Here’s a great question – one that I have been asked a few times:
What should our BYOD policy say?
I am not going to produce one here, as there are many different ways in which it can be answered; what follows is what I would suggest you need to include.
I was visiting a University in Singapore a few years back and they were about to let students use their own device as part of the IT degree. The discussion started about all the things that the faculty didn’t want them to do with their device and the IT they had access to.
My suggestion was to turn that around – explain the purpose of allowing students (in this case) to use their own device, and state that anything outside this purpose was not permitted.
I suggest this is the way you start any BYOD policy statement.
Who is entitled to BYOD, and what can they do with it?
Next is who can bring their own device – there will be some users in any enterprise for whom BYOD is not appropriate, so the policy should state who is eligible for BYOD.
In conjunction, you will need to state what a BYOD can be used for – it will probably not be everything. For example, a trader in a Treasury department should use the enterprise-provided device for their core work, as the security requirements there will be stringent.
So stating the classification of systems and data that may be accessed from a BYOD is critical, so that your users know the boundaries.
It is voluntary
Every one of your staff will have different personal circumstances and different reasons why they can, or cannot, participate in a BYOD program, so there must be an emphasis that the program is voluntary.
You do not want any staff member to feel or be disadvantaged because of their personal circumstances.
The obligations on the user
This unfortunately seems to make its way to the top of the list; it should appear somewhere in the middle or towards the end, and say something like:
By <acme corp> agreeing to the use of your personal device for business purposes at <acme corp>, you understand that …
and then go on to state a reasonably short list of T&Cs.
BYOD T&Cs
Which gets to the sort of things the T&Cs should state.
From the user
a) The user is to keep the device compliant with the enterprise security standards at all times.
b) To assist with this, the user agrees to have installed on their device an agent licensed by the enterprise that will monitor and enforce security compliance.
c) The user will inform the enterprise immediately when the device is no longer being used for business purposes, and will remove all enterprise data and applications when they do so. This includes when the user leaves the enterprise; and
d) The user will report as soon as possible if the device is lost or stolen. (You will need to publish the reporting process here.)
From the Enterprise
a) The enterprise will use the installed agent to collect data only to ascertain and enforce the security compliance of the device and to install and/or update enterprise applications, and for no other reason.
b) If the device is lost and not recovered within a reasonable amount of time, the enterprise will attempt to wipe its applications and data off the device, and will do so only after consultation with the user of the device.
There will be few enterprises that will not, in the long term, permit BYOD. It is important that, as you make this inevitable transition, you do so in as positive and inclusive a manner as possible. The elements stated above should go a long way to making that transition as hassle-free as possible.
One last element, which is not in the policy itself but helps you get there: involve your users in the creation of the policy.
Thanks for reading.