9 considerations for creating a rock-solid BYOD policy

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

Continuing our chapter on

managing & securing mobile devices

we look at considerations for developing a rock-solid BYOD policy.

Before any organisation implements technology to secure mobile devices, it should already have a full set of rules that it wishes that technology to enforce. After all, in the event that company information goes missing, the blame sits firmly with the employer and not the employee.

Make no mistake: if employees are bringing their own smartphones and tablets to work, with or without the IT department’s blessing, then, as an employer, “you have a legal obligation to do something about it, whether you have established industry guidance to draw or on not.”

That’s the view of David Johnson, an analyst with IT market research company Forrester Research - but an outright ban on personally owned devices seldom provides an adequate answer, he writes in a

blog posting

focused on '

Navigating the legal and audit initiatives of navigating a

BYOD

policy initiative

' from earlier this year.

“The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be,” he warns.

Johnson is based in Denver, Colorado, but the general advice to UK employers isn’t much different. Earlier this year, the Information Commissioner’s Office (ICO), the body charged with enforcing data protection laws in this country, issued new guidelines on ‘bring your own device’ (BYOD) policies.

“As the line between our personal and working lives becomes increasingly blurred, it is critical employers have a clear policy about personal devices being used at work,” said Simon Rice, group technology manager at the ICO. Employers, he added, “should not underestimate the level of effort which may be required… Remember, it is the employer who is held liable for any breaches under the Data Protection Act.”

Visit Cyber Security EXPO co-located with IP EXPO Europe to learn more about managing and securing mobile devices.

But a “fair and reasonable” BYOD policy can go a long way to ensure that an employer is viewed more favourably by the authorities, should it run into legal problems further down the line, says Jo Davis, an employment partner at law firm BP Collins. “A reasonable, binding policy on BYOD [can] protect both businesses and employees, ensuring that all risks are addressed and managed effectively,” she says.
Technology can go a long way to help, with software such as mobile device management (MDM) offering a way to apply rules to how smartphones and tablets are used, whether they’re company issued or personally owned - but a clear BYOD policy is a prerequisite to knowing which rules should be applied and how. (For more information on the products and vendors available in this crowded market, see the first article in this series on Managing and Securing Mobile Devices.
Or, as management consultants at Deloitte put it: “An approach that starts with defining your BYOD objectives and assessing your risks can help you navigate the multitude of BYOD management pitfalls.”
They have identified nine BYOD policy considerations that should be agreed on, before the IT team gets to work on identifying and implementing the technology it needs to support the policy:
1. Activation: What is the process for enabling a new employee with a device?
2. Device management: How will devices be remotely managed? What level of centralised control will exist? What level of management will be done at the end-point (for example, containerisation)? How will devices be locked, wiped and restored?
3. Lost/stolen devices: What happens when a device is lost, stolen or damaged? What process should the employer follow for reporting the event and obtaining support? Will the device be remotely wiped?
4. Support: What kind of support, and how much, can a user expect from your organisation?
5. Acceptable use: What kinds of devices, platforms, applications, services and accessories are allowed under the BYOD programme?
6. Reimbursement: Who pays for the initial device? What level of stipend is available? Is it consistent across all eligible users? Is it available recurrently - in other words, is it refreshed every two years, for example? What will be reimbursed?
7. Privacy: How will employee privacy be protected? Will your support group have access to personal information?
8. Policy violations: How will policy violators be dealt with? Will BYOD policies contradict or conflict with other policies (for example, HR policies on employee responsibilities, overtime and so on)?
9. Eligibility: Who is eligible for the BYOD programme? What roles, levels and so on are eligible and in what way (for example, is there tiered eligibility)?
After all, technical controls are only one part of a viable BYOD strategy, as Johnson of Forrester Research makes clear. “Technology’s role is to help foster safe behaviours, control information access and verify ongoing compliance,” he writes - but, he adds, it should be able to achieve all that without “getting in the way of creativity, productivity, collaboration or other daily activities.”




Topics