Managing all of the devices that access your organizational data can be challenging, especially now in our "Work from Anywhere" world.
What used to be accessible only from a PC in the office is now accessed from personal devices such as tablets, phones, and even watches!
A BYOD Policy will enable you to ensure that your corporate and client data remains safe, and the devices accessing that data are as secure as possible.
From user expectations to physical device requirements, a thorough and complete BYOD Policy covers every facet of your digital landscape, This gives you the confidence you need to ensure your data is safe, as well as maintain regulatory compliance and withstand any legal challenges, should they arise.
We've put this BYOD Policy together with the knowledge that comes from managing IT services for thousands of clients, large and small, all across the country. This includes deep knowledge of cyber security practices for companies of all types and sizes.
We hope you'll find this policy useful, and can use it as a guide to creating your own, one-of-a-kind BYOD Policy.
Let's dive in.
Sample BYOD Policy
Disclaimer: The information contained herein has been obtained from sources believed to be reliable. Ntiva, Inc disclaims all warranties as to the accuracy, completeness, or adequacy of such information. Ntiva, Inc shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
SummaryThe bring your-own-device (BYOD) movement has helped streamline IT operations by allowing employees to connect personal devices such as laptops, smartphones, and tablets to organizational resources. Businesses have saved money by reducing or eliminating the need to purchase devices for their workers, and workers have benefited from the familiarity of using their own electronics to do their jobs. Of course, this flexibility comes with another sort of price: the need to establish proper guidelines for usage and control of these devices, as well as what they can access and what steps should be followed in the event of loss, theft, or employment termination. Since employees use their devices for personal and/or recreational activities, this can pose more risk for the organization than the exclusive use of business-owned devices. This policy describes the steps that the company and its employees will follow when connecting personal computers and devices to organization systems and networks.
"This policy describes the steps that the company and its employees will follow when connecting personal devices to organization systems and networks."
This policy outlines requirements for BYOD usage and establishes the steps that both users and the IT department should follow to initialize, support, and remove devices from company access. These requirements must be followed as documented to protect company systems and data from unauthorized access or misuse.
This policy covers all full-time and part-time employees, contract workers, consultants,temporary workers, and other personnel granted access to organizational systems,networks, software, and/or data.
Equipment covered by this policy includes (but is not limited to)
- Desktops, laptops, and tablet computers
- Smartphones (defined as any cellular telephone that connects to the internet via Wi-Fi or a mobile provider network)
- Flash, memory, and/or thumb drives
- External hard disks
- iPods, iTouches, and similar entertainment and portable music devices that connect to WiFi networks
- Entertainment and gaming consoles that connect to Wi-Fi networks and are used to access organization email and systems
- Wearable devices such as watches, VR headsets, and augmented reality glasses with WiFi or Bluetooth
All users must understand that whenever a computer device is connected to the organization’s network, systems, or computers, opportunities exist for:
- Introducing viruses, spyware, or other malware.
- Purposefully or inadvertently copying sensitive and/or proprietary organization information to unauthorized devices.
- Introducing a technical or network incompatibility to the organization that the user is not even aware of.
- Loss of data that may adversely affect the organization if it falls into the wrong hands.
As a result of any of these circumstances, a user connecting their own device to organization resources, systems, or networks could interrupt business operations, cause unplanned downtime for multiple users, and/or cause a data breach releasing organization,client, and/or partner data to unauthorized parties. In worst-case scenarios (and in events entirely realized at other organizations), civil and criminal penalties for the user and/or substantial costs and expenses to the organization could arise.
IT Department Responsibilities
Where applicable, the IT department will ensure the following to facilitate BYOD access as requested for a user device:
- The device does not have a static IP address that could introduce network incompatibilities.
- The device does not have a virus, spyware, or malware infection.
- The device does not have any third-party software or applications that pose a threat to the systems and networks or that could introduce application incompatibilities (any such findings should be removed before proceeding). The IT department reserves the right to make judgment calls regarding which applications (current or future) are appropriate ford evices associated with company systems, networks, and data.
- The device is properly protected against viruses, spyware, and other malware infections and that the system has properly licensed anti-malware software, when appropriate.
- If this involves a mobile device that will be associated with company systems, a security policy should be applied to this device (such as via an Exchange server) to enforce a password/biometric policy that will automatically lock the device after one-minute period of inactivity and erase the contents of memory and storage after a maximum of 10 failed authentication attempts. The policy should also include the ability to remotely erase(wipe) these devices in the event of loss or theft.
If such a company-wide policy does not exist, the above screen lock/password settings should be individually applied.
- The device has all critical and security patches installed.
- The device is properly encrypted if the potential exists for the device to save, cache, or even temporarily store organization data.
- The device is properly configured to access resources remotely and that it does so in the most secure fashion possible, such as through a VPN connection.
- When a device is to be decommissioned, the IT department will remove any required encryption, VPN, and anti-malware licensing from the user’s device. It will also confirm that the user’s device does not contain any traces of protected, sensitive, corporate, or proprietary information and will delete any that remains on the device.
- The IT department reserves the right (and should proceed) to remotely wipe a device if it has been lost or the employee has been terminated and has not brought their device to the IT department for decommissioning
- The user should not attempt to change or disable any security settings applied to the device by the IT department.
- The user should consult the manufacturer/vendor/carrier for support of their device before requesting assistance from the IT department.
- In the event that a user believes a personally owned or personally provided device that is authorized to connect to the organization’s resources, systems, or networks might be infected with a virus, spyware infection, or other malware threat or might be somehow compromised, they must immediately notify the IT department in writing of the potential security risk.
- If a user loses or misplaces a personally owned or personally provided device that is authorized to connect to the organization’s resources, systems, or networks, they must immediately notify the IT department in writing of the potential security risk.
- Whenever a user decommissions, prepares to return, or otherwise ceases using a personally owned or personally provided device that the IT director has authorized for organization use, the user must notify the IT department that the device will no longer be used to connect to organization resources, systems, or networks.
- Users may not discard previously authorized devices until the IT department approves the device for disposal.
Utilizing this BYOD Policy for Your Business
An official Bring Your Own Device (BYOD) policy will have a final page requiring each employee to sign and date, indicating their acknowledgement, understanding, and acceptance of the guidelines in the policy. If you'd like the print-ready version of this file, including the signature page, click here to download the PDF!
This page is not a substitute for legal advice. If you have legal questions related to this policy, please speak with your lawyer.