Bring-your-own-device (BYOD) policies are an emerging solution to a new problem: How can an employer control the movement of company data when employees use their own personal devices instead of company-issued devices? With the growing ubiquity of smartphones and digital appliances, it is more and more common to see employees managing their lives through their personal devices, which are often newer and more user-friendly than company-issued devices. Many employees do not want to carry multiple devices and would rather manage their lives on a single device. Likewise, companies are hesitant to devote increasingly large budgets to keep up with employees’ desire for constantly evolving mobile devices. BYOD policies can provide the solution.
Creating and implementing BYOD policies require joint participation of legal, management, compliance, risk, and information technology (IT), and require planning and forethought. If properly implemented, these policies can allow employees the flexibility of using their own devices to access company resources while allowing employers to maintain control over company data, reduce IT costs, and control overhead expenses. Properly implemented policies can also lessen the expense, time, and confusion inherent in litigation holds and discovery production from mobile devices.
1. Start with email. Enterprise email solutions that many companies already use include centralized management tools for mobile users, making email deployment the easiest to manage.
2. Review your current policies. Your current security policies for web applications will likely apply to mobile devices as well.
3. Pick a device. Determine what device or devices you will support, with an emphasis on the security features of those devices and the availability of tools for remote management.
4. Set clear expectations. Train and educate your employees on their rights and responsibilities.
5. Write clear and concise policies. Create clear, understandable terms of use that employees sign and that are maintained by your human resources department.
6. PIN/authentication is mandatory. Encryption is mandatory.
7. Pick apps. Certain apps can facilitate a mass exodus of company information or can serve as a conduit for viruses and malware. Choose carefully what apps are and are not allowable.
8. Use mobile-device-management software. Commercial software packages can push information to devices, give the company central control over its data on those devices, and remotely wipe a device.
9. Address what happens when an employee leaves. Define what will happen when employees with devices on your BYOD platform leave the company. Consider how you will enforce the removal of access tokens, email access, data, and other proprietary applications and information.
10. Integrate your BYOD plan with your acceptable-use policy. Clearly explain in writing what is and is not acceptable use on the employee-owned device that will be holding company data. Discussions about an acceptable-use policy are required to protect company data and shield the company from liability. Remember that written, enforced policies will protect the company in litigation.
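Steps 6 through 9 above are the ones that can be turned into checks rather than left as written expectations: every enrolled device must have a passcode and encryption, only approved apps may be present, and a departed employee's access token and company data must be gone. The script below is an added example, not code from the original post or from any MDM vendor; it evaluates a constructed device inventory against those four requirements and decides whether each device may keep accessing company data. The record layout, the app allowlist and the finding codes are assumptions for illustration, not the export format of a real MDM product.

```python
"""Check a BYOD device inventory against the policy points above.

Constructed data only; the record layout is an assumption, not the export
format of any particular mobile-device-management (MDM) product.
"""
from dataclasses import dataclass, field

# Step 7: constructed app allowlist; anything not listed is flagged.
APPROVED_APPS = {"corp-mail", "corp-calendar", "corp-vpn", "authenticator"}


@dataclass
class DeviceRecord:
    device_id: str
    owner: str
    owner_active: bool            # False once HR marks the owner as departed (step 9)
    passcode_set: bool            # step 6: PIN/authentication mandatory
    storage_encrypted: bool       # step 6: encryption mandatory
    installed_apps: set[str] = field(default_factory=set)
    mail_token_revoked: bool = False   # step 9: email access token removed
    company_data_wiped: bool = False   # steps 8 and 9: remote wipe completed


# Finding codes that block company-data access until resolved. An unapproved
# app is reported for follow-up but does not block on its own.
BLOCKING = {"NO_PASSCODE", "NO_ENCRYPTION", "TOKEN_NOT_REVOKED", "NOT_WIPED"}


def evaluate(device: DeviceRecord) -> list[tuple[str, str]]:
    """Return (code, message) findings for one device; empty means compliant."""
    findings: list[tuple[str, str]] = []
    if not device.passcode_set:
        findings.append(("NO_PASSCODE", "PIN/authentication not configured"))
    if not device.storage_encrypted:
        findings.append(("NO_ENCRYPTION", "device storage not encrypted"))
    unapproved = sorted(device.installed_apps - APPROVED_APPS)
    if unapproved:
        findings.append(("UNAPPROVED_APPS",
                         "unapproved apps installed: " + ", ".join(unapproved)))
    if not device.owner_active:
        # Offboarding: both the access token and the company data must be gone.
        if not device.mail_token_revoked:
            findings.append(("TOKEN_NOT_REVOKED",
                             "departed owner still holds an email access token"))
        if not device.company_data_wiped:
            findings.append(("NOT_WIPED",
                             "company data not removed from departed owner's device"))
    return findings


def access_allowed(device: DeviceRecord) -> bool:
    """True only when no blocking finding is open for the device."""
    return not any(code in BLOCKING for code, _ in evaluate(device))


def audit(devices: list[DeviceRecord]) -> dict[str, list[tuple[str, str]]]:
    """Map each device id to its findings."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed inventory: one compliant device, one missing a passcode with a
# stray app, one belonging to a departed employee whose offboarding never ran,
# and one departed employee whose offboarding completed.
SAMPLE_INVENTORY = [
    DeviceRecord("dev-1", "alice", True, True, True, {"corp-mail", "corp-vpn"}),
    DeviceRecord("dev-2", "bob", True, False, True, {"corp-mail", "file-sharer"}),
    DeviceRecord("dev-3", "carol", False, True, True, {"corp-mail"}),
    DeviceRecord("dev-4", "dave", False, True, True, set(),
                 mail_token_revoked=True, company_data_wiped=True),
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        device = next(d for d in SAMPLE_INVENTORY if d.device_id == device_id)
        status = "ALLOW" if access_allowed(device) else "BLOCK"
        print(f"{device_id} ({device.owner}): {status}")
        for code, message in findings:
            print(f"    {code}: {message}")
```

Run as a script it prints one line per device with ALLOW or BLOCK and the open findings beneath it. The useful design point is that offboarding is checked from the HR side (owner no longer active) rather than trusting that someone remembered to revoke the token and issue the wipe; a departed employee's device stays blocked until both have actually happened.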
Take care when implementing policies to ensure that employees are properly trained and that their use complies with policies. BYOD policies require coordination between management, IT, legal, risk, and compliance to ensure that they comply with other regulatory obligations and data-protection and -retention policies already in place. If properly executed and implemented, BYOD policies can empower employees, protect employers, and save company time and money.