Depending on what type of industry you are involved in, a BYOD (bring your own Device) policy may or may not be an option. It can be very beneficial to companies that are growing rapidly or want to strive for employee satisfaction. There are also a lot of downfalls that could occur as well. You need to be well prepared with this policy so that you can cover all aspects that could arise from a security perspective.
First step you will want to specify what types of devices are allowed. One problem with this that may occur is employees not liking placing a pin or password setting not only on their device but also having to enter a second method of authentication as well. You may get a little push back on this but this is one of the most important parts of this policy. There is simply too much information available and it would be too easy with mobile phones to have an unnecessary leak or breach of data without a form of secondary authentication.
Each device type must have its own security policy in place and support as well to efficiently implement a successful BYOD policy. In each device policy you need to specify the following:
- What OS systems will you support? What versions?
- What permissions will users have to install applications
- What type of monitoring will be around the devices
- What separations will be between personal and work data
- What type of support will you have? Wipe and restore or more in-depth
- Will you provide loaner devices if personal ones break?
- Will you reimburse for internet or phone use?
These are several questions you will have to answer within the BYOD policy.
Next is making it very clear who owns any apps and data. Things can get very sticky if the employee believes that they can do anything on their device because it is “their” device. They need to have a clear understanding that the information held on their device is not theirs and is only borrowed. An easy way to kill two birds with stone here is to integrate this with your acceptable use policy. This way there is no confusion to what a user can and cannot do with company information. This policy integration will help establish the following:
- Transmitting of information
- Browsing the internet
- VPN tunneling
Lastly when all else fails, you will need an exit strategy for those that must leave your company. This could possibly be the most important part of the BYOD policy. This should insure that when someone is let go that they are cut off of all information ties to their personal device. This can also be an awkward part of the policy as well. Some companies will incorporate a device wipe as part of the exit interview or it could be as simple as disabling the email from syncing. A BYOD policy is a great policy to have implemented at your company, especially in today’s ages where everyone has several of their own devices. This policy could make it beneficially to both employee and employer if done correctly.