” – this may be because it’s more specifically related to those with company issued devices so termination isn’t an issue? ASK SAM WHY TERMINATION ISN’T MENTIONED. If need be, flip back to the last slide to show how it’s mentioned in the ACC contract.