Need Opinion on a NO BIS POLICY
 

Hello All,

The title might be a bit misleading, sorry for that. We are on a BES (4.1.4) and currently are looking at implementing a no BIS policy. Here's the skinny...

My Network Manager has decided that users that bought their own BB and won't pay the additional 15 bucks/month to get a data plan that would allow BES functionality, we won't support them with BIS configuration. His issue is this, when a user goes to configure their email, they have to hardcode their network password to their phone. Sounds bad, yes.

So question is this. What is your policy with this? If a user gets a BB, do you support BIS to your exchange? Could you explain your reasoning? Thanks!

NM: I totally misread your post.

**waves hand** I was never here.

We don't disallow it here and it's not blocked on the BES. We have all of the mobile stuff disabled on the exchange server so I guess it's sort of a non issue. We buy BB for everyone who needs one. the only people who are irritated are the ones who want to use some crappy winmobile device.

I'm not sure what the issue is with the password. It should all be encrypted. It's not like it is entered plain text and anything transmitted by a BB is point to point encrypted.

Right, that is what I am trying to explain to the NetAdmin Manager. I don't see any potential security risk with typing in a password to a BB. I think HIPAA has everyone up in air. Anyways, thanks for the comments, can't wait for the riding season to commence! My VFR is lonely...

Us:
We are on a BES.
We do not allow personally owned devices on our BES.
We do not allow external service books for Web browsing or email on our handhelds.
We require all handhelds to be password protected with a maximum of a 30min timeout.

Why BIS is bad:
It is not so much that the password is being stored on a third party server (the BIS). Which, by the way, makes the paranoid hairs on the back of my neck stick up. It is mostly because if you use it to get your corporate email, that email is no longer transmitted over a secure connection. For lack of a better word, it is scrambled, not encrypted.

I am surprised that in regards to HIPPA you even allow users to access their email via BIS. The big thing with HIPPA and SOX is making sure that you log all communications. If the user is on BIS you have absolutely no logging once the message is sent to their device. They could forward it from a different account that they configured. You have no idea what they could do with the messages.