security question

[pchenry]

We have a BES environment and have some people that want to use their personal blackberries on the BES. In order to maintain the same unlimited functionality on their devices, they would need to be omitted from IT policies previously established. They are not happy with this and are working very hard to override the policies put in place. I have been reading up on the security of the blackberry and BES and understand the vulnerabilities of bluetooth, and also understand that if the person downloaded a problem application, the file could be sent via email and cause potential vulnerabilities in that manner. I would like to know if anyone has any further input on potential vulnerabilities to the environment by putting non-locked down devices into said environment. For instance, one of the policies locks down the browser to the blackberry browser and the policy also prevents going to many malicious sites. So if the policy is opened up, and the person goes to a malicious site and downloads malware or whatever (because of not being locked down via policy), are there other risks involved that could extend to the environment, or would they be restricted to the device itself? Thank you.

[SevereDeceit]

Quote:

Originally Posted by pchenry

We have a BES environment and have some people that want to use their personal blackberries on the BES.

In my world this is a huge No No, and also a security risk...

[pchenry]

Exactly, I understand that, but I am looking for some kind of verbage or something so that when we are asked why, we can give a better response than, "it's a policy violation and a security risk". These people want to know WHY it's a security risk, and so far I have not found any specifics other than what I already listed. I am looking for specifics, not just pat answers. thanks.

[murialita]

1. You would be placing proprietary company data on these phones. You have every right to restrict access to that data.

2. If you do not force the IT policy on the BlackBerry, you are then relying on the user to provide security. This is a BAD thing, as corporate spys or disgruntled employees can use the lack of enforced security to distribute, delete, or manipulate important proprietary company information.

3. By not distributing policies and allowing users to do whatever they want to the phone, they may install applications that are not compatible with company data/applications. This can cause corruption in the data, or the device to stop functioning.

4. If you place security in the hands of the user, they may not set a password, or set one that does not match company standards. If they then lose the device, any Joe Schmo can pick up the phone and have access to proprietary company information, or represent themselves as the owner of the email account synched to the phone.

5. If policies are not applied to the phone, most of the monitoring goes out the window.

6. New versions of operating systems are able to access network resources besides just email and contacts. This poses a huge security risk if security policies are not placed on the phone, and the user choses not to use security.

[CanuckBB]

7. You don't want to go through the legal quagmire of your ability to wipe th phone if the user leaves the company

8. You are giving customers a contact number that will not remain with the company.

[pchenry]

thank you. that is helpful. another thing would be if we had to wipe the device for any reason, it would wipe all the personal stuff as well. i just think personal and business devices should be kept separate.

[bbwitch]

We always get numerous requests for personal devices to be added on our BES, and we have implemented a policy which lets a user know that if he/she is actually approved to have their device on the BES (we don't allow everyone to do this), they will be faced with the same policies as those who have business-issued devices. Most aren't happy about it, but that's the way it works. They aren't given a choice.

Some don't mind and add it to the BES anyway - others do, and decide against it.