A company’s bring your own device (BYOD) policy is the end result of a series of analysis and planning steps aimed at properly securing the smartphones and tablets employees use for work. When a company develops a BYOD policy, it has to take a step back and identify the specific risks created by allowing employee-owned smartphones and tablets onto the organization’s network. Companies that properly analyze and weigh those risks can then build controls into the policy that mitigate them.
The 10-Step BYOD Policy Creation Process
There is a ten-step process associated with the creation of a BYOD policy.
1. The first step is to assemble a team that is able to develop the policy. The team should consist of individuals from the pertinent areas of the organization: end users from all major departments, as well as representatives from IT, legal and finance, among others.
2. The next step is to assign every member of the team a task. Each member researches an aspect of BYOD policy and reports back to the team so that the findings contribute to the overall development of the policy.
3. Once the research is completed, each member of the BYOD policy creation team reports what they have found to the rest of the team.
4. After compiling all of the research, the team works out the best way to structure a BYOD policy that protects the corporate network.
5. Once a draft of the candidate BYOD ideas is in place, the team and key stakeholders review it.
6. From these ideas, an outline of the actual BYOD policy is generated for review.
7. Based on the comments on the outline, develop the first draft of the BYOD policy.
8. The draft BYOD policy should then be circulated again to key stakeholders, senior management, members of IT security, and any other pertinent members of the organization.
9. Collect the reviewers’ comments and review notes and incorporate them into an updated version of the BYOD policy that will become final.
10. Finalize and distribute the BYOD policy following final sign-off.
The Recommended Template for a BYOD Policy
The template for a BYOD program should consist of three main parts: a software application for managing every smartphone and tablet that connects to the network (typically a mobile device management, or MDM, product), a policy that spells out what employees and end users are responsible for, and a document that employees sign to acknowledge that they have read and understood the policy. The core of this program is the policy itself. Let’s take a closer look at what a BYOD policy should consist of.
The template for a BYOD policy should start by laying out what employees have the right to do. Essentially, this states that employees may purchase and use their own smartphones and tablets at work for their own convenience. Within the policy, the company should retain the right to revoke this privilege at any point.
The primary purpose of the policy is to protect the security and integrity of all of the organization’s data and technology infrastructure. The terms agreed to by employees should include the following.
1. Acceptable Use – An acceptable use policy should be detailed as part of the overall BYOD policy. This is where the company defines exactly what it considers acceptable business use of devices on the company’s network. Acceptable personal use must also be defined, typically stating that recreational use of the device while at work should be reasonable and limited. The policy should also state that certain websites are blocked during work hours and that, while on company premises, camera and video recording capabilities are disabled. Lastly, the acceptable use portion of the policy should prohibit using the device to store or transmit any material that may be detrimental to the organization in any way.
The BYOD policy should also specify which apps are allowed on devices enrolled in the program. These can include things such as weather apps, possibly social apps like Facebook, productivity apps, and so on. Apps that are not allowed, such as apps obtained outside the official app store (for example, sideloaded onto a jailbroken or rooted device), should be restricted.
2. Devices Supported – This section of the BYOD policy should list all of the smartphones and tablets that are allowed in the program. The list should be specific enough to name model numbers, operating systems, minimum OS versions, and so on. It should be made very clear in the BYOD policy that any connectivity issues with the program are to be resolved by the company’s IT department; device manufacturers should not be contacted directly for these types of issues. Finally, devices must be presented to the organization’s IT department to be configured so that they can access the network securely.
3. Reimbursement for Device Use – Some employees assume that, because their device is enrolled in the BYOD program, they are entitled to reimbursement of its cost. This section of the BYOD policy should state that employees will not be reimbursed for the cost of the device, in whole or in part. If the organization does intend to contribute anything toward employee devices, it should be stated here. The section should also spell out the company’s position on roaming charges, monthly access charges, and so on.
4. Security of the Device – The BYOD policy has to lay out the security requirements a smartphone or tablet must meet to be part of the program. This means requiring devices to be protected by a password strong enough to secure the device. A password policy of at least six characters, combining upper- and lower-case letters, numbers and symbols, is key. The device should also lock after a limited number of incorrect password entries.
5. Disclaimers – Finally, the BYOD policy needs to state that IT retains the right to wipe a device if it determines that confidential information may have been compromised. It should also detail the procedure for lost or stolen devices, including the requirement that employees report them promptly so that the devices can be disabled or wiped.
The importance of a BYOD policy should not be overstated, but it should not be underestimated either. It is in the process of creating a BYOD policy that an organization can take a step back and really see which risks arise from allowing employees to access the network from their own smartphones and tablets. This risk analysis then allows controls to be developed and embedded in the policy to keep the organization’s network and data secure.