Sample BYOD Security Policy Template
Contents
A bring your own device (BYOD) policy defines the standards, procedures, and restrictions for end users who have legitimate business requirements to access corporate data using their personal devices.
Free IT Security Policies
Get a step ahead of your goals with our comprehensive templates.
Overview
Acceptable use of bring your own device (BYOD) at {COMPANY-NAME} must be managed to ensure that access to {COMPANY-NAME}’s resources for business is performed in a safe and secure manner for participants of the {COMPANY-NAME} BYOD program.
A participant of the BYOD program includes, but is not limited to:
- Employees
- Contractors
- Board of Directors
- Volunteers
- Related constituents who participate in the BYOD program
This policy is designed to maximize the degree to which private and confidential data is protected from both deliberate and inadvertent exposure and/or breach.
Purpose
This policy applies to all personnel or volunteers/directors who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any {COMPANY-NAME} facility, has access to the {COMPANY-NAME} network, or stores any non-public {COMPANY-NAME} information.
This policy applies to, but is not limited to, any mobile devices owned by any users listed above participating in the {COMPANY-NAME} BYOD program which contains stored data owned by {COMPANY-NAME}, and all devices and accompanying media that fit the following device classifications:
- Laptops. Notebooks, and hybrid devices
- Tablets
- Mobile/cellular phones including smartphones
- Any non-{COMPANY-NAME} owned mobile device capable of storing corporate data and connecting to an unmanaged network
Refer to the Company and Personally Owned Mobile Device Procedure.
This policy addresses a range of threats to, or related to, the use of {COMPANY-NAME} data:
| Threat | Description |
|---|---|
| Loss | Devices used to transfer, or transport work files could be lost or stolen. |
| Threat | Sensitive corporate data is deliberately stolen and sold by an employee. |
| Copyright | Copyright Software copied onto a mobile device could violate licensing. |
| Malware | Virus, Trojans, Worms, Spyware and other threats could be introduced via a mobile device. |
| Compliance | Compliance Loss or theft of financial and/or personal and confidential data could expose {COMPANY-NAME} to the risk of non-compliance with various identity theft and privacy laws. |
The addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of IT.
Non-sanctioned use of mobile devices to backup, store, and otherwise access any enterprise-related data is strictly forbidden.
This policy is complementary to any other implemented policies dealing specifically with data access, data storage, data movement, and connectivity of mobile devices to any element of the {COMPANY-NAME} network.
Audience
This policy applies to all {COMPANY-NAME} employees, including full and part-time staff, Board of Directors, volunteers, contractors, freelancers, and other agents who utilize personally-owned mobile devices to access, store, back up, relocate, or access any organization or member-specific data.
Such access to this confidential data is a privilege, not a right, and forms the basis of the trust {COMPANY-NAME} has built with its members, suppliers, and other constituents.
Consequently, employment at {COMPANY-NAME} does not automatically guarantee the initial and ongoing ability to use these devices to gain access to corporate networks and information.
Policy Detail
This policy applies to:
- Any privately owned wireless and/or portable electronic handheld equipment is hereby referred to as BYOD. {COMPANY-NAME} grants potential participants of the BYOD program the privilege of purchasing and using a device of their choosing at work for their convenience.
- Related software that could be used to access corporate resources.
This policy is intended to protect the security and integrity of {COMPANY-NAME}’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.
The Audience, as defined above, must agree to the terms and conditions set forth in this policy to be able to connect their devices to the company network. If users do not abide by this policy, {COMPANY-NAME} reserves the right to revoke this privilege.
The following criteria will be considered initially, and on a continuing basis, to determine if the Audience is eligible to connect a personal smart device to the {COMPANY-NAME} network.
- Management’s written permission and certification of the need and efficacy of BYOD for that Employee
- Sensitivity of data the Audience can access
- Legislation or regulations prohibiting or limiting the use of a personal smart device for {COMPANY-NAME} business
- Must be listed on the Information Technology Department’s list of approved mobile devices
- Audience’s adherence to the terms of the Bring Your Own Device Agreement and this policy and other applicable policies
- Technical limitations
- Other eligibility criteria deemed relevant by {COMPANY-NAME} or IT
Responsibilities Of {COMPANY-NAME}
- IT will centrally manage the BYOD program and devices including, but not limited to, onboarding approved users, monitoring BYOD connections, and terminating BYOD connections to company resources upon the user’s leave of employment or service to {COMPANY-NAME}.
- IT will manage security policies, network, application, and data access centrally using whatever technology solutions it deems suitable.
- IT reserves the right to refuse, by non-physical means, the ability to connect mobile devices to {COMPANY-NAME} and {COMPANY-NAME}-connected infrastructure. IT will engage in such action if it feels such equipment is being used in such a way that puts {COMPANY-NAME}’s systems, data, users, and members at risk.
- IT will maintain a list of approved mobile devices and related software applications and utilities. Devices that are not on this list may not be connected to the {COMPANY-NAME} infrastructure. To find out if a preferred device is on this list, an individual should contact the {COMPANY-NAME} IT department Service Desk. Although IT currently allows only listed devices to be connected to the {COMPANY-NAME} infrastructure, IT reserves the right to update this list in the future.
- IT will maintain enterprise IT security standards.
- IT will inspect all mobile devices attempting to connect to the {COMPANY-NAME} network through an unmanaged network (i.e. the Internet) using technology centrally managed by the IT Department.
- IT will install the Mobile VPN software required on Smart mobile devices, such as Smartphones, to access the {COMPANY-NAME} network and data.
{COMPANY-NAME}’s IT Department Reserves The Right To:
- Install anti-virus software on any BYOD participating device
- Restrict applications
- Limit use of network resources
- Wipe data on lost/damaged devices or upon termination from the BYOD program or {COMPANY-NAME} employment
- Properly perform job provisioning and configuration of BYOD participating equipment before connecting to the network
- Through policy enforcement and any other means it deems necessary, to limit the ability of end users to transfer data to and from specific resources on the {COMPANY-NAME} network
Responsibilities Of BYOD Participants Security And Damages
- All potential participants will be granted access to the {COMPANY-NAME} network on the condition that they read, sign, respect, and adhere to the {COMPANY-NAME} policies concerning the use of these devices and services (see Exhibit A).
- Prior to initial use on the {COMPANY-NAME} network or related infrastructure, all personally owned mobile devices must be registered with IT.
- Participants of the BYOD program and related software for network and data access will, without exception:
- Use secure data management procedures. All BYOD equipment, containing stored data owned by {COMPANY-NAME}, must use an approved method of encryption during transmission to protect data.
- Be expected to adhere to the same security protocols when connected with approved BYOD equipment to protect {COMPANY-NAME}’s infrastructure.
- {COMPANY-NAME} data is not to be accessed on any hardware that fails to meet {COMPANY-NAME}’s established enterprise IT security standards.
- Ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied to BYOD use.
- Utilize a device lock with authentication, such as a fingerprint or strong password, on each participating device. Refer to the {COMPANY-NAME} password policy for additional information.
- Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home.
- Passwords and confidential data should not be stored on unapproved or unauthorized non-{COMPANY-NAME} devices.
- Exercise reasonable physical security measures. It is the end users responsibility to keep their approved BYOD equipment safe and secure.
- A device’s firmware/operating system must be up-to-date in order to prevent vulnerabilities and make the device more stable. The patching and updating processes are the responsibility of the owner.
- Any non-corporate computers used to synchronize with BYOD equipment will have installed anti-virus and anti-malware software deemed necessary by {COMPANY-NAME}’s IT Department. Anti-virus signature files must be up to date on any additional client machines – such as a home PC – on which this media will be accessed.
- IT can and will establish audit trails and these will be accessed, published, and used without notice. Such trails will be able to track the attachment of an external device to a PC, and the resulting reports may be used for investigation of possible breaches and/or misuse.
- If A) any BYOD device is lost or stolen, immediately contact {COMPANY-NAME} IT; and, if B) any BYOD device is scheduled to be upgraded or exchanged, the user must contact IT in advance. IT will disable the BYOD and delete associated company data.
- BYOD equipment that is used to conduct {COMPANY-NAME} business will be utilized appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user’s access.
- Any attempt to contravene or bypass said security implementation will be deemed an intrusion attempt and will be dealt with in accordance with {COMPANY-NAME}’s overarching security policy.
- Usage of location-based services and mobile check-in services, which leverage device GPS capabilities to share real-time user location with external parties, is prohibited within the workplace.
- The user agrees to and accepts that his or her access and/or connection to {COMPANY-NAME}’s networks may be monitored to record dates, times, duration of access, etc. This is done to identify unusual usage patterns or other suspicious activity, and to identify accounts/computers that may have been compromised by external parties. In all cases, data protection remains {COMPANY-NAME}’s highest priority.
- Employees, Board of Directors, volunteers, contractors, and temporary staff will not reconfigure mobile devices with any type of {COMPANY-NAME} owned and installed hardware or software without the express approval of {COMPANY-NAME}’s IT Department.
- The end user agrees to immediately report, to his/her manager and {COMPANY-NAME}’s IT Department, any incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of {COMPANY-NAME} resources, databases, networks, etc.
Third Party Vendors
Third party vendors are expected to secure all devices with up-to-date anti-virus signature files and anti-malware software relevant or applicable to a device or platform.
All new connection requests between third parties and {COMPANY-NAME} require that the third party and {COMPANY-NAME} representatives agree to and sign the Third Party Agreement.
This agreement must be signed by the Vice President of the sponsoring department, as well as a representative from the third party who is legally empowered to sign on behalf of the third party. By signing this agreement, the third party agrees to abide by all referenced policies.
The document is to be kept on file. All non-publicly accessible information is the sole property of {COMPANY-NAME}.
The IT Department can supply a non-{COMPANY-NAME} Internet connection utilizing a US Cellular hot spot if needed.
Help And Support
{COMPANY-NAME}’s IT Department is not accountable for conflicts or problems caused by using unsanctioned media, hardware, or software. This applies even to devices already known to the IT Department.
Organizational Protocol
{COMPANY-NAME} may offer reimbursement of expenses to employees if they choose to use their own mobile devices in lieu of accepting a {COMPANY-NAME}-issued device. This may vary on the employees’ function within the company and will be in accordance with a schedule in the associated procedure. Refer to the Company and Personally Owned Mobile Device Procedure.
Bring Your Own Device (BYOD) Agreement
This Bring Your Own Device Agreement is entered into between the User and {COMPANY-NAME} LLC ({COMPANY-NAME}), effective the date this agreement is executed by {COMPANY-NAME}’s Information Technology Department (IT). The parties agree as follows:
Eligibility
The use of a supported smart device owned by the User in connection with {COMPANY-NAME} business is a privilege granted to the User, by management approval, per the Personal Device Acceptable Use and Security Policy.
A supported smart device is defined as an Android- or IOS-based cell phone or tablet running a manufacturer’s supported version of its operating system. If the User does not abide by the terms, IT Management reserves the right to revoke the privilege granted herein.
The policies referenced herein are aimed to protect the integrity of data belonging to {COMPANY-NAME} and to ensure the data remains secure.
In the event of a security breach or threat, {COMPANY-NAME} reserves the right, without prior notice to the User, to disable or disconnect some or all BYOD services related to connection of a personal smart device to the {COMPANY-NAME} network.
Reimbursement Considerations
{COMPANY-NAME} offers a fixed reimbursement to eligible Users starting the month following BYOD enrollment. Reference the Company and Personally Owned Mobile Device Procedure, Appendix B for the reimbursement schedule. The User is personally liable for the device and carrier service.
Accordingly, {COMPANY-NAME} will NOT reimburse the User, over and above the monthly reimbursement, for any loss, cost, or expense associated with the use or connection of a personal smart device to the {COMPANY-NAME} network.
This includes, but is not limited to, expenses for voice minutes used to perform {COMPANY-NAME} business, data charges related to the use of {COMPANY-NAME} services, expenses related to text or other messaging, cost of handheld devices, components, parts, or data plans, cost of replacement handheld devices in case of malfunction whether or not the malfunction was caused by using applications or services sponsored or provided by {COMPANY-NAME}, loss related to unavailability of, disconnection from, or disabling the connection of a smart device to the {COMPANY-NAME} network, and loss resulting from compliance with this Agreement or applicable {COMPANY-NAME} policies.
Security Considerations And Acceptable Use
Compliance by the User with the following {COMPANY-NAME} policies, published elsewhere and made available, is mandatory: Acceptable Use of Information Systems, Personal Device Acceptable Use and Security, and other related policies including, but not limited to, Anti-Virus, E-Mail, Network Security, Password, Safeguarding Member Information, Telecommuting.
The User of the personal smart device shall not remove sensitive information from the {COMPANY-NAME} network, attack {COMPANY-NAME} assets, or violate any of the security policies related to the subject matter of this Agreement.
Support
{COMPANY-NAME} will offer the following support for the personal smart device: connectivity to {COMPANY-NAME} servers, including email and calendar, and security services, including policy management, password management, and decommissioning and/or remote wiping in case of loss, theft, device failure, device degradation, upgrade (trade-in), or change of ownership.
{COMPANY-NAME} is not able to provide any additional assistance on any personally owned device and is not responsible for carrier network or system outages that result in a failure of connectivity to the {COMPANY-NAME} network.
The User assumes full liability including, but not limited to, an outage or crash of any or all of the {COMPANY-NAME} network, programming and other errors, bugs, viruses, and other software or hardware failures resulting in the partial or complete loss of data or which render the smart device inoperable.
Disclaimer
{COMPANY-NAME} expressly disclaims, and the User releases {COMPANY-NAME} from, all liability for any loss, cost, or expense of any nature whatsoever sustained by the User in connection with the privilege afforded the User under the terms of the Agreement.
Article by
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Share This Page
Our Editorial Process
Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.
Categories
Get the week’s best
cybersecurity content.
Related Templates
An acceptable use policy outlines the use of computer equipment. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy defines the requirement for reporting and responding to incidents related to the company’s information systems and operations
A penetration testing policy provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security
The purpose of an internet usage policy is to establish the rules for the use of company Internet for access to the Internet or the Intranet.
The company must prioritize its assets and protect the most critical ones first; however, it is important to ensure patching takes place on all machines.
