BYOD Policy Sample: 14 Best Practices

Defining Acceptable And Unacceptable Uses



Steven Lerner
04/10/2019


Enforcing a bring your own device (BYOD) plan can be tricky. There are numerous legal and technical obstacles to contend with, and users need to be aware of the rules.

To improve BYOD management and security, enterprises are commonly relying on written procedures that stipulate requirements that employees must follow. In order to develop these written procedures, a mobile administrator might read a BYOD policy sample first. Here are 14 best practices that are common in a BYOD policy sample, and could easily fit into an enterprise’s written mobile rules.

1. Strong Passwords

In terms of mobile device security, having a strong password is a must. Employees should be required to maintain one, and this requirement must be listed in the BYOD policy. In addition, after several failed attempts, the device should automatically be locked until IT can reopen it.

2. Maintenance Stipulations

A good BYOD policy sample should also stipulate the responsibilities of the user when the mobile device requires maintenance. Typically, the employee is solely responsible for the cost of maintenance, although the organization may reimburse it. However, companies may stipulate which third-party providers can be used for maintenance.

3. No Camera Or Video

Although most mobile devices have advanced cameras, organizations don’t want employees to use them while in the workplace. It is common to find BYOD policies with this restriction.

4. No Privacy

Issues relating to privacy are always contentious in the workplace, and personal devices are no exception. Some companies, in order to protect against lawsuits, stipulate in the policy that employees using personal devices should have no expectation of privacy. The exceptions to this, of course, are circumstances that are governed by law.

5. Banning Unsecure Transfers Of Company Data

At times, employees might store enterprise data on a personal device. However, a top-notch BYOD plan would prohibit employees from transferring enterprise-related data to an unsecure location, such as a cloud-based app.

6. No Device Usage While Driving

A company could face serious legal consequences if an employee is doing work-related tasks on a mobile device while driving and gets into an accident. To protect against this, companies are stipulating that personal devices should not be used for work activities while driving.

7. Data Encryption Mandate

Encryption is one of the best ways to prevent hackers from accessing sensitive data on a mobile device. This solution has become a staple for securing personal devices, and it is common in any BYOD policy sample.

8. Provisioning

Before an employee can access enterprise data and the network on a personal device, some organizations enforce a rule where IT must first provision those devices. The purpose of this procedure is both to ensure the configuration of apps and to enhance security.

9. When An Employee Leaves

Whether it’s through a termination or resignation, an enterprise should have at least an optional inspection policy in place regarding personal devices. In some enterprises, IT can request to inspect those devices before the employee leaves.

10. Software Installed

It is common in any BYOD policy sample for there to be a user requirement to install security software on the personal device. This includes anti-virus software, mobile device management (MDM) software, and unified endpoint management (UEM) software.

11. The Reasons For Data Wiping

One of the leading solutions to protect mobile device data is to remotely lock and wipe the device when a threat is detected. The reasons behind a company’s decision to wipe data could be outlined in the written procedures so that employees are aware of it.

12. Reporting Lost Or Stolen Devices

Within an airtight BYOD policy, it should be mandated that users report to IT if their personal device is lost or stolen. Some policies stipulate that those employees also report the loss or theft to their carriers. Employees should be required to report within 24 hours, so that IT can remotely wipe the corporate data from the device.

13. Viewing Employees’ Mobile Records

Enterprises sometimes prohibit employees from using their own devices for personal calls and messages during work hours. Occasionally, some policies might take things a step further by granting managers the right to review employees’ mobile records to see if any personal calls were made at work.

14. Failure To Comply With Policy

When a user breaks a company’s BYOD policy, there should be a strict punishment. Some organizations reserve the right to suspend or cut off all connectivity privileges. In a few cases, breaking BYOD policy could also be grounds for termination.
