How to write a mobile device usage policy

A mobile device usage policy potentially serves three purposes. First, it might serve as an integral part of a larger security policy. Mobile devices can easily be the weak link of corporate security - especially when the devices are put to both business and personal use. A well-written policy goes a long way towards minimising the risk inherent to mobile computing.

Secondly, a mobile device usage policy can be used to limit your organisation's liability by clearly specifying the respective responsibilities of the employee and the company. Thirdly, a good device policy helps IT manage devices by limiting the device types and applications supported, and by defining procedures users are expected to follow.

Mobile and BYOD policy - Think before you start

Before you start writing a mobile device usage or BYOD policy, make a list of things you want to achieve. Here are some things you might consider when making this list:

  • Think about the needs of your customers and partners. Do your customers have concerns about security in your organisation? What about your supply chain partners? Do your partners need you to restrict the use of mobile technology to help them comply with regulation? Keep your customers and partners in mind when you review the risks you need to mitigate and the behaviour you need from your mobile users.
  • Think about any potential audits of your device usage policy. The mobile device usage policy might get audited as part of larger security audits. A well-written policy that covers all the right points will make the audit process go more smoothly and quickly.
  • Think about which devices and operating systems you want to support. Which device types do your device management tools support? Which device types allow you to separate business and personal apps and data in the ways you want? Which device types allow you to back up and restore business apps and data while leaving the personal apps and data out?
  • Think about which applications you want to allow on devices that connect to your organisation's network. You may come up with a blacklist, a list of apps you don't allow. But in some organisations it may be easier - and wiser - to use a whitelist, a list of apps you do allow. While you may have tools that control which business apps get installed on a device, the only thing you can do to limit the use of personal apps is to include appropriate rules and guidelines in your policy.
  • Think about device wipe and lock-down. If a device is lost or stolen you certainly want to remove all business data or prevent access to the business apps and data on the device. However, you don't have the legal right to remove personal apps or data. When business and personal software are commingled on the device, it becomes difficult to wipe only the business apps and data. This is one of many reasons you need to separate business and personal software on devices.
  • Think about how much your organisation will support employee-owned devices. Your organisation has a stake in keeping devices and business apps running, but you can't get dragged into supporting personal apps or troubleshooting problems resulting from personal use of a device. Also make sure you're clear on who is responsible for replacing lost or stolen devices, and how quickly the responsible party must replace the device.
  • Think about how you want to handle backup and restore. An increasing number of workers store business data on their mobile devices, which makes backup and restore critical. However, you have to make sure you aren't backing up personal data, especially when that personal data identifies people other than the employee. Keep in mind that most workers have personal data about family and friends on their devices.

BYOD policy - Make your mobile device policy a living document

Writing a mobile device usage policy should be thought of as a process, rather than an event. Put in place procedures for updating your rules and guidelines regularly:

  • Position your document in the context of other related policy. Make sure your rules and guidelines on mobile device usage remain consistent with any other related documents, such as your security policy or your general IT usage policy.
  • Keep your rules and guidelines consistent across departments and across geographies. It's easy enough to make policy consistent across departments. But from one country to another you may have variation in national laws on things like company liability and data privacy. Nevertheless, you should strive to make the policy as consistent as possible from one country to another.
  • Solicit feedback from stakeholders. Different people in the organisation have different appetites for risk. Make sure you get the right people on board. If your policy is in conflict with the risk sensitivities of business leaders, those business leaders might try to nix it. It's better to find out what stakeholders are thinking beforehand, and make sure you keep all the right stakeholders in the loop on all revisions to your policy.
  • Keep notes on your reasons for including elements in the policy, and the reasons you left other elements out. As you collect feedback from stakeholders, and as you produce new versions, you'll need a reminder of why you wrote the different parts of the document.
  • Monitor adherence to the policy. If your users don't comply, your policy isn't worth the paper it's written on. Set up a process to ensure compliance and take notes on which rules and guidelines users tend to ignore.
  • Find the right person to write the policy. You shouldn't have the most junior person in your organisation write policy; nor should you have your most senior technology guru do it, unless he or she is an excellent writer. It's better to get somebody who writes clearly and knows something about writing policy in general. After all, how clearly you state your rules and guidelines will determine how strictly they are followed.
