When HR and IT come together: Your critical BYOD policy

HR, meet IT. You guys are going to be hanging around together a lot over the next few years. 

The issue you’ve got in common? The recent trend of “Bring your own device” — known colloquially as BYOD. That’s the ever-increasing incidence of employees using their personal electronics — tablet computers and smartphones — to do business.

In an ideal world, this could mean

• happier employees
• higher productivity, and
• lower costs for your organization.

In our not-so perfect real life, however, such a trend — exacerbated by the use of social media — could mean HR has to deal with

• employees, unwittingly or purposefully, making proprietary company info public
• cases of digital harassment and other employee misbehavior, and
• wage-and-hour claims from employees who are digitally connected to the workplace 24/7.

Management makes rules, IT has to play cop

The reality of BYOD is that it’s been going on for a long time — ever since the first mobile devices appeared on the scene.

Workers will invariably find a way to access company data and network resources on their own devices regardless of whether the employer wants them to or not.

The choices: Ban their use or find a middle ground that allows access and controls the risks associated with their use. This will require deciding who pays for what and how much control the organization gets over devices.

Getting down to it: A sample policy

IT’s main concerns about BYOD are command and control. All those devices running around loose scares the techies silly. The security risks are obvious.

Thus, according to IT Manager Daily, there are three critical components of any BYOD program:

• a written policy that outlines the responsibilities of both the employer and the employees
• a software application for managing the devices connecting to the network, and
• an agreement which employees must sign, acknowledging that they have read and understand the policy.

Here’s a sample p0licy (don’t worry, the IT folks will understand all the tech jargon):

Company XYZ: BYOD Policy

Company XYZ grants its employees the privilege of purchasing and using smartphones and tablets of their choosing at work for their convenience. Company XYZ reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below.

This policy is intended to protect the security and integrity of Company XYZ’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.

All employees must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the company network.

Acceptable Use

The company defines acceptable personal use on company time as reasonable and limited personal communication or recreation, such as reading or game playing.

The company defines acceptable business use as activities that directly or indirectly support the business of Company XYZ.

Devices may not be used at any time to:

• Store or transmit illicit materials
• Store or transmit proprietary information belonging to another company
• Harass others
• Engage in outside business activities
• Etc.
• The following apps are allowed: (weather, productivity apps, Facebook, etc.)
• The following apps are not allowed: (apps not downloaded through iTunes or Google Play, etc.)
• Employees may use their mobile device to access the following company-owned resources: email, calendars, contacts, documents, etc.

Devices and Support

• Smartphones including iPhone, Android, Blackberry, and Windows phones are allowed (the list should be as detailed as necessary including models, operating systems, versions, etc. ).
• Tablets including iPad and Android are allowed (the list should be as detailed as necessary including models, operating systems, versions, etc.).
• Connectivity issues are supported by IT; employees should/should not contact the device manufacturer or their carrier for operating system or hardware-related issues.
• Devices must be presented to IT for proper installation and configuration of standard apps, such as browsers, office productivity apps and security tools, before they can access the network.

Reimbursement

• The company will a) pay the employee an allowance, b) cover the cost of the entire phone/data plan, c) pay half of the phone/data plan, etc.
• The company will/will not reimburse the employee for the following charges: roaming, plan overages, etc.

Security

• In order to prevent unauthorized access, devices must be password protected using the features of the device and a strong password is required to access the company network.
• The company strong password policy is: passwords must be at least six characters and a combination of upper- and lower-case letters, numbers and symbols. Passwords will be rotated every 90 days and the new password can’t be one of 15 previous passwords.
• The device must lock itself with a password or PIN if it’s idle for five minutes.
• After five failed login attempts, the device will lock. Contact IT to regain access.
• Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.
• Employees are automatically prevented from downloading, installing and using any app that does not appear on the company’s list of approved apps.
• Smartphones and tablets that are not on the company’s list of supported devices are/are not allowed to connect to the network.
• Smartphones and tablets belonging to employees that are for personal use only are/are not allowed to connect to the network.
• Employees’ access to company data is limited based on user profiles defined by IT and automatically enforced.
• The employee’s device may be remotely wiped if 1) the device is lost, 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure.

Risks/Liabilities/Disclaimers

• While IT will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.
• The company reserves the right to disconnect devices or disable services without notifying the user first.
• A lost or stolen device must be reported to the company within 24 hours.
• The employee is expected to use his or her devices in an ethical manner at all times and adhere to the companies acceptable use policy as outlined above.
• The employee is personally liable for all costs associated with his or her device.

The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.