While it seems logical, on the face of it, that your company owns the personal information stored on the servers that your employees access with their devices, it becomes more problematic when you consider the problem of wiping the device in the event it is lost or confirmed stolen. When you wipe the phone, traditionally all content on the phone is erased, including personal pictures, music and applications that in many cases the individual, not the company, has paid for. Sometimes it's impossible to replace these items. Does your BYOD policy make it clear that you assert the right to wipe devices brought onto the network under your plan? If so, do you provide guidance on how employees can secure their own content and back it up so they can restore personal information once the phone or device is replaced?
5. Decide What Apps Will Be Allowed or Banned.
This applies to any device that will connect to your environment, whether corporate-issued or personally owned. Major considerations typically include applications for social media browsing, replacement email applications, and VPNs or other remote-access software.
The question here is whether users can download, install and use an application that presents security or legal risk on devices that have free access to sensitive corporate resources. What if the latest Twitter app has a security hole in its integration with the Mail app on the iPhone that allows spammers to relay mail through your organization? (This is purely hypothetical, of course.) What if a poorly written instant messaging client steals your organization's address book? These are serious questions to address in your policy, and a natural starting point for BYOD policy development. Moreover, the technology for preventing downloads of questionable apps or copyright-infringing music and media on personal phones is immature at best, so manual screening of eligible users into a trusted group may be warranted.
6. Integrate Your BYOD Plan With Your Acceptable Use Policy.
If your company is on the ball, chances are corporate-issued phones are already covered and treated like notebooks, desktop computers, and other equipment on your network. On the other hand, allowing personal devices to potentially connect to your VPN introduces some doubt about what activities may and may not be permitted. Discussions about an acceptable use policy are required to fully cover your rear.
- If you set up a VPN tunnel on an iPhone and then your employees post to Facebook, is this a violation?
- What if your employees browse objectionable websites while on their device's VPN?
- What if they transmit, inadvertently or not, inappropriate material over your network, even though they're using a device they own personally? What sanctions are there for such activity?
- What monitoring strategies and tools are available to enforce such policies?
- What rights do you have to set up rules in this arena?