BYOD is a reality that all CIOs need to address in order to implement best practices
With the advent of user-owned devices and the ever-increasing mandated requirements for record retention and security, CIOs are challenged to manage an ever more complex and changing environment.
Before the CIO and the enterprise can start the process of implementing BYOD policies, they need to ensure that what is created meets the enterprise's compliance, culture and operational requirements. This requires defining the scope and objectives of the policy:
- Cost - Who will pay for the data plan? What rewards will be provided to get people to buy in?
- Agree to Acceptable Use - What terms will be included in the Acceptable Usage Policy, and how will the enterprise ensure its employees understand and agree to it?
- Mandated requirements: the enterprise will have to account for factors such as the variation among open-source Android implementations on different devices, and any security or regulatory requirements that apply to its industry (e.g. HIPAA compliance in healthcare)
- Security: Will the policy state how passwords are enforced? Encryption? Will the enterprise blacklist any applications?
- Management: How will the enterprise manage the devices connected to its network?
The steps to do this are well defined in Janco's BYOD Policy Template, which includes detailed best practices such as the following:
Implement remote wipe from the enterprise
As the number of personal devices in use increases, so does the chance that one of them will be lost or stolen. Given that, the enterprise should be able to initiate a remote wipe, with all of the implications that has for the personal data on the device.
Provide simple workable solutions that even novices can use
Solutions should allow users to log on to the user interface and access a list of their enrolled devices. From there, they can locate a device, lock it, reset its password, or wipe it. The user interface should also be able to self-audit the device and report compliance issues.
Build a facility to deal with terminated employees
Even before an employee leaves the enterprise, they are a security risk. That risk is magnified once the process of termination begins, whether voluntary or involuntary.
Protect sensitive and personal information
Personal devices are full of personal information, documents, and applications that are on the device for non-work purposes. There should be a way to identify personal versus corporate-owned devices, and to apply a policy to personal devices that hides the personal information from IT administrators.
Implement a records management policy for business records
Records management is a critical compliance requirement and should be controlled by the enterprise and not left to the individual user. A clear definition of what is a business record and how it should be saved and archived should be defined. (See Record Management, Retention, and Destruction Policy)
Isolate corporate data
When supporting BYOD, you need to be able to isolate corporate data on the phone, which includes, but is not limited to:
- Mandated records management requirements for archive and retrieval
- Disaster recovery and business continuity implications
- e-Mail Accounts
- VPN and Wireless settings
- Enterprise applications that have been pushed down
Continuously monitor automated actions
The enterprise should have the ability to monitor the state of each device accessing the network, whether it is approved or not:
- Is the device enrolled?
- Is it in compliance?
- Does it have any new applications?
Answering these questions will allow the enterprise to make adjustments based on the data it is seeing. This information will tell you whether you need new policies or compliance rules.
Options include, but should not be limited to:
- Send a notification to the user with steps to be taken
- Block the device from accessing the corporate network and/or email
- Wipe the device (full wipe or selective wipe)
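The following is an added example of how the monitoring questions above (enrolled? compliant? new applications?) and the enterprise-initiated remote wipe can be turned into one evaluation step that picks an action for each device. It is illustrative code written for this page, not Janco's template or any MDM product's API; the blacklist entries, the two-notification limit, and the sample fleet are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed for this example: application identifiers the enterprise has
# decided to blacklist. A real deployment would pull this from the MDM server.
BLOCKED_APPS = {"com.example.unapproved-sync", "com.example.screen-recorder"}

# Assumed policy parameter: unanswered notifications tolerated before blocking.
MAX_STRIKES = 2


@dataclass
class DeviceState:
    device_id: str
    user: str
    enrolled: bool
    compliant: bool            # result of the agent's self-audit (passcode, encryption, ...)
    installed_apps: Set[str]
    last_seen_apps: Set[str]   # application inventory from the previous check-in
    reported_lost: bool = False
    strikes: int = 0           # prior notifications the user has not acted on


def new_apps(dev: DeviceState) -> Set[str]:
    """Applications that appeared on the device since the previous check-in."""
    return dev.installed_apps - dev.last_seen_apps


def decide(dev: DeviceState) -> Tuple[str, str]:
    """Map a device's state to one action plus a human-readable reason.

    Actions, least to most severe: allow, notify, block, selective_wipe, full_wipe.
    Checks are ordered so that the most serious condition wins.
    """
    if dev.reported_lost:
        # Enterprise-initiated remote wipe: lost hardware outranks every other check.
        return "full_wipe", "device reported lost or stolen"
    if not dev.enrolled:
        # An unenrolled device cannot be audited, so it gets no corporate access.
        return "block", "device is not enrolled"
    blocked = dev.installed_apps & BLOCKED_APPS
    if blocked:
        # Remove corporate data (accounts, VPN, pushed apps) but leave personal data alone.
        return "selective_wipe", "blacklisted application(s) installed: " + ", ".join(sorted(blocked))
    if not dev.compliant:
        if dev.strikes >= MAX_STRIKES:
            return "block", f"still non-compliant after {dev.strikes} notifications"
        return "notify", "device failed compliance self-audit; remediation steps sent"
    added = new_apps(dev)
    if added:
        return "notify", "new application(s) need review: " + ", ".join(sorted(added))
    return "allow", "enrolled and compliant"


def evaluate_fleet(devices: List[DeviceState]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every device seen on the network and return device_id -> (action, reason)."""
    return {d.device_id: decide(d) for d in devices}


# Constructed sample inventory, shaped like an MDM check-in report.
SAMPLE_FLEET = [
    DeviceState("dev-001", "alice", True, True, {"mail", "vpn"}, {"mail", "vpn"}),
    DeviceState("dev-002", "bob", False, False, {"mail"}, {"mail"}),
    DeviceState("dev-003", "carol", True, False, {"mail"}, {"mail"}, strikes=0),
    DeviceState("dev-004", "dave", True, False, {"mail"}, {"mail"}, strikes=2),
    DeviceState("dev-005", "erin", True, True, {"mail", "com.example.screen-recorder"}, {"mail"}),
    DeviceState("dev-006", "frank", True, True, {"mail", "games"}, {"mail"}),
    DeviceState("dev-007", "grace", True, True, {"mail"}, {"mail"}, reported_lost=True),
]

if __name__ == "__main__":
    for device_id, (action, reason) in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{device_id}: {action:<15} {reason}")
```

The ordering inside `decide` is the design point: a lost device is wiped before anything else is considered, an unenrolled device is blocked before its applications are even inspected, and a blacklisted application triggers a selective wipe so the user's personal data survives while corporate accounts and settings are removed.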
Other Infrastructure Tools for CIOs
The policies have just been updated to comply with all mandated requirements and include electronic forms that can be e-mailed, filled out completely on the computer, routed and stored electronically, a total solution.
We have just completed a major update of most of the individual policies and almost all of the electronic forms.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Google Glass Policy (Includes Google Glass Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy (Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing and Cloud Based File Sharing Policy
- Physical and Virtual Server Security Policy
- Record Management, Retention, and Destruction Policy
- Safety Program
- Sensitive Information Policy (GDPR & HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with KPI Metrics
- Social Networking Policy (includes electronic form)
- Technology Acquisition Policy
- Telecommuting Policy (includes 8 electronic forms to effectively manage work at home staff)
- Text Messaging Sensitive and Confidential Information (includes electronic form)
- Travel, Electronic Meeting, and Off-Site Meeting Policy
- Wearable Device Policy
- IT Infrastructure Electronic Forms