How to Plan for Smartphone Security in the Enterprise

One of the major challenges CIOs face is the deployment and security of smartphones in the enterprise. It's important for CIOs to assess how their organization should secure the smartphones employees use to access corporate resources. Here, Knowledge Center contributor Chris De Herrera explains how CIOs can deal with some common security concerns regarding smartphones deployed in the enterprise, including Apple iPhone, RIM BlackBerry, Windows Mobile, Google Android and Palm Pre devices.


If you are a CIO, you face several challenges when it comes to deploying smartphones in your enterprise. Among the most important is determining the security requirements of your organization. Just like laptops and notebooks used in the enterprise, smartphones often contain corporate data and can access internal corporate resources. Since these devices are used as an extension of, or replacement for, the desktop or laptop, they need to be secured and managed to the same standard.

In most companies, IT security policies already address mobile security for laptops and notebook PCs. The security policies applied to those computers should be used as a basis for creating policies that specifically address smartphone configuration and use in the enterprise. After you have thoroughly defined your security requirements, you need to apply the typical "who, what, where, when and how" approach to securing your organization's smartphones.

One of the initial steps requires defining who owns the devices your organization's employees use to perform their jobs, and who is responsible for their cellular contracts. Then you need to determine what data is (or is likely to be) stored on the device. With that information, you can determine what level of security should be configured on it.

Today, about half of the smartphones deployed are "individual-liable" devices, meaning their users acquired them and are responsible for their service contracts. The other half are "corporate-liable" devices. When individual users acquire their devices, the company accepts responsibility to secure users' data on those devices, as well as any corporate data stored on them (because security is applied to the smartphone as a whole). The situation becomes more complex when the company does not own the devices or phone numbers used by employees.

Security concerns can arise when the user of one of those devices leaves the company, retaining both the phone and the number. Keep these issues in mind as you decide which approach would work best for your organization. With corporate-liable devices, you control all aspects of the acquisition, cellular service and security of the smartphone.