Home / Blog / General / Creating a BYOD policy? 8 points every policy must contain

May 12, 2017

Creating a well-considered BYOD policy (Bring Your Own Device) for your organisation’s employee-owned mobile devices is now more critical than ever. Full-time and temporary employees, contractors and other stakeholders possess an array of powerful smartphones and tablet devices, frequently used as a preference to corporate laptop and desktop PCs.

With the increased frequency of cyber attack (and the resulting data loss), as well as increased compliance requirements from GDPR and the need to protect PII (Personal Identifiable Information) – taking control of BYOD is more important than ever.

BYOD

When it comes to your company’s data, there can be no ambiguity. You have a duty to keep all information safe. The best way to do that, is to create a policy which puts your data security first, with clear, unambiguous guidance to provide answers to all the relevant questions.

A well-crafted BYOD policy should be understood by employees of all computer literacy levels, who will then have a clear of idea of what they can and cannot do. But what are all these questions?

To make things simple, we’ve compiled this handy list of 8 things every BYOD policy must contain, which are:

1. Introduction

As with any policy, it is important to introduce the intended use, key framework guidelines, as well as any limitations and terms of use. In particular, you should also introduce current threats to data security, risks of loss of corporate information, as well as the consequence to both the employee and organisation.

Understanding the importance of, as well as the reasons for the policy will maximise employee buy-in.

2. List of permitted devices (hardware & firmware)

Today, personal mobile devices are not just limited to smartphones, but also includes tablet devices and laptops. With such a wide variety of hardware and firmware available, it is important to specify the supported devices – to firstly ensure only secure and supported firmware is in use (e.g. Android KitKat v4.4.4 or later), but also to limit the management and administrative workload.

Hardware and firmware outside of the supported devices should not be permitted. You wouldn’t allow a Windows XP machine, or even a Windows 7 laptop with unpatched critical security updates onto your network, so why would you have a different policy for mobile devices?

Android mobile device hardware

3. BYOD security policy

An effective BYOD security policy is essential for securing your mobile environment and should require (but not be limited to):

Enrolment to the MDM platform

  • Without an effective mobile device management (MDM) platform, you have no method of policy management and security oversight – your devices and users are outside of your control. Swift enrolment to the corporate MDM platform ensures you can enforce your BYOD policy, control undesirable behaviour and minimise mobile security threats.

Installation of supported security software

  • Additional protection is advised to protect devices from malware, malicious apps, or data loss – whether accidental, or from rogue user behaviour.

Screen lock password protection

  • You would have to call it negligent not to mandate and enforce the most basic of security protections. Screen lock passwords provide a high level of security protection to prevent data loss from lost, or stolen devices. All MDM platforms will provide comprehensive security management features to maintain device integrity.

Secure connection methods (VPN)

  • Device-level VPN connections between the device and the corporate network should be mandated, as standard, while application-level VPN connections ensure secure data transmissions.

Device firmware to be regularly updated and patched

  • To help protect from mobile security threats, you should require and enforce the update of device firmware to fix security vulnerabilities. This can be enforced, deployed and managed via your MDM platform

Periodic user re-authentication

  • As well as being good security practice, periodic re-authentication maintains device integrity and user authenticity. Regular re-authentication after a set time period is advised.

Separation between corporate and personal data

  • With BYOD, both corporate and personal data is stored on the same device. Separation of data is required firstly for corporate data security purposes, but also for effective management, as corporate data must be wiped from the device when an employee leaves the organisation. Data separation is achieved through good data management processes, as well as policy enforcement.

Encryption of corporate data

  • All data should be encrypted to maintain security, should a device be compromised. Some MDM platforms, such as IBM’s MaaS360 include a secure encrypted container for the most sensitive corporate documents.

Blocking of offline access to secure corporate documents

  • Permitting offline access to sensitive corporate documents would provide access to documents and data, whether downloaded or cached. Only permit access to sensitive data when connected to the corporate network.

Blocking of jailbroken and compromised devices

  • Jailbroken and rooted devices pose a high security risk, exposing devices to security vulnerabilities – malware, viruses, hacks etc.

BYOD data security

4. Data ownership

Any company data remains the property of the organisation. You should retain the right to wipe devices brought onto the network, though it is advisable to provide guidance to users on backing up personal data. An effective MDM platform will be able to separate company from personal data in a secure container.

5. Specify required, permitted, or prohibited apps

This will partly depend on policy, but also on risk profile of the organisation and employee. With malware-infected mobile apps on the rise, it is important to exercise a degree of control.

6. Acceptable use

Although broadly forming part of your general IT policy, there are specific requirements of a BYOD acceptable use policy, to ensure for example, employees are not accessing undesirable or illegal content, or disseminate inappropriate material – while using the corporate VPN. You should therefore consider what monitoring tools are in place to enforce such policies.

7. Device decommissioning

Employees leave, devices are lost or stolen. How do you remove access to e-mail or wipe and remove data and other proprietary applications and information? It is important to have a clear methodology to maintain data security and compliance, retaining the right to remotely wipe data if an employee has not made arrangements with IT, or if personal devices are lost.

8. Disclaimer (with signature section)

There should of course be a place for the employee to sign and agree to all these terms, before device enrolment by your IT team.

Device monitoring and policy enforcement

So, you’ve set-up your policy, but now how do you manage your devices and ensure your policy is enforced and data integrity is maintained?

With the ever-increasing power and popularity of tablets and smartphones, more and more sensitive data is mobile – accessed from anywhere. Managing and securing your mobile fleet is today’s critical challenge.

Comtact Ltd - Expert MDM UK partner reseller MSP