Ok, so I implemented a password policy for our ~320 users today. The policy was approved by our director, and I listed various reasons why they should have their BlackBerrys locked.

Of course, now I have a bunch of backlash complaining that the time (10 minutes) is not nearly enough idle time before the lock occurs.

My policy is very simple (at this point), requires a 4-digit password, no password history, 10 minute timeout, users can specify a time lower than that if necessary.

What does everyone else use as a timeout? Are there any industry reports on what kind of havoc can be wreaked upon a company if a BlackBerry gets stolen?

The basic gist of my email stated that the current risks without having a BES-enabled BlackBerry locked down with a password:

A person who has posession of your BlackBerry can:

• View, delete, and reply to corporate email AS YOU.
• View, create, delete, change, Calendar, Contacts, Memos, and Tasks in your corporate mailbox.
• Above changes/deletes, etc. synchronize DIRECTLY with your mailbox.
• Access corporate Intranet and all resources immediately available to the BlackBerry browser.
• Access any data, personal or otherwise, that may be stored on your BlackBerry.

Our corporate workstation screen saver lock policy is 15 minutes, so me, I'm willing to go no more than that since I view the BlackBerry as a similar risk as a Laptop being stolen.

Frankly, I'm getting a bit upset, as I view a lot of this backlash as whining because users are being "inconvenienced" for the sake of protecting our corporate data.

Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.

So, if anyone has any Gartner or other industry stats that could help back me up here, I would be very appreciative.

...or am I being too security-conscience (I'm guessing that I'm not)...?

Regards,
Rob

I hadn't really thought about it. It is a huge vulerability, especially if mine were lost. SSH/Telnet, VNC, not to mention the core functionality...

Worst to admit, I instantly jumped up and said, yes! Passwords on the handheld...

Then i realized, oh, no locked handheld after 2 minutes. What a pain in the arse.

I am certain my users would freak out.

But it is an excellent point. I mean, the last two handhelds that were lost, were not reported to me until nearly 2 weeks after they had been lost...

sceeery

As of now, we've disabled MDS and have a 30 minute idle timeout policy and 60 minute mandatory timeout. In the desktop world, timeout is 10-15 minutes. Password are also initially mandatory but optional.

...I agree with you, sacrifices made in direct objection to corporate security policies is, without a doubt, quite upsetting. But at the end of the day, you aren't the one signing your own check, right?

In all honesty, your best defense against these sacrifices would be end-user education... but then again, you'll always have those that simply will never 'get it'. In the event of stolen/lost equipment, you may want to make sure that it's policy and procedure to make a call directly to someone who can access the BES user accounts... of course, that is one of those semi-enforceable procedures that will often be ignored and very hard to audit.

We have a 60 minute timeout, 4 character password, no history, no complexity requirments. Passwords are manditory.

We use a 30 min timeout with a 6 character with no complexity required. We also put the "Owner" message when the device is locked to show the users name, company name, and a msg saying if found please contact our 800 number for our helpdesk. I thought there was no way in hell we would ever get an honest person to call. But funny thing in 3 yrs we have had 5 devices lost that the person that found it called our helpdesk. But when if comes to password policy you have to consider your business. You have to think that financial firms would have a much more strict policy than your avg company. So I don't think there is any wrong answer on the timeout of the password policy....as long as you enforce it.

I would suggest that if you haven't already, you provide the security exposures (as listed above) to your director. Make sure that he/she actually knows what can happen if a Blackberry is stolen, and at that point let him/her make the call.

We have idle pwd at 10 minutes or so, 5 pwd history, complex pwd alphanum, however the user can change the timeout length at their leisure, up to 30 min, and we have allowed user to remove the "lock on holster" restriction

just my .02

-emb

Just another note, GET IT IN WRITING from the Director (or whomever the manager making the decision). This will CYOA/CYOB if you have evidence of the decision, in the event that data is lost/stolen and somehow hurts your bottom dollar. This is the purpose of our initial mandatory password requirement; the users are made aware of the risks, and if they choose to remove the password for convenience purposes, then it's on them.

I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option. I'm also trying to get a hard-coded policy in writing about reporting lost or stolen Blackberries ASAP for remote-initiated locks or wipes.

I agree 100% with you about the security need and empathize with the headaches caused by getting this past the user population.

Being a user myself, I'll take the inconvenience of having to type a simple password every 20 minutes vs. the considerably larger inconvenience of having proprietary company information exposed to a thief.

I think Jibi has posted a great idea of getting any denials in writing. That kind of accountability, especially with an executive, might be enough to bring reason to the forefront of this issue, and like Jibi said, it's a great CYA at bare minimum.

I think the lock when holstered is worse than even a 2 minute timeout. I always keep my BlackBerry in the holster. Can't tell you how many times I have holstered the BlackBerry only to have it go off. Because I work in a support role, I have to look. So now I need to unlock the BlackBerry again after just 10 seconds of inactivity.

5 mins and a 6 letter password we also enforce lock on holstering

I'm on the support side myself, and sure don't disagree that it can be annoying to type a short password everytime the bloody thing buzzes, but if you've ever seen a really good pickpocket at work, you know how easy it is for someone to nick even a holstered device. Again, IMHO, better for me to type the 2 second password, than to risk company data and server access (especially if a user has a Mobile Admin app onboard).

At least I can answer the phone while it's locked, which is the only time-critical function that a hostered lock could possibly impair.

However, I will concede that your daily video sig file, once again mightily rules! Very cool!

Glad I'm not one of your BES users. I would hate to have to enter my password every 5 mnutes. We have ours set to 60min

20 minutes time out (and they cry about that!) 5 to 14 character password - no forced lock on holstering -- still have MDS running (not by my choice) but we did stop all installing of 3rd party apps

This is exactly why I wanted to push this policy - we have had quite a few devices stolen or lost, and most of the time, the person has already spent a few days looking for it, only to come to the conclusion that yep, they don't have it any longer.

Typically by now, I can't send a kill command as the battery may have died or the device is out of range at that time.

Then, a new device gets deployed to the user, and once the PIN is associated with their email address, the old device can't synchronize with our BES, which is great - but then again, there is still data on the device. Those are the ones that are the biggest risk for us right now.

I would say out of all devices I've sent a kill command to because of a loss/theft, I've probably had 2 which processed the command completely.

I would love to have a feature in the Management tool that put our stolen/lost PINs in "the parking lot" - so we can repeat our kill commands on a schedule but obviously that would eat into client licenses...or perhaps a paid service that the carrier can provide to send out repeated device kill commands for a window of time.

In any case, because of various people complaining, and others caving, we are going to modify our timeout to 30 minutes (which seems to be slightly longer than the average response here of 20 minutes).

We'll see if the complaining continues...

I most definitely appreciate all your responses. I'm gladd I'm not the only guy in the boat.

Rob

grrr. There's always one guy...

Check out this response to my policy - from a user, mind you.

While I appreciate the comments, I do not appreciate the fact that this person thinks they can do our job for us.

As for the responses, I have a few on hand, but I wanted to put this past you guys for a more informed (and less heated) idea for feedback.

My response:

I didn't want to get into a techie battle with him, but wanted to go over the fact that this is not his choice, and it will in fact help us protect our data, since 99% of thefts are usually people concerned with the device, and have no care for the data.

What do you think?

Nice job, QC! It professionally defends your and your company's position, and is non-offensive while taking any ands-ifs-and-buts out of the equation. If it's not copy-righted, I'd likely steal it for replies to our user community.

If the patience and euphemisms in your reply were money, you could retire.

Go for it - Trust me, it took a lot to not be a little heated...!

hmm - we increased out lock time to 15 mins from 5 mins after massive user complaints - my personal favorite was that it was too difficult for a user to unlock his bb while driving to check his email (!). We have disabled MDS, 3rd party apps, all messenger services. The password has to be min 5 characters which is very easy compared to the strong password on the desktop, we enforce a change after 120 days, no patterns or repeats allowed. The device will self-wipe after 5 incorrect password attempts.

Yeah, I got that a lot too, "too difficult while driving" - why would anyone admit that?

Another person said "I almost got in an accident trying to enter a password while answering a call" - this was because she didn't update her OS when we told her to about 8 months back when we upgraded to BES 4.0...
*sigh* you can never win...!

We run 10 minute time out, 6 characters (alpha numeric) password and lock on holstering

Looks like its only the UK that take Secuirty Serious then

We run with a 30 minute idel timeout, 8-character complex password consisting of upper and lower case letters, numbers and special characters.

Our devices are encrypted with 3DES keys and the user cannot modify the policy in any way.

I am all for security, if the user doesn't like the policy.....too bad.

nvm. a little research and search function solved my problem. almost missed it though. thanks to the general bb community for having great knowledge over these great products.

We have an 8 Char. PWD. (lowercase w/ numbers), 5 minutes timeout, and 5 tries to get it right before wipe occurs.

I assume you're responsible for this lot - http://www.blackberry.com/products/pdfs/WYP_CS.pdf

therefore I'd hope you have a more restrictive password requirement than a regular business.

Same for us, except we don't force lock on holstering and we enforce a 7 password history and force passwords to be changed every 90 days.

We set a max of 20 minute timeout but passwords have to be 8+ characters and contain at least 1 number - although always complaints about 'too many characters'....

What I would do is use the same time period as the users desktop computer if they have one. Hard to complain about that one.

our BES IT policy is set to lock handheld after 2 minutes of inactivity. off course we have users who whine about but its in place for a reason.

i tell them sorry but there is nothing i can do as its IT policy. your users should be delighted as 10 minutes is pretty liberal.

My users (and myself) get 20 minute timeout, 8 character alphanumeric w/number password. wipe after 5 wrong tries. No lock on holstering. I got some complaints, but my boss is really cool and they gave up after I told them to take it up with him.

Of course I have one user who has wiped her device three times in the last six months trying to get her password right and then she wiped someone elses BB when she got them mixed up!! I suspect it might be retaliation on her part, but I am not sympathetic ;)

My favorite is when they think they've set a password with digits, and it is actually a password with alpha characters...they get confused when they try to tether the device and enter the password on their PC keyboard. This is one of the main ways my users were accidentally wiping their devices!

Guilty as charged

Mine is when users are typing their password instead of their PIN number, we then get complaints that the keyboard is not working as its only accepting numbers!

Because of the "executives get whatever they want" policy we seem to have at our company, we have our timeout set to 60 mins (of course they can go lower if they want..)
However - in reply to some of the earlier posts..
We have the policy set to allow them to answer and make calls without the password set. Sure - that means that anyone who steals the phone can look at their recent calls, but if they're concerned about that they can always change it themselves.
Plus I agree totally with the setting - by the time I actually FIND my BBerry in my purse, I wouldn't have enough time to enter the password and still accept the call!!


What a fabulous idea!! Thanks for sharing that tidbit of info..
However, as soon as the user calls to say that the phone is lost we're supposed to wipe the device, and with the test ones I've used I've never gotten that to work!!!
(Of course, that's a different thread - sorry!!)


hahaha!
In one of my previous jobs, we had a user send us a NEWSPAPER CLIPPING showing his car all crunched up when he hit a light pole.
He said it was TOTALLY OUR FAULT because he was talking to our helpdesk and getting all upset that we couldn't fix his printer!
(Which also leads to the question of WHAT could we do to fix his printer while he was driving? Oh - besides wave that magical techsupport wand. I suppose we could've fixed the problem with his dishwasher at the same time!)

Anyway - it's funny to hear that there are apparently many irrational people out there..