Whether or not your organization allows employees to use their personally owned devices to access corporate resources, you need to have a written policy that covers the acceptable use of mobile devices. This policy should clearly communicate to all employees what is, and is not, acceptable use of their smartphones, tablets and other mobile devices as it pertains to access to the company’s networks, applications and/or data.
If someone handed me the assignment to write such a policy, I’m not sure I’d even know where to start. It’s not easy to develop a comprehensive corporate policy from scratch. So…don’t. In this case, it’s OK to copy from someone else.
There are several public resources that provide either templates or full sample policies that give you ideas of what to include in your own policy. The first sample comes from Wisegate, the social network for IT professionals. Wisegate has published a report that is a Fortune 1000 company’s actual BYOD policy. This report gives you an inside look at what another company is doing pertaining to mobile devices in the enterprise. Your company’s policy will differ, of course, but you get to see the span of topics this company felt compelled to cover.
A post by Will Kelly on the TechRepublic blog leads you to 4 BYOD policy templates that can serve as models for your own policy. This article also provides step-by-step instructions on how to create your policy and advice for ongoing management of the policy.
Your organization will have a unique BYOD policy tailored to your own needs, but in general, here are the kinds of things to include:
- Acceptable use
- User responsibilities / corporate IT responsibilities
- Network access requirements
- Types and brands of devices that are supported as well as those that are not supported
- The company’s right to monitor the appropriate use of the devices and the user’s right to privacy
- The policy regarding device reset and data deletion
- Policy enforcement and the consequences of violation of the policy (up to and including termination)
- Secure configurations and security controls
- Application restrictions
- And, perhaps most important, acceptable use and treatment of corporate data
What’s great about copying off a sample policy or template is that it helps you think of things you may not have thought to discuss with employees, such as why the policies are written as they are. For example, the policy in the Wisegate report explains why the company has chosen not to support devices that run the Android operating system—presumably to head off protests from employees who already bought an Android-based device.
One more thing that experts recommend about your BYOD policy: have workers read it and acknowledge it in writing, and do this at least once a year or more if you update the policy. This is especially important if you spell out the ramifications of violating the policy, such as potential termination for misuse of corporate resources. A signed statement proves that a worker acknowledged awareness of the policy, and this can help to head off any protests if you are forced to discipline an employee over policy violations.