As BYOD continues its accelerating proliferation, so does the need for a BYOD policy. If you are implementing BYOD, creating a BYOD policy is a must! It is essential to make sure you are securing all those mobile devices and educating users on policies and best practices.
Having a BYOD policy that covers all the right bases not only covers your rear, but also makes the whole BYOD implementation process much easier.
Here are the BYOD policy considerations and best practices that top my list.
1) OS Versions and Device Platforms
Consider what device platforms and OS versions you want to support. You need to make sure the mobile devices you are allowing are equipped with the features you require. In your BYOD policy you should clearly state which mobile device platforms and OS versions you will support.
2) Device Enrollment Process
Establish what criteria you will use to block devices from connecting to your network. Make sure it is clearly stated in your policy that mobile devices must be registered and authenticated before they connect to the company network. This allows network administrators to detect unauthorized devices on the network.
Consider how complex passwords should be and how often you should force users to change their passwords. Passwords should be enforced for all mobile devices accessing your network. So in your BYOD policy the required password length, complexity, required frequency of change, failed attempts consequences, and penalties of not following these regulations.
4) WLAN Access
Think about whether you will enforce company WLAN access when on-site. Doing so can save data cost and device battery, as well as speed up network access.
There’s also the benefit of added security and authentication. In your policy set and specify enforcement of your organizations WLAN access.
5) Confidential Content
Will you be distributing sensitive content to your users on their mobile devices? Consider whether you will let your users save, print, email, etc. certain kinds of content. The important thing here is control.
You want to set mobile data leakage prevention policies and monitor your users compliance. Make sure you lay out every detail about how sensitive data will be handled e.g. requiring the use of a secure content container on the mobile device.
There’s a lot to consider when it comes to apps. You need to decide and list which apps your organization allows and bans. You don’t want to go too crazy with the blacklisted apps list since these are personal devices, try and focus on banning apps that are truly harmful.
Make sure these are all laid out along with what users should expect if they are violated. Also, make sure your critical business apps are secure and segregated on the devices.
7) Lost Devices and Theft
Think about the type of data your organizations users will be downloading. There is always that possibility of theft or losing a mobile device. This is why it’s important to lay out a process in your policy for users to follow if they lose their device or it’s stolen.
Users need to be aware that they are required to notify IT when this happens so the device passwords can be remotely reset or wiped. You can even have an auto-wipe of certain apps after a certain number of failed login attempts. Either way, this process needs to be laid out, and the users need to be aware of the specifics.
8) Encryption of Data
Encrypt sensitive data stored on personal devices with strong encryption. Full device encryption is best, but if that isn't feasible, all sensitive data should be stored in encrypted folders on the device. Lay out fully your enforcement of encrypted data and block devices that do not have encryption enabled from the network.
Suggested Article: "20 BYOD Policy Creation Tips"
9) Employee Departure
If there is likely to be any sensitive data on a users’ mobile device, you need to provide a plan for your employee's departure. State whether your organization will require total device wipe or a selective wipe of certain apps and data. This needs to be understood by the employee during the BYOD enrollment process for compliance purposes.
10) User Agreement
I listed this one last because it’s the final step and a very crucial part of every BYOD policy. You’ve stated all the regulations, processes, rules, expectation, etc. in your BYOD policy, now it’s time to communicate that policy.
Users need to be aware of everything in the policy and and sign an agreement of their acknowledgement of the terms before their enrollment into BYOD. Apply this process consistently for BYOD all devices.
There’s certainly a lot to consider when creating a BYOD policy, but it must be done. Use these 10 policy considerations and best practices to get started on the right track. Here at SecurEdge Networks, we specialize in building completely secure wireless networking solutions and always plan for the future of mobile devices. Contact us here with any questions about implementing BYOD or creating a BYOD policy or for a free consultation. We are always happy to help!