This is frequently over-looked by BYOD policy-writers.
If you're designing a BYOD policy that includes storage encryption policies (which it should), you need to make sure to inform your BYOD users that all information on that device is encrypted.
You need to decide *why* you are encrypting. What are your goals. There are two reasons, and you can have one without the other, in one case, but in the other, it will probably be both reasons you are aiming for.
Those reasons are:
1: To prevent unauthorized parties from getting physical access to the device and being able to access confidential or protected corporate data that resides there.
2: To prevent authorized users from moving confidential or protected corporate data from the phone onto other devices that are not controlled, monitored or authorized by corporate IT.
Reason #1 should always apply, reason #2 may apply depending on your organization.
In a BYOD environment, this introduces a challenge. Personal data is mixed in with corporate data on that internal storage - and end users are almost certainly using their devices for reasons that have nothing to do with workplace productivity. When your policy encrypts your users personal data, be it documents, media, or family photographs, employees and end-users need to be aware of the ramifications of that.
In the case of a policy driven by consideration #1 above, employees just need to know that they need to manage their data themselves and move it through available means to a non-secured destination. That may be as simple as "upload all data that is on your BYOD platform to Dropbox," or "send all of your vacation pictures to Facebook."
In the case of policy #2 - you'll have taken steps to block the ability of the device to transfer any kind of data from the BYOD solution to any physical or cloud device outside of the corporate network. That kind of policy is obviously going to have a significant impact on the bring *YOUR* own device appeal of BYOD.
In both cases, part of the user agreement that should be signed by an employee before allowing their BYOD onto the corporate network should include a clear disclaimer that confronts those two issues - and someone should go over these aspects and make sure end users understand *before* the corporate BYOD policy is applied to their device.
If you miss this, you're going to have *very* upset end users - most likely at the executive level, sooner or later.
Keep Up with TechRepublic