Writing Mobile Code Policies
The last time I had a discussion with a client on writing mobile code policies, they were ready to ban all High Risk and Medium Risk technologies, allowing only those classified as Low Risk. This was fine until I showed them that this would exclude Java applets and would prevent many of their applications from being used. My first suggestion was to create four categories of policies based on access:
Intranet Usage. These policies would cover the usage of mobile code only on the organization's intranet.
Internet Server Usage. These policies would cover the usage of mobile code served via the Internet by the organization's servers.
Internet Client Usage. These policies would cover which categories of mobile code a client or user could access via the Internet.
Mobile Device Usage. Similar to Internet client usage, these policies would cover mobile devices accessing various mobile code resources.
Once the access categories were decided, I suggested that for each access category, the policy be written based on the risk level. In this scenario, my client was able to create policies that captured the nature of the controls acceptable for allowing High Risk mobile code technologies within the organization's intranet. This process continues until a policy has been defined for every access category.