Risk Management - includes Industry Participants


Considering Support of a new Mobile Device? Don't forget to consider Information Governance Issues.

By Brian Donato posted 02-12-2013 16:16

  

With the proliferation of mobile devices, many firms are struggling with how best to determine which devices to support and which devices to avoid. During a friendly debate with technical staff over the relative strength of a particular mobile device’s encryption, it occurred to me that we were focusing on some of the common “techy” issues such as passwords, encryption, device wiping and ActiveSync support, when we should have been considering larger Information Governance issues. So below is my attempt to combine both IT and Information Governance considerations into (the start of) a list of the issues a firm should consider when deciding to support a new mobile device or platform.

 

  • Will work product be created on the device?  If so, is there a secure, reliable way to get that information back to the document management system?
  • Could the device contain work in progress, such that if the device is lost or broken, the firm could be at risk if the work can’t be recovered (for example, a deadline is missed)?
  • Once working copies of information are no longer needed for business reasons, can they be securely deleted?
  • Is it possible unique work product could exist on the device in question?  If so, is there an effective way to implement a litigation hold on that device should such action become necessary?
  • Can personal information and documents be segregated from firm information and documents?
  • When the device reaches the end of its useful life or the person using the device no longer has a need to view certain firm information, or the device is leaving the organization, is there a reliable way to securely delete the firm’s information from the device, ideally without impacting the user’s personal information?
  • Can the device easily be updated with security patches and O/S updates?
  • Will the tools the firm uses (e.g. Mobile Device Management tools) to enforce security policies, such as password length, inactivity time before locking, remote wipe, encryption and similar, work reliably on the device?
  • Can the device be managed in the firm’s existing framework to help mitigate risks of unauthorized access to work product via, for example, a lost device or via exfiltration to an unsecure third party?

The answers to the above are typically a mixture of tech tools, policy, process, and risk tolerance. The right mix for one firm to support a device might be inadequate for a different firm. Additionally, this list is certainly incomplete, and I intentionally left out political issues such as who wants the device, and market issues such as the device's long-term prospects.

What items are on your list?
