7 steps to a BYOD Policy
If there were only 7 steps to a BYOD policy, would you have one in place? The consumerization of IT devices like phones and tablets has highlighted the need for bring your own device policies. Employees use their own devices for business tasks whether their IT department support them or not. A BYOD policy can help control their usage and mitigate the security risk to your organization.
Implemented properly a BYOD policy can reduce your costs while increasing productivity. Security however should still be the focus for you as well as your users.
If you think about any other piece of technology in your organization, it has rules. There are rules about how it can be used, by whom, and when. Devices aren’t really that different. You still need to create rules that will govern your policy. You can start to create those rules by identifying the risks that revolve around personal devices. Some of the risks you will want to think about are devices that are lost, or stolen. You’ll want to consider what could happen if a tablet or laptop is on WiFi without a good way to secure it. Encryption is another factor to consider – will your organization require it? Other things you’ll want to consider are the types of data you will allow on the devices. What effect it could have if it were lost, compromised or stolen.
Understand the Risks
Once you know what the risks are, you need to really understand them. We are going to use document sharing as an example. We have identified that we want employees to have access to documents on their devices. They will get those documents through a file sharing app like Dropbox or Sharepoint.
The risks here are all about what the user has access to. What have they put into Dropbox or Sharepoint? Think through the things they have access to. What do you want them to have access to on a device and then what haven’t you thought about? You’ll need to consider email and any other user added application that data could be stored in.
Deciding how to Enforce the BYOD Policy
Now that you know what your risks are and what you might be protecting, you need to decide how you’re going to protect it. You can start with the easy things like are the devices encrypted and password protected? There are mobile management tools out there that enforce that on the devices. Are you going to only put information that’s not worrisome in places like Dropbox and Sharepoint? You’ll need to think through each department in your organization to determine what information needs to be available and for what reasons.
As you think through all the ways people use their devices your policy will begin to take shape. It should include an acceptable use statement to give the user a reason for the existence of the policy. It should include a statement about what devices, or types of devices are allowed. Who supports the devices and what is supported on the device. Last thing you want is to be supporting someone’s Angry Birds game. What about reimbursement?
Then security will need to be addressed. That’s going to be the largest part of the policy and should include passwords, pins, what can and can’t be connected to the network, access to data and under what circumstances would someone’s personal device be wiped. The next piece to your policy would need to include are the risks, liabilities and disclaimers you need to make to protect the organization. Lastly, the policy acceptance from the employee.
Build a Project Plan
Your plan should at the very least contain a few key things, one of them being mobile device management (MDM). That will allow you to control updates to the device, so it stays secure as well as the applications that can be on it. Having some application control gives you peace of mind that users aren’t installing applications that are designed to steal data. MDM also allows for audits. It will tell you when users aren’t up to the requirements of your policy, and that includes if the data and the device is encrypted. If you have data stored in the cloud, evaluate the security on it. Enact more if you feel it isn’t enough. Finally, be sure you have the ability to revoke access to data or wipe devices remotely if the users refuse to follow the policy, or if the device is lost, stolen or compromised.
Evaluate a Solution
The next step to look at the options you have available to you. Depending on the security level of your data and what you are making available you may already have what you need. If you don’t have what you need, try out options to see what gives the best user experience while still giving you the security you need. With either options, you need to consider the impact to your existing network when you add the solution and what changes you’d need to make.
As you roll out the solution, employees should be getting training on the new policy and signing the policy as the training concludes. Roll the solution out one department at a time, so you can address any issues that come up, or issues you haven’t thought of. Expand slowly through the organization until all employees, or those you choose are onboarded to the BYOD program.
Periodically, or at least yearly, re evaluate your solution(s). Look at the different vendors that are available for the type of solution you have. In addition, you’ll want to determine if your needs have changed.
Now you know what the 7 Steps to a BYOD policy are. Once you lay the ground work, the policy almost writes itself since you’ve already defined what needs to be contained in the policy. All that is left from there is to actually follow through and control your devices through some management. Lastly, re evaluate periodically so you’re sure you always have the best options for policy and devices.