How to Develop Your Bring Your Own Devices BYOD Policy


BYOD policies can vary significantly from organization to organization depending on your priorities and concerns, and should be designed in consultation with HR, finance, legal and IT security teams. This article takes an in-depth look at how a custom-fit BYOD strategy for your company can help you realize the full benefits of mobility.

BYOD


Ideally, an organization’s practices around BYOD should be detailed in a formal policy regarding the use of personal devices for work. While the temptation can be strong for IT to develop specific policies for every conceivable scenario, the reality is that most considerations can be addressed through the application of a few simple, consistent principles. In most cases, IT can think about how to manage and provide secure access to data and applications in terms of people, not the devices
they use. You may want to define more granular policies regarding specific device types, network connections and locations, but these will typically represent a smaller and more manageable set of scenarios.

Defined in consultation with legal, finance, HR teams, BYOD policies identify the scenarios in which BYOD is allowed, whether a subsidy will be provided, how security and support will be handled and other factors. In developing your policy, you should be sure to consider the following areas.

Eligibility
Organizations should identify who can use personal devices for work and scenarios where it is inappropriate due to data security, worker type or other factors. In enterprises that allow a BYOD device to replace a corporate endpoint, this decision is typically optional for the worker, with managerial discretion over which team members are appropriate candidates.

Allowed devices
BYOD programs should allow people to use the best devices for their needs, from smartphones and tablets to Mac and Windows laptops. A device-independent strategy provides this level of freedom while giving IT the option to manage BYOD devices if they so choose.

Service availability
BYOD doesn’t have to be an all-or-nothing proposition. You should think about the services and apps you want to make available on BYOD devices and whether it differs by work groups, user types, device types and network utilized.

Rollout and Acceptable Use
Communication is vital to BYOD success. Provide guidance to help people decide whether to participate, what the right device is and to understand the responsibilities that come with bringing their own device, including how data can be accessed, used and stored. How policy violations and lost/stolen devices will be handled should also be determined.

Cost sharing
Some organizations provide a subsidy for BYOD devices and other services, especially in cases where a corporate device is no longer provided.

Security
For effective data protection and information governance, business information should reside on the endpoint only in isolated, encrypted form, and only when absolutely necessary. Network security can be maintained through granular policy-based user authentication, with full tracking and monitoring to support compliance and privacy. Control must also exist over data exfiltration concerns, such as print capabilities and client-side storage. IT should require antivirus/anti-malware software on all BYOD devices and consider remote wipe mechanisms if business information is allowed on the device.

Support and maintenance
BYOD policies should spell out the type of incidents IT will support as and the extent of support. Especially when a BYOD device is used in place of a corporate device, Citrix recommends maintaining a loaner pool of devices to allow uninterrupted productivity while the device is serviced. Consider providing executives and other key personnel with additional, concierge-style support.

Note: This article is not intended to be a complete guide to establishing a bring-your-own-device (BYOD) policy for your organization.

Source and Sample of BYOD Policy refer to Citrix [CIO How-To Kit: Bring-Your-Own Devices]