In short, the Mobile Guidelines provide six high-level recommendations that enterprises should address to securely deploy and manage mobile devices. NIST recommends that organizations:
- Have a mobile device security policy that defines the types of devices permitted, the resources that may be accessed and how provisioning is handled.
- Develop system threat models for mobile devices and the resources that are accessed through mobile devices.
- Consider the merits of each provided security service, and determine which services are needed for the specific environment, and then design and acquire one or more solutions that collectively provide the necessary security services.
- Implement and test a pilot of their mobile device solution before putting the solution into production.
- Fully secure each organization-issued mobile device before allowing a user to access it.
- Regularly maintain mobile device security.
Sounds simple when put in a list, but each item mushrooms into a host of connected and overlapping issues, which the Mobile Guidelines and other NIST Special Publications probe in detail. Beyond the technical issues, the legal issues are likewise non-trivial. To discuss the Mobile Guidelines or your own mobile or BYOD programs, feel free to contact me.