Keep BYOD policies simple but effective
From the web, to the cloud, to mobile technology, among the greatest concerns of IT managers is security. The same is true for bring your own device programs, which--despite their growing popularity--hold the possibility of placing an organization's data at great risk.
That is placing increased emphasis on BYOD governance programs--formal policies that govern acceptable behavior by employees who wish to access the corporate network with their personal devices. The challenge is to create a formal policy that provides employee flexibility while also ensuring corporate security.
A BYOD governance program doesn't have to be complex. In fact, according to David Fletcher, chief technologist for the State of Utah, it should be quite the opposite.
"I've seen some very complicated programs, but it's not a super complicated issue. Keep them simple," Fletcher said in an interview.
In a nutshell, a BYOD governance program should outline the rules and the responsibilities around employee behavior. The program should inform employees what they are allowed to do with their personal devices and the safeguards they are expected to take.
Fletcher notes that the State of Utah has not had a network breach so far, and he credits that partly to the education and training efforts around the BYOD policy. All employees are given annual training on any changes to the state policy as well as on how new devices in the marketplace affect that policy.
Helping out is the fact that, while all state employees are allowed to use their own personal devices at work, Fletcher says the majority still do not. State-wide, Fletcher estimates that only 10 percent to 20 percent take advantage of the BYOD policy. The greatest activity is among workers at the state Capitol building.
When creating a governance program, Fletcher points out that the first step is to decide how restrictive the program needs to be. Questions an organization should ask include:
- whether a top-down approach is the best way to guarantee security
- if a lock-down approach will hamper employee flexibility
- what is the acceptable level of risk the organization is willing to take
- where the organization sees itself heading in the future
As Fletcher notes, technology and devices are likely to change faster than your corporate policy, so a governance program should be forward-looking. Your employees will change, their devices will change and the needs of those devices will change. That makes it important to revisit the policy on a regular basis.
Fletcher says that communication is key for the success of a BYOD program so that employees have a clear understanding of how sensitive data can be put at risk and their role in that scenario.
As to what elements should be included in a BYOD governance program, Fletcher says they break down into technology and behavior categories.
The program should include policies on accessibility and enrollment, enforcement, employees' data and service plans, fees and charges incurred by the employee on mobile devices, stipend programs, employee consent, training, compliance, privacy and employee acceptance of the policies.
On the technology side, BYOD policies should address mobile device management, device wiping, cloud computing security, network access control, desktop virtualization, passcodes, PIN mandates, file permissions, which devices are allowed or banned and any specific applications that are banned.