The first step in developing a BYOPC strategy is to create BYOPC policies, and for this you need to understand the scope of your strategy. Jumping into implementation without knowing what you are implementing will likely waste time. You should consider acceptable use, liability, privacy, governance and enterprise-supported device policies.
Create and define BYOPC policies
When a company purchases, provisions and supports a computer, the company understandably expects to have full control over how employees use that computer. In a bring your own PC (BYOPC) environment, the lines of responsibility around proper use are blurred.
For example, a business may decide that employees shouldn't use company-owned desktops for personal tasks, such as tracking a family budget. This is precisely the kind of thing many employees would do with their own PCs, and they may not think that using a corporate device is any different.
Balancing the family budget with a company PC is unlikely to cause any problems, but devices with inappropriate material, such as illegally downloaded media or pornography, could become a human resources issue. Your organization should also clearly state BYOPC policies governing topics such as harassment with respect to personally owned devices.
One of the most important BYOPC policies is an acceptable use policy, which should specify the device owner's responsibility for protecting corporate information. For instance, employees should take care to protect personal devices that store sensitive data from loss or theft. If users install unauthorized applications on the same PCs that access corporate systems, IT must mitigate the risk of a user's PC eventually transmitting malware to company computers or data leaking through an inadequately secured PC.
IT can implement security controls in various ways, including verifying that anti-malware and personal firewall software are installed and up to date. When an employee's device does not meet minimal BYOPC security requirements, you can deny it access to the corporate network. Network administrators can require virtual private network use to further protect communications between business systems and the employee's PC.
IT professionals may determine that the best way to balance protecting the business while allowing BYOPC is to use virtual desktops and applications. With this approach, an employee connects to an access gateway to reach a centrally managed virtualized application or desktop. This allows IT admins to maintain control over corporate apps and data without implementing substantial controls on employee-owned PCs. In such a scenario, you'd need to define policies describing how to use the virtualized desktops, establish access restrictions and describe how users would be grouped according to their roles and responsibilities.
Comprehending the intricacies of liability will no doubt require legal advice. Some instances that may raise liability questions include a private or confidential data leak from a personal device and personal data loss because of a business application error, or as a result of poor advice from technical support.
User agreements can capture company policies, but employees should understand the details of those policies. Having an employee click through an end-user agreement may meet legal requirements for consent, but it does not mean employees understand the scope of the policies.
It's better for an employee to know up front that the business retains the right to alter a device connected to the corporate network -- including erasing personal data -- than to find out unexpectedly that the family photos are gone for good. When you describe key provisions of end-user agreements, it is also a good time to review best practices for protecting personal data, such as performing regular backups.
About the author:
Dan Sullivan, who holds a master's degree in computer science, is an author, systems architect and consultant with over 20 years of IT experience, with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence.