Of 36 states surveyed, 14 said they have enterprise policies for securing the powerful portable devices. Six states reported that smartphone policies are set by individual agencies, not the enterprise; six are currently reviewing such policies; and 10 states don't allow workers to connect their smartphones to government networks at all.
"With so many smartphones coming onto the market, and so many personally owned devices, there seems to be -- all of a sudden -- a rush to figure out how to adjust to this," NASCIO Policy Analyst Chad Grant told Government Technology on Wednesday.
Of states that let government workers use smartphones in the workplace, Grant said, some allow only government-issued phones, while others permit an employee to use his or her personal smartphone with a government-installed security package.
"So if there's an incident where someone loses a phone or it's stolen, the device can be wiped remotely, and that seems to be one of the major concerns for state networks to protect their data. Also, any other software that's added onto the device is state-issued," he said.
Delaware is among the leaders in smartphone security, Grant said. The state has 150 registered users who use their personally owned smartphones, which are protected by strong passwords, password expirations, lockouts and encryption, inactivity timeouts and remote wiping. The state's official date for compliance is July 2010. "They're already using the system and it's working for them," Grant said.
Based on its research, NASCIO believes the best smartphone policies are enterprisewide because they set a single standard, Grant said. "It's a [matter of] finding the right amount of risk adjustment and mitigating that risk so states have secure networks and a convenience level for employees," he said.
The findings, released Wednesday, March 31, are available for free download in a brief titled Security at the Edge: Protecting Mobile Computing Devices Part II: Policies on the Use of Personally Owned Smartphones in State Government.
