Creating a BYOD Policy
Regardless of whether or not your company permits employees to use their personal devices for work, some people are going to do it anyway. So rather than try to outlaw the inevitable, it makes more sense to establish a sensible “bring your own device to work” (BYOD) policy. Here are the steps to follow.
As a starting point, you should recognize that information, rather than the device, is the critical issue in the BYOD debate. Therefore, your risk assessment should begin by determining what information you are trying to protect and what information you would need to be able to access in any given situation. Organizing your business information into clear and recognizable categories is essential to any document management policy, especially one related to BYOD.
Ownership of Information
Consider who owns the data that may be held on an employee-owned device and whether the company has the right to access it directly from the device.
Ownership and Registration of Assets
Since assets can be numerous and varied, it is a good idea to consider the extent to which only registered devices may be used. If an employee chooses to use a non-approved device, it may be possible to detect its use through monitoring and auditing the registry of a computer’s hard drive (depending on the type of device connected). This can be used to identify whether foreign devices have been used and whether information has been copied to the device.
|The Risks of BYOD|
|Read more in our series on managing the risks of employees using their own devices for work.
Managing the Risks of BYOD
Creating a BYOD Policy
Technology Isn’t Your BYOD Problem, People Are
Right to Audit Devices
Make sure that the right to audit and access information is clearly understood by the employee. Discovering that you are unable to examine an employee-owned device could be highly problematic if the information is needed in a time-critical situation (such as to support a leniency application or to prevent fraud).
Using part of the memory of an employee-owned device to store business information is a problem because the remainder will contain personal and private information. Some of the measures that can be adopted to keep business information secure could be helpful in keeping it separate from private information and centrally accessible.
Security of Business Information
For BYOD to work, employees must agree to some controls designed to safeguard the company information stored on their devices. At a basic level, encryption can be used to prevent unauthorized access to information. However, the emergence of business-developed apps and cloud-type solutions can be used to ensure that business information is only accessed through the employee’s device, never stored on it.
If business information must be stored on an employee-owned device, then companies may consider the usefulness of applications to wipe the device remotely in the event of a potential data breach. The ongoing security of confidential information should also be protected post-termination, prompting the inclusion of BYOD issues in HR exit procedures.
Sensible curfews to the permissible use of employee-owned devices should be issued. For instance, employees should know never to plug an unrecognized device into a business network computer. Similarly, it may be helpful to devise rules that govern the use of webmail from a home PC or a public wireless connection.