BYOD Policy. Table of Contents

Similar documents
Mobility Policy Bundle

CIO IT Infrastructure Policy Bundle

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Checklist: Credit Union Information Security and Privacy Policies

Why is Office 365 the right choice?

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Juniper Vendor Security Requirements

Introduction To IS Auditing

ADIENT VENDOR SECURITY STANDARD

INFORMATION ASSET MANAGEMENT POLICY

THREE-PART GUIDE TO DEVELOPING A BYOD STRATEGY WHITE PAPER FEBRUARY 2017

SUBJECT: REQUEST FOR PROPOSALS FOR HARBOR DEPARTMENT CLOUD COMPUTING SERVICES

SECURITY & PRIVACY DOCUMENTATION

Bring Your Own Device. Peter Silva Technical Marketing Manager

3-Part Guide to Developing a BYOD Strategy

October 2016 Issue 07/16

Security Information & Policies

S T A N D A R D : M O B I L E D E V I C E S

Bring Your Own Device Policy

Mobile Device policy Frequently Asked Questions April 2016

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Altius IT Policy Collection

Microsoft 365 Business FAQs

HIPAA Compliance Checklist

A company built on security

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Building Cloud Trust. Ioannis Stavrinides. Technical Evangelist MS Cyprus

01.0 Policy Responsibilities and Oversight

Data Processing Amendment to Google Apps Enterprise Agreement

HIPAA / HITECH Overview of Capabilities and Protected Health Information

GM Information Security Controls

Information Security Management Criteria for Our Business Partners

Altius IT Policy Collection Compliance and Standards Matrix

Google Cloud & the General Data Protection Regulation (GDPR)

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Security BYOD Procedure

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

ROLE DESCRIPTION IT SPECIALIST

Altius IT Policy Collection Compliance and Standards Matrix

WORKSHARE SECURITY OVERVIEW

MaaS360 Secure Productivity Suite

Acceptable Use Policy

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

PeopleSoft Finance Access and Security Audit

CCISO Blueprint v1. EC-Council

Table of Contents. Blog and Personal Web Site Policy

Security Architecture

Anchor Competitive Sheet May 2015

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Securing BYOD With Network Access Control, a Case Study

Trinity Multi Academy Trust

SECURITY PRACTICES OVERVIEW

Sparta Systems TrackWise Digital Solution

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

Retain, search, review and produce government mobile text messages

Protecting your data. EY s approach to data privacy and information security

Security Policies and Procedures Principles and Practices

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre

What can the OnBase Cloud do for you? lbmctech.com

PROTECT YOUR DATA, SAFEGUARD YOUR BUSINESS

Service Description VMware Workspace ONE

eprost System Policies & Procedures

IBM System Storage Data Protection and Security Chen Chee Khye ATS Storage

Objectives of the Security Policy Project for the University of Cyprus

Position Description IT Auditor

IT Privacy Certification Outline of the Body of Knowledge (BOK) for the Certified Information Privacy Technologist (CIPT)

Information Security Policy

TB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

Use of Mobile Devices on Voice and Data Networks Policy

ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

KantanMT.com. Security & Infra-Structure Overview

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

Box Competitive Sheet January 2014

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Application Control Review. August 4, 2012

Apex Information Security Policy

Retain, search, review and produce business mobile text messages

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Information Technology General Control Review

Cyber Criminal Methods & Prevention Techniques. By

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

Certified Information Systems Auditor (CISA)

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Projectplace: A Secure Project Collaboration Solution

Transcription:

Version 1.6

Table of Contents Bring Your Own Device (BYOD) Access and Use Policy... 3 Overview... 3 Components of the BYOD Strategy and Basics for BYOD Policy... 4 Device Choices... 4 User Experience and Privacy... 5 Trust Security Compliance... 5 Application Design and Infrastructure... 5 Economics... 6 Liability... 6 Maintainability... 6 Internal marketing and training... 6 Policy... 7 Device Requirements... 7 Policy Definitions... 8 Access Control... 8 Security... 9 Help & Support... 10 Enterprise Mobile Device Infrastructure... 10 BYOD Infrastructure... 11 Disaster Recovery... 11 Backups... 11 Tablet Computer (ipads)... 12 Internal Network Access... 12 Repair Procedure... 12 Upgrade Procedure... 12 Patching Policy... 12 BYOD Security Best Practices... 13 Security Controls... 13 Remote BYOD Management... 13 Access Management Controls... 13 Tablet and Smartphone Applications... 14 BYOD Metrics and SLA Agreement... 15 Executive management... 15 Business unit executives... 15 IT organization... 15 Legal Considerations... 17 Privacy... 17 Record Retention... 18 Appendix... 20 BYOD Access and Use Agreement Form... 21 BYOD and Mobile Content Best of Breed Security Checklist... 22 Mobile Device Security and Compliance Checklist... 23 What s New... 24 Page 1

Bring Your Own Device (BYOD) Access and Use Policy Overview The purpose of this policy is to define standards, procedures, and restrictions for end users who have specific and authorized business requirements to access enterprise data from a personal device - BYOD (Bring Your Own DEVICE) - connected via a wired, wireless or unmanaged network outside of ENTERPRISE s direct control. This policy applies to, but is not limited to, all devices and media that fit the following device classifications: Smartphones PDAs USB devices and data Laptop/notebook/tablet computers Ultra-mobile PCs (UMPC) Mobile/cellular phones Wearable devices Home or personal computers used to access enterprise resources Any mobile device capable of storing corporate data and connecting to an unmanaged network The policy applies to any hardware and related software that could be used to access enterprise resources, even when the equipment is not approved, owned, or supplied by ENTERPRISE. Once you implement a BYOD policy, it s important to have a written agreement in place with every mobile device user. An agreement raises consciousness about the critical nature of mobile IT operations, and it protects organizations in the event of a BYOD policy violation. Like your BYOD policy itself, this agreement should be as clear as possible, to prevent misunderstandings that could generate a wide range of problems and IT headaches. Page 3

Components of the BYOD Strategy and Basics for BYOD Policy Device Choice Options Trust Security Compliance User Experience and Privacy Maintainability BYOD Strategy Internal Marketing and Training Application Design and Infrastructure Liability Economics The BYOD strategy and resultant policy is driven by 8 factors: device choice options; user experience and privacy; internal marketing and training; liability; economics; application design and infrastructure; maintainability; and trust security compliance. Each of these factors have been considered in creation of this policy. A detail description of each of these factors is provided later in this policy. Everyone in the company must be on the same page about what you can and can't access on personal devices. Policy guidelines need to be clear and compliance mandatory. Device Choices Analyze employee preference and understand which devices they already have Definite an acceptance baseline of what security and supportability features a bringyour-own-device program should support Understand the operating system, hardware, and regional variances around that baseline Develop an easy certification process for evaluation of future devices Establish clear communication to users about which devices are allowed or not, and why Policies need to be established for device features from Global Positioning System (GPS) receivers to cameras and audio recorders. Policies should cover the use of these features as they relate to work. Page 4

BYOD Metrics and SLA Agreement For CIOs and executive management, a balanced scorecard approach for BYOD service levels is an invaluable tool. That approach allows an enterprise to link the application of BYOD technology to enterprise operations using a "cause-and-effect" approach. Some have likened the balanced scorecard to a SLA solution which enables IT and business line managers to think together about what IT can do to support business performance. Executive management often questions the benefits and risks associated with investments in IT and BYOD in particular. Blow is a list of questions that executive management, business unit executives, and the IT organization as a whole have. Executive management Does IT support the achievement of business objectives? What value does the expenditure on IT deliver? Are IT costs being managed effectively? Are IT risks being identified and managed? Are targeted intercompany IT synergies being achieved? Business unit executives Are IT services delivered at a competitive cost? Does IT deliver on its service-level commitments? Do IT investments positively affect business productivity or the customer experience? Does IT contribute to the achievement of our business strategies? Corporate compliance internal audit Are the organization's assets and operations protected? Are the key business and technology risks being managed? Are proper processes, practices, and controls in place? IT organization Does the enterprise develop the professional competencies needed for successful service delivery in a timely manner? Are we creating a positive workplace environment? Do we effectively measure and reward individual and team performance? Do we capture organizational knowledge to continuously improve performance? Can we attract/retain the talent we need to support the business? Page 15

To that end a balanced scorecard can be used to create effective SLA agreement between IT and the enterprise as a whole. An example with specific metrics is show in the table that follows. Component Customer Satisfaction Internal Infrastructure Quality of Information Financial Performance SLA Metric Percentage customers satisfied with responsiveness Percentage customers satisfied with cooperation Percentage customers satisfied with communication with service support staff Number of problems with BYOD devices and/or services Number of employees with BYOD Number of employees using enterprise BYOD devices Percentage of BYOD meeting information security compliance requirements Percentage of BYOD meeting records management needs Staff retention Staff training as a percentage of revenue Range of information available on BYOD Percentage of employees using BYOD effectively Employee satisfaction with quality of work infrastructure Percentage of employees satisfied with BYOD quality and scope of information Cost per employee to support BYOD Cost avoidance due to BYOD ROI and productivity improvements due to BYOD Percentage over/under IT budget IT Budget as a percentage of revenue Framework for a Balanced Scorecard for a BYOD SLA A beneficial side effect of the use of the balanced scorecard is that, when all measures are reported, one can calculate the strength of relations between the various value drivers. For example, the relationship between BYOD usage and cost levels might infer that the usage of BYOD does not sufficiently contribute to results as expressed by the other (e.g., financial) performance measures. Page 16

BYOD Access and Use Agreement Form Employee Name Job Title ID Number Location Device Type Phone Tablet Other Description Employee agrees to adhere to the BYOD and Mobile Device Access and Use Policy Yes No ENTERPRISE concurs with employee participation and agrees to support the approved mobile devices A copy of the ENTERPRISE BYOD and Mobile Device Access and Use Policy has been given to the employee Yes Yes No No Equipment/Expenses Employee agrees to protect such equipment in accordance with ENTERPRISE guidelines. Employee is responsible for servicing and maintaining their own equipment. ENTERPRISE is not liable for damages to an employee s personal or real property during the course of performance of work related duties or while using equipment in the employee s residence. ENTERPRISE is not responsible for operating costs, home maintenance, or any other incidental costs (e.g., utilities) associated with the use of the employee s residence as an alternate work location. ENTERPRISE will compensate the employee for any incremental costs associated with connectivity and upgrade of equipment to support the BYOD s use on ENTERPRISE network or applications. Confidentiality/Security Employee will apply approved safeguards to protect ENTERPRISE records from unauthorized disclosure or damage, and will comply with the privacy requirements set forth in the ENTERPRISE policy or procedure ENTERPRISE has the right to remotely wipe the contents of the device A pin number of at least 4 characters or numbers (or biometric scan i.e. fingerprint) will be utilized by the Employee and after 10 consecutive failed attempts ENTERPRISE has the right to automatically wipe the device All backups of the device will be to ENTERPRISE s network and remain the property of ENTERPRISE By signing this form, I affirm my willingness to abide by ENTERPRISE s BYOD access policies, procedures and guidelines. Employee Signature Date Supervisor Date Page 21

Mobile Device Security and Compliance Checklist Employee Name Job Title ID Number Location Device Type Phone Tablet Other Description Security Controls Yes No 256 bit AES encryption per file at rest, 30-day rotating encryption key 256 bit SSL encryption data transfer SSAE 16 Type II compliant, redundant data centers and DR policy 99.9% SLA Uptime Guarantee Remote Device Management Yes No Auto-timed screen logout on mobile devices Custom 4-digit pass code Immediate access restriction on device Auto login to end user accounts for remote wipe Access Management Controls Yes No Prohibit access to App/Web UI from admin console Prohibit access to content (folders and groups) from admin console Domain Identity Control: SSO available on mobile apps Compliance Disaster Recovery Business Continuity Yes No Has the user of this device completed all of the acknowledgement and use forms Is this deice and all of its data backed up Is this device included in the Disaster Recovery Business Continuity Plan Does this device meet the compliance requirements for the record management process Has the user of this device completed all necessary training Audit Trail Yes No All global files can be accessed directly from central admin console Usage statistics tracked for files, individual users and groups Downloads, uploads, previews Tracked by IP Address Employee Signature Date Page 23

What s New Version 1.6 Updated BYOD strategy and policy guidelines Updated all electronic forms Added Mobile Device and Compliance Checklist Version 1.5 Added SLA and Balance Scorecard metrics for BYOD Version 1.4 Version 1.3 Updated to include strategy planning definition for BYOD policy Updated to include latest compliance requirements Updated BYOD best practices Updated BYOD Access and Use Agreement Form Updated BYOD Access and Use Agreement Form Added Electronic Form Mobile Device Security and Compliance Checklist Version 1.2 Updated the BYOD Access and Use Agreement Added Device Access Security Added BYOD and Mobile Device Best of Breed Security Checklist Updated to meet all current compliance requirements Version 1.1 Version 1.0 Added materials on disaster recovery Added materials on back-up of company intellectual properties Policy Released Page 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback