Writing Your BYOD Policy
This article will point you to the core concepts of BYOD, removable device, and cloud storage policies so that you understand best practices before writing your own.
Removable media, cloud storage, and BYOD devices can be a quick and convenient way for employees to handle data. But with this convenience comes some serious security concerns. Unprotected removable storage is an easy entry point for end users to inadvertently bring in viruses and malware into your company network, thus increasing the risk of business data exposure, hardware failures and data breaches. While it may be easier to prohibit employees from using removable media and declare it a punishable offense, that approach is impractical and unrealistic.
If you do decide to allow removable media, cloud storage, and BYOD, here are five things to include in your policy:
General best practices
For removable media and bring your own devices, here are some general best practices to follow:
- Define that confidential data can never be stored on the device
- Create a procedure to report a lost/stolen device immediately
- Require data stored on removable media to be encrypted to prevent against data loss if the device is lost/stolen (refer to our post on writing an Encryption Policy)
- Wipe company data from device as part of the offboarding process
- Note: You may be liable if you wipe personal information while removing company data
- Complement all administrative, physical and technical BYOD controls with an acceptable use policy
Removable media is any type of storage device that can be removed from a computer without powering off the system, such as USB drives, external hard drives, and memory cards. Many companies are opting to only allow removable media that is approved and/or controlled by IT before use. For example, your IT team may choose to scan USB drives for viruses before allowing them to be connected to any corporate system. Or, IT may block all USB drive usage except from specific hardware they control. In some extremely security conscious cases, companies block removable media altogether.
Cloud storage is a quick and convenient way to give employees access to internal documents. However, security controls for cloud storage are dependent on the provider. As discussed in the IT Vendor Management post, it is on you to ensure the cloud storage provider meets your security requirements. You can’t just assume they will be responsible.
It’s a good idea to have some discussion and planning around cloud storage before just leaving it wide open for people to use. For example, you may want to declare that staff are required to use only the company provided/approved cloud services, and that employees cannot create accounts without formal organizational approval. You can leverage additional technical controls, such as Web site and application blocking on your firewall, to help enforce the policy.
Bring your own device
Bring your own device, also known as BYOD, can be tricky to regulate. On one hand, these devices belong to employees, so you are limited in the amount of technical controls you can enforce. On the other hand, these devices will regularly be connecting to your VPN and wi-fi networks, as well as your file and mail servers. At a minimum, your policy should define certain requirements, such as those outlined in item #1 above. Additionally, you should restrict which applications on the device can interact with company data, and define strong passwords and PIN requirements.
For additional control, there are technical tools available to help you manage BYOD more granularly. A mobile device management (MDM) solution, for example, can help you strike the right balance between keeping your corporate data safe while still giving employees freedom to do their jobs. MDMs can help you define which applications on a user’s device can interact with corporate data, as well as the minimum level of operating system a device needs to have.
MDMs can also “containerize” corporate data on personal devices and protect it with controls you define - such as a PIN/password or thumbprint. That way, if a user’s device gets lost or stolen, you have an extra layer of protection surrounding the corporate data. You also then have the power to wipe just the corporate data off the device while still leaving the user’s pictures, videos, contacts, etc. in tact. Make sure you do a careful analysis of MDM offerings before selecting one - some vendors have better controls for iOS devices (iPods, iPads, iPhones) than they do for Android phones and tablets.
Communicate clear expectations
Because the lines of employee privacy can get blurry when enforcing controls and expectations on personal devices, good communication is key. Clearly articulate and document your expectations to employees, such as:
- Minimum PIN/password requirements - it used to be that a 4-digit PIN was accepted, but today a 6-digit PIN is standard.
- What kind of information cannot be sent/accessed through personal devices?
Will you allow personal devices to connect to your VPN? Can users access corporate email? Will they be able to copy and paste company information into their personal applications?
- Define when and why the company will wipe an employee’s phone
This is a big one. You need to make these conditions very clear to employees - both during on-boarding and when their devices first connect to the wi-fi network. Otherwise, if an employee leaves the company and you wipe the phone on the way out the door, the situation could raise legal issues for your company. Therefore it’s a good idea to have employees sign a BYOD agreement - and pair it with an acceptable use policy - before ever allowing personal devices to touch your corporate network or data.
- What happens to personal devices during off-boarding procedures?
Whatever BYOD decisions you make in policies and enforce with technical controls, make sure they are clearly explained to users during off-boarding. This is another reason that creating a BYOD agreement for users to sign on day one is a good idea.
- What qualifies as an incident and what steps will be taken as a result?
Define incidents in as much detail as you can, and also spell them out clearly in policy. That way, users will understand what they might otherwise view as extreme reactions. For example, if your MDM solution reports that a personal device has a virus, and your policy states that any devices with known infections will be wiped immediately, you have proper justification to wipe the device. Otherwise, incidents that arise on personal devices might get into a gray area and cause conflicts between the IT department and other teams.
Portable hard drives, cloud storage, and personal devices provide easy ways to shuttle files between machines and over the Internet. Unfortunately, policing them from a corporate standpoint is anything but easy. It’s important to train users on how to use these tools properly in a work environment, as well as how and where they can store or transmit sensitive information. Finally, and perhaps most importantly, make sure users are crystal clear on the actions you will take on their devices and storage mediums when an incident happens.