Author: Rich Selvidge, CISSP / Last Updated: 01/02/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
Acceptable use of bring your own device (BYOD) at {COMPANY-NAME} must be managed to ensure that access to {COMPANY-NAME}’s resources for business purposes is performed in a safe and secure manner by participants of the {COMPANY-NAME} BYOD program.
A participant of the BYOD program includes, but is not limited to:
This policy is designed to maximize the degree to which private and confidential data is protected from both deliberate and inadvertent exposure and/or breach.
A BYOD policy defines the standards, procedures, and restrictions for end users who have legitimate business requirements to access corporate data using their personal device.
This policy applies to, but is not limited to, any mobile device owned by any of the users listed above who participate in the {COMPANY-NAME} BYOD program and which contains stored data owned by {COMPANY-NAME}, and to all devices and accompanying media that fit the following device classifications:
Refer to the Company and Personally Owned Mobile Device Procedure.
This policy addresses a range of threats to, or related to, the use of {COMPANY-NAME} data:
Threat | Description |
---|---|
Loss | Devices used to transfer or transport work files could be lost or stolen. |
Theft | Sensitive corporate data is deliberately stolen and sold by an employee. |
Copyright | Software copied onto a mobile device could violate licensing. |
Malware | Viruses, Trojans, worms, spyware and other threats could be introduced via a mobile device. |
Compliance | Loss or theft of financial and/or personal and confidential data could expose {COMPANY-NAME} to the risk of non-compliance with various identity theft and privacy laws. |
Addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of IT.
Non-sanctioned use of mobile devices to back up, store, or otherwise access any enterprise-related data is strictly forbidden.
This policy is complementary to any other implemented policies dealing specifically with data access, data storage, data movement, and connectivity of mobile devices to any element of the {COMPANY-NAME} network.
This policy applies to all {COMPANY-NAME} employees, including full and part-time staff, Board of Directors, volunteers, contractors, freelancers, and other agents who utilize personally-owned mobile devices to access, store, back up, or relocate any organization or member-specific data.
Such access to this confidential data is a privilege, not a right, and forms the basis of the trust {COMPANY-NAME} has built with its members, suppliers, and other constituents.
Consequently, employment at {COMPANY-NAME} does not automatically guarantee the initial and ongoing ability to use these devices to gain access to corporate networks and information.
This policy applies to:
This policy is intended to protect the security and integrity of {COMPANY-NAME}’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.
The Audience, as defined above, must agree to the terms and conditions set forth in this policy to be able to connect their devices to the company network. If users do not abide by this policy, {COMPANY-NAME} reserves the right to revoke this privilege.
The following criteria will be considered initially, and on a continuing basis, to determine if the Audience is eligible to connect a personal smart device to the {COMPANY-NAME} network.
Third party vendors are expected to secure all devices with up-to-date anti-virus signature files and anti-malware software relevant or applicable to a device or platform.
All new connection requests between third parties and {COMPANY-NAME} require that the third party and {COMPANY-NAME} representatives agree to and sign the Third Party Agreement.
This agreement must be signed by the Vice President of the sponsoring department, as well as a representative from the third party who is legally empowered to sign on behalf of the third party. By signing this agreement, the third party agrees to abide by all referenced policies.
The document is to be kept on file. All non-publicly accessible information is the sole property of {COMPANY-NAME}.
The IT Department can supply a non-{COMPANY-NAME} Internet connection utilizing a US Cellular hot spot if needed.
{COMPANY-NAME}’s IT Department is not accountable for conflicts or problems caused by using unsanctioned media, hardware, or software. This applies even to devices already known to the IT Department.
{COMPANY-NAME} may offer a reimbursement of expenses to employees if they choose to use their own mobile devices in lieu of accepting a {COMPANY-NAME}-issued device. This may vary with the employee’s function within the company and will be in accordance with a schedule in the associated procedure. Refer to the Company and Personally Owned Mobile Device Procedure.
This Bring Your Own Device Agreement is entered into between the User and {COMPANY-NAME} LLC ({COMPANY-NAME}), effective the date this agreement is executed by {COMPANY-NAME}’s Information Technology Department (IT). The parties agree as follows:
The use of a supported smart device owned by the User in connection with {COMPANY-NAME} business is a privilege granted to the User, by management approval, per the Personal Device Acceptable Use and Security Policy.
A supported smart device is defined as an Android- or iOS-based cell phone or tablet running a manufacturer-supported version of its operating system. If the User does not abide by the terms, IT Management reserves the right to revoke the privilege granted herein.
The policies referenced herein are aimed to protect the integrity of data belonging to {COMPANY-NAME} and to ensure the data remains secure.
In the event of a security breach or threat, {COMPANY-NAME} reserves the right, without prior notice to the User, to disable or disconnect some or all BYOD services related to connection of a personal smart device to the {COMPANY-NAME} network.
{COMPANY-NAME} offers a fixed reimbursement to eligible Users starting the month following BYOD enrollment. Reference the Company and Personally Owned Mobile Device Procedure, Appendix B for the reimbursement schedule. The User is personally liable for the device and carrier service.
Accordingly, {COMPANY-NAME} will NOT reimburse the User, over and above the monthly reimbursement, for any loss, cost, or expense associated with the use or connection of a personal smart device to the {COMPANY-NAME} network.
This includes, but is not limited to, expenses for voice minutes used to perform {COMPANY-NAME} business, data charges related to the use of {COMPANY-NAME} services, expenses related to text or other messaging, cost of handheld devices, components, parts, or data plans, cost of replacement handheld devices in case of malfunction whether or not the malfunction was caused by using applications or services sponsored or provided by {COMPANY-NAME}, loss related to unavailability of, disconnection from, or disabling the connection of a smart device to the {COMPANY-NAME} network, and loss resulting from compliance with this Agreement or applicable {COMPANY-NAME} policies.
Compliance by the User with the following {COMPANY-NAME} policies, published elsewhere and made available, is mandatory: Acceptable Use of Information Systems, Personal Device Acceptable Use and Security, and other related policies including, but not limited to, Anti-Virus, E-Mail, Network Security, Password, Safeguarding Member Information, Telecommuting.
The User of the personal smart device shall not remove sensitive information from the {COMPANY-NAME} network, attack {COMPANY-NAME} assets, or violate any of the security policies related to the subject matter of this Agreement.
{COMPANY-NAME} will offer the following support for the personal smart device: connectivity to {COMPANY-NAME} servers, including email and calendar, and security services, including policy management, password management, and decommissioning and/or remote wiping in case of loss, theft, device failure, device degradation, upgrade (trade-in), or change of ownership.
{COMPANY-NAME} is not able to provide any additional assistance on any personally owned device and is not responsible for carrier network or system outages that result in a failure of connectivity to the {COMPANY-NAME} network.
The User assumes full liability including, but not limited to, an outage or crash of any or all of the {COMPANY-NAME} network, programming and other errors, bugs, viruses, and other software or hardware failures resulting in the partial or complete loss of data or which render the smart device inoperable.
{COMPANY-NAME} expressly disclaims, and the User releases {COMPANY-NAME} from, all liability for any loss, cost, or expense of any nature whatsoever sustained by the User in connection with the privilege afforded the User under the terms of the Agreement.
Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.