Ok, so I implemented a password policy for our ~320 users today. The policy was approved by our director, and I listed various reasons why they should have their BlackBerrys locked.
Of course, now I have a bunch of backlash complaining that the time (10 minutes) is not nearly enough idle time before the lock occurs.
My policy is very simple (at this point): it requires a 4-digit password, no password history, and a 10-minute timeout; users can specify a time lower than that if necessary.
What does everyone else use as a timeout? Are there any industry reports on what kind of havoc can be wreaked upon a company if a BlackBerry gets stolen?
The basic gist of my email stated the current risks without having a BES-enabled BlackBerry locked down with a password:
A person who has possession of your BlackBerry can:
- View, delete, and reply to corporate email AS YOU.
- View, create, delete, change Calendar, Contacts, Memos, and Tasks in your corporate mailbox.
- Above changes/deletes, etc. synchronize DIRECTLY with your mailbox.
- Access corporate Intranet and all resources immediately available to the BlackBerry browser.
- Access any data, personal or otherwise, that may be stored on your BlackBerry.
Our corporate workstation screen saver lock policy is 15 minutes, so me, I'm willing to go no more than that since I view the BlackBerry as a similar risk as a Laptop being stolen.
Frankly, I'm getting a bit upset, as I view a lot of this backlash as whining because users are being "inconvenienced" for the sake of protecting our corporate data.
Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.
So, if anyone has any Gartner or other industry stats that could help back me up here, I would be very appreciative.
...or am I being too security-conscious (I'm guessing that I'm not)...?