A mobile device usage policy can serve three purposes. First, it forms an integral part of a larger security policy. Mobile devices can easily be the weak link in corporate security, especially when the same device is put to both business and personal use. A well-written policy goes a long way towards minimising the risk inherent in mobile computing.
Second, a mobile device usage policy can be used to limit your organisation's liability by clearly specifying the respective responsibilities of the employee and the company. Third, a good device policy helps IT manage devices by limiting the device types and applications supported, and by defining the procedures users are expected to follow.
Mobile and BYOD policy - Think before you start
Before you start writing a mobile device usage or BYOD policy, make a list of things you want to achieve. Here are some things you might consider when making this list:
- Think about the needs of your customers and partners. Do your customers have concerns about security in your organisation? What about your supply chain partners? Do your partners need you to restrict the use of mobile technology to help them comply with regulation? Keep in mind your customers and partners when you review the risks you need to mitigate, and the behaviour you need from your mobile users.
- Think about any potential audits of your device usage policy. The mobile device usage policy might get audited as part of larger security audits. A well-written policy that covers all the right points will make the audit process go smoother and faster.
- Think about which devices and operating systems you want to support. Which device types do your device management tools support? Which device types allow you to separate business and personal apps and data in the ways you want? Which device types allow you to perform backup and restore of business apps and data, while leaving the personal apps and data out?
- Think about which applications you want to allow on devices that connect to your organisation's network. You may come up with a blacklist (block list) of apps you don't allow. But in some organisations it may be easier, and wiser, to maintain a whitelist (allow list) of apps you do allow, since a block list has to be updated every time a new unwanted app appears. While you may have tools that control which business apps get installed on a device, on employee-owned devices you usually have little technical control over personal apps, so appropriate rules and guidelines in your policy are what limit their use.
- Think about device wipe and lock-down. If a device is lost or stolen you certainly want to remove all business data, or at least prevent access to the business apps and data on the device. However, on an employee-owned device you generally have no right to remove personal apps or data. When business and personal software are commingled on the device, it becomes difficult to wipe only the business apps and data. This is one of many reasons to separate business and personal software on devices.
- Think about how much your organisation will support employee-owned devices. Your organisation has a stake in keeping devices and business apps running, but you can't get dragged into supporting personal apps or troubleshooting problems resulting from personal use of a device. Also make sure you're clear on who is responsible for replacing lost or stolen devices, and how quickly the responsible party must replace the device.
- Think about how you want to handle backup and restore. An increasing number of workers store business data on their mobile devices, which makes backup and restore critical. However, you have to make sure you aren't backing up personal data, especially when that personal data identifies people other than an employee. Keep in mind that most workers have personal data about family and friends on their devices.
BYOD policy - Make your mobile device policy a living document
Writing a mobile device usage policy should be thought of as a process, rather than an event. Put in place procedures for updating your rules and guidelines regularly:
- Position your document in the context of other related policy. Make sure your rules and guidelines on mobile device usage remain consistent with any other related documents, such as your security policy, or your general IT usage policy.
- Keep your rules and guidelines consistent across departments, and across geographies. It's easy enough to make policy consistent across departments. But from one country to another you may have variation in national laws on things like company liability and data privacy. Nevertheless, you should strive to make the policy as consistent as possible from one country to another.
- Solicit feedback from stakeholders. Different people in the organisation have different appetites for risk, so make sure you get the right people on board. If your policy conflicts with the risk sensitivities of business leaders, those leaders might try to block it. It's better to find out what stakeholders are thinking beforehand, and to keep all the right stakeholders in the loop on every revision to your policy.
- Keep notes on your reasons for including elements in the policy, and the reasons you left other elements out. As you collect feedback from stakeholders, and as you produce new versions, you'll need a reminder of why you wrote the different parts of the document.
- Monitor adherence to the policy. If your users don't comply, your policy isn't worth the paper it's written on. Set up a process to ensure compliance and take notes on which rules and guidelines users tend to ignore.
- Find the right person to write. You shouldn't have the most junior person in your organisation write policy; nor should you have your most senior technology guru do it, unless he or she is an excellent writer. It's better to get somebody who writes clearly and knows something about writing policy in general. After all, how clearly you state your rules and guidelines will determine how strictly they are followed.
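The two lists above ask you to decide which devices and apps are supported, and then to monitor adherence and note which rules users tend to ignore. Those decisions can be written down as checks and run over an export from your device management tool, so that the "monitor adherence" step is a report rather than a manual review. The following is an added example, not code from the original article or from any product it mentions; the rule names, thresholds, allow list and the inventory records are assumptions constructed for illustration, and a real run would read the export produced by your own MDM tool.

```python
"""
Policy-as-code check over a device inventory export (added example).

Rule parameters and the INVENTORY records below are constructed
assumptions for illustration, not real policy or real devices.
"""
from collections import Counter
from datetime import date

# Assumed policy parameters (hypothetical values).
SUPPORTED_PLATFORMS = {"ios", "android", "windows"}
MIN_OS_VERSION = {"ios": (16, 0, 0), "android": (13, 0, 0), "windows": (10, 0, 0)}
APP_ALLOWLIST = {"com.example.mail", "com.example.vpn", "com.example.docs"}
APPROVED_AV = {"ExampleAV"}          # required on corporate-owned devices only
MAX_DAYS_SINCE_CHECKIN = 14          # a device that stops reporting is a finding too


def parse_version(text):
    """'17.2.1' -> (17, 2, 1); pad to three parts and stop at the first
    non-numeric part so one odd record does not abort the whole run."""
    parts = []
    for piece in text.split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            break
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts)


def check_device(rec, today):
    """Return the list of rule IDs one device record violates (empty if compliant)."""
    violations = []
    platform = rec.get("platform", "").lower()
    if platform not in SUPPORTED_PLATFORMS:
        violations.append("unsupported-device")
    elif parse_version(rec.get("os_version", "0")) < MIN_OS_VERSION[platform]:
        violations.append("os-out-of-date")
    if not rec.get("passcode_set"):
        violations.append("no-passcode")
    if not rec.get("storage_encrypted"):
        violations.append("storage-not-encrypted")
    # The AV rule applies to company-provided devices; BYOD is governed by the policy text.
    if rec.get("ownership") == "corporate" and not (set(rec.get("security_apps", [])) & APPROVED_AV):
        violations.append("no-approved-av")
    if set(rec.get("managed_apps", [])) - APP_ALLOWLIST:
        violations.append("unapproved-app")
    days_silent = (today - date.fromisoformat(rec["last_checkin"])).days
    if days_silent > MAX_DAYS_SINCE_CHECKIN:
        violations.append("stale-checkin")
    return violations


def audit(records, today):
    """Evaluate every device. Returns (per-device violations, count per rule);
    the count tells you which rules are most often ignored."""
    report = {}
    tally = Counter()
    for rec in records:
        found = check_device(rec, today)
        report[rec["device_id"]] = found
        tally.update(found)
    return report, tally


# Constructed sample export: four devices, one compliant.
INVENTORY = [
    {"device_id": "d-001", "platform": "ios", "os_version": "17.2", "ownership": "corporate",
     "passcode_set": True, "storage_encrypted": True, "security_apps": ["ExampleAV"],
     "managed_apps": ["com.example.mail", "com.example.vpn"], "last_checkin": "2024-05-01"},
    {"device_id": "d-002", "platform": "android", "os_version": "12.0", "ownership": "byod",
     "passcode_set": False, "storage_encrypted": True, "security_apps": [],
     "managed_apps": ["com.example.mail", "com.games.fun"], "last_checkin": "2024-04-30"},
    {"device_id": "d-003", "platform": "blackberry", "os_version": "10.3", "ownership": "corporate",
     "passcode_set": True, "storage_encrypted": False, "security_apps": [],
     "managed_apps": [], "last_checkin": "2024-03-01"},
    {"device_id": "d-004", "platform": "ios", "os_version": "15.0", "ownership": "byod",
     "passcode_set": False, "storage_encrypted": True, "security_apps": [],
     "managed_apps": ["com.example.docs", "com.social.app"], "last_checkin": "2024-05-02"},
]
TODAY = date(2024, 5, 3)  # fixed date so the sample is reproducible

if __name__ == "__main__":
    report, tally = audit(INVENTORY, TODAY)
    for device_id, found in report.items():
        print(device_id, "OK" if not found else ", ".join(found))
    print("most-ignored rules:", tally.most_common(3))
```

Ownership is carried on each record because the same rule does not always apply to both classes of device: the example requires approved anti-malware only on corporate-owned devices, mirroring the separation of business and personal software the list recommends. The per-rule tally is the part worth keeping over time; a rule that most users ignore is either badly explained or badly chosen, and either way it should go into the notes you keep for the next revision.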
15 tips on writing a mobile device usage policy
First published in March 2012, as the consumerisation of IT and the Bring Your Own Device trend were gaining popularity in enterprise organisations, Pat Brans offered advice on writing a mobile device usage policy:
Most companies have a desktop computer usage policy in place, but with many workers using mobile computers, forward-thinking organisations have already developed a similar policy for mobile device usage.
Companies should use this policy to make users aware that security is important on their mobile devices and to raise awareness that they have sensitive company data on their devices.
John Engels, principal product manager of enterprise mobility at Symantec, suggests that any usage policy should include some basic rules.
“They should ensure people are keeping passwords safe, that they are using VPN if it’s configured for company business, that they do not leave the phone lying around, that they contact the corporation immediately if their device is lost, and that they are responsible for using the right applications for work correctly.”
But every organisation will also have its own specific needs. Here are some of the topics that might be covered in a company-wide policy.
1. Cameras in sensitive locations
Some organisations want to prevent pictures being taken at certain sites.
If there are proprietary procedures or equipment that allow your company to produce the best widgets in the world, you won’t want people to walk in and take pictures.
To protect against this you can include a statement such as the following, restricting people from bringing camera-equipped mobile devices into those areas:
To protect sensitive information, company security reserves the right to sequester mobile computing devices including smartphones upon entry into research and development centres. All such devices will be returned upon departure.
2. Recording meetings
If you want to avoid the recording of meetings, include the following:
Making audio recordings of meetings is forbidden in all cases, unless an audible approval from each participant is recorded at the beginning. Employees found using mobile devices in violation of this rule will have their mobile device privileges revoked.
3. Personal phone calls
One way to keep costs down is to prevent users from making international phone calls. To make this rule clear, you might include a statement like this:
Outgoing international phone calls may only be made by employees with jobs specifically requiring communication with people outside the UK.
In no case shall outgoing calls be made for reasons other than those related to company business.
4. Text and instant messaging (IM)
You might prevent outsiders from using internal IM resources with a statement like the following:
Internal IM may only be used by company employees to communicate with other employees.
5. Social media, personal web browsing and personal email
To make company policy clear you might include something like this:
Company-provided devices and networks may not be used to access personal social media services.
6. Storing sensitive data on the device
Many companies protect themselves by requiring that company data be encrypted. To ensure users follow this policy, you might write:
Sensitive company data is not allowed on mobile devices except in certain cases, where the data must be encrypted using approved encryption techniques.
This statement doesn’t detail the exceptions, nor does it say how the data is to be encrypted. It simply states the company policy knowing that job roles and technology tools may change.
7. Transmission of sensitive data from the device over the air
Similarly, you can restrict the communication of company data as follows:
Sensitive company data must not be transmitted over public wireless networks except for certain cases. Where these cases apply, the data must be encrypted using approved techniques before being transmitted.
8. Which devices are supported
You might list devices supported by the company as follows:
The company supports Dell laptops, BlackBerry devices and Apple iPhones. Special permission must be granted by the IT department for the use of any other type of device.
9. Use of virus and spyware protection and firewall
To ensure appropriate security in each device you might include a statement like this:
All mobile devices must use approved virus, spyware and personal firewall protection software.
10. Physically securing mobile devices (never leave them unattended)
To minimise loss or theft of devices and data, you might write a rule stipulating that users physically secure their devices. You might also include a rule requiring users to report missing devices promptly, as follows:
Unattended company-provided mobile devices must be physically secured. In the event that a company device is lost or stolen, the user must notify the IT department immediately.
11. Remote wipe
When devices are lost or stolen, the IT department might execute a remote wipe to remove all data. Warn users that this might occur by mentioning it in the policy:
In order to protect the company’s interest, all data – or any subset thereof – may be deleted by the IT department from a company-provided device if the device appears to be lost or stolen or if the user terminates employment with the company.
If users are required to perform backup functions, that should be stated. If your IT department has an automatic backup facility, this is even better as it frees users from having to perform this function themselves. You might also forbid backup to data stores not owned by the company through a statement like this:
Data may not be backed up or copied from the device to non-company equipment.
To make it clear where responsibilities lie and how rules will be enforced, here are three other sections to include in the mobile device policy:
Indicate what the company and what the users are responsible for:
The company IT department is responsible for providing support for company-owned devices and ensuring access to network services.
Each user is responsible for ensuring the mobile device is used primarily for company business, immediately notifying the IT department if a device is missing, and keeping sensitive company data off the device.
To be clear on how the policy will be enforced, include a statement like this:
Users found in violation of this policy will be subject to disciplinary action up to and including suspension of mobile computing privileges or termination of employment.
The last page might be a statement that the user understands and accepts the policy. This page is to be signed, dated, and returned to the IT department.