Bring Your Own Device Policy

Provide rules for employees using their own smart devices such as laptops, desktops, mobile devices, dongles, storage devices, etc., for official work.


Some employees are more comfortable using their own devices, for their own convenience and ease of operation. Employees working from remote locations or from home also tend to use their own devices. While the company recognises the need to permit this, there are certain guidelines that employees need to follow.

This policy template is available for download in Word format.

With this Bring Your Own Device Policy Template, you can:

  • Convey the proper procedure to avail BYOD facility
  • Suggest appropriate approvals and permissions required for BYOD devices
  • Permit levels of access to be given
  • Fix limits and obligations of the company with respect to BYOD devices

In just a few minutes, you will be able to create a bring your own device policy. This policy covers rules to be followed with respect to:

  • Types of devices allowed to be used for official purposes
  • Periodic risk assessment
  • Protection against loss of device or company data and information
  • Controls and risks to be managed in terms of data security

Bring Your Own Device Policy

Objective

Most companies allow employees to use their personal smart devices like laptops, desktops, mobiles, dongles, networks, etc., for official purposes. The objective of this policy is to establish guidelines and controls in order to mitigate the security risks associated with access to corporate networks and information.

Scope and Applicability

This policy applies to all employees availing the ‘BYOD’ facility to access corporate networks. Devices that are within the scope of this policy are:

  • Any device that is provided by the Company for official use
  • Any device that is employee-owned but used for official use

Policy / Process

BYOD Access

User access to Company’s network and infrastructure shall be granted through a Device Management (DM) agent installation process. Access shall be granted based on business requirements and shall be limited to employees or contract employees and designated external parties such as visitors, vendors and suppliers only.

Such designated external parties will be provided with “Guest” network access only for the duration of their stay or engagement. Specific BYOD access will also be permitted with Internet access only through a separate networking profile.

Employees’ access to corporate data shall be limited and subjected to User profiles, post formal approval. Level of corporate data access shall be authorised by the Business Unit / Department Head and permitted by IT after careful inspection of the request.

BYOD program shall be subject to periodic risk assessment.

Use of Security Settings

  • Users enrolling their devices for BYOD usage shall agree to the conditions of this policy, as well as terms of usage while accessing Company’s data and information
  • All registered BYOD devices must comply with the following settings:
    • Device shall be password protected to prevent unauthorised access
    • The device must lock itself with a password or PIN if it’s idle for five minutes
    • The device shall be locked out after 3 unsuccessful login attempts
    • Devices that are rooted or jailbroken are strictly forbidden from accessing the network
    • Devices accessing Company resources shall be on the latest OS / patch version
  • Remote wipe will be enforced in the following situations, but not limited to:
    • If the device is lost, stolen, tampered or misplaced
    • If the employee terminates his or her employment
    • Business Units / Departments detect a data or policy breach or a virus or similar threat to the security of the Company’s data and technology infrastructure
  • Company will not be liable for any damage or loss of personal data or hardware / software failures of the devices or any such incident due to the execution of remote wipe
  • All BYOD devices are required to have standard anti-malware defences
  • Remote access connections to BYOD devices shall be restricted, and access rights shall be granted as per Access control policy

Administration and Usage

  • By default, the Company does not trust any alien device to be connected to its network
  • Corporate data can only be created, processed, stored and communicated to the extent of access permit granted
  • Legacy devices that find issues in connecting to Company network through the established process may have exceptions, and the IT Team will follow necessary procedures needed to operate the device correctly
  • By default, BYOD devices will not be granted automatic access to the corporate LAN
  • Employees must apply for BYOD facility through their Reporting Manager with proper justifications
  • Reporting Manager will, in turn, forward the request with further recommendations to the IT team for approval
  • IT team has the right to inspect the device before granting approval
  • Once approval is granted, IT teams have the right to install / uninstall any programs or apps from BYOD to ensure Corporate IT compliance
  • Segregation of company data and personal data on devices availing the BYOD facility shall be enforced using DM (Device Management) process and Identity Services Engines
  • Users must not mix up accessing their personal data and official data simultaneously on permitted BYOD devices
  • Users must refrain from accessing personal sites (ex: personal e-mail or any social media) when performing official duties on BYOD devices
  • Official data must be accessed only within permitted access modes or Company VPN
  • Each user has the responsibility to notify through established incident management process immediately of any evidence of security violation involving the use of BYOD facility with regard to:
    • Unauthorised access to network, telecommunications or computer systems
    • Apparent spread of virus or bug via networking facilities
  • Backup of personal data shall be the responsibility of the user
  • Company will not be responsible for loss or destruction of device or data while using BYOD for official purpose
  • Maintenance, upgrades, enhancements and any installation of programs necessary for official work shall purely be the responsibility of the User

Acceptable Use

  • All users shall ensure the usage of BYOD services in an ethical and lawful manner to avoid any legal issue or litigation for the Company
  • Acceptable use of Internet access for mobile devices will be allowed as per the appropriate Company policy
  • BYOD devices must be treated as Company assets during official work and precautions must be taken to ensure confidentiality and data security

Logging / Monitoring

  • Event logs of all BYOD devices connected to the corporate network shall be monitored and reviewed on a periodic basis by IT teams
  • Periodic security reviews shall be conducted
  • Suspicious events detected through monitoring activities shall be reported through the incident management procedure

User Privacy

User’s personal data such as phone contacts, messages, media or information stored on BYOD devices shall not be accessed by IT teams while monitoring devices for compliance assurance.

BYOD Awareness

BYOD compliance awareness programs shall be conducted by IT teams regularly. All BYOD users are required to attend the program on a periodic basis.

Non-compliance and Consequences

The IT team(s) shall verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, business tool reports and internal & external audits and provide feedback to the policy owner. Any non-compliance shall lead to strict disciplinary action, including termination of employment.

Special Circumstance and Exception

All exceptions to this policy/ procedure will require a waiver explicitly approved by < Company >’s IT Manager / Officer.

Disclaimer
This template is meant to provide general guidelines and should be used as a reference. This is not a legal document. greytHR will not assume any legal liability that may arise from the use of this template.
© 2024 Greytip Software Pvt. Ltd.