COMPANY BYOD Policy Template


Purpose

1.0 Many employees and other agents of the COMPANY use personally owned computing devices to accomplish work for the COMPANY. This policy addresses the rights and obligations of the owners of devices used for COMPANY work, and the COMPANY’s rights and obligations to protect and own its data on those devices.

Definitions

2.0 Centralized IT (IT)-

A department in the COMPANY responsible for automated information systems and telecommunications technology.


2.1 Chief Information Officer (CIO)-

IT department head.


2.2 Cloud Service-

For the purpose of this policy, a Cloud Service is a virtual data storage or other service located on the Internet and usually managed by a third party.


2.3 Personal Computing Device (Device)-

A device owned by an employee, contractor or other individual and used to accomplish work for the COMPANY; equivalently, a device owned by an agent of the COMPANY and used to produce, modify or view COMPANY data. A personally owned device may be a home desktop or laptop, a smartphone or tablet, a pager or cell phone. For the purposes of this policy a Cloud Service which stores data is considered a device.


2.4 Bring Your Own Device (BYOD)-

A program that allows users to use their own Personal Computing Devices to accomplish work for the COMPANY.


2.5 User-

Anyone using COMPANY Information Infrastructure and acting on the COMPANY’s behalf.


2.6 User’s Personal Data-

All data on the device that does not belong to the COMPANY, i.e., any data that is not work product. This includes but is not limited to:

      • Any file
      • Any location or GPS data
      • Any credentials used to access other non-COMPANY services particularly social media sites
      • Device PINs and passwords
      • Any contact information
      • Any logs including web logs
      • Personal email or personal social media communications
      • Any personally-purchased movies, music, e-books, or apps
      • Any phone conversations, text messages, or logs
      • Any screenshots, input or output of microphones, cameras, keyboards, or pointing devices not explicitly shared with the COMPANY.
      • Any COMPANY data that has been published and is freely available to the public.
      • Any health care information for any individual unless that information is work product.
      • Any financial information for any individual unless that information is work product.

2.7 Work Product-

Data produced or accessed in the course of using COMPANY systems to do COMPANY business, or data produced on a Personal Computing Device as part of an individual's duties as an agent of the COMPANY.


2.8 Virtual Private Network (VPN)-

A COMPANY service that allows remote access. It requires certain configurations, patch levels, and antivirus software for some devices.


Policy

3.0 The User retains absolute ownership of the device and may use it as they see fit.

3.1 The COMPANY retains absolute ownership of the work product of its agents and has the right and obligation to govern this data.

3.2 The COMPANY and the User must comply with all Federal, State, and Local laws. In this context the law might require the COMPANY to access its data, as well as the User’s personal data, on the User’s device. The User may be compelled to provide any data from their device because of these laws.

3.3 The User understands that because of these laws they are giving up some rights to their device by accessing COMPANY data.

3.4 The User understands that the COMPANY may inadvertently come in contact with their personal data. If a User discovers that the COMPANY has come in contact with their personal data they should inform their supervisor.

3.5 The User agrees that the COMPANY may obligate them to certain configurations and practices before the User is allowed access to COMPANY data. If the User disagrees with any of these requirements, or if the User circumvents them, then the User must not access or process COMPANY data.

3.6 The COMPANY respects the User’s ownership of the device and will never configure, modify, delete, monitor, or install anything on the device, including wiping the device or resetting the device PIN or password, without the informed consent of the User. The COMPANY will make every effort to communicate with the User BEFORE these actions are taken.

3.7 The User understands that the COMPANY might require software to be installed on the device if the User wishes to access COMPANY data.

3.8 The User is obligated to remove all COMPANY data from personally owned devices upon separation from the COMPANY or by the COMPANY’s request.

3.9 The User must, upon separation from the COMPANY or by COMPANY request, reconcile software licenses purchased by the COMPANY and installed on personally owned devices. Depending on the licensing of the software, and COMPANY requests, this might mean a User must reimburse the COMPANY for the software, destroy the software or otherwise release the license. The COMPANY may decide to allow the User to keep software with no further value.

3.10 The COMPANY will never confiscate or wipe a device, reset its PIN or password, or download, view, store, modify, monitor, or delete a User’s personal data without proper legal procedures or the User's informed consent.

3.11 The COMPANY will never search a User’s device for COMPANY data without the prior consent of the User unless required by law.

3.12 The COMPANY or any Department may limit what data may be accessed remotely.

3.13 The COMPANY will not monitor, modify, wipe or delete the personal device of an employee who has separated from COMPANY employment, including changing the device PIN or password, unless legally required or with the employee’s prior consent.

3.14 Breaches, disclosures, possible disclosures, or malware infections on personally owned devices or cloud services used under BYOD must be reported to the User’s supervisor.

3.15 The User and the COMPANY must follow all other administrative policies when a device is connected to the COMPANY internal networks or when Social Media or other Collaboration solutions are applied.

3.16 The COMPANY must permanently delete all its records of an inadvertent contact with a User’s personal data and inform the User as soon as it is discovered and practical.


Responsibilities

4.0 Users

  • Antivirus- The User will maintain and update antivirus software appropriate to the device.
  • Patches and Updates-
    • Automatic updates must always be turned on and all updates must be applied.
    • Users must configure applications to update automatically when possible.
    • Users must regularly check that applications are updated.
    • Particular device instructions are in COMPANY BYOD Guidelines.
  • Additional Software and Apps
    • Users are expected to understand the consequences of installing applications on devices used to access COMPANY data.
    • If the User does not understand the consequences of installing a particular application then they should not do so until they have investigated the application further.
    • Well known and well respected application vendors should be used.
    • Well known and well respected online repositories should be used.
    • Common repositories by your ISP, OS or hardware vendor, or default marketplaces should be used.
    • COMPANY app repositories intended for personal devices should be used for appropriate devices.
    • The COMPANY may require an application be installed on the device. Any software required by the COMPANY will comply with all COMPANY policies, including this one, and Federal, State, and local laws.
  • Root, Administrative and User Access and Accounts
    • On devices that support multiple local accounts, a User should not use a local account with administrator or root rights to access the Internet.
    • If possible, a User should configure a separate local account for access to the COMPANY.
    • A User should consider the sensitivity of the COMPANY data they have access to when sharing a device with family members and guests. A User who accesses sensitive COMPANY data should consider not sharing devices with family members, particularly if the device doesn’t support multiple user accounts.
  • COMPANY Data
    • Many laws and COMPANY policy make the User responsible for safeguarding COMPANY data in their possession.
    • Never keep the only copy or the newest copy of COMPANY data on a personal device. This opens the User to legal actions including confiscations and searches beyond this policy.
    • If COMPANY data is created on the device then move the only copy or newest copy of COMPANY data to a COMPANY service or repository as soon as practical.
    • The COMPANY data Users publish on social sites, cloud sites, or personal servers is subject to the MPIA and other laws, regulations, policies and procedures.
    • The User is responsible to report lost or stolen devices and suspected or confirmed breaches of those devices that have been used to access COMPANY data to their supervisor. This includes malware infections.
  • Device Security Configurations
    • The User should configure services to use SSL/TLS or other encrypted communications whenever possible.
    • The User must put a PIN or password on every device used to access COMPANY data.
    • The User must ensure that any device that is to be given away, replaced, or thrown away has its permanent memory wiped. Simple deletion is not enough. An example of this might be when you upgrade to a new phone or sell an old laptop. See COMPANY BYOD Guidelines for particular technical requirements.
    • The User must configure an inactivity screen that requires a PIN or password on every device.
    • The User must encrypt any device used to access COMPANY data if possible.
    • Android Users should not allow installation of apps from third-party sources.
    • The User should install security software that can locate or wipe a lost or stolen device. If the COMPANY offers this service in the future it will comply with this and all policies.

4.1 The COMPANY

  • The COMPANY will not access a User’s device or data, nor configure any service to do so, in any way that does not conform to this policy.
  • The COMPANY will inform a User before the device, or any data on it, is accessed, modified, deleted, or wiped, and will not reset the device PIN or password, unless required to do so by law.
  • The COMPANY may offer security services for lost or stolen devices that wipe or locate these devices.

Procedure (In Progress)

5.0 COMPANY request to access, modify, delete, or wipe a device or data on the device.
5.1 Communication to users for changes to this policy.
5.2 Request for Users to install mandatory software on their devices.
5.3 Request that a User wipe or remove COMPANY data from a device.
5.4 User request for the COMPANY to remotely wipe or locate a device.

Departments Affected

6.0 All Departments