It is vital for corporations to establish thorough policies for managing data on mobile and portable devices. If that information needs to be collected as digital evidence for forensic analysis or electronic discovery, it is the company's responsibility to know where its data is.
Here are some tips for safeguarding your data in a
1. Only allow devices that will actually be used for corporate items. Just because someone has a personal iPad does not mean they should be able to connect it to the corporate environment. Unless there is a legitimate business use for the device, it should be excluded from access.
An argument can be made that it's reasonable to allow access to some groupware services, such as e-mail or a company calendar, on a personal device. After all, that data is stored somewhere in the cloud and only viewed (not housed) on a phone or tablet. That may be true for some companies, but I caution you against it. Once the door is open, it can be easy to let other things out.
2. Devices must be able to be controlled from within the organization. Corporate IT resources must be able to remotely lock and wipe a device. This ensures that corporate data can be deleted remotely if a device is lost or stolen or an employee is terminated.
A data ownership agreement between the employee and the company should fully disclose the policy and its ramifications. In addition to authorizing the company to remotely lock or wipe the device, it should establish procedures for creating passwords, accessing company resources, installing updates and applications, tracking usage, and backing up the data.
3. Define device types and make sure support exists for their inclusion in the corporate landscape. It is critical that devices granted access within the corporate environment meet established security and policy requirements. For a phone or tablet, this may include measures such as requiring users to enter a PIN code or use an SSL certificate to connect. For portable hard drives or flash drives, it may require that devices be inspected before leaving the premises to ensure no data is being removed from the building, or, in fact, that they not be allowed onto the premises at all.
allowed—only BlackBerry phones, for example—to ensure that you can fully maintain support.
Of course, these safeguards are for employees who bring in personal devices. The best security measure would actually be to not allow personal devices to be intermingled with company business. If an employee needs mobile access, a flash drive, or any other of these new media, it should be the company's place to provide that device. Perhaps it can still be used for personal applications, but the company would retain full control. Owning the device means you can format it for your environment and install controls. Having 100% authority ensures you can monitor, view, access, or delete any of the files or applications on any of the devices at any time, and you can even revoke the device itself at will.
An additional security measure may be to establish a policy ensuring that no electronically stored information can be removed from the corporation's environment at all. For example, one large corporation with multiple offices has an information management policy that requires all data to be saved on the company's servers, not on individual computers. To help enforce this policy, there are also no USB ports, CD burners, or any other data removal devices on any terminal. A secure mobile access system allows users to reach their data on the servers from anywhere, at any time, so they can work off-site or after hours if the situation requires it.
Are these security steps a burden to the company? Possibly. Are they a burden to the employee? Definitely. And that's the goal: that data within the corporate environment is monitored and policies created to ensure only approved data transfers are
The rise of modern media can be exciting, but there is an element of the unknown. It can be fun to discover new things and establish new procedures and best practices. Yet it also makes sense to protect yourself and your data and ensure that you maintain control. It's good for digital forensics and it's just good for business.
Gary Torgersen is Vice President of Technology at DSi (formerly Document Solutions, Inc.). A Certified Computer Examiner (CCE) and member of the International Society of Computer Forensics Examiners (ISCFE), he has worked on hundreds of digital forensics and e-discovery cases. DSi, 414 Union Street, Suite 1210, Nashville, Tenn. 37219; 877-797-4771;