Following is an excerpt from The Ten Commandments of Bring Your Own Device (BYOD) by MaaS360. For the full list of “commandments,” please visit the MaaS360 site to download the entire guide.
Like any other IT project, policy must precede technology—yes, even in the cloud. To effectively leverage mobile device management (MDM) technology for employee-owned devices, you still need to decide on policies. These policies affect more than just IT; they have implications for HR, legal, and security—any part of the business that uses mobile devices in the name of productivity.
Since all lines of business are affected by BYOD policy, it can’t be created in an IT vacuum. With the diverse needs of users, IT must ensure they are all part of policy creation.
There’s no one right BYOD policy, but here are some questions to consider:
- Devices: What mobile devices will be supported? Only certain devices or whatever the employee wants?
According to Forrester, 70% of smartphones belong to users, 12% are chosen from an approved list, and 16% are corporate-issued. Some 65% of tablets belong to users, 15% are chosen from a list, and 16% are corporate-issued. In other words, users in most cases bring their own devices.
- Data Plans: Will the organization pay for the data plan at all? Will you issue a stipend, or will the employee submit expense reports?
Who pays for these devices? For smartphones, 70% paid the full price, 12% got a discount, 3% paid a partial amount, and in 15% of cases, the company covered the full price. With tablets, 58% bought their own, 17% got a corporate discount, 7% shared the cost, and 18% were issued and paid for by their companies. (Source: Forrester, 2011)
- Compliance: What regulations govern the data your organization needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on any device that holds data subject to the act.
- Security: What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)?
- Applications: What apps are forbidden? IP scanning, data sharing, Dropbox?
- Agreements: Is there an Acceptable Usage Agreement (AUA) for employee devices with corporate data?
- Services: What kinds of resources can employees access—email? Certain wireless networks or VPNs? CRM?
- Privacy: What data is collected from employees’ devices? What personal data is never collected?
No questions are off limits when it comes to BYOD. There must be frank and honest dialog about how devices will be used and how IT can realistically meet those needs.