A BYOD Policy is a policy on bringing your own device to work or school. BYOD management is becoming important as more and more employees bring their own devices to work. In January 2013, SAP stated in an article on their blog that “89% of IT departments worldwide support bring your own device (BYOD) practices!” In May 2013, Gartner predicted that by 2017 “half of employers will require employees to supply their own device for work purposes.” We’ll explain what it is, help you get a BYOD Policy, and help you implement it.
What is BYOD?
According to Wikipedia, BYOD is “a term that is frequently used to describe the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their place of work.” Instead of the employer providing the employee with the device, the employee is permitted to bring their own electronic device to work and then use it for work purposes.
Concerns around BYOD
The range of devices is very wide. It includes any device that is able to record, store or transmit data, voice, video, or photo images. It can therefore include a laptop, desktop, personal digital assistant (PDA), netbook, digital tablet (for example an Apple iPad), cellular phone (for example Android phone, RIM BlackBerry and Apple iPhone), satellite phone, smartpen and portable storage media (memory sticks, USB drives, external HDDs, digital voice recorders, CD writers, cameras or any device that can store data).
Most of the concerns raised by BYOD revolve around information security, privacy and monitoring: employees use the same devices they use for work to engage in personal activities, for example surfing the web, sending personal email, and storing photos, music and passwords. BYOD sometimes puts a different gloss on these issues. Take monitoring, for example: companies generally monitor employee activities while working on the company’s network (regardless of the type of device connected to that network). For company-issued devices, additional monitoring of employee usage may occur at the device level (e.g. keystroke logging or mobile device management software that tracks the location of mobile devices). However, the same types of monitoring may not be appropriate when it comes to personal devices.
Do you need a BYOD policy?
Where the employee owns the device, the organisation loses the ability to control its own hardware and data. This poses security and privacy risks. For example, it loses the ability to implement minimum system requirements and configurations; install security-related software on the device; encrypt company data on the device; monitor the use of the device to detect misuse, hacking or malware; and dictate how the device connects to the company’s network.
With a BYOD policy, the organisation can secure its systems and sensitive data in order to achieve a level of “reasonable and legally defensible security” through controls in the policy that the organisation determines sufficient to reduce its security risk to an appropriate level.
In just the same way that a Computer Usage Policy regulates how company-owned electronic devices (a) are used and (b) access the company computer system or company email system, a BYOD policy regulates how personally owned electronic devices access the company computer system or company email system. As the company does not own the electronic devices, it is not too concerned with how users use them (only what they do with them when accessing the company systems). The BYOD policy must therefore dovetail with the company’s other information security policies, in particular to determine how they relate to and impact employees’ use of their personal devices for business purposes. Policies that may be relevant include (without limitation): mobile device security policies, password policies, encryption policies, data classification policies, acceptable use policies, antivirus software policies, wireless access policies, incident response policies, remote working policies, privacy policies, and others.
What do you get?
A BYOD policy and a Guide to the policy. The policy is seven pages long and the Guide four pages long. The BYOD policy deals with things like:
- permissible types of devices
- employee device reimbursement rights, if any
- the right to wipe the device
- employee obligations (including security responsibilities)
- the rights of the company (including monitoring)
- incident response
The Guide to the BYOD policy explains many of the concepts mentioned in the policy to enable the organisation to make the right choices.
We also supply you with useful articles to enable you to make the right decisions.
What makes us different?
- Combined ICT law and labour law skills: Our policies are crafted with the input of ICT lawyers and labour lawyers, thus ensuring that the critical related IT issues and people issues are covered.
- Decades of experience: The Online Legal team have spent years developing these policies in practice as attorneys working with thousands of organisations such as yours. We know what works and what doesn’t.
Easy to Read
In the fast-paced information economy in which we live, people are pressed for time and will generally only read things that are relevant to them. A good policy focuses on particular audiences (typically employees, management and technical staff), addressing only those issues that are absolutely needed and focusing only on the essentials.
Easy to Manage
We group together various issues in a policy. Problems that arise do so in relation to an issue. It is therefore easy to update our issue-specific policies when you review them (which should be at least annually).