by Jonathan Hassell

7 Tips for Establishing a Successful BYOD Policy

How-To
May 17, 2012 | 7 mins

Consumer Electronics, Data and Information Security, Mobile Security

If you haven't developed a corporate Bring Your Own Device policy, or if the one you have is out of date, these tips will help you address device security, IT service, application use and other key components of an effective BYOD policy.

The number of smartphones in use across the globe will reach 2 billion by the end of 2015, according to many estimates. If you haven’t been encouraged to establish a program to allow employee-owned devices to access, at the very least, corporate email, calendar and contact systems, it’s a virtual certainty you will be now. (In fact, in many companies, your hand is forced by the C suite, because CEOs and other executives often find tablets and smartphones useful in their frequent travels and meetings.)

This pressure might leave you wondering about the keys to developing a BYOD policy and how best to implement it. These seven core ideas should be a part of any good Bring Your Own Device program. Each idea comes with many important questions to ask yourself, your IT associates and your executive team while developing a BYOD policy.

1. Specify What Devices Are Permitted.

It was simple and clear in the old days of BlackBerry services—you used your BlackBerry for work, and that was it. Now there are many device choices, from iOS-based phones and tablets and Android handhelds to Research in Motion’s Playbook and many others.

It’s important to decide exactly what you mean when you say “bring your own device.” Should you really be saying, bring your own iPhone but not your own Android phone? Bring your own iPad but no other phones or tablets? Make it clear to employees who are interested in BYOD which devices you will support—in addition to whatever corporate-issued devices you continue to deploy—and which you won’t.

2. Establish a Stringent Security Policy for all Devices.

Users tend to resist having passwords or lock screens on their personal devices. They see them as a hurdle to convenient access to the content and functions of their device. However, this is not a valid complaint—a phone connected to your corporate systems has access to far too much sensitive information to allow unfettered swipe-and-go operation.

If your users want to use their devices with your systems, then they’ll have to accept a complex password attached to their devices at all times. You need a strong, lengthy alphanumeric password, too, not a simple 4-digit numerical PIN. Check with your messaging administrators to see what device security policies you can reliably enforce with your software.

3. Define a Clear Service Policy for Devices Under BYOD Criteria.

It’s important for employees to understand the boundaries when questions or problems crop up with personal devices. To set these boundaries, you’ll have to answer the following questions.

  • What level of support will be available for initial connections to your network from personally-owned devices?
  • What kind of support will IT representatives provide for broken devices?
  • What about support for applications installed on personal devices?
  • Will you limit help desk tickets to problems with email, calendaring and other personal information management-type applications?
  • What if a problem with a specific personal application is preventing access to the apps you have already designated as supported?
  • Is your support basically a “wipe and reconfigure” operation?
  • Will you provide loaner devices for employees while their phone or tablet is being serviced?

4. Make It Clear Who Owns What Apps and Data.

While it seems logical, on the face of it, that your company owns the corporate information stored on the servers that your employees access with their devices, ownership becomes more problematic when you consider wiping the device in the event it is lost or confirmed stolen. When you wipe the phone, traditionally all content on the phone is erased, including personal pictures, music and applications that in many cases the individual, not the company, has paid for. Sometimes it’s impossible to replace these items. Does your BYOD policy make it clear that you assert the right to wipe devices brought onto the network under your plan? If so, do you provide guidance on how employees can secure their own content and back it up so they can restore personal information once the phone or device is replaced?

5. Decide What Apps Will Be Allowed or Banned.

This applies to any device that will connect to your environment, whether corporate-issued or personally owned. Major considerations typically include applications for social media browsing, replacement email applications and VPNs or other remote-access software.

The question here is whether users can download, install and use an application that presents security or legal risk on devices that have free access to sensitive corporate resources. What if the latest Twitter app has a security hole in its integration with the Mail app on the iPhone that allows spammers to relay mail through your organization? (This is purely hypothetical, of course.) What if a poorly written instant messaging client steals your organization’s address book? These are serious questions to address in your policy, and a good starting point for BYOD policy development. Moreover, the technology for preventing downloads of questionable apps or copyright-infringing music and media on personal phones is immature at best, so manually screening eligible users into a trusted group may be warranted.

6. Integrate Your BYOD Plan With Your Acceptable Use Policy.

If your company is on the ball, chances are corporate-issued phones are already covered and treated like notebooks, desktop computers, and other equipment on your network. On the other hand, allowing personal devices to potentially connect to your VPN introduces some doubt about what activities may and may not be permitted. Discussions about an acceptable use policy are required to fully cover your rear.

  • If you set up a VPN tunnel on an iPhone and then your employees post to Facebook, is this a violation?
  • What if your employees browse objectionable websites while on their device’s VPN?
  • What if they transmit, inadvertently or not, inappropriate material over your network, even though they’re using a device they own personally? What sanctions are there for such activity?
  • What monitoring strategies and tools are available to enforce such policies?
  • What rights do you have to set up rules in this arena?

7. Set Up an Employee Exit Strategy.

Don’t forget about what will happen when employees with devices on your BYOD platform leave the company. How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information?

It’s not as simple as having the employee return the corporate-issued phone. In this case, many companies choose to rely on disabling email or synchronization access as part of the exit interview and HR checklists, while more security-conscious companies choose to perform a wipe of the BYOD-enabled device as a mandatory exit strategy. You should have a clear methodology for backing up the user’s personal photos and personally purchased applications prior to this “exit wipe.” Proactively reach out to affected users to help them take part in this process—all while making it clear that you reserve the right to issue a wipe command if the employee hasn’t made alternate arrangements with your IT department prior to his or her exit time.

Jonathan Hassell runs 82 Ventures, a consulting firm based out of Charlotte. He’s also an editor with Apress Media LLC. Reach him via email and on Twitter.