BYOD (Bring Your Own Device) isn’t just a fad; it’s here now and it’s not going anywhere. That’s why it is important to put BYOD policies into place as soon as possible. A secure BYOD policy is essential to making sure that questions of privacy, security and expectations are addressed in a manner that is acceptable to both employer and employee.
The details of any bring your own device (BYOD) policy will be specific to a given organization, but most policies cover many of the same basic questions. Use these tips as guidelines in creating your BYOD policy.
1. Determine the goals of your BYOD policy.
- Figure out your objectives and explain why you feel BYOD is a good fit for your organization. Some employees may need convincing and this is a good place to start.
2. Review your current web application security policies.
- For example: portals, email, CRM, VPN, and remote access.
- Make sure to especially take mobile devices into consideration. Most of these will apply to mobile devices as well.
3. Make a determination about what devices to support and what not to support.
- Survey employees and see what devices and applications they are currently using.
- State which devices, versions, and operating systems will be supported based on what they need to do their jobs.
4. Establish user roles and rules.
- Not everyone needs access to the same applications.
- For example: Marketing may need access to social media while accounting does not.
5. Whitelisting and blacklisting apps.
- Explain that IT has the authority to prohibit the use of certain apps.
- Provide users with clear lists of what apps are allowed and which ones are prohibited.
6. Explain exactly what charges the organization will and won’t reimburse.
- Some organizations choose to pay for the users’ device, cover a percentage of their monthly bill, or nothing at all. The important thing is to state this in the policy.
7. Define levels of support.
- Will your IT staff provide support to these devices?
8. Collaboration is key.
- Creating this policy is not the job of just one or two people.
- You should build a team including HR, IT Support, IT Security, legal, and other stakeholders.
9. Don’t try to force-fit a policy.
- There’s no one-size-fits-all solution for something like this.
10. Make sure you are protected legally.
- Include a liability clause for damage, data deletion, and corruption.
11. Have every mobile device user sign a written agreement.
- This will not only protect your organization but also prevent misunderstandings about the BYOD policy and expectations.
- When changes to the BYOD policy do occur, because chances are they will, be sure to have employees sign an agreement to the changes.
12. Consider anti-virus and anti-malware installations, encryption installation, updates and patches.
- You must have consistency in security software and applications installed on all personal and corporate devices.
13. Make a personal identification number (PIN) mandatory for all devices.
- Yes, you actually have to tell people to do this even though they should be doing so already.
14. Regular reviews of policies and agreements are essential.
- Working on your BYOD policy is not a one-time thing and then you’re done. As time goes by, amendments will need to be made.
- Plan on reviewing your policy at least once a year.
15. Make centralized management, reporting, and auditability in mobile apps required.
16. Create consequences for noncompliance.
- Consider denying the user access to the network, excluding them from the BYOD program, or even termination in a severe enough case.
17. Define ownership of information.
- Consider who owns the data that may be held on the employee’s device and whether the company has the right to access it directly from the device.
18. Determine an employee exit plan.
- Many companies disable email or synchronization access before the employee exits, or even require a mandatory wipe of the device.
- It’s important to make sure this is clearly stated in the BYOD policy so employees are fully aware ahead of time.
19. Encrypt sensitive data stored on personal devices with strong encryption.
- Fully lay out how you enforce data encryption, and block devices that do not have encryption enabled from the network.
20. Create a strategy dealing with sold, recycled, lost, or stolen devices.
- A common strategy is to enable remote wiping of the device's data.
- Make sure this is also clearly stated and required for everyone participating in the BYOD program.
Research has shown BYOD will only continue its rapid proliferation. It’s not going anywhere whether you like it or not. Employees will only continue to bring more and more devices into the workplace. So, get smart and start building your BYOD policy and prepare and secure your wireless network appropriately.
If you have any questions about BYOD or where to begin, we can help. Here at SecurEdge Networks, we specialize in building completely secure wireless networking solutions and always plan for the future of mobile devices. Contact us with any questions about BYOD or for a free consultation. Our goal is to be a resource for you!