If a business wishes to implement Bring Your Own Device (BYOD) capabilities in its environment, it SHALL write and publish a BYOD Policy that specifies requirements and agreements governing employee use of personal devices.
Many businesses have embraced a network environment that enables employees to use their personal devices in the workplace. This functionality is usually enabled with requirements for certain security controls, such as a separate BYOD wireless network, network access control (NAC), and mobile device management (MDM) profiles to segregate personal user accounts from business accounts. Businesses should select the cybersecurity controls that reduce BYOD risks to an acceptable level. A BYOD Policy is necessary for any business that wants to enable BYOD functionality. The policy will specify terms for the acceptable use of mobile devices in business environments. A BYOD Policy is also necessary to specify the user rights afforded to employees who are using their personal devices.
A BYOD Policy should contain the following:
- Scope of the policy: Who is allowed to use personal devices and what kinds of devices are allowed.
- Device protocols and controls: Requirements for software and network controls that reduce the attack surface of personal devices. Depending on the decisions made by senior management, this may include Mobile Device Management (MDM) profiles, Mobile Application Management (MAM) governance, Network Access Control (NAC) checkpoints, 802.1X authentication, etc.
- Acceptable use terms: Establish boundaries for how personal devices can be used. This may involve limiting personal browsing during work hours and setting restrictive schedules on when company resources can be accessed.
- User privacy rights: BYOD creates a gray area, since company data is accessed from an employee-owned device. The business needs to be able to assert authority over its own data without infringing on the ownership rights of employees using their personal devices. A clear, well-thought-out policy should settle these questions in advance.
- Safe usage procedures: Even though employees own their devices, they must still be required to follow common best practices for digital security. Strong authentication, anti-malware software, and security-focused browser extensions are basic controls that should be called out explicitly. Lessons from security awareness training, such as phishing resistance and safe browsing habits, should also be reinforced.
- Protocols for lost devices: If a personal device is lost, the business is not financially responsible for replacing it. However, because business resources were accessed from or stored on the device, the business still has a stake in its loss. There should be defined procedures for scenarios where employees misplace their devices. Remote wipe is a standard control that removes all company data from the device once it is reported missing.
- Offboarding protocol: When an employee leaves the business, they are obviously entitled to take their personally owned device with them. However, there needs to be a clear procedure for removing business data from the device as part of employee offboarding.
