Formulating BYOD policies and user agreements

By David Geer (Part of the FMIT special report Making BYOD work)

BYOD scenarios can differ from healthcare to retail to financial services industries. All scenarios require employee education for awareness of issues specific to their industry and enterprise as well as training in unique policy requirements and how to meet them.

Employee Use, Security, and Data Wiping

Enterprises use BYOD policies to enforce security. Policy-based approaches include white-listing approved applications or black-listing banned ones. "Enterprises also block inappropriate websites," says Christian Kane, analyst for enterprise mobility, infrastructure and operations at Forrester Research.

MAKO Surgical applies an acceptable use policy requiring employees to avoid illegal activity when surfing websites and links on BYOD devices. The policy further states that employees can only connect to the corporate network through the enterprise mobility solution.

"We don't have open connectivity. Employees must use MDM," says Ernie Wittyngham, senior director of information technology at MAKO Surgical. Employees must also sign off on protecting corporate information at all times.

Enterprises frequently require BYOD users to use a PIN or password for specific applications as well as devices. "We enforce device lock passwords," says Wittyngham. After a period of non-use, the device locks automatically.

BYOD policies often specify the ability to wipe lost or stolen devices. Though these are personal devices, companies feel strongly that if they're going to allow corporate data on them they need to reserve the right to wipe it (some MDM solutions enable the enterprise to wipe only the corporate data, leaving personal data untouched).

"At Napa County, policies require employees using BYOD to recognize and agree that the use of their device and its contents may be at risk and that they hold Napa County harmless if such content is accidentally altered or deleted on the device," says Gary Coverdale, chief information security officer of Napa County, California. This covers the potential for wiping a lost device. The Napa County policies further state that BYOD users will only utilize data download/upload schemas or transfer applications supported by ITS and approved by the security officer as the county standard. "This allows for full encryption and remote disabling when the device is lost or stolen," says Coverdale.

Other policy items include device reimbursement eligibility, what technical support will and won't address, and provisions for loaner devices, according to Kane.

Rights and Responsibilities

MAKO Surgical's BYOD policies include corporate and employee rights and responsibilities. Employee responsibilities include proper use and protection of the device and corporate data against security issues such as hackers, malware, and loss, according to Wittyngham. Corporate rights include the right to inspect the device at any time.

In Napa County, employees may receive a stipend for using their own device once the county authorizes its use. Devices must meet county standards, operate with existing security tools deployed by the county, and operate within existing guidelines.

"Additionally, the device will not be altered (i.e.: 'jail-broken') from its existing manufactured configuration and operating environment in an attempt to make it more flexible and/or more 'open' to accepting rogue applications and communications," says Coverdale.

Consider Possible BYOD Scenarios

The enterprise should consider possible BYOD scenarios prior to adopting policies. Some scenarios will include a guest network, which may require policies around connection and usage. Some enterprises may need to require employees to switch over to company Wi-Fi to access the Internet. There may also be contextual scenarios to consider.

Accessing patient records is just such a contextual scenario in healthcare. "Will the enterprise permit employees to access those outside the corporate network? What do you do about public Wi-Fi networks and what can you access while on those?" asks Kane. These kinds of scenarios may require location-based policies.

As companies approach scenarios beyond the typical company BYOD user agreement, they are compelled to think about how they deploy a BYOD strategy while managing the risks associated with their compliance responsibilities and with protecting intellectual property. The enterprise may have to structure policies to disallow devices that are not up to these challenges, says Bob Egan, analyst, chief executive and founder of The Sepharim Group.

"In the case of Android, for example, most companies will not allow Android devices unless they are Android 4.3 or later. Many more companies would say, 'it has to be at least a Samsung SAFE certified device'," says Egan.

Companies may raise an eyebrow at use of Android beyond e-mail applications due to concerns over malware and Trojans showing up in the Google Play Store, according to Egan.

Ultimately, many companies will specify what applications they will or won't permit based on the risks and requirements of their industry. "Then they will layer certain policies on top of that depending on the role of the employee," says Egan.

A physician or nurse practitioner may have the privilege of adding patient records to their device while others won't.

A bank may grant access to some banking client data to employees using BYOD on the retail side. "But if they have relationships on the mortgage side or the commercial side of this business, maybe you disallow that access," says Egan.
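The device baseline and role-layered application entitlements described in this section, as an added example that is not code from any organization quoted here; the policy values, app identifiers and the `Device` fields are constructed assumptions, and the version comparison shows the edge case a minimum-OS rule needs to get right:

```python
from dataclasses import dataclass

@dataclass
class Device:
    platform: str          # "android" or "ios"
    os_version: str        # e.g. "4.4.2"
    jailbroken: bool       # altered from its manufactured configuration (rooted / jail-broken)
    lock_enabled: bool     # device lock PIN or password set
    autolock_minutes: int  # inactivity period after which the device locks
    mdm_enrolled: bool     # connects only through the enterprise MDM
    installed_apps: frozenset

# Baseline policy (constructed values): Android 4.3 or later, auto-lock within 5 minutes,
# and a black-list of banned apps. Every role inherits these checks.
BASELINE = {
    "min_os": {"android": "4.3", "ios": "7.0"},
    "max_autolock_minutes": 5,
    "blacklist": frozenset({"com.example.filesharing"}),
}

# Role policies layered on top of the baseline: the corporate apps each role may use.
ROLE_APPS = {
    "staff": frozenset({"corp.mail"}),
    "clinician": frozenset({"corp.mail", "corp.patient-records"}),
}

def parse_version(v):
    # Compare numerically: "4.10" is newer than "4.3", which a plain string compare gets wrong.
    return tuple(int(p) for p in v.split("."))

def evaluate(device, role):
    """Return (allowed, reasons, permitted_apps) for a device enrolling under a role."""
    reasons = []
    min_os = BASELINE["min_os"].get(device.platform)
    if min_os is None:
        reasons.append(f"platform {device.platform} is not permitted")
    elif parse_version(device.os_version) < parse_version(min_os):
        reasons.append(f"{device.platform} {device.os_version} is older than {min_os}")
    if device.jailbroken:
        reasons.append("device altered from its manufactured configuration")
    if not device.lock_enabled or device.autolock_minutes > BASELINE["max_autolock_minutes"]:
        reasons.append("device lock password with auto-lock is not enforced")
    if not device.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    banned = device.installed_apps & BASELINE["blacklist"]
    if banned:
        reasons.append("black-listed apps installed: " + ", ".join(sorted(banned)))
    # Role entitlements only apply once the baseline passes; a failed baseline grants nothing.
    permitted = ROLE_APPS.get(role, frozenset()) if not reasons else frozenset()
    return (not reasons, reasons, permitted)
```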

Next in this special report: Security and legal ramifications of BYOD