BYOD Policy
With the growth of information technology and the proliferation of mobile devices, company networks are becoming increasingly hard to manage and maintain on a daily basis. Today’s work environment has employees who prefer using their own devices, such as tablets and smartphones, for work as well as personal activities. According to a report by the Federal communications system in March of 2013, the use of mobile devices has increased dramatically. Bring Your Own Device (BYOD) is a setup in which companies allow employees to use their own devices to transact personal and company business. Although this arrangement is economical for the company, which no longer has to purchase devices for every employee, it could also pose serious threats to privacy and information security. There is thus an urgent need for information technology departments to know which devices attempt to connect to their corporate networks so that they can put in place enough security measures to govern the authentication of such devices.

This document presents a BYOD policy that creates rules for workers needed to uphold the privacy, integrity, and security of company technology and data from risks that emanate from employees being allowed to bring their own devices. Companies always reserve the right to disable devices, disconnect devices or revoke BYOD privileges of employees at any given moment with or without user notification if they fail to adhere to the procedures and requirements outlined within this policy.

SCOPE

This BYOD policy applies to all company employees, whether contractors, permanent staff, interns or volunteers. All third parties with whom the company may agree in some way to share information shall also be regulated by this policy as well as other information sharing policies. Any employee seeking to connect his or her device must obtain written authority to connect from the information technology department, and must provide a budget to meet the device connection costs, before the connection request is submitted to the company information technology department.

BYOD supported devices

At the moment, this policy approves the devices outlined below together with minimum device specifications.

  1. Android 5 or above tablets and smartphones.
  2. iOS 5 iPads or iPhones.
  3. Windows 8 or Windows 10 devices.

Any devices outside these specifications shall not be supported due to non-compliance. Windows and Android device users shall be required to install anti-spyware/anti-malware on their devices, otherwise, their devices shall be deactivated from accessing the company network.

BYOD Management

The information technology department together with company management will manage BYOD as stipulated in this document on behalf of the company. Furthermore, the human resources department shall advise the management where company policies have been violated. BYOD, in this case, includes monitoring, approval, reporting, and security procedures such as device factory reset.

The company uses a range of equipment to facilitate BYOD for its employees, and this can be deployed with various features ranging from simple event planners or contacts to additional features like instant messaging, network sharing, and SharePoint. This policy for BYOD devices establishes a distinct working space differentiating personal data such as data owned by the employee from company personal data such as employee financial records. This BYOD policy focuses only on controlling and managing corporate company data, as opposed to personal confidential data residing on the BYOD devices.

The BYOD device operating environment is encrypted and all other information residing within the corporate network environment cannot be stored outside the various apps or within the devices locally. All communications are encrypted and often monitored to detect anomalies. To prevent information being compromised, the company network environment is protected using biometric identifications and passwords as per the company’s password policy meeting the criteria outlined below.

Passwords must be at least six characters in length, contain a mixture of uppercase and lowercase letters, and contain at least two integers with special characters. The passwords must be changed on a monthly basis and cannot be shared or written on employee notebooks or work desks for easy recall.

Remote wipeouts would affect all data stored on the devices irrespective of their ownership, and before employees accept to use personal devices in the company they sign an agreement that makes the security of company data a priority over their personal information. Wipeouts could be initiated if a device is stolen or misplaced, after ten consecutive failed login attempts, when an employee is terminated from the company, or if a data breach is detected by the company security systems.

Device and System security

Companies always take data and information technology assets very seriously and devote substantial resources to guarantee security. The application of Bring Your Own Devices should therefore strictly comply with company device use regulations. Specifically, when an employee uses a personal device on work activity, they should uphold company information security with regard to accessing, viewing, storing, and manipulating data.

Over time, the company might require employees to install or update company-sanctioned device management software on such personal devices. It is hence the responsibility of every employee to acquaint themselves with the devices extensively to ensure their security. This may involve ensuring information confidentiality where necessary, preventing data loss or information theft, or maintaining information and data integrity.

Employees may at no time store or retain any valuable company information on their own personal devices. When in doubt as to whether specific information can be retained on a personal device, employees are required to first consult the information technology manager or seek guidance from their section manager.

Employees are required to:

  1. Always update their device software, for instance Android OS updates.
  2. Take advantage of the security features provided by their devices, such as encryption, passwords, and screen patterns, to help secure the devices when not in use.
  3. Install anti-virus/anti-malware on their devices.
  4. Remove any company information stored on the device after use, including deleting all downloads and browser cache.
  5. Factory reset the device before disposing of, selling or exchanging it.
  6. Restrict the number of electronic mails or other sensitive information being synced to the device to the advisable minimum.
  7. Configure tracking or automatic wiping services, such as Where’s My Droid for the Android platform, Find My iPhone for the Apple platform and Find My Phone for the Windows platform.

In case an employee’s device is stolen or compromised, it is the responsibility of that employee to immediately inform the information technology department so that it can enforce additional security on company services. Employees are also required to cooperate with company security staff in remotely wiping data from the device, regardless of how important their other personal data is. Further advice shall be given by the information technology security desk depending on the security situation.

Physical Security

Employees who bring personal devices shall bear full responsibility for securing their devices, taking precautions to avoid theft, loss or damage. Furthermore, employees must be extra vigilant when using any of the allowed BYOD devices while traveling, to avoid the risk of compromise to information integrity and confidentiality. Employees should avoid sharing the devices with friends or relatives who are not employees of the company.

Monitoring user owned devices

The company would not monitor any content on employee-owned devices; nevertheless, the company reserves the absolute right to track and log data transferred between employee-owned devices and the company information systems, both within the internal and external networks. In extraordinary situations, for example where the only copy of a company document is stored on a personal device, or where the company requires access so as to comply with its legal requirements, or where mandated to do so by a court of law, the company will require access to company information stored within any employee’s personal device.

Under the circumstances outlined above, all reasonable and legal efforts shall be enforced to make sure that the company does not access private user information. For a situation such as where an employee needs to legally store or access specific types of information like financial or employee data using a personal device, you must seek authority in writing from the information technology desk. The company might in some situations be required to monitor the devices in a way that may affect user privacy by logging all activity on a user-owned device. This is done for purposes of ensuring integrity, privacy, and data confidentiality. Employees are required to undertake work-related activity in conformity to the company device use regulations.

Support

Where necessary, the company supports all device platforms, but employees have the sole responsibility of learning how to manage and use their devices well in the context of this BYOD policy. Advice and help are available on a sensible basis from the information technology service desk such as accessing certain apps, installing applications, and setting up network access. The company takes zero responsibility for repairing, supporting, insuring, maintaining, or otherwise funding the purchase of employee-owned devices, or for any damage or loss resulting from the support given.

Authorized use and restrictions

Employees who bring devices that have web cameras or video recording capabilities are not allowed to use such functions anywhere within the company premises unless authorized in writing to do so by the management. While working, all employees are required to apply the same discretion when using their personal devices as is required of those using company-provided devices. Regulations and laws relating to discrimination, harassment, trade secrets, retaliation, and confidentiality apply to all employees using personal devices when handling job-related activities.

Too many calls, text messages, or electronic mails during working hours, irrespective of the device in use, could hamper the productivity of employees or distract fellow employees. All employees should handle private businesses during non-work breaks and make sure that the people who frequently communicate with them are aware of this policy stipulation. Exceptions to this policy may be granted under emergency situations as authorized by management. Section managers reserve the right to request for more information on device bills and messaging during work periods to ascertain if they are excessive.

In addition, no employee may use personal devices to carry out work-related activities outside their working hours without prior written authorization from the management. These activities include responding to and sending electronic mails, reviewing texts, or making calls. Furthermore, employees are not allowed to use their devices to undertake work activities during their leave breaks without authorization. The company reserves the right to shut off employee access to company facilities during their leave breaks.

Employees will at all times be subject to company procedures and policy with regard to their personal conduct, information, and data security as well as physical security which may include policies from other departments. Fundamental to all company employees with regard to the use of personal devices is that the devices may at no time be used to:

  1. Harass fellow employees or bully other people.
  2. Store or transmit illegal content.
  3. Engage in activities not related to the business such as betting or surfing social networks.
  4. Transmit or store proprietary information owned by a different company.

The company has a zero-tolerance policy for emailing or calling when driving or at work, except in situations where it is legal to do so.

Consequences for non-compliance

Any contravention of this policy by a company employee or third party will lead to disciplinary action, such as suspension, dismissal or termination of the employee’s access to the service or from their job, and in some cases prosecution by law enforcement agencies, third parties or government agencies tasked with the investigation of cybercrimes. Please be advised of the existing ratifications pertaining to the handling of company proprietary or confidential information for further guidelines.

Guidelines for compliance

Employees with personal devices are expected to act in conformity with the company code of conduct at all times while at work. Where an employee is in doubt, they are required to seek consultation from the human resource office, section managers, or the information technology service desk. Furthermore, any BYOD devices used within company premises may be subject to litigation discovery. This implies that information contained on the devices could act as evidence in legal suits.

The company hereby acknowledges the use of BYOD devices in handling company business as well as the risks for which the owners assume full responsibility. These risks include complete or partial loss of data, or software bugs emanating from poor programming practices. The company hereby disclaims any liabilities occurring due to any such risks. Furthermore, the company reserves the exclusive right to wipe out data at any time where necessary for the sole purpose of safeguarding company services and assets.

The company also disclaims liability for injuries occurring to device owners such as stress developed during work hours. The company provides enough resources suitable for carrying out all job-related activities and as such employees bring their own personal devices at their own risk. It is hence the duty of every device owner to ensure their device security.

2020-05-06
