While much of the argument about the iPhone data centers on whether Apple should comply with an order to break its own protections, companies that own phones should note that the real failure is that of San Bernardino County’s information security policies and procedures. They permitted their property (the iPhone) to be used in such a way that they no longer had control of it. In effect, they provided their employee with a safe, a cyberspace safe, and they did so without maintaining their own key to the safe. Now that they want access to their own property (the iPhone), they find that their information security policies and procedures have failed. In cases where an organization provides a safe (especially a safe inside a phone), it should consider carefully what will happen if the employee does not provide access to the safe, whether that’s because the employee has won the lottery, been terminated, or passed away.
Thinking about such events may not always be easy or comfortable, but considering such risks is critical to a complete, mature information security stance. In this case, having a plan in place would have made it possible to provide assistance to law enforcement in a potentially serious matter, and that would have been better for San Bernardino County, the families of those affected, and indeed all good people who want to prevent such cowardly attacks in the future. Have a tested plan in place. Hope you never need it, but have it in place ahead of time. It makes all the difference.