Lack of an effective mobile security policy is a fundamental root cause for many failed security efforts. The policy must be risk-based, covering all identified risks on mobile devices, both organization-issued and individually owned, and all user groups, including regular employees and temporary contractors.

The policy development process should determine which applications are to be made available to which mobile user group and on what types of devices. Typical mobile applications may include email, sales force automation, field service applications, dispatching, extended CRM, etc. These applications can drive productivity and revenue growth if deployed and managed securely.

An effective security policy needs to clearly translate regulatory compliance requirements into organization's risk management processes and procedures to protect data from loss or compromise. It also needs to speak clearly on user's responsibility for device configuration, its usage, data backup and protection. The information stored on a mobile device should be limited to what is required while on the move.

In addition, the policies must be enforceable via active IT monitoring and software tools. Organizations should regularly review the policies to take into account of any new security threats associated with business environment changes.