Mobile Device Policy

A full service stock-broking firm wanted to publish their Mobile Device Policy as part of their Information Security initiatives. They had recently implemented a specific MDM (Mobile Device Management) tool. The brief was that the policy had to cover both company provided mobile devices, as well as BYOD (Bring Your Own Device). The policy also had to mention exceptions, and cater to devices where the MDM tool was not implemented. The policy had to list down provisions that covered all these aspects, while at the same time remained relatable to end-users in view of the specific provisions and functionalities of the MDM tool implemented.

The broking firm required a Mobile Device Policy to meet its regulatory and information security requirements. I created one from scratch, on the basis of specific requirements, and taking into consideration key aspects unique to the organization.

Goals/Requirements: The following dependencies and requirements had to be satisfied as part of this exercise: • Coverage across both company owned and BYOD devices. • Incorporation of unique functionalities of the MDM solution implemented in the organization. • Mention of specific provisions for devices where the MDM solution was not implemented.

I started with researching generic templates of information security policy documents, but had to quickly start customizing them to meet the unique requirements of the client. Further research was required to understand the MDM tool implemented and to discuss with the implementation and maintenance team of the client to get a deeper insight into the specific idiosyncrasies of how the tool was implemented at this client's place.

I made three lists - provisions specific to company owned devices, provisions specific to BYOD devices, and common provisions that applied to all devices. While doing this, I had to be conscious of the MDM functionalities, and use terms that the end-users would be familiar with.

A fresh new process had to be discussed with the client when I discovered that there were devices that did not have the MDM tool implemented in them. I helped design the contours of this process, and incorporated the same into the policy document.

The biggest success of this project was demonstrated by the fact that the very first draft was accepted as the final draft, after review by three departments of the client, and directly incorporated and published as policy. This enhanced the faith that the client had in me, and ensured a continuing engagement with them.

<Name withheld> Chief Operating Officer

My key takeaway from this project was that sometimes even when the scope appears crystal clear, there would be a certain section or process that may not have been thought through - which in this case was the provisions required for devices without MDM. I was happy to add value to the project as it went along, and managed to deliver the end result well within timelines.