The success of a BYOD program rests with the careful creation of a bring-your-own-device policies, but many companies neglect to write them.
It is my opinion that the bring your own device (BYOD) trend will become the dominant strategy for provisioning subscriber devices in most organizations over the next few years. Originally, I was skeptical of the idea of being able to manage and secure devices that belong to end users and not companies, but the industry has made significant progress. Now, there are many interesting strategies, products and services that make BYOD effective -- and even easy -- for most organizations.
But what's often forgotten and thus missing in BYOD efforts -- especially in the initial phases --is the policy piece. BYOD isn't a free-for-all, do-whatever-you-want situation. Careful planning and end-to-end thinking are required before a company purchases any systems for managing BYOD and certainly before the general word goes out that BYOD is allowed.
Having the necessary BYOD policies and end-user agreements in place is essential to success. To that end, here are the basic policies and agreements that every company should draft:
The actual BYOD policy
The basics of a BYOD policy boil down to a few questions:
- Who should have access to which services and information?
- Which device models and operating systems can employees use to access these assets?
- From what locations (or via which networks) can those users access data?
- What are the time-of-day restrictions for that access, if there are any?
Companies will need to use specific software to manage access, devices and data. That software could include mobile device management or mobile application management software. Be sure to spell out the scope of function allowed to both parties.
Perhaps the number one concern surrounding BYOD involves the security of enterprise data on a personal device. An approved organization-wide security policy must be in place before a company can even think about allowing BYOD. The security policy document doesn't need to be complex, but it must at least cover the basics:
- What data is defined as "sensitive?"
- Who can have access to or store sensitive data, and under what circumstances?
- What will IT do in the event of a breach?
If policy involves selective or brute-force device wipe, such must be carefully spelled out in all appropriate polices and agreements.
Acceptable use policy
More on bring-your-own-device policy
Creating a BYOD policy
Using mobile device policies to make IT's job easier
How acceptable use policies improve BYOD
Similarly, it's important to define what BYOD users may do when they access the corporate network and any sensitive data in residence there. An acceptable use policy can and should include a list of prohibited activities, down to specific websites, applications and data that employees cannot access. An acceptable use policy and, in some cases, a corresponding user agreement are essential to protecting the liability of an organization in the event that corporate IT resources are used in any illegal or questionable activities.
A written and properly-executed agreement between authorized users and the organization is essential. I absolutely recommend that companies run any proposed policies by their legal counsels before drafting any agreements and putting them into practice. Laws vary significantly from jurisdiction to jurisdiction and from country to country. It's vital to get the BYOD agreement right to make sure that the interests of users and the company are protected and to ensure that everyone's rights and responsibilities are clearly, concisely and legally defined.
Though companies will likely need to make revisions to the BYOD agreement from time to time, the agreement should be universal and companies should not allow exceptions. That will make both the bring-your-own-device policy and its administration much more clear.
Education, training and support
Finally, it's vital to educate users on their rights and responsibilities. Some kind of training session -- either as a class or an e-learning seminar via the Web -- should review all BYOD policies, agreements, rights and responsibilities. General consciousness-raising and occasional reinforcement akin to a "loose lips sink ships" poster are also a good idea. After all, the value in most commercial enterprises today exists essentially as information that must be protected.
While all of this may look like a lot of work, it really doesn't need to be. A little up-front thinking and effort can save a lot of grief during operations.