BYOD (bring-your-own-device) policy
March 19, 2017
This policy outlines requirements for BYOD usage and establishes the steps that both users and the IT department should follow to initialize, support, and remove devices from company access. These requirements must be followed as documented to protect company systems and data from unauthorized access or misuse.
From the policy:
The bring-your-own-device (BYOD) movement has helped streamline IT operations by allowing employees to connect personal devices such as laptops, smartphones, and tablets to organizational resources. Businesses have saved money by reducing or eliminating the need to purchase devices for their workers, and workers have benefited from the familiarity of using their own electronics to do their jobs.
Of course, this flexibility comes with another sort of price: the need to establish proper guidelines for usage and control of these devices, as well as what they can access and what steps should be followed in the event of loss, theft, or employment termination. Since employees use their devices for personal and/or recreational activities, this can pose more risk for the organization than the exclusive use of business-owned devices.
This policy describes the steps that the company and its employees will follow when connecting personal computers and devices to organization systems and networks.
All users must understand that whenever a computer device is connected to the organization’s network, systems, or computers, opportunities exist for:
- Introducing viruses, spyware, or other malware.
- Purposefully or inadvertently copying sensitive and/or proprietary organization information to unauthorized devices.
- Loss of data that may adversely affect the organization if it falls into the wrong hands.

As a result of any of these circumstances, a user connecting their own device to organization resources, systems, or networks could interrupt business operations, cause unplanned downtime for multiple users, and/or cause a data breach releasing organization, client, and/or partner data to unauthorized parties. In worst-case scenarios (and in events entirely realized at other organizations), civil and criminal penalties for the user and/or substantial costs and expenses to the organization could arise.