Assume you are tasked with designing a new policy that highlights information security best practices related specifically to mobile devices at RIT, including laptops, smartphones, and tablets. The new policy should supplement RIT’s Information Security Policy and Acceptable Use Policy (case Exhibits 4 and 5). What practices would you recommend? How could you make staff aware of the policy and encourage their compliance?
Comments
Yusen Luo says
(1) Use multi-factor authentication (MFA) for accessing RIT systems and sensitive information.
(2) Install and maintain anti-malware software on all mobile devices.
(3) Use Virtual Private Network (VPN) services when accessing RIT resources over public or unsecured Wi-Fi networks.
(4) Regularly back up data stored on mobile devices to secure, RIT-approved storage solutions.
(5) Implement remote wipe capabilities to erase data on lost or stolen devices.
(6) Inform users about the risks of phishing and social engineering attacks.
As for policy awareness and compliance, we can:
(1) Distribute the policy through email, internal newsletters, and RIT’s intranet, or highlight key points during staff meetings and orientation sessions.
(2) Conduct mandatory training sessions for all new employees and periodic refresher courses for existing staff.
(3) Establish channels for staff to provide feedback on the policy and suggest improvements.
Qian Wang says
For designing a new policy specifically addressing information security best practices for mobile devices at RIT, I would recommend the following practices:
(1) Data Encryption: All mobile devices should be equipped with full-disk encryption to protect sensitive data at rest.
(2) Data Deletion Policies: Develop clear policies on when and how data should be deleted from devices, especially after device reassignment or disposal.
(3) Remote Wiping Capabilities: In case of loss or theft, devices should have remote wiping capabilities to erase data quickly and prevent unauthorized access.
(4) Limited Access: Implement role-based access control to limit what data individuals can access via their mobile devices.
To ensure compliance with this policy, RIT could develop an online training module for employees that covers these topics in detail. Additionally, regular audits and spot checks could be conducted to verify adherence to these guidelines. The use of technology tools like secure access gateways and monitoring software could further enhance security measures and provide real-time alerts for suspicious activity.
Tongjia Zhang says
Recommended information Security Best Practices
1. Mandatory security configuration: All mobile devices must have the latest security patches and updates enabled. Set a strong password or biometrics (such as fingerprints, facial recognition) as a means of authentication. Enable remote lock and wipe in case your device is lost or stolen. Automatic connection to public Wi-Fi networks is prohibited, and employees should use RIT’s VPN for remote connection.
2. Data protection: Sensitive data should be stored encrypted and transmitted using secure protocols (such as TLS/SSL). Perform regular backups and ensure that backup data is also stored encrypted. Use RIT-approved mobile apps to access and store data.
3. User behavior: Educate employees on the means to identify phishing attacks and malware. Storing or transmitting RIT’s sensitive information in unauthorized applications is prohibited. Employees are encouraged to report any suspicious activity or security incidents.
4. Mobile Device Management (MDM): Deploy an MDM solution to centrally manage security settings and policies for mobile devices. Monitor device health, including battery life, storage space, and application installation.
5. App Rights Management: Review and limit the rights of third-party apps to ensure they do not have excessive access to device or network data. Do not install applications that are not approved by RIT.
Improve employee understanding of and compliance with the policy
1. Training and education: Conduct regular online or in-person training seminars to educate employees about the content and importance of the new policy. Create training materials (e.g., videos, manuals) that are easy to understand and accessible to employees.
2. Publicity: Post information about the new policy on the company’s internal website, email and bulletin board. Use social media and internal communication channels to spread the word.
3. Policy Alerts: Display policy summaries or alerts when employees log in to the RIT system. Display prompts related to device security when the device is started or unlocked.
4. Feedback and rewards: Establish a feedback channel to encourage employees to report their views and suggestions on the policy. Recognize and reward employees who comply with the policy, for example through internal recognition or point systems.
5. Enforcement: Discipline employees who violate policies and take legal action if necessary. Conduct regular security audits of employees’ mobile devices to ensure compliance with policy requirements.
6. Continuous improvement: Periodically evaluate the effectiveness of policy implementation and make necessary adjustments based on employee feedback and audit results. Communicate with IT security experts in other departments to stay abreast of the latest security threats and best practices.
By implementing these recommended practices and policies, we can enhance the information security of RIT mobile devices and ensure that employees comply with relevant policies and regulations.
Menghe LI says
Recommended Practices for Mobile Device Security
To supplement RIT’s Information Security Policy and Acceptable Use Policy, the following best practices are recommended for securing mobile devices such as laptops, smartphones, and tablets:
Device Encryption:
Full Disk Encryption: Ensure all mobile devices are equipped with full disk encryption to protect data in case of theft or loss.
Encrypted Communication: Use secure, encrypted channels (e.g., VPNs) for accessing RIT networks and resources.
Access Controls:
Strong Authentication: Implement multi-factor authentication (MFA) for accessing university systems and sensitive data.
Biometric Security: Encourage the use of biometric authentication (fingerprint, facial recognition) where feasible.
Device Management:
Mobile Device Management (MDM): Utilize MDM solutions to manage and secure devices remotely, including the ability to wipe data on lost or stolen devices.
Regular Updates: Ensure that all devices are regularly updated with the latest security patches and software updates.
Data Backup:
Automatic Backups: Implement policies requiring regular, automated backups of critical data stored on mobile devices.
Secure Storage: Store backups in secure, encrypted locations to prevent unauthorized access.
User Training and Awareness:
Regular Training Sessions: Conduct regular training sessions on mobile device security, highlighting common threats and best practices.
Phishing Awareness: Educate users about phishing attacks and how to recognize and report suspicious emails or messages.
Physical Security:
Secure Storage: Encourage users to store devices in secure, locked locations when not in use.
Tracking Solutions: Use device tracking solutions to locate lost or stolen devices quickly.
Incident Response:
Reporting Procedures: Clearly define procedures for reporting lost or stolen devices immediately.
Response Plans: Develop and regularly update incident response plans specific to mobile device security breaches.
Promoting Awareness and Compliance
To ensure the effective implementation of this policy, the following strategies can be employed:
Policy Dissemination:
Clear Communication: Distribute the new policy through multiple channels, including email, university intranet, and printed materials.
Accessible Documentation: Make the policy easily accessible on the university’s website and ensure it is written in clear, understandable language.
Training Programs:
Mandatory Training: Implement mandatory training sessions for all staff and students, including new hires and incoming students.
Interactive Workshops: Conduct interactive workshops and simulations to reinforce the importance of mobile device security and practical implementation of the policy.
Regular Reminders:
Email Reminders: Send periodic email reminders highlighting key aspects of the policy and any updates or changes.
Awareness Campaigns: Run awareness campaigns using posters, flyers, and digital signage around campus.
Monitoring and Enforcement:
Compliance Checks: Conduct regular compliance checks and audits to ensure adherence to the policy.
Feedback Mechanism: Provide a mechanism for users to provide feedback on the policy and report any issues or concerns.
Dongchang Liu says
Policy Recommendations:
1. All laptops, smartphones, and tablets must be encrypted to protect data in case of loss or theft.
2. Regular Software Updates: Devices must be kept up-to-date with the latest operating system and software updates.
3. Devices must use strong passwords and enable two-factor authentication for accessing sensitive information.
4. Devices should have the capability to be wiped remotely in case they are lost or stolen.
5. Users must regularly back up their data to an approved cloud service or external storage.
6. Regular training sessions on recognizing and avoiding phishing attempts.
Ensuring Staff Awareness and Compliance:
1. Conduct regular training sessions and workshops on the new security policies and best practices.
2. Use emails, intranet postings, and physical posters to inform staff about the new policies and their importance.
3. Implement monitoring systems to ensure compliance with security policies and report non-compliance issues.
Yihan Wang says
We could design a new policy to supplement RIT’s Information Security Policy and Acceptable Use Policy according to the material NIST.CSWP. It mentioned the Framework Core Structure, which can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. We could use this framework to supplement the policy or even rebuild it.
There are five Framework Functions: Identify, Protect, Detect, Respond, and Recover.
For this case, here are the supplements to the policy.
ID.AM-3: Organizational communication and data flows are mapped. The department should back up every mobile device at RIT every 24 hours.
In the case, they let the users back up the data themselves. So when they checked the 9-digit and 16-digit numeric strings, it was the latest backup data, but not the latest data on the Dean’s device.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value. Devices like computers with important data will not be allowed to leave the college. Data like PII should be used and stored on desktop computers.
RS.AN-3: Forensics are performed. The manager who takes responsibility for handling the emergency should record their conversations with the people involved in the emergency.
As Manager of Technical Services for the College, Nick Francesco asked the Dean if there was PII on the computer. When he got a negative answer, he preliminarily decided that there was no need for another round of monitoring. He should have recorded the Dean’s words.
RS.IM-2: Response strategies are updated. Mobile devices with PII will not be allowed to leave the school.
From the material we know that two incidents in recent memory had also involved stolen laptops at RIT. Personally identifiable information (PII) was stored in various files on those laptops, exposing many people to a risk of identity theft. When this happened twice, they should have made a new policy and alerted all the staff to take notice of it.
From my perspective, I think the college should make their staff more familiar with their own information security policy. Maybe let a person like Nick Francesco, Manager of Technical Services for the College, give a lecture once a month for all the staff in the school, and let the staff take an examination to check whether they have improved their awareness of information security. If they cannot pass the exam, or some incident is caused by their mistake, reducing their salary might be an effective way to encourage their compliance.
Zhichao Lin says
Recommended Practices:
1. Require full disk encryption on all mobile devices to protect data in case of loss or theft.
2. Implement multi-factor authentication for accessing institutional data on mobile devices.
3. Prohibit the use of public Wi-Fi for accessing sensitive information. Encourage the use of VPNs when connecting to the institute’s network remotely.
4. Ensure that all mobile devices are equipped with remote wipe capabilities to delete data if the device is lost or stolen.
5. Mandate regular updates for operating systems and applications to protect against vulnerabilities.
Policy Awareness and Compliance:
1. Conduct mandatory training sessions that include practical demonstrations on securing mobile devices.
2. Perform regular audits to ensure compliance with the policy and provide feedback.
3. Implement a system of incentives for compliance and penalties for non-compliance to reinforce the importance of the policy.
4. Establish a feedback mechanism where staff can report difficulties in complying with the policy or suggest improvements.
Xinyue Zhang says
3. Improve the information security awareness of RIT (Rochester Institute of Technology) when using mobile devices (laptops, smartphones and tablets) to reduce the occurrence of data breaches and security incidents.
a. Device encryption: All mobile devices must enable full encryption to ensure that data cannot be accessed illegally if the device is lost or stolen.
b. Security Authentication: All devices must be configured with Multi-factor authentication (MFA) to access RIT networks and systems. Implement a strict password policy, change passwords regularly and prohibit the use of weak passwords.
c. Device management: Configure all mobile devices so that data can be remotely locked and erased if lost or stolen. Ensure that the operating system and all applications are automatically updated to prevent known vulnerabilities from being exploited.
d. Data backup: All important data must be backed up regularly to a secure cloud storage or RIT backup.
Ruoyu Zhi says
Here are some recommended practices to include in the policy:
(1) Password Protection: Mandate the use of strong passwords, passcodes, or biometric authentication methods on all mobile devices to prevent unauthorized access.
(2) Regular Updates and Patches: Require users to regularly update their mobile devices with the latest security patches.
(3) Device Encryption: Require all mobile devices used for RIT-related activities.
(4) Data Backup: Encourage users to regularly back up data stored on their mobile devices.
To make staff aware of the policy and encourage their compliance, consider the following strategies:
(1) Training Sessions: Conduct mandatory training sessions or workshops to educate staff about the new policy, its importance, and how to adhere to its guidelines.
(2) Policy Acknowledgment: Require staff to acknowledge receipt and understanding of the policy.
(3) Incentives and Recognition: Consider offering incentives or recognition to staff members who demonstrate exemplary adherence to the mobile device security policy.
Ao Li says
a)What practices would you recommend?
-Regularly update to ensure all mobile devices have the latest operating systems, applications and security patches.
-Restrict access to sensitive data and applications to authorized users and devices.
-Implement strong password policies that require users to change their passwords regularly and prohibit the reuse of the same password on multiple devices.
-Remote lock and wipe to prevent data leakage due to device loss.
-Establish a regular backup and recovery plan to restore data in the event of device failure or data loss.
-Mobile devices should have up-to-date antivirus software installed to protect against malware and other cyber threats.
b)How could you make staff aware of the policy and encourage their compliance?
-Include information security as part of employee appraisal evaluations
-Establish a system of rewards and penalties. Reward employees who identify security issues and penalize employees who trigger information security hazards.
-Provide regular training and education to employees on information security best practices for mobile devices. Examples include online courses, lectures.
-Disseminate the new information security policy through intranet sites, emails, posters, etc. to ensure that all employees are aware of and understand its content and requirements.
Yifei Que says
(1) Clearly define the scope and responsibilities of device use: Clearly define which RIT mobile devices fall within the scope of policy jurisdiction. Each employee using RIT mobile devices is required to sign a responsibility statement, confirming their understanding and agreement to comply with relevant policies and best practices.
(2) Strong password policy and regular updates: Force strong password policy to include uppercase and lowercase letters, numbers, and special characters. Encourage employees to regularly change passwords to reduce the risk of being cracked.
(3) Regular security audits and training: Conduct regular security audits on RIT mobile devices to ensure compliance with best practices. Provide regular information security training to enhance employee security awareness and skills.
(4) Establish a reward and punishment mechanism: Reward employees who actively comply with the new policy, such as commendation, bonuses, etc. Provide appropriate punishments, such as warnings, fines, or disciplinary actions, to employees who violate the new policy.
(5) Continuous monitoring and evaluation: Regularly monitor and evaluate the implementation of new policies to ensure their effectiveness and applicability. Adjust and improve new policies in a timely manner based on the evaluation results.
Jianan Wu says
My proposed new policy on information security best practices for RIT mobile devices should cover the following aspects: first, enforce device encryption to ensure that data will not be leaked even if the device is lost or stolen. Secondly, set complex and unique passwords, replace them regularly, and enable dual authentication to improve security. In addition, employees are required not to store or transmit sensitive data on unauthorized applications, and to install and regularly update security software.
To ensure that employees understand and comply with the new policy, we will take the following measures: communicate the policy content to employees through internal emails and meetings, and emphasize its importance in employee onboarding training. At the same time, regular information security training should be established to enhance employees’ security awareness and operational skills. In addition, we will establish a reward mechanism to recognize employees who comply with policies, in order to motivate more employees to actively participate in information security work.
Mengfan Guo says
To enhance information security on mobile devices at Rochester Institute of Technology (RIT), I recommend the following best practices:
1. Device Encryption: Require that all mobile devices, including laptops, smartphones, and tablets, enable hardware-level encryption to protect sensitive data stored on the device.
2. Strong Password Policy: Users of all mobile devices are required to set strong passwords and change them regularly. Passwords should contain letters, numbers, and special characters, and should be long enough.
3. Security updates and patches: All mobile device operating systems and applications must promptly install security updates and patches to fix known vulnerabilities and weaknesses.
4. App Control: Users of all mobile devices are required to download and install apps only from the official app store, and unauthorized apps are prohibited.
In order to make employees aware of and comply with the new policy, the following measures can be taken:
1. Training and Education: Organize regular information security training and education events to educate employees about best practices and security considerations for mobile devices.
2. Internal communication: Communicate the new policy to employees through internal emails, employee newsletters and internal websites.
Wenhan Zhao says
Practices
1. Strong Passwords: Users should be required to set strong passwords, including a combination of letters, numbers, and special characters, and should be changed regularly. (like the temple’s website, it is required to be updated semi-annually)
2. Authentication: In addition to the password, additional security authentication is required, such as a fingerprint or a real-time dynamic password.
3. Remote Wiping: When a mobile device is lost or stolen, remote wiping should be enabled to prevent unauthorized access to sensitive data.
4. Encryption: All mobile devices should be encrypted to protect the data stored on them.
Practices
1. Reminders: Send periodic reminders via e-mail or internal messaging systems.
2. Training: Training periodically to educate staff on the policy of information security and how to do it.
Luxiao Xue says
Here are some of the recommendations I will include in the new mobile device security policy:
1. Encryption: Require full disk encryption for all mobile devices issued by RIT or used to access RIT data. This prevents unauthorized access to the data.
2. Password protection: Enforce strong passwords and configure the device to automatically lock after a short period of inactivity, which can prevent unauthorized use.
3. Backup: Mobile device data is regularly backed up to a secure network location.
4. Remote tracking: Implement software to track the physical location of mobile devices owned by RIT in case of loss.
I will help employees understand this policy in the following ways:
1. Make the policy easily accessible to all employees, for example through an intranet or employee handbook, explaining the key points of the policy and its importance.
2. Send regular reminders or briefings highlighting key aspects of the policy.
3. Consider implementing an incentive system that rewards employees who perform well in complying with policies or reporting potential violations.
4. Clearly outlining the consequences of policy violations reinforces the importance of compliance.
The key is to make mobile security part of the corporate culture through multi-faceted training, clear policies, and user-friendly technology controls.
Fang Dong says
For RIT’s mobile devices, including laptops, smartphones, and tablets, I recommend the following information security best practices:
1. Device encryption: Require data on all mobile devices to be encrypted to prevent data from being accessed by unauthorized persons if the device is lost or stolen.
2. Strong password policy: Require all user accounts on mobile devices to use strong passwords, preferably including capital letters and special symbols; try to avoid using birthdays and phone numbers as passwords, and change passwords regularly.
3. Multi-factor authentication: Encourage the use of multi-factor authentication to increase the security of devices and accounts.
4. Update the operating system and applications regularly: Users are required to regularly update the operating system and applications on their mobile devices to get the latest security patches and features.
5. Remote lock and erase function: Require all mobile devices to have remote lock and erase functions enabled to prevent sensitive data leakage if the device is lost or stolen.
6. Secure Wi-Fi connections: Remind users to only connect to trusted Wi-Fi networks and avoid using public wireless networks to transmit sensitive information.
7. Secure app downloads: Users are encouraged to download apps only from official app stores and avoid downloading apps from unknown sources.
8. Back up data regularly: Remind users to back up data on their mobile devices regularly to prevent data loss or damage.
In order to make employees aware of and comply with the new policy, the following steps can be taken:
1. Issue a policy notice: Issue a policy notice to all employees via email, the internal website or other appropriate channels, clearly stating the content and requirements of the new policy.
2. Provide training and education: Organize information security training and education.
Zijian Tian says
RIT Mobile Device Security Best Practices
1. Data Protection
Encryption: Use safer encryption on all mobile devices.
Password Protection: Set strong passwords and enable biometric authentication.
2. Secure Access
Multi-Factor Authentication (MFA): Use of MFA for accessing RIT systems.
VPN: Connect to RIT through a VPN on public networks.
3. Updates
Regular Updates: Keep operating systems and applications up-to-date with automatic updates.
Security Software: Install and update antivirus and anti-malware programs.
4. Backup and Recovery
Regular Backups: Regularly back up data to secure cloud storage.
Data Recovery: Follow IT guidelines for data recovery.
5. Lost or Stolen Devices
Reporting: Immediately report lost or stolen devices to IT.
Remote Wipe: Enable remote wipe to delete data on lost/stolen devices.
6. Training and Awareness
Regular Training: Conduct regular security training.
Awareness Campaigns: Promote security knowledge through various internal channels.
7. Compliance and Auditing
Compliance Checks: Regularly check for policy adherence.
Security Audits: Conduct regular audits to identify and fix vulnerabilities.
Promotion and Incentives
Promoting the Policy
Onboarding Training: Include security training in new employee onboarding.
Regular Updates: Communicate updates via emails and intranet.
Clear Guides: Provide clear policy documents and guides.
Incentives
Reward Program: Recognize and reward employees who follow security policies.
Competitions: Organize security knowledge competitions and drills.
Feedback System: Encourage suggestions for security improvements and reward valuable contributions.
These simplified practices will enhance mobile device security and ensure data protection at RIT.
Chaoyue Li says
1. Multiple login authentication: email and password authentication at the same time, or other authentication methods together.
2. Temporary password: After the equipment is confirmed lost, the system administrator will temporarily suspend the original password and give the user a new password, which is designed to enable the rapid replacement of passwords.
3. Continuing education: Provide training for relevant employees on a periodic basis, training employees to develop a sense of confidentiality.
4. Inspection mechanism: Regularly check the implementation status.
Yucheng Hou says
Information security Best Practice Recommendations:
1. Improve user security awareness: First of all, strengthen the security awareness education of employees, so that they can identify and avoid phishing attacks and malware. At the same time, employees are encouraged to actively report any suspicious activity or security incidents and work together to maintain the safety of the organization.
2. Strict data protection measures: Security protocols such as TLS/SSL are used to encrypt the storage and transmission of sensitive data to ensure the security of data during transmission. At the same time, backup data is regularly backed up and encrypted to prevent data loss or unauthorized access.
3. Enhanced Mobile Device Management (MDM): MDM solutions are deployed to centrally manage security settings and policies for mobile devices. This includes monitoring the health of the device, such as battery life, storage space and application installation, to ensure that the device is always in top condition.
4. Control app permissions: Strictly review and limit the permissions of third-party apps to prevent them from accessing device or network data excessively. Employees are also advised to avoid installing non-RIT approved applications to ensure the security of the mobile environment.
5. Implement mandatory security configurations: Require all mobile devices to update to the latest security patches and updates, and enable strong passwords or biometrics (such as fingerprints, facial recognition) as authentication methods. In addition, remote lock and wipe functions are enabled in case the device is lost or stolen. At the same time, employees are not recommended to automatically connect to public Wi-Fi, but to use RIT’s VPN for remote connection for increased security.
To ensure that employees fully understand and comply with information security policies, the following comprehensive strategies are proposed:
1. Policy acquisition and education: Make policies easily accessible through internal web portals or employee manuals. Highlight key points of the policy and explain the importance of complying with the policy. Conduct mandatory training sessions or seminars to educate employees about the policy, its importance, and the guidelines for complying with it.
2. Regular reminders: Send regular notifications to employees, focusing on key policy points. Provide briefings to refresh employees’ memories on key aspects.
3. Policy Confirmation: Employees must confirm that they have received and understood the policy.
4. Incentives and recognition: Consider a reward program for employees who comply with policies or report potential violations. Reward employees for outstanding performance in mobile device security policies.
5. Consequences of violations: Clearly state the consequences of policy violations to emphasize the importance of compliance with the policy.
Weifan Qiao says
Suggest inclusion in policies:
1. Device Encryption:
Require all mobile devices used for RIT-related activities to enable encryption for data stored on the device. This includes full disk encryption for laptops and encryption for data at rest on smartphones and tablets.
2. Strong Authentication:
Implement multi-factor authentication (MFA) for accessing RIT resources from mobile devices. Require the use of strong passwords or biometric authentication methods to prevent unauthorized access.
3. Remote Wipe and Lock:
Enable remote wipe and lock capabilities for all RIT-issued mobile devices. In case of loss or theft, this feature allows administrators to remotely erase sensitive data and lock the device to prevent unauthorized access.
4. Secure Wi-Fi Usage:
Educate users on the risks associated with connecting to unsecured Wi-Fi networks and encourage the use of virtual private networks (VPNs) when accessing sensitive RIT data over public networks.
5. Data Backup and Syncing:
Encourage users to regularly back up data stored on their mobile devices to secure cloud storage or RIT-approved backup solutions. Discourage the use of personal cloud storage services for storing RIT data.
To make employees aware of this policy and encourage compliance, the following strategies need to be considered:
1. Training and Awareness Programs:
Conduct regular training sessions and awareness campaigns to educate staff about the importance of mobile device security and the specific practices outlined in the policy. Use real-life examples and scenarios to illustrate security risks and best practices.
2. Regular Communication:
Use multiple communication channels, such as email newsletters, intranet portals, posters, and digital signage, to reinforce key security messages and updates related to mobile device security.
3. Technical Controls and Enforcement:
Implement technical controls, such as MDM solutions, to enforce security policies and automate compliance monitoring. Regularly audit mobile devices for adherence to security standards and take corrective actions as needed.
4. Incentives and Recognition:
Recognize and reward staff members who demonstrate exemplary compliance with mobile device security best practices. Consider offering incentives, such as gift cards or commendations, to encourage positive behavior.
5. Feedback Mechanism:
Establish a feedback mechanism for staff to report any challenges or concerns related to mobile device security practices. Encourage open communication and address feedback promptly to improve policy effectiveness and user experience.
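The "technical controls and enforcement" item above (MDM enforcement plus periodic audits) can be reduced to a small compliance check run over the device inventory an MDM exports. The block below is an added example written for this page, not code from the thread or from RIT; the inventory records, the field names and the policy thresholds are constructed for illustration, and a fixed audit date is used so the run is reproducible.

```python
"""Mobile-device policy compliance audit over a constructed MDM inventory.

Added example, not code from the original page. The inventory format
(field names below) is a hypothetical MDM export; real products differ.
"""
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (assumed values, chosen to mirror the thread's bullets).
POLICY = {
    "min_passcode_length": 8,
    "max_patch_age_days": 30,      # security updates applied within 30 days
    "max_backup_age_days": 7,      # a backup at least weekly
    "approved_storage": {"rit-onedrive", "rit-backup"},  # no personal cloud
}

# Constructed sample export: one compliant laptop, one phone with several
# violations, one tablet that was never enrolled.
DEVICES = [
    {"id": "LT-0001", "type": "laptop", "enrolled": True, "encrypted": True,
     "passcode_length": 12, "mfa": True, "remote_wipe": True,
     "last_patch": "2024-03-10", "last_backup": "2024-03-12",
     "backup_target": "rit-onedrive"},
    {"id": "PH-0002", "type": "phone", "enrolled": True, "encrypted": False,
     "passcode_length": 4, "mfa": True, "remote_wipe": True,
     "last_patch": "2024-01-20", "last_backup": "2024-03-14",
     "backup_target": "personal-dropbox"},
    {"id": "TB-0003", "type": "tablet", "enrolled": False, "encrypted": True,
     "passcode_length": 10, "mfa": False, "remote_wipe": False,
     "last_patch": "2024-03-01", "last_backup": None,
     "backup_target": None},
]


def _age_days(iso_date: Optional[str], today: date) -> Optional[int]:
    """Days between an ISO date string and `today`; None if no date."""
    if iso_date is None:
        return None
    return (today - date.fromisoformat(iso_date)).days


def check_device(dev: dict, policy: dict, today: date) -> List[str]:
    """Return the list of policy findings for one device (empty = compliant)."""
    findings: List[str] = []
    if not dev["enrolled"]:
        findings.append("not enrolled in MDM")
    if not dev["encrypted"]:
        findings.append("storage encryption disabled")
    if dev["passcode_length"] < policy["min_passcode_length"]:
        findings.append(
            f"passcode shorter than {policy['min_passcode_length']} characters")
    if not dev["mfa"]:
        findings.append("MFA not enforced for RIT resources")
    if not dev["remote_wipe"]:
        findings.append("remote wipe/lock not enabled")

    patch_age = _age_days(dev["last_patch"], today)
    if patch_age is None or patch_age > policy["max_patch_age_days"]:
        findings.append(f"security patches {patch_age} days old")

    backup_age = _age_days(dev["last_backup"], today)
    if backup_age is None:
        findings.append("no backup recorded")
    else:
        if backup_age > policy["max_backup_age_days"]:
            findings.append(f"last backup {backup_age} days old")
        if dev["backup_target"] not in policy["approved_storage"]:
            findings.append(
                f"backup to unapproved storage {dev['backup_target']!r}")
    return findings


def audit(devices: List[dict], policy: dict, today: date) -> Dict[str, List[str]]:
    """Map device id -> findings for the whole inventory."""
    return {d["id"]: check_device(d, policy, today) for d in devices}


def compliance_rate(report: Dict[str, List[str]]) -> float:
    """Fraction of devices with no findings (0.0 if the report is empty)."""
    if not report:
        return 0.0
    return sum(1 for f in report.values() if not f) / len(report)


if __name__ == "__main__":
    report = audit(DEVICES, POLICY, date(2024, 3, 15))  # fixed audit date
    for dev_id, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{dev_id}: {status}")
    print(f"compliance rate: {compliance_rate(report):.0%}")
```

In practice the `DEVICES` list would be replaced by the MDM's export (CSV or API), and the findings would feed a ticket queue or the "corrective actions" the comment mentions; keeping the thresholds in one `POLICY` mapping means the policy document and the audit code can be reviewed side by side.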
Baowei Guo says
When designing a new policy, we should focus on the following aspects:
1. Regularly update and strengthen security awareness training: ensure that all employees, especially those who frequently use mobile devices, receive regular information security training to understand the latest threats and preventive measures.
2. Device encryption and security software: it is mandatory for all mobile devices to enable strong encryption and to have security software pre-installed, such as anti-virus and anti-malware tools.
3. Remote wipe function: implement a remote wipe function to quickly erase sensitive data when a device is lost or stolen.
4. Access control and authentication: implement strict access control policies, including multi-factor authentication, to limit unauthorized access.
5. Data classification and the principle of least privilege: ensure that employees only access the data needed for their work, and manage data according to its sensitivity classification.
6. Mobile device management policy: formulate a clear policy that stipulates when and where personal devices can be used for work, and the reporting process after a device is lost.
7. Incentive and punishment mechanism: encourage employees to abide by the policy by rewarding compliant behaviour and appropriately penalizing violations.
In order to ensure that employees understand and abide by the policy, the following measures can be taken:
1. Release and communication: formally release the new policy through e-mail, internal communications and staff meetings, and explain its importance.
2. Interactive training: hold workshops and seminars in which employees participate in simulated scenarios and learn how to deal with security threats.
3. Regular reminders: remind employees to pay attention to information security through internal announcements, screen savers or login prompts.
4. Case studies: share real cases and show the possible consequences of non-compliance.
5. Feedback channel: set up a feedback mechanism so that employees can easily report security problems or make suggestions for improvement.
6. Audit and evaluation: conduct regular security audits to evaluate the implementation of the policy and make adjustments as needed.
Kang Shao says
In order to strengthen information security on RIT mobile devices, we need to establish a series of new information security policies.
1. Strengthen and update the existing security configuration, and add more mandatory security settings, including but not limited to biometric authentication. At the same time, establish remote lock and wipe procedures.
2. Prohibit automatic connections. When accessing resources through public networks, VPN services should be used.
3. Restrict third-party applications.
4. For sensitive data, encryption should be used in transmission. Perform regular backups.
In addition to formulating the relevant security policies, it is also necessary to enhance employees' security awareness and their understanding of and compliance with the policies.
1. Regularly provide security education to employees.
2. Establish a reward and punishment mechanism with mutual supervision.
3. Strengthen security awareness promotion within the unit.
Yimo Wu says
When designing a new policy that highlights information security best practices related specifically to mobile devices at RIT, the following practices should be considered:
1. Implementing strong passwords and multi-factor authentication for all mobile devices.
2. Encrypting all sensitive data stored on mobile devices.
3. Implementing remote wipe capabilities for lost or stolen devices.
4. Providing regular security updates and patches for all mobile devices.
5. Implementing mobile device management (MDM) solutions to manage and secure mobile devices.
6. Providing training and awareness programs to educate staff on mobile device security best practices.
7. Implementing policies that restrict the use of unapproved mobile devices for work purposes.
8. Implementing policies that require staff to report lost or stolen mobile devices immediately.
To make staff aware of the new policy and encourage compliance, the following steps could be taken:
1. Providing training and awareness programs to educate staff on mobile device security best practices.
2. Distributing the policy to all staff members and requiring them to sign an acknowledgement form.
3. Providing regular reminders and updates on mobile device security best practices.
4. Implementing a system to monitor compliance with the policy and take corrective action when necessary.
5. Providing incentives for staff who comply with the policy and take extra steps to secure their mobile devices.
Yuqing Yin says
Here are some recommendations for the new mobile device security policy:
1. Device Encryption: require that all mobile devices, including laptops, smartphones, and tablets, enable hardware-level encryption to protect sensitive data stored on the device.
2. Strong Password Policy: users of all mobile devices are required to set strong passwords and change them regularly. Passwords should contain letters, numbers, and special characters, and should be long enough.
3. Security updates and patches: All mobile device operating systems and applications must be promptly installed with security updates and patches to fix known vulnerabilities and weaknesses.
4. App Control: Users of all mobile devices are required to download and install apps only from the official app store, and unauthorized apps are prohibited.
Here are some measures which can make employees aware of and comply with the new policy:
1. Conduct mandatory training sessions that include practical demonstrations on securing mobile devices.
2. Perform regular audits to ensure compliance with the policy and provide feedback.
3. Implement a system of incentives for compliance and penalties for non-compliance to reinforce the importance of the policy.
Jingyu Jiang says
I would recommend the following:
1. Set strong password requirements: require all RIT mobile device users to set strong passwords and change them regularly. The password shall include letters, numbers, and special characters, and shall be long enough.
2. Encrypted data storage: require that all sensitive data stored on RIT mobile devices be encrypted. This can be done by using encryption software or by enabling the encryption capabilities of the device itself.
3. Regular backup of data: all RIT mobile device users are required to back up their data regularly. This can be done through cloud storage services or other backup solutions.
4. Install security software: all RIT mobile device users are required to install and regularly update security software, such as antivirus software and firewalls.
5. Cultivate employees' awareness of the security and protection of encrypted data, and provide regular training.
Ziyi Wan says
For RIT's mobile devices, we can:
1. Device encryption: require data on all mobile devices to be encrypted to prevent data from being accessed by unauthorized persons if the device is lost or stolen.
2. Strong password policy: require all user accounts on mobile devices to use strong passwords and change them regularly.
3. Multi-factor authentication: encourage the use of multi-factor authentication to increase the security of devices and accounts.
4. Update the operating system and applications regularly: users are required to regularly update the operating system and applications on their mobile devices to get the latest security patches and features.
5. Remote lock and erase function: require all mobile devices to have the remote lock and erase function enabled to prevent sensitive data leakage if the device is lost or stolen.
6. Secure Wi-Fi connections: remind users to only connect to trusted Wi-Fi networks and avoid using public wireless networks to transmit sensitive information.
7. Secure app downloads: users are encouraged to download apps only from official app stores and avoid downloading apps from unknown sources.
8. Back up data regularly: remind users to back up data on their mobile devices regularly to prevent data loss or damage.
In order to make employees aware of and comply with the new policy, the following steps can be taken:
1. Provide training and education.
2. Set up a reward system.
Yi Zheng says
The new policy should include the following core elements: data encryption, ensuring that all mobile devices use full encryption. Implement two-factor authentication to enhance access control. Use MDM tools to remotely manage and protect devices, including remote data wiping capabilities. Keep device software and security patches up to date. Back up data regularly and use a secure storage solution. Educate employees about the risks of phishing and social engineering attacks, provide mandatory information security training, and update it regularly. Establish feedback channels and involve employees in policy improvement. Promote the policy and awareness through multiple channels such as e-mail, internal newsletters, and training courses. Implement policy alerts that notify employees when they log on. In addition, periodic audits and spot checks should be conducted to check compliance.
Ao Zhou says
Several recommendations to incorporate into the policy are presented below.
Password protection: all mobile devices shall use strong passwords, passcodes, or biometric identification methods to prevent unauthorized access.
Regular updates and patches: users should regularly install security updates on mobile devices.
Device encryption: all mobile devices used for routine work activities are required to be encrypted.
Data backup: it is recommended that users regularly back up mobile device data.
The following measures may be taken into account to inform staff of the policy and encourage compliance.
Educational courses: convene mandatory educational courses or seminars and inform staff on how to adhere to the new policy principles and why they are important.
Policy confirmation: staff members are required to confirm that they understand and agree to the policy.
Promotion and certification: consider awarding or certifying model employees who follow the mobile device security policy.
Yifan Yang says
Information security policy
1. Enforce full encryption of mobile devices to prevent data leakage if lost or stolen.
2. Add more mandatory security configurations and establish remote lock and erase procedures.
3. Force regular updates to the operating system and applications.
4. Prohibit the use of public Wi-Fi to access sensitive information and encourage the use of VPNs to connect to the institution's network.
5. Set up training to avoid online fraud.
To ensure that employees understand and comply with the new policy, I will take the following steps:
1. Hold regular training courses on the new security policies.
2. Strengthen security awareness publicity and inform employees of the new policy and its importance.
3. Implement monitoring systems to ensure compliance with security policies and report non-compliance issues.
Yahan Dai says
A policy about information security best practices related to mobile devices at RIT:
1. Remote Access: the ability to remotely access and control mobile devices, allowing administrators to perform tasks such as wiping data, locking devices, or updating software.
2. Security Policies: the ability to set and enforce security policies on mobile devices, such as password requirements, encryption settings, and access controls.
3. Regular Updates: mobile devices should be updated regularly with the latest security patches.
4. Access Control: access to sensitive data on mobile devices should be restricted to authorized personnel only.
5. Public Wi-Fi Avoidance: staff should be discouraged from accessing sensitive data over public Wi-Fi networks.
To make staff aware of the policy and encourage their compliance, the following steps can be taken:
1. Communication: the new policy should be communicated to all staff members through email, the intranet, or during team meetings.
2. Training: staff should be trained on the new policy and its implications. This can be done through online training modules, webinars, or in-person training sessions.
3. Reminders: regular reminders about the policy and its importance should be sent to staff members. This can be done through newsletters, posters, or pop-up messages on the college's intranet.
4. Compliance Checks: regular compliance checks should be conducted to ensure that staff members are following the new policy. This can be done through audits or spot checks.
5. Incentives: incentives such as rewards or recognition can be given to staff members who comply with the new policy. This will encourage others to follow suit.