Considerations and Best Practice for a BYOD Policy

Jason Poyner, Technical Director, Deptive

While not every organisation has a formal BYOD programme, every organisation should develop policies regarding the use of personal devices for work. These policies provide a framework for BYOD working, and need to address factors including:

1. Eligibility: Identify who can use personal devices for work and scenarios where it is inappropriate due to data security or worker type, for example. In enterprises that allow a BYOD device to replace a corporate endpoint, this decision is typically optional for the worker and it’s a management decision to allow or decline its use.
2. Allowed devices: BYOD programs should allow people to use whatever type of device best meets their needs. Inclusivity of devices is a cornerstone of great BYOD.
3. Service availability: Think about the services and apps you want to make available on BYOD devices and whether they differ by work groups, user types, device types and network utilised. BYOD needs to be tailored to specific needs.
4. Rollout: Provide guidance to help people decide whether to participate, choose the right device and understand the responsibilities that come with bringing their own device, including how data can be accessed, used and stored. BYOD will make their lives easier, but they need to understand how it works.
5. Cost sharing: Some organisations provide a subsidy for BYOD devices and other services, especially in cases where a corporate device is no longer provided. Think about your options, and what will work best for you and your people.
6. Security: Confidential business information should reside on the endpoint only in isolated, encrypted form, and only when absolutely necessary. Multi-layered security should include granular policy-based user authentication with tracking and monitoring for compliance; control over print capabilities and client-side storage; and mandated antivirus/anti-malware software. IT should consider remote wipe mechanisms if business information is allowed on the device.
7. Support and maintenance: Spell out the type of incidents IT will support and the extent of this support. A loan pool of devices allows uninterrupted productivity during service, especially when a BYOD device is used in place of a corporate device. Consider providing key personnel with additional, concierge-style support.

Note: This blog post is the 2016 updated version of a post by the same name published on 20 November 2013.