iPhone on the Corporate Network
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
Here is a question from a colleague:
Should organizations allow iPhones on the corporate network?
It depends (that's always the right answer). The real question is whether there is a business reason for having them on the corporate network, and typically there is not a compelling one.
What we are really talking about here is wireless access directly into the internal organizational network, not access to an email server or website from outside. For example, connecting to Exchange via ActiveSync is perfectly acceptable: the connection is controlled and the iPhone is not on the organization's network; it connects from the Internet.
Organizations should not allow unmanaged systems (computers or devices over which the organization's IT does not exercise direct control) on their networks. Simply put, if the iPhone (or any other mobile device) is not under organizational control, it should not be on the network. In addition, security standards require control of mobile devices on the organization's network.
"The organization: (i) establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and (ii) authorizes, monitors, and controls device access to organizational information systems." - AC-19, NIST SP 800-53 rev 2
If the organization wishes to provide wireless Internet access for mobile devices, it can set up a separate wireless network that is segmented from the internal organizational network, with a firewall between them. That firewall should permit only outbound Internet traffic from the wireless segment and drop anything destined for internal address ranges, so a device on the guest network gets no path to internal systems.
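To make the segmentation concrete, here is an added example (my own, not code from the original post) that models the guest-network policy described above: guest clients may reach the Internet and use the firewall only for DNS and DHCP, while every private address range, including the internal organizational network and other guest clients, is unreachable. The subnets, gateway address and interface names are assumptions chosen for illustration. The `decide` function evaluates sample flows against the policy, and `render_nftables` emits the same policy as an nftables ruleset you could adapt for the firewall separating the two networks.

```python
"""Guest Wi-Fi segmentation policy: simulate it and render it as nftables.

Added example, not from the original post. Addresses and interface names
below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing and interfaces (illustrative only).
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")  # the segmented wireless network
GUEST_GATEWAY = ipaddress.ip_address("192.168.50.1")  # firewall interface on that network
GUEST_IFACE = "wlan_guest"
WAN_IFACE = "eth0"

# Everything a guest client must never reach: the internal organizational
# network and the rest of the private address space, so renumbering the
# internal network later does not silently open a hole.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def decide(flow: Flow) -> str:
    """First-match evaluation of the guest policy; returns 'accept' or 'drop'."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in GUEST_NET:
        return "drop"  # this policy only governs traffic originating on the guest network
    # Rule 1: the gateway itself offers guests DNS and DHCP only.
    if dst == GUEST_GATEWAY:
        if flow.proto == "udp" and flow.dport in (53, 67):
            return "accept"
        if flow.proto == "tcp" and flow.dport == 53:
            return "accept"
        return "drop"
    # Rule 2: any other private destination (internal network, other guests) is dropped.
    if any(dst in net for net in INTERNAL_NETS):
        return "drop"
    # Rule 3: what remains is Internet-bound and is allowed out.
    return "accept"


def render_nftables() -> str:
    """Render the same policy as an nftables table scoped to the guest interface."""
    internal = ", ".join(str(n) for n in INTERNAL_NETS)
    return f"""table inet guest {{
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "{GUEST_IFACE}" ip daddr {{ {internal} }} drop
        iifname "{GUEST_IFACE}" oifname "{WAN_IFACE}" accept
        iifname "{GUEST_IFACE}" drop
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iifname "{GUEST_IFACE}" udp dport {{ 53, 67 }} accept
        iifname "{GUEST_IFACE}" tcp dport 53 accept
        iifname "{GUEST_IFACE}" drop
    }}
}}
"""


if __name__ == "__main__":
    # Constructed sample flows: an Internet connection, an attempt at an
    # internal file server, DNS to the gateway, and SSH to the gateway.
    samples = [
        Flow("192.168.50.20", "203.0.113.10", "tcp", 443),
        Flow("192.168.50.20", "10.0.0.5", "tcp", 445),
        Flow("192.168.50.20", "192.168.50.1", "udp", 53),
        Flow("192.168.50.20", "192.168.50.1", "tcp", 22),
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {decide(f)}")
    print(render_nftables())
```

The rendered ruleset is deliberately limited to rules matching the guest interface, so loading it alongside the firewall's existing tables does not change how traffic from other interfaces is handled.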
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.