Compliance Tool: Model Bring Your Own Device (BYOD) Policy

While implementing Bring Your Own Device (BYOD), the practice of letting employees use their own personal mobile devices to carry out work activities remotely, offers operational and cost advantages, it can also expose lab data to significant privacy and security risks. Creating and implementing a written BYOD policy can help manage those risks. While BYOD policies need to be based on the specific circumstances, technologies, and information securities involved, the following template, which is based on the National Institute of Standards and Technology (NIST) Special Publication 1800-22, illustrates the basic issues lab leaders may want to address. Speak to your IT staff about adapting this template for your own use.

BYOD POLICY

1. POLICY

[Insert Lab Name Here] follows a Bring Your Own Device (BYOD) policy that allows employees to use their personal smartphones, tablets, and other mobile devices to perform work duties. This BYOD policy is intended to establish rules for employee behavior to protect the privacy, security, and integrity of [Insert Lab Name Here]’s data and technology infrastructure against the risks that can arise when employees use their personally-owned devices for business purposes. [Insert Lab Name Here] reserves the right to disconnect devices, disable services, and/or otherwise revoke employees’ BYOD privileges at any time and without notification if users fail to comply with the requirements and procedures set out in this policy.

2. BYOD DEVICES

Only the following devices are approved for employee BYOD use and connecting to [Insert Lab Name Here]’s network:

[List devices here]

3. ACCESS & CONNECTIVITY

Connectivity issues are supported by the [Insert Lab Name Here] IT department. Employees [must/may not] contact their BYOD device manufacturer or carrier for operating system or hardware-related issues. Prior to accessing the [Insert Lab Name Here] network, employees must present their BYOD devices to the IT department for job provisioning and configuration of standard apps, such as browsers, office productivity software, and security tools.

4. NO EMPLOYEE EXPECTATION OF PRIVACY

Though [Insert Lab Name Here] will respect the privacy of your personal devices and take all reasonable precautions to keep it private and secure, [Insert Lab Name Here] also reserves the right to track and request access to the device to perform technical functions and implement security controls as outlined in this policy. Employees do not have the right and should not have the expectation of privacy while using BYOD equipment subject to this policy.

5. ACCEPTABLE USES

Employees may use their BYOD devices for the acceptable business uses of [Insert Lab Name Here] computers as set out in the [Insert Lab Name Here] Computer Use Policy.

Employees may not use their BYOD devices during work hours for personal purposes that are not permitted for use of [Insert Lab Name Here] computers, as set out in the [Insert Lab Name Here] Computer Use Policy, e.g., BYOD devices may not be used for accessing pornographic or offensive materials, storing or transmitting [Insert Lab Name Here] proprietary information, committing harassment, engaging in business activities that are in conflict of interest with their duties to [Insert Lab Name Here], etc.

6. ACCEPTABLE APPS

The following apps are permitted for downloading, installation, and use on BYOD devices:

[List acceptable apps here]

The following apps are not permitted for downloading, installation, and use on BYOD devices:

[List unacceptable apps here].

7. EMPLOYEE OBLIGATIONS

All employees participating in the BYOD program must take appropriate security measures required for laboratory-owned devices under the [Insert Lab Name Here] Computer Use Policy, including but not limited to:

• • Ensuring that their BYOD device is password protected using the features of the device and that a “strong password,” as that term is defined in the [Insert Lab Name Here] Computer Use Policy, is required to access the [Insert Lab Name Here] network [option: specifically list strong password requirements].

• • Ensuring that their BYOD device locks itself with a password or PIN if the device is idle for five minutes.

• • Ensuring that their BYOD device locks itself and must be re-opened by the IT department after five failed login attempts.

• • Not using rooted (Android) or jailbroken (iOS) devices to access the network.

• • Not sharing their BYOD devices with friends, relatives, or anybody other than a properly authorized user of the device under this BYOD policy.

• • Using their BYOD devices to access only the information authorized for that employee to access under the [Insert Lab Name Here] authentication and authorization procedures.

• • Reporting lost, misplaced, or stolen BYOD devices to the IT department (and mobile carrier) within 24 hours.

• Paying all costs associated with purchasing their BYOD device.

8. REMOTE WIPING OF BYOD DEVICE

The [Insert Lab Name Here] IT department shall have the right to remotely wipe an employee’s BYOD device if:

• • the device is lost or stolen;

• • the IT department detects a data or policy breach, virus, or other threat to the security of [Insert Lab Name Here]’s data and technology infrastructure; and/or

• the employee’s employment is terminated.

Though the IT department will take reasonable precautions to prevent the employee’s personal data contained on the BYOD device from being lost in the event it must remotely wipe the BYOD device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.